From fa88efbbacbbe74b72ddb9e316265de2aab31260 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 10 Aug 1998 07:04:53 +0000 Subject: split the system password checking routines out of smbd/password.c and into passdb/pass_check.c. This means SWAT no longer needs to link to smbd/password.c (This used to be commit 90d93889d722670cbb517017531264630af759bf) --- source3/auth/pass_check.c | 950 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 950 insertions(+) create mode 100644 source3/auth/pass_check.c (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c new file mode 100644 index 0000000000..b5aa832f48 --- /dev/null +++ b/source3/auth/pass_check.c @@ -0,0 +1,950 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password checking + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* this module is for checking a username/password against a system + password database. The SMB encrypted password support is elsewhere */ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/* these are kept here to keep the string_combinations function simple */ +static char this_user[100]=""; +static char this_salt[100]=""; +static char this_crypted[100]=""; + + +/**************************************************************************** +update the enhanced security database. Only relevant for OSF1 at the moment. +****************************************************************************/ +static void update_protected_database(char *user, BOOL result) +{ +#ifdef OSF1_ENH_SEC + struct pr_passwd *mypasswd; + time_t starttime; + + mypasswd = getprpwnam (user); + starttime = time (NULL); + + if (result) { + mypasswd->ufld.fd_slogin = starttime; + mypasswd->ufld.fd_nlogins = 0; + + putprpwnam(user,mypasswd); + } else { + mypasswd->ufld.fd_ulogin = starttime; + mypasswd->ufld.fd_nlogins = mypasswd->ufld.fd_nlogins + 1; + if (mypasswd->ufld.fd_max_tries != 0 && + mypasswd->ufld.fd_nlogins > mypasswd->ufld.fd_max_tries) { + mypasswd->uflg.fg_lock = 0; + DEBUG(3,("Account %s is disabled\n", user)); + } + putprpwnam(user ,mypasswd); + } +#endif +} + + +#ifdef HAVE_PAM +/******************************************************************* +check on PAM authentication +********************************************************************/ + +/* We first need some helper functions */ +#include +/* Static variables used to communicate between the conversation function + * and the server_login function + */ +static char *PAM_username; +static char *PAM_password; + +/* PAM conversation function + * Here we assume (for now, at least) that echo on means login name, and + * echo off means password. + */ +static int PAM_conv (int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr) { + int replies = 0; + struct pam_response *reply = NULL; + + #define COPY_STRING(s) (s) ? strdup(s) : NULL + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) { + switch (msg[replies]->msg_style) { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(PAM_username); + /* PAM frees resp */ + break; + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(PAM_password); + /* PAM frees resp */ + break; + case PAM_TEXT_INFO: + /* fall through */ + case PAM_ERROR_MSG: + /* ignore it... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + default: + /* Must be an error of some sort... */ + free (reply); + return PAM_CONV_ERR; + } + } + if (reply) *resp = reply; + return PAM_SUCCESS; +} +static struct pam_conv PAM_conversation = { + &PAM_conv, + NULL +}; + + +static BOOL pam_auth(char *this_user,char *password) +{ + pam_handle_t *pamh; + int pam_error; + + /* Now use PAM to do authentication. For now, we won't worry about + * session logging, only authentication. Bail out if there are any + * errors. Since this is a limited protocol, and an even more limited + * function within a server speaking this protocol, we can't be as + * verbose as would otherwise make sense. + * Query: should we be using PAM_SILENT to shut PAM up? + */ + #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \ + pam_end(pamh, 0); return False; \ + } + PAM_password = password; + PAM_username = this_user; + pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh); + PAM_BAIL; +/* Setting PAM_SILENT stops generation of error messages to syslog + * to enable debugging on Red Hat Linux set: + * /etc/pam.d/samba: + * auth required /lib/security/pam_pwdb.so nullok shadow audit + * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging) + */ + pam_error = pam_authenticate(pamh, PAM_SILENT); + PAM_BAIL; + /* It is not clear to me that account management is the right thing + * to do, but it is not clear that it isn't, either. This can be + * removed if no account management should be done. Alternately, + * put a pam_allow.so entry in /etc/pam.conf for account handling. */ + pam_error = pam_acct_mgmt(pamh, PAM_SILENT); + PAM_BAIL; + pam_end(pamh, PAM_SUCCESS); + /* If this point is reached, the user has been authenticated. */ + return(True); +} +#endif + + +#ifdef WITH_AFS +/******************************************************************* +check on AFS authentication +********************************************************************/ +static BOOL afs_auth(char *this_user,char *password) +{ + long password_expires = 0; + char *reason; + + /* For versions of AFS prior to 3.3, this routine has few arguments, */ + /* but since I can't find the old documentation... :-) */ + setpag(); + if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG, + this_user, + (char *) 0, /* instance */ + (char *) 0, /* cell */ + password, + 0, /* lifetime, default */ + &password_expires, /*days 'til it expires */ + 0, /* spare 2 */ + &reason) == 0) { + return(True); + } + return(False); +} +#endif + + +#ifdef WITH_DFS + +/***************************************************************** + This new version of the DFS_AUTH code was donated by Karsten Muuss + . It fixes the following problems with the + old code : + + - Server credentials may expire + - Client credential cache files have wrong owner + - purge_context() function is called with invalid argument + + This new code was modified to ensure that on exit the uid/gid is + still root, and the original directory is restored. JRA. +******************************************************************/ + +sec_login_handle_t my_dce_sec_context; +int dcelogin_atmost_once = 0; + +/******************************************************************* +check on a DCE/DFS authentication +********************************************************************/ +static BOOL dfs_auth(char *this_user,char *password) +{ + error_status_t err; + int err2; + int prterr; + signed32 expire_time, current_time; + boolean32 password_reset; + struct passwd *pw; + sec_passwd_rec_t passwd_rec; + sec_login_auth_src_t auth_src = sec_login_auth_src_network; + unsigned char dce_errstr[dce_c_error_string_len]; + + if (dcelogin_atmost_once) return(False); + +#ifdef HAVE_CRYPT + /* + * We only go for a DCE login context if the given password + * matches that stored in the local password file.. + * Assumes local passwd file is kept in sync w/ DCE RGY! + */ + + if (strcmp((char *)crypt(password,this_salt),this_crypted)) { + return(False); + } +#endif + + sec_login_get_current_context(&my_dce_sec_context, &err); + if (err != error_status_ok ) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get current context. %s\n", dce_errstr)); + + return(False); + } + + sec_login_certify_identity(my_dce_sec_context, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get current context. %s\n", dce_errstr)); + + return(False); + } + + sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); + + return(False); + } + + time(¤t_time); + + if (expire_time < (current_time + 60)) { + struct passwd *pw; + sec_passwd_rec_t *key; + + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t*)&pw, &err); + if (err != error_status_ok ) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); + + return(False); + } + + sec_login_refresh_identity(my_dce_sec_context, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't refresh identity. %s\n", + dce_errstr)); + + return(False); + } + + sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, + (unsigned char *)pw->pw_name, + sec_c_key_version_none, + (void**)&key, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get key for %s. %s\n", + pw->pw_name, dce_errstr)); + + return(False); + } + + sec_login_valid_and_cert_ident(my_dce_sec_context, key, + &password_reset, &auth_src, + &err); + if (err != error_status_ok ) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't validate and certify identity for %s. %s\n", + pw->pw_name, dce_errstr)); + } + + sec_key_mgmt_free_key(key, &err); + if (err != error_status_ok ) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't free key.\n", dce_errstr)); + } + } + + if (sec_login_setup_identity((unsigned char *)this_user, + sec_login_no_flags, + &my_dce_sec_context, + &err) == 0) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE Setup Identity for %s failed: %s\n", + this_user,dce_errstr)); + return(False); + } + + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t*)&pw, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); + + return(False); + } + + sec_login_purge_context(&my_dce_sec_context, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't purge context. %s\n", dce_errstr)); + + return(False); + } + + /* + * NB. I'd like to change these to call something like become_user() + * instead but currently we don't have a connection + * context to become the correct user. This is already + * fairly platform specific code however, so I think + * this should be ok. I have added code to go + * back to being root on error though. JRA. + */ + + if (setregid(-1, pw->pw_gid) != 0) { + DEBUG(0,("Can't set egid to %d (%s)\n", + pw->pw_gid, strerror(errno))); + return False; + } + + if (setreuid(-1, pw->pw_uid) != 0) { + setgid(0); + DEBUG(0,("Can't set euid to %d (%s)\n", + pw->pw_uid, strerror(errno))); + return False; + } + + if (sec_login_setup_identity((unsigned char *)this_user, + sec_login_no_flags, + &my_dce_sec_context, + &err) == 0) { + dce_error_inq_text(err, dce_errstr, &err2); + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + DEBUG(0,("DCE Setup Identity for %s failed: %s\n", + this_user,dce_errstr)); + return(False); + } + + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t*)&pw, &err); + if (err != error_status_ok ) { + dce_error_inq_text(err, dce_errstr, &err2); + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); + + return(False); + } + + passwd_rec.version_number = sec_passwd_c_version_none; + passwd_rec.pepper = NULL; + passwd_rec.key.key_type = sec_passwd_plain; + passwd_rec.key.tagged_union.plain = (idl_char *)password; + + sec_login_validate_identity(my_dce_sec_context, + &passwd_rec, &password_reset, + &auth_src, &err); + if (err != error_status_ok ) { + dce_error_inq_text(err, dce_errstr, &err2); + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n", + this_user,dce_errstr)); + + return(False); + } + + sec_login_certify_identity(my_dce_sec_context, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr)); + + return(False); + } + + if (auth_src != sec_login_auth_src_network) { + DEBUG(0,("DCE context has no network credentials.\n")); + } + + sec_login_set_context(my_dce_sec_context, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n", + this_user,dce_errstr)); + + sec_login_purge_context(&my_dce_sec_context, &err); + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + return(False); + } + + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t*)&pw, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); + + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + return(False); + } + + DEBUG(0,("DCE login succeeded for principal %s on pid %d\n", + this_user, getpid())); + + DEBUG(3,("DCE principal: %s\n" + " uid: %d\n" + " gid: %d\n", + pw->pw_name, pw->pw_uid, pw->pw_gid)); + DEBUG(3,(" info: %s\n" + " dir: %s\n" + " shell: %s\n", + pw->pw_gecos, pw->pw_dir, pw->pw_shell)); + + sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + /* Go back to root, JRA. */ + setuid(0); + setgid(0); + DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); + + return(False); + } + + setuid(0); + setgid(0); + + DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time)))); + + dcelogin_atmost_once = 1; + return (True); +} + +void dfs_unlogin(void) +{ + error_status_t err; + int err2; + unsigned char dce_errstr[dce_c_error_string_len]; + + sec_login_purge_context(&my_dce_sec_context, &err); + if (err != error_status_ok) { + dce_error_inq_text(err, dce_errstr, &err2); + DEBUG(0,("DCE purge login context failed for server instance %d: %s\n", + getpid(), dce_errstr)); + } +} +#endif + +#ifdef KRB5_AUTH +/******************************************************************* +check on Kerberos authentication +********************************************************************/ +static BOOL krb5_auth(char *this_user,char *password) +{ + krb5_data tgtname = { + 0, + KRB5_TGS_NAME_SIZE, + KRB5_TGS_NAME + }; + krb5_context kcontext; + krb5_principal kprinc; + krb5_principal server; + krb5_creds kcreds; + int options = 0; + krb5_address **addrs = (krb5_address **)0; + krb5_preauthtype *preauth = NULL; + krb5_keytab keytab = NULL; + krb5_timestamp now; + krb5_ccache ccache = NULL; + int retval; + char *name; + + if (retval=krb5_init_context(&kcontext)) { + return(False); + } + + if (retval = krb5_timeofday(kcontext, &now)) { + return(False); + } + + if (retval = krb5_cc_default(kcontext, &ccache)) { + return(False); + } + + if (retval = krb5_parse_name(kcontext, this_user, &kprinc)) { + return(False); + } + + memset((char *)&kcreds, 0, sizeof(kcreds)); + + kcreds.client = kprinc; + + if ((retval = krb5_build_principal_ext(kcontext, &server, + krb5_princ_realm(kcontext, kprinc)->length, + krb5_princ_realm(kcontext, kprinc)->data, + tgtname.length, + tgtname.data, + krb5_princ_realm(kcontext, kprinc)->length, + krb5_princ_realm(kcontext, kprinc)->data, + 0))) { + return(False); + } + + kcreds.server = server; + + retval = krb5_get_in_tkt_with_password(kcontext, + options, + addrs, + NULL, + preauth, + password, + 0, + &kcreds, + 0); + + if (retval) { + return(False); + } + + return(True); +} +#endif /* KRB5_AUTH */ + +#ifdef KRB4_AUTH +/******************************************************************* +check on Kerberos authentication +********************************************************************/ +static BOOL krb4_auth(char *this_user,char *password) +{ + char realm[REALM_SZ]; + char tkfile[MAXPATHLEN]; + + if (krb_get_lrealm(realm, 1) != KSUCCESS) { + (void) safe_strcpy(realm, KRB_REALM, sizeof (realm) - 1); + } + + (void) slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", + getpid()); + + krb_set_tkt_string(tkfile); + if (krb_verify_user(this_user, "", realm, + password, 0, + "rmcd") == KSUCCESS) { + unlink(tkfile); + return 1; + } + unlink(tkfile); + return 0; +} +#endif /* KRB4_AUTH */ + +#ifdef LINUX_BIGCRYPT +/**************************************************************************** +an enhanced crypt for Linux to handle password longer than 8 characters +****************************************************************************/ +static int linux_bigcrypt(char *password,char *salt1, char *crypted) +{ +#define LINUX_PASSWORD_SEG_CHARS 8 + char salt[3]; + int i; + + StrnCpy(salt,salt1,2); + crypted +=2; + + for ( i=strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) { + char * p = crypt(password,salt) + 2; + if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0) + return(0); + password += LINUX_PASSWORD_SEG_CHARS; + crypted += strlen(p); + } + + return(1); +} +#endif + +#ifdef OSF1_ENH_SEC +/**************************************************************************** +an enhanced crypt for OSF1 +****************************************************************************/ +static char *osf1_bigcrypt(char *password,char *salt1) +{ + static char result[AUTH_MAX_PASSWD_LENGTH] = ""; + char *p1; + char *p2=password; + char salt[3]; + int i; + int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS; + if (strlen(password)%AUTH_CLEARTEXT_SEG_CHARS) { + parts++; + } + + StrnCpy(salt,salt1,2); + StrnCpy(result,salt1,2); + + for (i=0; i= len) { + return(fn(s)); + } + + for (i=offset;i<(len-(N-1));i++) { + char c = s[i]; + if (!islower(c)) continue; + s[i] = toupper(c); + if (string_combinations2(s,i+1,fn,N-1)) + return(True); + s[i] = c; + } + return(False); +} + +/**************************************************************************** +apply a function to upper/lower case combinations +of a string and return true if one of them returns true. +try all combinations with up to N uppercase letters. +offset is the first char to try and change (start with 0) +it assumes the string starts lowercased +****************************************************************************/ +static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N) +{ + int n; + for (n=1;n<=N;n++) + if (string_combinations2(s,0,fn,n)) return(True); + return(False); +} + + +/**************************************************************************** +core of password checking routine +****************************************************************************/ +static BOOL password_check(char *password) +{ + +#ifdef HAVE_PAM + /* This falls through if the password check fails + - if HAVE_CRYPT is not defined this causes an error msg + saying Warning - no crypt available + - if HAVE_CRYPT is defined this is a potential security hole + as it may authenticate via the crypt call when PAM + settings say it should fail. + if (pam_auth(this_user,password)) return(True); + Hence we make a direct return to avoid a second chance!!! + */ + return (pam_auth(this_user,password)); +#endif + +#ifdef WITH_AFS + if (afs_auth(this_user,password)) return(True); +#endif + +#ifdef WITH_DFS + if (dfs_auth(this_user,password)) return(True); +#endif + +#ifdef KRB5_AUTH + if (krb5_auth(this_user,password)) return(True); +#endif + +#ifdef KRB4_AUTH + if (krb4_auth(this_user,password)) return(True); +#endif + +#ifdef OSF1_ENH_SEC + { + BOOL ret = (strcmp(osf1_bigcrypt(password,this_salt),this_crypted) == 0); + if(!ret) { + DEBUG(2,("OSF1_ENH_SEC failed. Trying normal crypt.\n")); + ret = (strcmp((char *)crypt(password,this_salt),this_crypted) == 0); + } + return ret; + } +#endif + +#ifdef ULTRIX_AUTH + return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0); +#endif + +#ifdef LINUX_BIGCRYPT + return(linux_bigcrypt(password,this_salt,this_crypted)); +#endif + +#ifdef HAVE_BIGCRYPT + return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0); +#endif + +#ifndef HAVE_CRYPT + DEBUG(1,("Warning - no crypt available\n")); + return(False); +#else + return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0); +#endif +} + + + +/**************************************************************************** +check if a username/password is OK +the function pointer fn() points to a function to call when a successful +match is found and is used to update the encrypted password file +return True on correct match, False otherwise +****************************************************************************/ +BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, + BOOL (*fn)(char *, char *)) +{ + pstring pass2; + int level = lp_passwordlevel(); + struct passwd *pass; + + if (password) password[pwlen] = 0; + +#if DEBUG_PASSWORD + DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password)); +#endif + + if (!password) { + return(False); + } + + if (((!*password) || (!pwlen)) && !lp_null_passwords()) { + return(False); + } + + if (pwd && !user) { + pass = (struct passwd *) pwd; + user = pass->pw_name; + } else { + pass = Get_Pwnam(user,True); + } + + + DEBUG(4,("Checking password for user %s (l=%d)\n",user,pwlen)); + + if (!pass) { + DEBUG(3,("Couldn't find user %s\n",user)); + return(False); + } + +#ifdef HAVE_GETSPNAM + { + struct spwd *spass; + + /* many shadow systems require you to be root to get + the password, in most cases this should already be + the case when this function is called, except + perhaps for IPC password changing requests */ + + spass = getspnam(pass->pw_name); + if (spass && spass->sp_pwdp) { + pass->pw_passwd = spass->sp_pwdp; + } + } +#elif defined(IA_UINFO) + { + /* Need to get password with SVR4.2's ia_ functions + instead of get{sp,pw}ent functions. Required by + UnixWare 2.x, tested on version + 2.1. (tangent@cyberport.com) */ + uinfo_t uinfo; + if (ia_openinfo(pass->pw_name, &uinfo) != -1) { + ia_get_logpwd(uinfo, &(pass->pw_passwd)); + } + } +#endif + +#ifdef HAVE_GETPRPWNAM + { + struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); + if (pr_pw && pr_pw->ufld.fd_encrypt) + pass->pw_passwd = pr_pw->ufld.fd_encrypt; + } +#endif + +#ifdef OSF1_ENH_SEC + { + struct pr_passwd *mypasswd; + DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n", + user)); + mypasswd = getprpwnam (user); + if (mypasswd) { + fstrcpy(pass->pw_name,mypasswd->ufld.fd_name); + fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt); + } else { + DEBUG(5,("No entry for user %s in protected database !\n", + user)); + return(False); + } + } +#endif + +#ifdef ULTRIX_AUTH + { + AUTHORIZATION *ap = getauthuid(pass->pw_uid); + if (ap) { + fstrcpy(pass->pw_passwd, ap->a_password); + endauthent(); + } + } +#endif + + /* extract relevant info */ + fstrcpy(this_user,pass->pw_name); + fstrcpy(this_salt,pass->pw_passwd); + /* crypt on some platforms (HPUX in particular) + won't work with more than 2 salt characters. */ + this_salt[2] = 0; + + fstrcpy(this_crypted,pass->pw_passwd); + + if (!*this_crypted) { + if (!lp_null_passwords()) { + DEBUG(2,("Disallowing %s with null password\n", + this_user)); + return(False); + } + if (!*password) { + DEBUG(3,("Allowing access to %s with null password\n", + this_user)); + return(True); + } + } + + /* try it as it came to us */ + if (password_check(password)) { + update_protected_database(user,True); + if (fn) fn(user,password); + return(True); + } + + /* if the password was given to us with mixed case then we don't + need to proceed as we know it hasn't been case modified by the + client */ + if (strhasupper(password) && strhaslower(password)) { + return(False); + } + + /* make a copy of it */ + StrnCpy(pass2,password,sizeof(pstring)-1); + + /* try all lowercase */ + strlower(password); + if (password_check(password)) { + update_protected_database(user,True); + if (fn) fn(user,password); + return(True); + } + + /* give up? */ + if (level < 1) { + update_protected_database(user,False); + + /* restore it */ + fstrcpy(password,pass2); + + return(False); + } + + /* last chance - all combinations of up to level chars upper! */ + strlower(password); + + if (string_combinations(password,password_check,level)) { + update_protected_database(user,True); + if (fn) fn(user,password); + return(True); + } + + update_protected_database(user,False); + + /* restore it */ + fstrcpy(password,pass2); + + return(False); +} -- cgit From 37d5ba8eae030ef852ca64181a5f8e5dbdc52079 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 15 Aug 1998 03:31:57 +0000 Subject: use user instead of this_user to prevent global shadowing (This used to be commit 76e523907c2ee51031341c3cef9e9f6b5b2d9dc4) --- source3/auth/pass_check.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index b5aa832f48..23ae4d0974 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -126,7 +126,7 @@ static struct pam_conv PAM_conversation = { }; -static BOOL pam_auth(char *this_user,char *password) +static BOOL pam_auth(char *user,char *password) { pam_handle_t *pamh; int pam_error; @@ -142,8 +142,8 @@ static BOOL pam_auth(char *this_user,char *password) pam_end(pamh, 0); return False; \ } PAM_password = password; - PAM_username = this_user; - pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh); + PAM_username = user; + pam_error = pam_start("samba", user, &PAM_conversation, &pamh); PAM_BAIL; /* Setting PAM_SILENT stops generation of error messages to syslog * to enable debugging on Red Hat Linux set: @@ -170,7 +170,7 @@ static BOOL pam_auth(char *this_user,char *password) /******************************************************************* check on AFS authentication ********************************************************************/ -static BOOL afs_auth(char *this_user,char *password) +static BOOL afs_auth(char *user,char *password) { long password_expires = 0; char *reason; @@ -179,7 +179,7 @@ static BOOL afs_auth(char *this_user,char *password) /* but since I can't find the old documentation... :-) */ setpag(); if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG, - this_user, + user, (char *) 0, /* instance */ (char *) 0, /* cell */ password, @@ -215,7 +215,7 @@ int dcelogin_atmost_once = 0; /******************************************************************* check on a DCE/DFS authentication ********************************************************************/ -static BOOL dfs_auth(char *this_user,char *password) +static BOOL dfs_auth(char *user,char *password) { error_status_t err; int err2; @@ -317,13 +317,13 @@ static BOOL dfs_auth(char *this_user,char *password) } } - if (sec_login_setup_identity((unsigned char *)this_user, + if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, &my_dce_sec_context, &err) == 0) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0,("DCE Setup Identity for %s failed: %s\n", - this_user,dce_errstr)); + user,dce_errstr)); return(False); } @@ -366,7 +366,7 @@ static BOOL dfs_auth(char *this_user,char *password) return False; } - if (sec_login_setup_identity((unsigned char *)this_user, + if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, &my_dce_sec_context, &err) == 0) { @@ -375,7 +375,7 @@ static BOOL dfs_auth(char *this_user,char *password) setuid(0); setgid(0); DEBUG(0,("DCE Setup Identity for %s failed: %s\n", - this_user,dce_errstr)); + user,dce_errstr)); return(False); } @@ -405,7 +405,7 @@ static BOOL dfs_auth(char *this_user,char *password) setuid(0); setgid(0); DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n", - this_user,dce_errstr)); + user,dce_errstr)); return(False); } @@ -429,7 +429,7 @@ static BOOL dfs_auth(char *this_user,char *password) if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n", - this_user,dce_errstr)); + user,dce_errstr)); sec_login_purge_context(&my_dce_sec_context, &err); /* Go back to root, JRA. */ @@ -451,7 +451,7 @@ static BOOL dfs_auth(char *this_user,char *password) } DEBUG(0,("DCE login succeeded for principal %s on pid %d\n", - this_user, getpid())); + user, getpid())); DEBUG(3,("DCE principal: %s\n" " uid: %d\n" @@ -501,7 +501,7 @@ void dfs_unlogin(void) /******************************************************************* check on Kerberos authentication ********************************************************************/ -static BOOL krb5_auth(char *this_user,char *password) +static BOOL krb5_auth(char *user,char *password) { krb5_data tgtname = { 0, @@ -533,7 +533,7 @@ static BOOL krb5_auth(char *this_user,char *password) return(False); } - if (retval = krb5_parse_name(kcontext, this_user, &kprinc)) { + if (retval = krb5_parse_name(kcontext, user, &kprinc)) { return(False); } @@ -576,7 +576,7 @@ static BOOL krb5_auth(char *this_user,char *password) /******************************************************************* check on Kerberos authentication ********************************************************************/ -static BOOL krb4_auth(char *this_user,char *password) +static BOOL krb4_auth(char *user,char *password) { char realm[REALM_SZ]; char tkfile[MAXPATHLEN]; @@ -589,7 +589,7 @@ static BOOL krb4_auth(char *this_user,char *password) getpid()); krb_set_tkt_string(tkfile); - if (krb_verify_user(this_user, "", realm, + if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS) { unlink(tkfile); @@ -716,7 +716,7 @@ static BOOL password_check(char *password) - if HAVE_CRYPT is defined this is a potential security hole as it may authenticate via the crypt call when PAM settings say it should fail. - if (pam_auth(this_user,password)) return(True); + if (pam_auth(user,password)) return(True); Hence we make a direct return to avoid a second chance!!! */ return (pam_auth(this_user,password)); -- cgit From 48514704c2825bcde8bed3b92255ba2abcb955b4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 29 Aug 1998 14:08:17 +0000 Subject: got rid of calls to update_protected_database(). It was causing core dumps. It is gone until someone can tell us why its needed and what it does. (It was only used on OSF1 and core dumped there anyway!) (This used to be commit a564e4662711d384069757ce3ee5adcadc1b061d) --- source3/auth/pass_check.c | 37 ------------------------------------- 1 file changed, 37 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 23ae4d0974..9005864b08 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -32,37 +32,6 @@ static char this_salt[100]=""; static char this_crypted[100]=""; -/**************************************************************************** -update the enhanced security database. Only relevant for OSF1 at the moment. -****************************************************************************/ -static void update_protected_database(char *user, BOOL result) -{ -#ifdef OSF1_ENH_SEC - struct pr_passwd *mypasswd; - time_t starttime; - - mypasswd = getprpwnam (user); - starttime = time (NULL); - - if (result) { - mypasswd->ufld.fd_slogin = starttime; - mypasswd->ufld.fd_nlogins = 0; - - putprpwnam(user,mypasswd); - } else { - mypasswd->ufld.fd_ulogin = starttime; - mypasswd->ufld.fd_nlogins = mypasswd->ufld.fd_nlogins + 1; - if (mypasswd->ufld.fd_max_tries != 0 && - mypasswd->ufld.fd_nlogins > mypasswd->ufld.fd_max_tries) { - mypasswd->uflg.fg_lock = 0; - DEBUG(3,("Account %s is disabled\n", user)); - } - putprpwnam(user ,mypasswd); - } -#endif -} - - #ifdef HAVE_PAM /******************************************************************* check on PAM authentication @@ -899,7 +868,6 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, /* try it as it came to us */ if (password_check(password)) { - update_protected_database(user,True); if (fn) fn(user,password); return(True); } @@ -917,14 +885,12 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, /* try all lowercase */ strlower(password); if (password_check(password)) { - update_protected_database(user,True); if (fn) fn(user,password); return(True); } /* give up? */ if (level < 1) { - update_protected_database(user,False); /* restore it */ fstrcpy(password,pass2); @@ -936,13 +902,10 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, strlower(password); if (string_combinations(password,password_check,level)) { - update_protected_database(user,True); if (fn) fn(user,password); return(True); } - update_protected_database(user,False); - /* restore it */ fstrcpy(password,pass2); -- cgit From f6044c87c021342d68d614d59bc8dacd32d223b9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 5 Sep 1998 13:24:20 +0000 Subject: some cleanups to use ZERO_STRUCT() and friends (This used to be commit 7b154dc4313324dfad6cf0117b8ce246bf12bf16) --- source3/auth/pass_check.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 9005864b08..edb4c97290 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -506,7 +506,7 @@ static BOOL krb5_auth(char *user,char *password) return(False); } - memset((char *)&kcreds, 0, sizeof(kcreds)); + ZERO_STRUCT(kcreds); kcreds.client = kprinc; -- cgit From b053652d490c8b37084797a64f14cdd44ff82578 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 26 Sep 1998 03:30:15 +0000 Subject: Added Kerberos4 support patches from Johan Hedin Jeremy. (This used to be commit 548634915f21f774b7efb06f138c8fb7bc089daa) --- source3/auth/pass_check.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index edb4c97290..d847407bbb 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -542,6 +542,8 @@ static BOOL krb5_auth(char *user,char *password) #endif /* KRB5_AUTH */ #ifdef KRB4_AUTH +#include + /******************************************************************* check on Kerberos authentication ********************************************************************/ @@ -555,7 +557,7 @@ static BOOL krb4_auth(char *user,char *password) } (void) slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", - getpid()); + (int)getpid()); krb_set_tkt_string(tkfile); if (krb_verify_user(user, "", realm, -- cgit From 269f11bfa90bc4e6373a666486b97d927c7be7c7 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 8 Mar 1999 18:43:50 +0000 Subject: pass_check.c could receive encrypted password: printing it out as a %s results in garbage. with no password length argument doing dump_data( 100, password, strlen(password)) is the next best alternative. (This used to be commit 073c8652c13408b883fc73203e5558b1a9a64d62) --- source3/auth/pass_check.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index d847407bbb..f07f0e1abb 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -758,7 +758,8 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, if (password) password[pwlen] = 0; #if DEBUG_PASSWORD - DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password)); + DEBUG(100,("checking user=[%s] pass=",user)); + dump_data(100, password, strlen(password)); #endif if (!password) { -- cgit From 731c7f2ecfe17651506ba05b88358360e4654a37 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 13 Jun 1999 04:14:24 +0000 Subject: Moved code that changes the pw_passwd entry (i.e shadow password and weird unixware stuff) into _Get_Pwnam() to fix a memory allocation bug. Note that the Get_Pwnam() function now returns a const struct passwd * as a hint to other developers not to change entries in the struct passwd. (This used to be commit 36d7cb4ccc42268e8e6a7b783c945d1853624958) --- source3/auth/pass_check.c | 64 +---------------------------------------------- 1 file changed, 1 insertion(+), 63 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index f07f0e1abb..7effbfef8d 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -753,7 +753,7 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, { pstring pass2; int level = lp_passwordlevel(); - struct passwd *pass; + const struct passwd *pass; if (password) password[pwlen] = 0; @@ -785,68 +785,6 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, return(False); } -#ifdef HAVE_GETSPNAM - { - struct spwd *spass; - - /* many shadow systems require you to be root to get - the password, in most cases this should already be - the case when this function is called, except - perhaps for IPC password changing requests */ - - spass = getspnam(pass->pw_name); - if (spass && spass->sp_pwdp) { - pass->pw_passwd = spass->sp_pwdp; - } - } -#elif defined(IA_UINFO) - { - /* Need to get password with SVR4.2's ia_ functions - instead of get{sp,pw}ent functions. Required by - UnixWare 2.x, tested on version - 2.1. (tangent@cyberport.com) */ - uinfo_t uinfo; - if (ia_openinfo(pass->pw_name, &uinfo) != -1) { - ia_get_logpwd(uinfo, &(pass->pw_passwd)); - } - } -#endif - -#ifdef HAVE_GETPRPWNAM - { - struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); - if (pr_pw && pr_pw->ufld.fd_encrypt) - pass->pw_passwd = pr_pw->ufld.fd_encrypt; - } -#endif - -#ifdef OSF1_ENH_SEC - { - struct pr_passwd *mypasswd; - DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n", - user)); - mypasswd = getprpwnam (user); - if (mypasswd) { - fstrcpy(pass->pw_name,mypasswd->ufld.fd_name); - fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt); - } else { - DEBUG(5,("No entry for user %s in protected database !\n", - user)); - return(False); - } - } -#endif - -#ifdef ULTRIX_AUTH - { - AUTHORIZATION *ap = getauthuid(pass->pw_uid); - if (ap) { - fstrcpy(pass->pw_passwd, ap->a_password); - endauthent(); - } - } -#endif - /* extract relevant info */ fstrcpy(this_user,pass->pw_name); fstrcpy(this_salt,pass->pw_passwd); -- cgit From 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 13 Dec 1999 13:27:58 +0000 Subject: first pass at updating head branch to be to be the same as the SAMBA_2_0 branch (This used to be commit 453a822a76780063dff23526c35408866d0c0154) --- source3/auth/pass_check.c | 183 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 129 insertions(+), 54 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 7effbfef8d..11ce0d754e 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -32,7 +32,7 @@ static char this_salt[100]=""; static char this_crypted[100]=""; -#ifdef HAVE_PAM +#ifdef WITH_PAM /******************************************************************* check on PAM authentication ********************************************************************/ @@ -136,6 +136,10 @@ static BOOL pam_auth(char *user,char *password) #ifdef WITH_AFS + +#include +#include + /******************************************************************* check on AFS authentication ********************************************************************/ @@ -158,6 +162,7 @@ static BOOL afs_auth(char *user,char *password) &reason) == 0) { return(True); } + DEBUG(1,("AFS authentication for \"%s\" failed (%s)\n", user, reason)); return(False); } #endif @@ -165,6 +170,9 @@ static BOOL afs_auth(char *user,char *password) #ifdef WITH_DFS +#include +#include + /***************************************************************** This new version of the DFS_AUTH code was donated by Karsten Muuss . It fixes the following problems with the @@ -195,6 +203,7 @@ static BOOL dfs_auth(char *user,char *password) sec_passwd_rec_t passwd_rec; sec_login_auth_src_t auth_src = sec_login_auth_src_network; unsigned char dce_errstr[dce_c_error_string_len]; + gid_t egid; if (dcelogin_atmost_once) return(False); @@ -322,14 +331,16 @@ static BOOL dfs_auth(char *user,char *password) * back to being root on error though. JRA. */ - if (setregid(-1, pw->pw_gid) != 0) { + egid = getegid(); + + if (set_effective_gid(pw->pw_gid) != 0) { DEBUG(0,("Can't set egid to %d (%s)\n", pw->pw_gid, strerror(errno))); return False; } - if (setreuid(-1, pw->pw_uid) != 0) { - setgid(0); + if (set_effective_uid(pw->pw_uid) != 0) { + set_effective_gid(egid); DEBUG(0,("Can't set euid to %d (%s)\n", pw->pw_uid, strerror(errno))); return False; @@ -340,24 +351,17 @@ static BOOL dfs_auth(char *user,char *password) &my_dce_sec_context, &err) == 0) { dce_error_inq_text(err, dce_errstr, &err2); - /* Go back to root, JRA. */ - setuid(0); - setgid(0); DEBUG(0,("DCE Setup Identity for %s failed: %s\n", user,dce_errstr)); - return(False); + goto err; } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t*)&pw, &err); if (err != error_status_ok ) { dce_error_inq_text(err, dce_errstr, &err2); - /* Go back to root, JRA. */ - setuid(0); - setgid(0); DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); - - return(False); + goto err; } passwd_rec.version_number = sec_passwd_c_version_none; @@ -370,24 +374,16 @@ static BOOL dfs_auth(char *user,char *password) &auth_src, &err); if (err != error_status_ok ) { dce_error_inq_text(err, dce_errstr, &err2); - /* Go back to root, JRA. */ - setuid(0); - setgid(0); DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n", user,dce_errstr)); - - return(False); + goto err; } sec_login_certify_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); - /* Go back to root, JRA. */ - setuid(0); - setgid(0); DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr)); - - return(False); + goto err; } if (auth_src != sec_login_auth_src_network) { @@ -401,10 +397,7 @@ static BOOL dfs_auth(char *user,char *password) user,dce_errstr)); sec_login_purge_context(&my_dce_sec_context, &err); - /* Go back to root, JRA. */ - setuid(0); - setgid(0); - return(False); + goto err; } sec_login_get_pwent(my_dce_sec_context, @@ -412,11 +405,7 @@ static BOOL dfs_auth(char *user,char *password) if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); - - /* Go back to root, JRA. */ - setuid(0); - setgid(0); - return(False); + goto err; } DEBUG(0,("DCE login succeeded for principal %s on pid %d\n", @@ -434,21 +423,24 @@ static BOOL dfs_auth(char *user,char *password) sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); - /* Go back to root, JRA. */ - setuid(0); - setgid(0); DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); - - return(False); + goto err; } - setuid(0); - setgid(0); + set_effective_uid(0); + set_effective_gid(0); DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time)))); dcelogin_atmost_once = 1; return (True); + +err: + + /* Go back to root, JRA. */ + set_effective_uid(0); + set_effective_gid(egid); + return(False); } void dfs_unlogin(void) @@ -467,6 +459,9 @@ void dfs_unlogin(void) #endif #ifdef KRB5_AUTH + +#include + /******************************************************************* check on Kerberos authentication ********************************************************************/ @@ -614,6 +609,7 @@ static char *osf1_bigcrypt(char *password,char *salt1) StrnCpy(salt,salt1,2); StrnCpy(result,salt1,2); + result[2]='\0'; for (i=0; ipw_name); + if (spass && spass->sp_pwdp) { + pstrcpy(pass->pw_passwd,spass->sp_pwdp); + } + } +#elif defined(IA_UINFO) + { + /* Need to get password with SVR4.2's ia_ functions + instead of get{sp,pw}ent functions. Required by + UnixWare 2.x, tested on version + 2.1. (tangent@cyberport.com) */ + uinfo_t uinfo; + if (ia_openinfo(pass->pw_name, &uinfo) != -1) { + ia_get_logpwd(uinfo, &(pass->pw_passwd)); + } + } +#endif + +#ifdef HAVE_GETPRPWNAM + { + struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); + if (pr_pw && pr_pw->ufld.fd_encrypt) + pstrcpy(pass->pw_passwd,pr_pw->ufld.fd_encrypt); + } +#endif + +#ifdef OSF1_ENH_SEC + { + struct pr_passwd *mypasswd; + DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n", + user)); + mypasswd = getprpwnam (user); + if (mypasswd) { + fstrcpy(pass->pw_name,mypasswd->ufld.fd_name); + fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt); + } else { + DEBUG(5,("OSF1_ENH_SEC: No entry for user %s in protected database !\n", + user)); + } + } +#endif + +#ifdef ULTRIX_AUTH + { + AUTHORIZATION *ap = getauthuid(pass->pw_uid); + if (ap) { + fstrcpy(pass->pw_passwd, ap->a_password); + endauthent(); + } + } +#endif + /* extract relevant info */ fstrcpy(this_user,pass->pw_name); fstrcpy(this_salt,pass->pw_passwd); + +#if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) won't work with more than 2 salt characters. */ this_salt[2] = 0; +#endif fstrcpy(this_crypted,pass->pw_passwd); -- cgit From 2864ac574b7d2c7422b632068ace7a02dcc61cee Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 21 Mar 2000 21:08:07 +0000 Subject: indent update to make t easier to see setuid mods in TNG. some code from these modules i had to leave out (nothing to do withj setuid) (This used to be commit 96717211edcc389daa4494907251ffb79ffa56d9) --- source3/auth/pass_check.c | 825 ++++++++++++++++++++++++++-------------------- 1 file changed, 459 insertions(+), 366 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 11ce0d754e..c3e5669747 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -27,9 +27,9 @@ extern int DEBUGLEVEL; /* these are kept here to keep the string_combinations function simple */ -static char this_user[100]=""; -static char this_salt[100]=""; -static char this_crypted[100]=""; +static char this_user[100] = ""; +static char this_salt[100] = ""; +static char this_crypted[100] = ""; #ifdef WITH_PAM @@ -49,88 +49,94 @@ static char *PAM_password; * Here we assume (for now, at least) that echo on means login name, and * echo off means password. */ -static int PAM_conv (int num_msg, - const struct pam_message **msg, - struct pam_response **resp, - void *appdata_ptr) { - int replies = 0; - struct pam_response *reply = NULL; - - #define COPY_STRING(s) (s) ? strdup(s) : NULL - - reply = malloc(sizeof(struct pam_response) * num_msg); - if (!reply) return PAM_CONV_ERR; - - for (replies = 0; replies < num_msg; replies++) { - switch (msg[replies]->msg_style) { - case PAM_PROMPT_ECHO_ON: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(PAM_username); - /* PAM frees resp */ - break; - case PAM_PROMPT_ECHO_OFF: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(PAM_password); - /* PAM frees resp */ - break; - case PAM_TEXT_INFO: - /* fall through */ - case PAM_ERROR_MSG: - /* ignore it... */ - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = NULL; - break; - default: - /* Must be an error of some sort... */ - free (reply); - return PAM_CONV_ERR; - } - } - if (reply) *resp = reply; - return PAM_SUCCESS; +static int PAM_conv(int num_msg, + const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + int replies = 0; + struct pam_response *reply = NULL; + +#define COPY_STRING(s) (s) ? strdup(s) : NULL + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) + return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) + { + switch (msg[replies]->msg_style) + { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = + COPY_STRING(PAM_username); + /* PAM frees resp */ + break; + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = + COPY_STRING(PAM_password); + /* PAM frees resp */ + break; + case PAM_TEXT_INFO: + /* fall through */ + case PAM_ERROR_MSG: + /* ignore it... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + default: + /* Must be an error of some sort... */ + free(reply); + return PAM_CONV_ERR; + } + } + if (reply) + *resp = reply; + return PAM_SUCCESS; } static struct pam_conv PAM_conversation = { - &PAM_conv, - NULL + &PAM_conv, + NULL }; -static BOOL pam_auth(char *user,char *password) +static BOOL pam_auth(char *user, char *password) { - pam_handle_t *pamh; - int pam_error; - - /* Now use PAM to do authentication. For now, we won't worry about - * session logging, only authentication. Bail out if there are any - * errors. Since this is a limited protocol, and an even more limited - * function within a server speaking this protocol, we can't be as - * verbose as would otherwise make sense. - * Query: should we be using PAM_SILENT to shut PAM up? - */ - #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \ + pam_handle_t *pamh; + int pam_error; + + /* Now use PAM to do authentication. For now, we won't worry about + * session logging, only authentication. Bail out if there are any + * errors. Since this is a limited protocol, and an even more limited + * function within a server speaking this protocol, we can't be as + * verbose as would otherwise make sense. + * Query: should we be using PAM_SILENT to shut PAM up? + */ +#define PAM_BAIL if (pam_error != PAM_SUCCESS) { \ pam_end(pamh, 0); return False; \ } - PAM_password = password; - PAM_username = user; - pam_error = pam_start("samba", user, &PAM_conversation, &pamh); - PAM_BAIL; + PAM_password = password; + PAM_username = user; + pam_error = pam_start("samba", user, &PAM_conversation, &pamh); + PAM_BAIL; /* Setting PAM_SILENT stops generation of error messages to syslog * to enable debugging on Red Hat Linux set: * /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging) */ - pam_error = pam_authenticate(pamh, PAM_SILENT); - PAM_BAIL; - /* It is not clear to me that account management is the right thing - * to do, but it is not clear that it isn't, either. This can be - * removed if no account management should be done. Alternately, - * put a pam_allow.so entry in /etc/pam.conf for account handling. */ - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_BAIL; - pam_end(pamh, PAM_SUCCESS); - /* If this point is reached, the user has been authenticated. */ - return(True); + pam_error = pam_authenticate(pamh, PAM_SILENT); + PAM_BAIL; + /* It is not clear to me that account management is the right thing + * to do, but it is not clear that it isn't, either. This can be + * removed if no account management should be done. Alternately, + * put a pam_allow.so entry in /etc/pam.conf for account handling. */ + pam_error = pam_acct_mgmt(pamh, PAM_SILENT); + PAM_BAIL; + pam_end(pamh, PAM_SUCCESS); + /* If this point is reached, the user has been authenticated. */ + return (True); } #endif @@ -143,27 +149,27 @@ static BOOL pam_auth(char *user,char *password) /******************************************************************* check on AFS authentication ********************************************************************/ -static BOOL afs_auth(char *user,char *password) +static BOOL afs_auth(char *user, char *password) { long password_expires = 0; char *reason; - + /* For versions of AFS prior to 3.3, this routine has few arguments, */ /* but since I can't find the old documentation... :-) */ setpag(); - if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG, - user, - (char *) 0, /* instance */ - (char *) 0, /* cell */ - password, - 0, /* lifetime, default */ - &password_expires, /*days 'til it expires */ - 0, /* spare 2 */ - &reason) == 0) { - return(True); - } - DEBUG(1,("AFS authentication for \"%s\" failed (%s)\n", user, reason)); - return(False); + if (ka_UserAuthenticateGeneral + (KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, user, (char *)0, /* instance */ + (char *)0, /* cell */ + password, 0, /* lifetime, default */ + &password_expires, /*days 'til it expires */ + 0, /* spare 2 */ + &reason) == 0) + { + return (True); + } + DEBUG(1, + ("AFS authentication for \"%s\" failed (%s)\n", user, reason)); + return (False); } #endif @@ -192,7 +198,7 @@ int dcelogin_atmost_once = 0; /******************************************************************* check on a DCE/DFS authentication ********************************************************************/ -static BOOL dfs_auth(char *user,char *password) +static BOOL dfs_auth(char *user, char *password) { error_status_t err; int err2; @@ -205,7 +211,8 @@ static BOOL dfs_auth(char *user,char *password) unsigned char dce_errstr[dce_c_error_string_len]; gid_t egid; - if (dcelogin_atmost_once) return(False); + if (dcelogin_atmost_once) + return (False); #ifdef HAVE_CRYPT /* @@ -214,112 +221,125 @@ static BOOL dfs_auth(char *user,char *password) * Assumes local passwd file is kept in sync w/ DCE RGY! */ - if (strcmp((char *)crypt(password,this_salt),this_crypted)) { - return(False); + if (strcmp((char *)crypt(password, this_salt), this_crypted)) + { + return (False); } #endif sec_login_get_current_context(&my_dce_sec_context, &err); - if (err != error_status_ok ) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get current context. %s\n", dce_errstr)); + DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); - return(False); + return (False); } sec_login_certify_identity(my_dce_sec_context, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get current context. %s\n", dce_errstr)); - - return(False); + DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); + + return (False); } sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); - - return(False); + DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); + + return (False); } - + time(¤t_time); - if (expire_time < (current_time + 60)) { - struct passwd *pw; + if (expire_time < (current_time + 60)) + { + struct passwd *pw; sec_passwd_rec_t *key; - - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t*)&pw, &err); - if (err != error_status_ok ) { + + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t *) & pw, &err); + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); - - return(False); + DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); + + return (False); } - + sec_login_refresh_identity(my_dce_sec_context, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't refresh identity. %s\n", - dce_errstr)); - - return(False); + DEBUG(0, ("DCE can't refresh identity. %s\n", + dce_errstr)); + + return (False); } - + sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, (unsigned char *)pw->pw_name, sec_c_key_version_none, - (void**)&key, &err); - if (err != error_status_ok) { + (void **)&key, &err); + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get key for %s. %s\n", - pw->pw_name, dce_errstr)); + DEBUG(0, ("DCE can't get key for %s. %s\n", + pw->pw_name, dce_errstr)); - return(False); + return (False); } - + sec_login_valid_and_cert_ident(my_dce_sec_context, key, - &password_reset, &auth_src, + &password_reset, &auth_src, &err); - if (err != error_status_ok ) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't validate and certify identity for %s. %s\n", - pw->pw_name, dce_errstr)); + DEBUG(0, + ("DCE can't validate and certify identity for %s. %s\n", + pw->pw_name, dce_errstr)); } - + sec_key_mgmt_free_key(key, &err); - if (err != error_status_ok ) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't free key.\n", dce_errstr)); + DEBUG(0, ("DCE can't free key.\n", dce_errstr)); } } if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, - &my_dce_sec_context, - &err) == 0) { + &my_dce_sec_context, &err) == 0) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE Setup Identity for %s failed: %s\n", - user,dce_errstr)); - return(False); + DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", + user, dce_errstr)); + return (False); } - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t*)&pw, &err); - if (err != error_status_ok) { + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t *) & pw, &err); + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); - - return(False); + DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); + + return (False); } sec_login_purge_context(&my_dce_sec_context, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't purge context. %s\n", dce_errstr)); + DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr)); - return(False); + return (False); } /* @@ -330,117 +350,129 @@ static BOOL dfs_auth(char *user,char *password) * this should be ok. I have added code to go * back to being root on error though. JRA. */ - + egid = getegid(); - if (set_effective_gid(pw->pw_gid) != 0) { - DEBUG(0,("Can't set egid to %d (%s)\n", - pw->pw_gid, strerror(errno))); + if (set_effective_gid(pw->pw_gid) != 0) + { + DEBUG(0, ("Can't set egid to %d (%s)\n", + pw->pw_gid, strerror(errno))); return False; } - if (set_effective_uid(pw->pw_uid) != 0) { + if (set_effective_uid(pw->pw_uid) != 0) + { set_effective_gid(egid); - DEBUG(0,("Can't set euid to %d (%s)\n", - pw->pw_uid, strerror(errno))); + DEBUG(0, ("Can't set euid to %d (%s)\n", + pw->pw_uid, strerror(errno))); return False; } - + if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, - &my_dce_sec_context, - &err) == 0) { + &my_dce_sec_context, &err) == 0) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE Setup Identity for %s failed: %s\n", - user,dce_errstr)); + DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", + user, dce_errstr)); goto err; } - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t*)&pw, &err); - if (err != error_status_ok ) { + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t *) & pw, &err); + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); + DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); goto err; } passwd_rec.version_number = sec_passwd_c_version_none; passwd_rec.pepper = NULL; passwd_rec.key.key_type = sec_passwd_plain; - passwd_rec.key.tagged_union.plain = (idl_char *)password; - + passwd_rec.key.tagged_union.plain = (idl_char *) password; + sec_login_validate_identity(my_dce_sec_context, &passwd_rec, &password_reset, &auth_src, &err); - if (err != error_status_ok ) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n", - user,dce_errstr)); + DEBUG(0, + ("DCE Identity Validation failed for principal %s: %s\n", + user, dce_errstr)); goto err; } sec_login_certify_identity(my_dce_sec_context, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr)); + DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr)); goto err; } - if (auth_src != sec_login_auth_src_network) { - DEBUG(0,("DCE context has no network credentials.\n")); + if (auth_src != sec_login_auth_src_network) + { + DEBUG(0, ("DCE context has no network credentials.\n")); } sec_login_set_context(my_dce_sec_context, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n", - user,dce_errstr)); - + DEBUG(0, + ("DCE login failed for principal %s, cant set context: %s\n", + user, dce_errstr)); + sec_login_purge_context(&my_dce_sec_context, &err); goto err; } - - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t*)&pw, &err); - if (err != error_status_ok) { + + sec_login_get_pwent(my_dce_sec_context, + (sec_login_passwd_t *) & pw, &err); + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); + DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); goto err; } - - DEBUG(0,("DCE login succeeded for principal %s on pid %d\n", - user, getpid())); - - DEBUG(3,("DCE principal: %s\n" - " uid: %d\n" - " gid: %d\n", - pw->pw_name, pw->pw_uid, pw->pw_gid)); - DEBUG(3,(" info: %s\n" - " dir: %s\n" - " shell: %s\n", - pw->pw_gecos, pw->pw_dir, pw->pw_shell)); - + + DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n", + user, getpid())); + + DEBUG(3, ("DCE principal: %s\n" + " uid: %d\n" + " gid: %d\n", + pw->pw_name, pw->pw_uid, pw->pw_gid)); + DEBUG(3, (" info: %s\n" + " dir: %s\n" + " shell: %s\n", + pw->pw_gecos, pw->pw_dir, pw->pw_shell)); + sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); + DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); goto err; } - + set_effective_uid(0); set_effective_gid(0); - - DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time)))); - + + DEBUG(0, + ("DCE context expires: %s", asctime(localtime(&expire_time)))); + dcelogin_atmost_once = 1; return (True); -err: + err: /* Go back to root, JRA. */ set_effective_uid(0); set_effective_gid(egid); - return(False); + return (False); } void dfs_unlogin(void) @@ -448,12 +480,14 @@ void dfs_unlogin(void) error_status_t err; int err2; unsigned char dce_errstr[dce_c_error_string_len]; - + sec_login_purge_context(&my_dce_sec_context, &err); - if (err != error_status_ok) { + if (err != error_status_ok) + { dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0,("DCE purge login context failed for server instance %d: %s\n", - getpid(), dce_errstr)); + DEBUG(0, + ("DCE purge login context failed for server instance %d: %s\n", + getpid(), dce_errstr)); } } #endif @@ -465,19 +499,19 @@ void dfs_unlogin(void) /******************************************************************* check on Kerberos authentication ********************************************************************/ -static BOOL krb5_auth(char *user,char *password) +static BOOL krb5_auth(char *user, char *password) { krb5_data tgtname = { 0, KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME - }; + KRB5_TGS_NAME + }; krb5_context kcontext; krb5_principal kprinc; krb5_principal server; krb5_creds kcreds; int options = 0; - krb5_address **addrs = (krb5_address **)0; + krb5_address **addrs = (krb5_address **) 0; krb5_preauthtype *preauth = NULL; krb5_keytab keytab = NULL; krb5_timestamp now; @@ -485,35 +519,45 @@ static BOOL krb5_auth(char *user,char *password) int retval; char *name; - if (retval=krb5_init_context(&kcontext)) { - return(False); + if (retval = krb5_init_context(&kcontext)) + { + return (False); } - if (retval = krb5_timeofday(kcontext, &now)) { - return(False); + if (retval = krb5_timeofday(kcontext, &now)) + { + return (False); } - if (retval = krb5_cc_default(kcontext, &ccache)) { - return(False); + if (retval = krb5_cc_default(kcontext, &ccache)) + { + return (False); } - - if (retval = krb5_parse_name(kcontext, user, &kprinc)) { - return(False); + + if (retval = krb5_parse_name(kcontext, user, &kprinc)) + { + return (False); } ZERO_STRUCT(kcreds); kcreds.client = kprinc; - + if ((retval = krb5_build_principal_ext(kcontext, &server, - krb5_princ_realm(kcontext, kprinc)->length, - krb5_princ_realm(kcontext, kprinc)->data, - tgtname.length, - tgtname.data, - krb5_princ_realm(kcontext, kprinc)->length, - krb5_princ_realm(kcontext, kprinc)->data, - 0))) { - return(False); + krb5_princ_realm(kcontext, + kprinc)-> + length, + krb5_princ_realm(kcontext, + kprinc)->data, + tgtname.length, tgtname.data, + krb5_princ_realm(kcontext, + kprinc)-> + length, + krb5_princ_realm(kcontext, + kprinc)->data, + 0))) + { + return (False); } kcreds.server = server; @@ -523,16 +567,14 @@ static BOOL krb5_auth(char *user,char *password) addrs, NULL, preauth, - password, - 0, - &kcreds, - 0); + password, 0, &kcreds, 0); - if (retval) { - return(False); + if (retval) + { + return (False); } - return(True); + return (True); } #endif /* KRB5_AUTH */ @@ -542,22 +584,22 @@ static BOOL krb5_auth(char *user,char *password) /******************************************************************* check on Kerberos authentication ********************************************************************/ -static BOOL krb4_auth(char *user,char *password) +static BOOL krb4_auth(char *user, char *password) { char realm[REALM_SZ]; char tkfile[MAXPATHLEN]; - - if (krb_get_lrealm(realm, 1) != KSUCCESS) { - (void) safe_strcpy(realm, KRB_REALM, sizeof (realm) - 1); + + if (krb_get_lrealm(realm, 1) != KSUCCESS) + { + (void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1); } - (void) slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", - (int)getpid()); - + (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", + (int)getpid()); + krb_set_tkt_string(tkfile); - if (krb_verify_user(user, "", realm, - password, 0, - "rmcd") == KSUCCESS) { + if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS) + { unlink(tkfile); return 1; } @@ -570,24 +612,25 @@ static BOOL krb4_auth(char *user,char *password) /**************************************************************************** an enhanced crypt for Linux to handle password longer than 8 characters ****************************************************************************/ -static int linux_bigcrypt(char *password,char *salt1, char *crypted) +static int linux_bigcrypt(char *password, char *salt1, char *crypted) { #define LINUX_PASSWORD_SEG_CHARS 8 char salt[3]; int i; - - StrnCpy(salt,salt1,2); - crypted +=2; - - for ( i=strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) { - char * p = crypt(password,salt) + 2; + + StrnCpy(salt, salt1, 2); + crypted += 2; + + for (i = strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) + { + char *p = crypt(password, salt) + 2; if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0) - return(0); + return (0); password += LINUX_PASSWORD_SEG_CHARS; - crypted += strlen(p); + crypted += strlen(p); } - - return(1); + + return (1); } #endif @@ -595,30 +638,33 @@ static int linux_bigcrypt(char *password,char *salt1, char *crypted) /**************************************************************************** an enhanced crypt for OSF1 ****************************************************************************/ -static char *osf1_bigcrypt(char *password,char *salt1) +static char *osf1_bigcrypt(char *password, char *salt1) { static char result[AUTH_MAX_PASSWD_LENGTH] = ""; char *p1; - char *p2=password; + char *p2 = password; char salt[3]; int i; int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS; - if (strlen(password)%AUTH_CLEARTEXT_SEG_CHARS) { + if (strlen(password) % AUTH_CLEARTEXT_SEG_CHARS) + { parts++; } - - StrnCpy(salt,salt1,2); - StrnCpy(result,salt1,2); - result[2]='\0'; - for (i=0; i= len) { - return(fn(s)); + if (N <= 0 || offset >= len) + { + return (fn(s)); } - for (i=offset;i<(len-(N-1));i++) { + for (i = offset; i < (len - (N - 1)); i++) + { char c = s[i]; - if (!islower(c)) continue; + if (!islower(c)) + continue; s[i] = toupper(c); - if (string_combinations2(s,i+1,fn,N-1)) - return(True); + if (string_combinations2(s, i + 1, fn, N - 1)) + return (True); s[i] = c; } - return(False); + return (False); } /**************************************************************************** @@ -661,12 +711,13 @@ try all combinations with up to N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N) +static BOOL string_combinations(char *s, BOOL (*fn) (char *), int N) { int n; - for (n=1;n<=N;n++) - if (string_combinations2(s,0,fn,n)) return(True); - return(False); + for (n = 1; n <= N; n++) + if (string_combinations2(s, 0, fn, n)) + return (True); + return (False); } @@ -685,43 +736,56 @@ static BOOL password_check(char *password) settings say it should fail. if (pam_auth(user,password)) return(True); Hence we make a direct return to avoid a second chance!!! - */ - return (pam_auth(this_user,password)); + */ + return (pam_auth(this_user, password)); #endif /* WITH_PAM */ - + #ifdef WITH_AFS - if (afs_auth(this_user,password)) return(True); + if (afs_auth(this_user, password)) + return (True); #endif /* WITH_AFS */ - + #ifdef WITH_DFS - if (dfs_auth(this_user,password)) return(True); + if (dfs_auth(this_user, password)) + return (True); #endif /* WITH_DFS */ #ifdef KRB5_AUTH - if (krb5_auth(this_user,password)) return(True); + if (krb5_auth(this_user, password)) + return (True); #endif /* KRB5_AUTH */ #ifdef KRB4_AUTH - if (krb4_auth(this_user,password)) return(True); + if (krb4_auth(this_user, password)) + return (True); #endif /* KRB4_AUTH */ #ifdef OSF1_ENH_SEC { - BOOL ret = (strcmp(osf1_bigcrypt(password,this_salt),this_crypted) == 0); - if(!ret) { - DEBUG(2,("OSF1_ENH_SEC failed. Trying normal crypt.\n")); - ret = (strcmp((char *)crypt(password,this_salt),this_crypted) == 0); - } - return ret; + BOOL ret = + (strcmp + (osf1_bigcrypt(password, this_salt), + this_crypted) == 0); + if (!ret) + { + DEBUG(2, + ("OSF1_ENH_SEC failed. Trying normal crypt.\n")); + ret = + (strcmp + ((char *)crypt(password, this_salt), + this_crypted) == 0); + } + return ret; } #endif /* OSF1_ENH_SEC */ #ifdef ULTRIX_AUTH - return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0); + return (strcmp((char *)crypt16(password, this_salt), this_crypted) == + 0); #endif /* ULTRIX_AUTH */ #ifdef LINUX_BIGCRYPT - return(linux_bigcrypt(password,this_salt,this_crypted)); + return (linux_bigcrypt(password, this_salt, this_crypted)); #endif /* LINUX_BIGCRYPT */ #if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS) @@ -733,21 +797,24 @@ static BOOL password_check(char *password) * by crypt. */ - if(strcmp(bigcrypt(password,this_salt),this_crypted) == 0) + if (strcmp(bigcrypt(password, this_salt), this_crypted) == 0) return True; - else - return (strcmp((char *)crypt(password,this_salt),this_crypted) == 0); + else + return (strcmp + ((char *)crypt(password, this_salt), + this_crypted) == 0); #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ #ifdef HAVE_BIGCRYPT - return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0); + return (strcmp(bigcrypt(password, this_salt), this_crypted) == 0); #endif /* HAVE_BIGCRYPT */ #ifndef HAVE_CRYPT - DEBUG(1,("Warning - no crypt available\n")); - return(False); + DEBUG(1, ("Warning - no crypt available\n")); + return (False); #else /* HAVE_CRYPT */ - return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0); + return (strcmp((char *)crypt(password, this_salt), this_crypted) == + 0); #endif /* HAVE_CRYPT */ #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ } @@ -760,40 +827,47 @@ the function pointer fn() points to a function to call when a successful match is found and is used to update the encrypted password file return True on correct match, False otherwise ****************************************************************************/ -BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, - BOOL (*fn)(char *, char *)) +BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, + BOOL (*fn) (char *, char *)) { pstring pass2; int level = lp_passwordlevel(); struct passwd *pass; - if (password) password[pwlen] = 0; + if (password) + password[pwlen] = 0; #if DEBUG_PASSWORD - DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password)); + DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password)); #endif - if (!password) { - return(False); + if (!password) + { + return (False); } - if (((!*password) || (!pwlen)) && !lp_null_passwords()) { - return(False); + if (((!*password) || (!pwlen)) && !lp_null_passwords()) + { + return (False); } - if (pwd && !user) { - pass = (struct passwd *) pwd; + if (pwd && !user) + { + pass = (struct passwd *)pwd; user = pass->pw_name; - } else { - pass = Get_Pwnam(user,True); + } + else + { + pass = Get_Pwnam(user, True); } - DEBUG(4,("Checking password for user %s (l=%d)\n",user,pwlen)); + DEBUG(4, ("Checking password for user %s (l=%d)\n", user, pwlen)); - if (!pass) { - DEBUG(3,("Couldn't find user %s\n",user)); - return(False); + if (!pass) + { + DEBUG(3, ("Couldn't find user %s\n", user)); + return (False); } #ifdef HAVE_GETSPNAM @@ -806,8 +880,9 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, perhaps for IPC password changing requests */ spass = getspnam(pass->pw_name); - if (spass && spass->sp_pwdp) { - pstrcpy(pass->pw_passwd,spass->sp_pwdp); + if (spass && spass->sp_pwdp) + { + pstrcpy(pass->pw_passwd, spass->sp_pwdp); } } #elif defined(IA_UINFO) @@ -817,7 +892,8 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, UnixWare 2.x, tested on version 2.1. (tangent@cyberport.com) */ uinfo_t uinfo; - if (ia_openinfo(pass->pw_name, &uinfo) != -1) { + if (ia_openinfo(pass->pw_name, &uinfo) != -1) + { ia_get_logpwd(uinfo, &(pass->pw_passwd)); } } @@ -827,22 +903,26 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, { struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); if (pr_pw && pr_pw->ufld.fd_encrypt) - pstrcpy(pass->pw_passwd,pr_pw->ufld.fd_encrypt); + pstrcpy(pass->pw_passwd, pr_pw->ufld.fd_encrypt); } #endif #ifdef OSF1_ENH_SEC { struct pr_passwd *mypasswd; - DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n", - user)); - mypasswd = getprpwnam (user); - if (mypasswd) { - fstrcpy(pass->pw_name,mypasswd->ufld.fd_name); - fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt); - } else { - DEBUG(5,("OSF1_ENH_SEC: No entry for user %s in protected database !\n", - user)); + DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n", + user)); + mypasswd = getprpwnam(user); + if (mypasswd) + { + fstrcpy(pass->pw_name, mypasswd->ufld.fd_name); + fstrcpy(pass->pw_passwd, mypasswd->ufld.fd_encrypt); + } + else + { + DEBUG(5, + ("OSF1_ENH_SEC: No entry for user %s in protected database !\n", + user)); } } #endif @@ -850,7 +930,8 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, #ifdef ULTRIX_AUTH { AUTHORIZATION *ap = getauthuid(pass->pw_uid); - if (ap) { + if (ap) + { fstrcpy(pass->pw_passwd, ap->a_password); endauthent(); } @@ -858,72 +939,84 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, #endif /* extract relevant info */ - fstrcpy(this_user,pass->pw_name); - fstrcpy(this_salt,pass->pw_passwd); + fstrcpy(this_user, pass->pw_name); + fstrcpy(this_salt, pass->pw_passwd); #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) won't work with more than 2 salt characters. */ this_salt[2] = 0; #endif - - fstrcpy(this_crypted,pass->pw_passwd); - - if (!*this_crypted) { - if (!lp_null_passwords()) { - DEBUG(2,("Disallowing %s with null password\n", - this_user)); - return(False); + + fstrcpy(this_crypted, pass->pw_passwd); + + if (!*this_crypted) + { + if (!lp_null_passwords()) + { + DEBUG(2, ("Disallowing %s with null password\n", + this_user)); + return (False); } - if (!*password) { - DEBUG(3,("Allowing access to %s with null password\n", - this_user)); - return(True); + if (!*password) + { + DEBUG(3, + ("Allowing access to %s with null password\n", + this_user)); + return (True); } } /* try it as it came to us */ - if (password_check(password)) { - if (fn) fn(user,password); - return(True); + if (password_check(password)) + { + if (fn) + fn(user, password); + return (True); } /* if the password was given to us with mixed case then we don't need to proceed as we know it hasn't been case modified by the client */ - if (strhasupper(password) && strhaslower(password)) { - return(False); + if (strhasupper(password) && strhaslower(password)) + { + return (False); } /* make a copy of it */ - StrnCpy(pass2,password,sizeof(pstring)-1); - + StrnCpy(pass2, password, sizeof(pstring) - 1); + /* try all lowercase */ strlower(password); - if (password_check(password)) { - if (fn) fn(user,password); - return(True); + if (password_check(password)) + { + if (fn) + fn(user, password); + return (True); } /* give up? */ - if (level < 1) { + if (level < 1) + { /* restore it */ - fstrcpy(password,pass2); - - return(False); + fstrcpy(password, pass2); + + return (False); } /* last chance - all combinations of up to level chars upper! */ strlower(password); - if (string_combinations(password,password_check,level)) { - if (fn) fn(user,password); - return(True); + if (string_combinations(password, password_check, level)) + { + if (fn) + fn(user, password); + return (True); } /* restore it */ - fstrcpy(password,pass2); - - return(False); + fstrcpy(password, pass2); + + return (False); } -- cgit From 693ffb8466ada58ecc59fde754ba79fc6f51528d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 May 2000 02:23:41 +0000 Subject: Added sys_fork() and sys_getpid() functions to stop the overhead of doing a system call every time we want to just get our pid. Jeremy. (This used to be commit 148628b616b5c29ba6340d65fc3ddbcabba6e67a) --- source3/auth/pass_check.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index c3e5669747..0496ed9961 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -439,7 +439,7 @@ static BOOL dfs_auth(char *user, char *password) } DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n", - user, getpid())); + user, sys_getpid())); DEBUG(3, ("DCE principal: %s\n" " uid: %d\n" @@ -487,7 +487,7 @@ void dfs_unlogin(void) dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE purge login context failed for server instance %d: %s\n", - getpid(), dce_errstr)); + sys_getpid(), dce_errstr)); } } #endif @@ -595,7 +595,7 @@ static BOOL krb4_auth(char *user, char *password) } (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", - (int)getpid()); + (int)sys_getpid()); krb_set_tkt_string(tkfile); if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS) -- cgit From f0080e5a3979fac94d6668cf6ee9d9f61302839c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 1 Jun 2000 17:01:34 +0000 Subject: Getting back to a compilable state (not there yet but close). Added patches for random -> sys_random. Added set_effective_xxx patches for AFS code. Memory allocation changes in spoolss code. Jeremy. (This used to be commit c2099cfb033c2cdb6035f4f7f50ce21b98e1584d) --- source3/auth/pass_check.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 0496ed9961..aea543d853 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -353,20 +353,8 @@ static BOOL dfs_auth(char *user, char *password) egid = getegid(); - if (set_effective_gid(pw->pw_gid) != 0) - { - DEBUG(0, ("Can't set egid to %d (%s)\n", - pw->pw_gid, strerror(errno))); - return False; - } - - if (set_effective_uid(pw->pw_uid) != 0) - { - set_effective_gid(egid); - DEBUG(0, ("Can't set euid to %d (%s)\n", - pw->pw_uid, strerror(errno))); - return False; - } + set_effective_gid(pw->pw_gid); + set_effective_uid(pw->pw_uid); if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, -- cgit From b5eb73d9aa3e25aee0ef800961dc8345229fc779 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 8 Feb 2001 18:39:36 +0000 Subject: add pam_setcred() call to pam_auth(). Patch was submited last Oct. jerry (This used to be commit 57165d1578eefa270d5c0bd8697a774eb8cb06cf) --- source3/auth/pass_check.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index aea543d853..c803816e04 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -134,6 +134,14 @@ static BOOL pam_auth(char *user, char *password) * put a pam_allow.so entry in /etc/pam.conf for account handling. */ pam_error = pam_acct_mgmt(pamh, PAM_SILENT); PAM_BAIL; + + /* + * This will allow samba to aquire a kerberos token. And, when + * exporting an AFS cell, be able to /write/ to this cell. + */ + pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); + PAM_BAIL; + pam_end(pamh, PAM_SUCCESS); /* If this point is reached, the user has been authenticated. */ return (True); -- cgit From ef1a7311cec15f4444c80b92301de0dec92df288 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 10 Apr 2001 18:10:38 +0000 Subject: Added JohnT and Andrew Bartlett's PAM changes. Jeremy. (This used to be commit ecd00e258c6fe4e8d90f48da74874e090dce4a40) --- source3/auth/pampass.c | 440 ++++++++++++++++++++++++++++++++++++++++++++++ source3/auth/pass_check.c | 138 +-------------- 2 files changed, 444 insertions(+), 134 deletions(-) create mode 100644 source3/auth/pampass.c (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c new file mode 100644 index 0000000000..a23727b689 --- /dev/null +++ b/source3/auth/pampass.c @@ -0,0 +1,440 @@ +/* + Unix SMB/Netbios implementation. + Version 2.2. + PAM Password checking + Copyright (C) Andrew Tridgell 1992-2001 + Copyright (C) John H Terpsta 1999-2001 + Copyright (C) Andrew Barton 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* + * This module provides PAM based functions for validation of + * username/password pairs, account managment, session and access control. + * Note: SMB password checking is done in smbpass.c + */ + +#include "includes.h" + +extern int DEBUGLEVEL; + +#ifdef WITH_PAM + +/******************************************************************* + * Handle PAM authentication + * - Access, Authentication, Session, Password + * Note: See PAM Documentation and refer to local system PAM implementation + * which determines what actions/limitations/allowances become affected. + *********************************************************************/ + +#include + +/* + * Static variables used to communicate between the conversation function + * and the server_login function + */ + +static char *PAM_username; +static char *PAM_password; + +/* + * Macros to help make life easy + */ +#define COPY_STRING(s) (s) ? strdup(s) : NULL + +/* + * Macro converted to a function to simplyify this thing + */ +static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +{ + + int retval; + + if( pam_error != PAM_SUCCESS) + { + DEBUG(dbglvl, ("PAM %s: %s\n", pam_strerror(pamh, pam_error))); + return False; + } + return True; +} + +/* + * PAM conversation function + * Here we assume (for now, at least) that echo on means login name, and + * echo off means password. + */ + +static int PAM_conv(int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr) +{ + int replies = 0; + struct pam_response *reply = NULL; + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) + return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) + { + switch (msg[replies]->msg_style) + { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = + COPY_STRING(PAM_username); + /* PAM frees resp */ + break; + + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = + COPY_STRING(PAM_password); + /* PAM frees resp */ + break; + + case PAM_TEXT_INFO: + /* fall through */ + + case PAM_ERROR_MSG: + /* ignore it... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + + default: + /* Must be an error of some sort... */ + free(reply); + return PAM_CONV_ERR; + } + } + if (reply) + *resp = reply; + return PAM_SUCCESS; +} + +static struct pam_conv PAM_conversation = { + &PAM_conv, + NULL +}; + +static BOOL proc_pam_end(pam_handle_t *pamh) +{ + int pam_error; + + if( pamh != NULL ) + { + pam_error = pam_end(pamh, 0); + if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + return True; + } + } + DEBUG(2,("PAM not initialised")); + return False; +} + + +static BOOL pam_auth(char *user, char *password) +{ + pam_handle_t *pamh; + int pam_error; + + /* + * Now use PAM to do authentication. Bail out if there are any + * errors. + */ + + PAM_password = password; + PAM_username = user; + DEBUG(4,("PAM Start for User: %s\n", user)); + pam_error = pam_start("samba", user, &PAM_conversation, &pamh); + if(!pam_error_handler(pamh, pam_error, "start failure", 2)) { + proc_pam_end(pamh); + return False; + } + + /* + * To enable debugging set in /etc/pam.d/samba: + * auth required /lib/security/pam_pwdb.so nullok shadow audit + */ + + pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ + switch( pam_error ){ + case PAM_AUTH_ERR: + DEBUG(2, ("PAM: Athentication Error\n")); + break; + case PAM_CRED_INSUFFICIENT: + DEBUG(2, ("PAM: Insufficient Credentials\n")); + break; + case PAM_AUTHINFO_UNAVAIL: + DEBUG(2, ("PAM: Authentication Information Unavailable\n")); + break; + case PAM_USER_UNKNOWN: + DEBUG(2, ("PAM: Username NOT known to Authentication system\n")); + break; + case PAM_MAXTRIES: + DEBUG(2, ("PAM: One or more authentication modules reports user limit exceeeded\n")); + break; + case PAM_ABORT: + DEBUG(0, ("PAM: One or more PAM modules failed to load\n")); + break; + default: + DEBUG(4, ("PAM: User %s Authenticated OK\n", user)); + } + if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { + proc_pam_end(pamh); + return False; + } + + /* + * Now do account management control and validation + */ + pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ + switch( pam_error ) { + case PAM_AUTHTOK_EXPIRED: + DEBUG(2, ("PAM: User is valid but password is expired\n")); + break; + case PAM_ACCT_EXPIRED: + DEBUG(2, ("PAM: User no longer permitted to access system\n")); + break; + case PAM_AUTH_ERR: + DEBUG(2, ("PAM: There was an authentication error\n")); + break; + case PAM_PERM_DENIED: + DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); + break; + case PAM_USER_UNKNOWN: + DEBUG(2, ("PAM: User \"%s\" is NOT known to account management\n", user)); + break; + default: + DEBUG(4, ("PAM: Account OK for User: %s\n", user)); + } + if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { + proc_pam_end(pamh); + return False; + } + + /* + * This will allow samba to aquire a kerberos token. And, when + * exporting an AFS cell, be able to /write/ to this cell. + */ + + pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); + if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { + proc_pam_end(pamh); + return False; + } + + if( !proc_pam_end(pamh)) + return False; + + /* If this point is reached, the user has been authenticated. */ + DEBUG(4, ("PAM: pam_authentication passed for User: %s\n", user)); + return (True); +} + +#if NOTBLOCKEDOUT +/* Start PAM authentication for specified account */ +static BOOL proc_pam_start(pam_handle_t **pamh, char *user) +{ + int pam_error; + char * rhost; + + DEBUG(4,("PAM Init for user: %s\n", user)); + + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } + + rhost = client_name(); + if (strcmp(rhost,"UNKNOWN") == 0) + rhost = client_addr(); + +#ifdef PAM_RHOST + DEBUG(4,("PAM setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + +#if defined(PAM_TTY_KLUDGE) && defined(PAM_TTY) + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + + return True; +} + +static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance) +{ + int pam_error; + + PAM_password = NULL; + PAM_username = user; + +#ifdef PAM_TTY + DEBUG(4,("PAM tty set to: %s\"\n", tty)); + pam_error = pam_set_item(pamh, PAM_TTY, tty); + if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(pamh); + return False; + } +#endif + + if (instance) { + pam_error = pam_open_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { + proc_pam_end(pamh); + return False; + } + } + else + { + pam_error = pam_close_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { + proc_pam_end(pamh); + return False; + } + } + return (True); +} + +static BOOL pam_account(pam_handle_t *pamh, char *user) +{ + int pam_error; + + PAM_password = NULL; + PAM_username = user; + + DEBUG(4,("PAM starting account management for user: %s \n", user)); + + pam_error = pam_acct_mgmt(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { + proc_pam_end(pamh); + return False; + } else { + DEBUG(4,("PAM account management passed\n")); + } + + /* + * This will allow samba to aquire a kerberos token. And, when + * exporting an AFS cell, be able to /write/ to this cell. + */ + pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); + if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { + proc_pam_end(pamh); + return False; + } + + /* If this point is reached, the user has been authenticated. */ + return (True); +} +static BOOL account_pam(char *user) +{ + /* + * Check the account with the PAM account module: + * - This means that accounts can be disabled + * and or expired with avoidance of samba then just + * bypassing the situation. + */ + + pam_handle_t *pamh = NULL; + char * PAMuser; + + PAMuser = malloc(strlen(user)+1); + /* This is freed by PAM */ + strncpy(PAMuser, user, strlen(user)+1); + + if (proc_pam_start(&pamh, PAMuser)) + { + if (pam_account(pamh, PAMuser)) + { + return proc_pam_end(pamh); + } + } + proc_pam_end(pamh); + return False; +} + +BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) +{ + pam_handle_t *pamh=NULL; + char * user; + + user = malloc(strlen(conn->user)+1); + + /* This is freed by PAM */ + strncpy(user, conn->user, strlen(conn->user)+1); + + if (!proc_pam_start(&pamh, user)) + { + proc_pam_end(pamh); + return False; + } + + if (pam_session(pamh, user, tty, instance)) + { + return proc_pam_end(pamh); + } + else + { + proc_pam_end(pamh); + return False; + } +} + +BOOL pam_passcheck(char * user, char * password) +{ + pam_handle_t *pamh = NULL; + + PAM_username = user; + PAM_password = password; + + if( proc_pam_start(&pamh, user)) + { + if( pam_auth(user, password)) + { + if( account_pam(user)) + { + return( proc_pam_end(pamh)); + } + } + } + proc_pam_end(pamh); + return( False ); +} +#endif /* NOTBLOCKEDOUT */ + +BOOL pam_passcheck( char * user, char * password ) +{ + return( pam_auth( user, password )); + +} +#else + + /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ + + void pampass_dummy_function( void ) { } /*This stops compiler complaints */ + +#endif /* WITH_PAM */ diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index c803816e04..6acbb91606 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -31,124 +31,6 @@ static char this_user[100] = ""; static char this_salt[100] = ""; static char this_crypted[100] = ""; - -#ifdef WITH_PAM -/******************************************************************* -check on PAM authentication -********************************************************************/ - -/* We first need some helper functions */ -#include -/* Static variables used to communicate between the conversation function - * and the server_login function - */ -static char *PAM_username; -static char *PAM_password; - -/* PAM conversation function - * Here we assume (for now, at least) that echo on means login name, and - * echo off means password. - */ -static int PAM_conv(int num_msg, - const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr) -{ - int replies = 0; - struct pam_response *reply = NULL; - -#define COPY_STRING(s) (s) ? strdup(s) : NULL - - reply = malloc(sizeof(struct pam_response) * num_msg); - if (!reply) - return PAM_CONV_ERR; - - for (replies = 0; replies < num_msg; replies++) - { - switch (msg[replies]->msg_style) - { - case PAM_PROMPT_ECHO_ON: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = - COPY_STRING(PAM_username); - /* PAM frees resp */ - break; - case PAM_PROMPT_ECHO_OFF: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = - COPY_STRING(PAM_password); - /* PAM frees resp */ - break; - case PAM_TEXT_INFO: - /* fall through */ - case PAM_ERROR_MSG: - /* ignore it... */ - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = NULL; - break; - default: - /* Must be an error of some sort... */ - free(reply); - return PAM_CONV_ERR; - } - } - if (reply) - *resp = reply; - return PAM_SUCCESS; -} -static struct pam_conv PAM_conversation = { - &PAM_conv, - NULL -}; - - -static BOOL pam_auth(char *user, char *password) -{ - pam_handle_t *pamh; - int pam_error; - - /* Now use PAM to do authentication. For now, we won't worry about - * session logging, only authentication. Bail out if there are any - * errors. Since this is a limited protocol, and an even more limited - * function within a server speaking this protocol, we can't be as - * verbose as would otherwise make sense. - * Query: should we be using PAM_SILENT to shut PAM up? - */ -#define PAM_BAIL if (pam_error != PAM_SUCCESS) { \ - pam_end(pamh, 0); return False; \ - } - PAM_password = password; - PAM_username = user; - pam_error = pam_start("samba", user, &PAM_conversation, &pamh); - PAM_BAIL; -/* Setting PAM_SILENT stops generation of error messages to syslog - * to enable debugging on Red Hat Linux set: - * /etc/pam.d/samba: - * auth required /lib/security/pam_pwdb.so nullok shadow audit - * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging) - */ - pam_error = pam_authenticate(pamh, PAM_SILENT); - PAM_BAIL; - /* It is not clear to me that account management is the right thing - * to do, but it is not clear that it isn't, either. This can be - * removed if no account management should be done. Alternately, - * put a pam_allow.so entry in /etc/pam.conf for account handling. */ - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_BAIL; - - /* - * This will allow samba to aquire a kerberos token. And, when - * exporting an AFS cell, be able to /write/ to this cell. - */ - pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); - PAM_BAIL; - - pam_end(pamh, PAM_SUCCESS); - /* If this point is reached, the user has been authenticated. */ - return (True); -} -#endif - - #ifdef WITH_AFS #include @@ -724,16 +606,7 @@ static BOOL password_check(char *password) { #ifdef WITH_PAM - /* This falls through if the password check fails - - if HAVE_CRYPT is not defined this causes an error msg - saying Warning - no crypt available - - if HAVE_CRYPT is defined this is a potential security hole - as it may authenticate via the crypt call when PAM - settings say it should fail. - if (pam_auth(user,password)) return(True); - Hence we make a direct return to avoid a second chance!!! - */ - return (pam_auth(this_user, password)); + return (pam_passcheck(this_user, password)); #endif /* WITH_PAM */ #ifdef WITH_AFS @@ -946,16 +819,13 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, fstrcpy(this_crypted, pass->pw_passwd); - if (!*this_crypted) - { - if (!lp_null_passwords()) - { + if (!*this_crypted) { + if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", this_user)); return (False); } - if (!*password) - { + if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", this_user)); -- cgit From 6d96224f81039756180d496a95b121768953f5ed Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 10 Apr 2001 19:43:14 +0000 Subject: passdb/pass_check.c: Ensure second check is done only if given username is all in caps. rpc_server/srv_srvsvc_nt.c: Added "CONFIGFILE" arg to scripts so path to smb.conf is given. Jeremy. (This used to be commit 3c4c649951464be51541d5890afb997e3ecfcd23) --- source3/auth/pass_check.c | 88 ++++++++++++++--------------------------------- 1 file changed, 26 insertions(+), 62 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 6acbb91606..236465bc90 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -499,8 +499,7 @@ static int linux_bigcrypt(char *password, char *salt1, char *crypted) StrnCpy(salt, salt1, 2); crypted += 2; - for (i = strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) - { + for (i = strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) { char *p = crypt(password, salt) + 2; if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0) return (0); @@ -525,16 +524,13 @@ static char *osf1_bigcrypt(char *password, char *salt1) int i; int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS; if (strlen(password) % AUTH_CLEARTEXT_SEG_CHARS) - { parts++; - } StrnCpy(salt, salt1, 2); StrnCpy(result, salt1, 2); result[2] = '\0'; - for (i = 0; i < parts; i++) - { + for (i = 0; i < parts; i++) { p1 = crypt(p2, salt); strncat(result, p1 + 2, AUTH_MAX_PASSWD_LENGTH - strlen(p1 + 2) - 1); @@ -565,12 +561,9 @@ static BOOL string_combinations2(char *s, int offset, BOOL (*fn) (char *), #endif if (N <= 0 || offset >= len) - { return (fn(s)); - } - for (i = offset; i < (len - (N - 1)); i++) - { + for (i = offset; i < (len - (N - 1)); i++) { char c = s[i]; if (!islower(c)) continue; @@ -635,22 +628,17 @@ static BOOL password_check(char *password) (strcmp (osf1_bigcrypt(password, this_salt), this_crypted) == 0); - if (!ret) - { + if (!ret) { DEBUG(2, ("OSF1_ENH_SEC failed. Trying normal crypt.\n")); - ret = - (strcmp - ((char *)crypt(password, this_salt), - this_crypted) == 0); + ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); } return ret; } #endif /* OSF1_ENH_SEC */ #ifdef ULTRIX_AUTH - return (strcmp((char *)crypt16(password, this_salt), this_crypted) == - 0); + return (strcmp((char *)crypt16(password, this_salt), this_crypted) == 0); #endif /* ULTRIX_AUTH */ #ifdef LINUX_BIGCRYPT @@ -669,9 +657,7 @@ static BOOL password_check(char *password) if (strcmp(bigcrypt(password, this_salt), this_crypted) == 0) return True; else - return (strcmp - ((char *)crypt(password, this_salt), - this_crypted) == 0); + return (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ #ifdef HAVE_BIGCRYPT @@ -682,8 +668,7 @@ static BOOL password_check(char *password) DEBUG(1, ("Warning - no crypt available\n")); return (False); #else /* HAVE_CRYPT */ - return (strcmp((char *)crypt(password, this_salt), this_crypted) == - 0); + return (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); #endif /* HAVE_CRYPT */ #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ } @@ -711,30 +696,22 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, #endif if (!password) - { return (False); - } if (((!*password) || (!pwlen)) && !lp_null_passwords()) - { return (False); - } - if (pwd && !user) - { + if (pwd && !user) { pass = (struct passwd *)pwd; user = pass->pw_name; - } - else - { + } else { pass = Get_Pwnam(user, True); } DEBUG(4, ("Checking password for user %s (l=%d)\n", user, pwlen)); - if (!pass) - { + if (!pass) { DEBUG(3, ("Couldn't find user %s\n", user)); return (False); } @@ -750,9 +727,7 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, spass = getspnam(pass->pw_name); if (spass && spass->sp_pwdp) - { pstrcpy(pass->pw_passwd, spass->sp_pwdp); - } } #elif defined(IA_UINFO) { @@ -762,9 +737,7 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, 2.1. (tangent@cyberport.com) */ uinfo_t uinfo; if (ia_openinfo(pass->pw_name, &uinfo) != -1) - { ia_get_logpwd(uinfo, &(pass->pw_passwd)); - } } #endif @@ -782,13 +755,10 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n", user)); mypasswd = getprpwnam(user); - if (mypasswd) - { + if (mypasswd) { fstrcpy(pass->pw_name, mypasswd->ufld.fd_name); fstrcpy(pass->pw_passwd, mypasswd->ufld.fd_encrypt); - } - else - { + } else { DEBUG(5, ("OSF1_ENH_SEC: No entry for user %s in protected database !\n", user)); @@ -799,8 +769,7 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, #ifdef ULTRIX_AUTH { AUTHORIZATION *ap = getauthuid(pass->pw_uid); - if (ap) - { + if (ap) { fstrcpy(pass->pw_passwd, ap->a_password); endauthent(); } @@ -834,8 +803,7 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, } /* try it as it came to us */ - if (password_check(password)) - { + if (password_check(password)) { if (fn) fn(user, password); return (True); @@ -844,38 +812,34 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, /* if the password was given to us with mixed case then we don't need to proceed as we know it hasn't been case modified by the client */ - if (strhasupper(password) && strhaslower(password)) - { + if (strhasupper(password) && strhaslower(password)) { return (False); } /* make a copy of it */ StrnCpy(pass2, password, sizeof(pstring) - 1); - /* try all lowercase */ - strlower(password); - if (password_check(password)) - { - if (fn) - fn(user, password); - return (True); + /* try all lowercase if it's currently all uppercase */ + if (strhasupper(password)) { + strlower(password); + if (password_check(password)) { + if (fn) + fn(user, password); + return (True); + } } /* give up? */ - if (level < 1) - { - + if (level < 1) { /* restore it */ fstrcpy(password, pass2); - return (False); } /* last chance - all combinations of up to level chars upper! */ strlower(password); - if (string_combinations(password, password_check, level)) - { + if (string_combinations(password, password_check, level)) { if (fn) fn(user, password); return (True); -- cgit From abd96b890bc03e06672777c73b55a18b9e869620 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 11 Apr 2001 01:29:42 +0000 Subject: Updating pampass from Samba-2.2 code tree. ===> JHT (This used to be commit 88b6043b4e26c2771e0c444376b7017f5048baf8) --- source3/auth/pampass.c | 226 +++++++++++++++++++------------------------------ 1 file changed, 87 insertions(+), 139 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index a23727b689..90a6f773ce 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -56,7 +56,7 @@ static char *PAM_password; #define COPY_STRING(s) (s) ? strdup(s) : NULL /* - * Macro converted to a function to simplyify this thing + * PAM error handler. */ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { @@ -65,7 +65,7 @@ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int if( pam_error != PAM_SUCCESS) { - DEBUG(dbglvl, ("PAM %s: %s\n", pam_strerror(pamh, pam_error))); + DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); return False; } return True; @@ -132,6 +132,9 @@ static struct pam_conv PAM_conversation = { NULL }; +/* + * PAM Closing out cleanup handler + */ static BOOL proc_pam_end(pam_handle_t *pamh) { int pam_error; @@ -140,38 +143,66 @@ static BOOL proc_pam_end(pam_handle_t *pamh) { pam_error = pam_end(pamh, 0); if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + DEBUG(4, ("PAM: PAM_END OK.\n")); return True; } } - DEBUG(2,("PAM not initialised")); + DEBUG(2,("PAM: not initialised")); return False; } - -static BOOL pam_auth(char *user, char *password) +/* + * Start PAM authentication for specified account + */ +static BOOL proc_pam_start(pam_handle_t **pamh, char *user) { - pam_handle_t *pamh; - int pam_error; + int pam_error; + char * rhost; - /* - * Now use PAM to do authentication. Bail out if there are any - * errors. - */ + DEBUG(4,("PAM: Init user: %s\n", user)); - PAM_password = password; - PAM_username = user; - DEBUG(4,("PAM Start for User: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, &pamh); - if(!pam_error_handler(pamh, pam_error, "start failure", 2)) { - proc_pam_end(pamh); - return False; - } + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } + + rhost = client_name(); + if (strcmp(rhost,"UNKNOWN") == 0) + rhost = client_addr(); + +#ifdef PAM_RHOST + DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif +#ifdef PAM_TTY + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + DEBUG(4,("PAM: Init passed for user: %s\n", user)); + return True; +} + +/* + * PAM Authentication Handler + */ +static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) +{ + int pam_error; /* * To enable debugging set in /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit */ + DEBUG(4,("PAM: Authenticate User: %s\n", user)); pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ switch( pam_error ){ case PAM_AUTH_ERR: @@ -199,10 +230,18 @@ static BOOL pam_auth(char *user, char *password) proc_pam_end(pamh); return False; } + /* If this point is reached, the user has been authenticated. */ + return (True); +} - /* - * Now do account management control and validation - */ +/* + * PAM Account Handler + */ +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +{ + int pam_error; + + DEBUG(4,("PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: @@ -218,7 +257,7 @@ static BOOL pam_auth(char *user, char *password) DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); break; case PAM_USER_UNKNOWN: - DEBUG(2, ("PAM: User \"%s\" is NOT known to account management\n", user)); + DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); break; default: DEBUG(4, ("PAM: Account OK for User: %s\n", user)); @@ -239,54 +278,15 @@ static BOOL pam_auth(char *user, char *password) return False; } - if( !proc_pam_end(pamh)) - return False; - /* If this point is reached, the user has been authenticated. */ - DEBUG(4, ("PAM: pam_authentication passed for User: %s\n", user)); return (True); } -#if NOTBLOCKEDOUT -/* Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user) -{ - int pam_error; - char * rhost; - - DEBUG(4,("PAM Init for user: %s\n", user)); - - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); - return False; - } - - rhost = client_name(); - if (strcmp(rhost,"UNKNOWN") == 0) - rhost = client_addr(); - -#ifdef PAM_RHOST - DEBUG(4,("PAM setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); - return False; - } -#endif - -#if defined(PAM_TTY_KLUDGE) && defined(PAM_TTY) - pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); - return False; - } -#endif - - return True; -} -static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance) +/* + * PAM Internal Session Handler + */ +static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -294,7 +294,7 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance PAM_username = user; #ifdef PAM_TTY - DEBUG(4,("PAM tty set to: %s\"\n", tty)); + DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { proc_pam_end(pamh); @@ -302,7 +302,7 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance } #endif - if (instance) { + if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { proc_pam_end(pamh); @@ -320,72 +320,23 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance return (True); } -static BOOL pam_account(pam_handle_t *pamh, char *user) -{ - int pam_error; - - PAM_password = NULL; - PAM_username = user; - - DEBUG(4,("PAM starting account management for user: %s \n", user)); - - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { - proc_pam_end(pamh); - return False; - } else { - DEBUG(4,("PAM account management passed\n")); - } - - /* - * This will allow samba to aquire a kerberos token. And, when - * exporting an AFS cell, be able to /write/ to this cell. - */ - pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); - if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { - proc_pam_end(pamh); - return False; - } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} -static BOOL account_pam(char *user) -{ - /* - * Check the account with the PAM account module: - * - This means that accounts can be disabled - * and or expired with avoidance of samba then just - * bypassing the situation. - */ - - pam_handle_t *pamh = NULL; - char * PAMuser; - - PAMuser = malloc(strlen(user)+1); - /* This is freed by PAM */ - strncpy(PAMuser, user, strlen(user)+1); - - if (proc_pam_start(&pamh, PAMuser)) - { - if (pam_account(pamh, PAMuser)) - { - return proc_pam_end(pamh); - } - } - proc_pam_end(pamh); - return False; -} - -BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) +/* + * PAM Externally accessible Session handler + */ +BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) { - pam_handle_t *pamh=NULL; + pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(conn->user)+1); + if ( user == NULL ) + { + DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + return False; + } /* This is freed by PAM */ - strncpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, conn->user, strlen(conn->user)+1); if (!proc_pam_start(&pamh, user)) { @@ -393,7 +344,7 @@ BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) return False; } - if (pam_session(pamh, user, tty, instance)) + if (proc_pam_session(pamh, user, tty, flag)) { return proc_pam_end(pamh); } @@ -404,6 +355,9 @@ BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) } } +/* + * PAM Password Validation Suite + */ BOOL pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; @@ -413,24 +367,18 @@ BOOL pam_passcheck(char * user, char * password) if( proc_pam_start(&pamh, user)) { - if( pam_auth(user, password)) + if ( pam_auth(pamh, user, password)) { - if( account_pam(user)) + if ( pam_account(pamh, user, password)) { return( proc_pam_end(pamh)); } - } + } } - proc_pam_end(pamh); + DEBUG(0, ("PAM: System Validation Failed - Rejecting User!\n")); return( False ); } -#endif /* NOTBLOCKEDOUT */ -BOOL pam_passcheck( char * user, char * password ) -{ - return( pam_auth( user, password )); - -} #else /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ -- cgit From e5691d44a8e4551abe6290b8994f6fc8568e5759 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 12 Apr 2001 05:32:27 +0000 Subject: Merged John's changes. Jeremy. (This used to be commit add847778bf458238bf2a1b14ab71b8cdfd7aec0) --- source3/auth/pampass.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 90a6f773ce..204deaf8c7 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -180,6 +180,7 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user) } #endif #ifdef PAM_TTY + DEBUG(4,("PAM: setting tty\n")); pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { proc_pam_end(*pamh); @@ -272,6 +273,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) * exporting an AFS cell, be able to /write/ to this cell. */ + DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { proc_pam_end(pamh); -- cgit From abd4296ebf83d15d0a44a7173e4a0b4d711e17d8 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 13 Apr 2001 04:27:50 +0000 Subject: Updated with Andrew Bartlett patch. (This used to be commit 02e84267f74b26bdf7f76c0fc9dbaecbc8574d58) --- source3/auth/pampass.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 204deaf8c7..08f6027a88 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -4,7 +4,7 @@ PAM Password checking Copyright (C) Andrew Tridgell 1992-2001 Copyright (C) John H Terpsta 1999-2001 - Copyright (C) Andrew Barton 2001 + Copyright (C) Andrew Bartlett 2001 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -224,8 +224,11 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) case PAM_ABORT: DEBUG(0, ("PAM: One or more PAM modules failed to load\n")); break; - default: + case PAM_SUCCESS: DEBUG(4, ("PAM: User %s Authenticated OK\n", user)); + break; + default: + DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user)); } if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { proc_pam_end(pamh); @@ -260,8 +263,11 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) case PAM_USER_UNKNOWN: DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); break; - default: + case PAM_SUCCESS: DEBUG(4, ("PAM: Account OK for User: %s\n", user)); + break; + default: + DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user)); } if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { proc_pam_end(pamh); @@ -357,6 +363,27 @@ BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) } } +/* + * PAM Externally accessible Account handler + */ +BOOL pam_accountcheck(char * user) +{ + pam_handle_t *pamh = NULL; + + PAM_username = user; + PAM_password = NULL; + + if( proc_pam_start(&pamh, user)) + { + if ( pam_account(pamh, user, NULL)) + { + return( proc_pam_end(pamh)); + } + } + DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); + return( False ); +} + /* * PAM Password Validation Suite */ -- cgit From a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 18 Apr 2001 04:34:42 +0000 Subject: patch from Steve Langasek to make sure we don't use pam_setcred() if we haven't called pam_authenticate() Merge from 2.2 Jeremy. (This used to be commit 89589895e3adce75ecd6205547392326cf291543) --- source3/auth/pampass.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 08f6027a88..271c46045b 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -61,8 +61,6 @@ static char *PAM_password; static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { - int retval; - if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); @@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) /* * PAM Account Handler */ -static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) { int pam_error; @@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) return False; } + /* Skip the pam_setcred() call if we didn't use pam_authenticate() + for authentication -- it's an error to call pam_setcred without + calling pam_authenticate first */ + if (!pam_auth) { + DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user)); + return True; + } + /* * This will allow samba to aquire a kerberos token. And, when * exporting an AFS cell, be able to /write/ to this cell. @@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user) if( proc_pam_start(&pamh, user)) { - if ( pam_account(pamh, user, NULL)) + if ( pam_account(pamh, user, NULL, False)) { return( proc_pam_end(pamh)); } @@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password) { if ( pam_auth(pamh, user, password)) { - if ( pam_account(pamh, user, password)) + if ( pam_account(pamh, user, password, True)) { return( proc_pam_end(pamh)); } -- cgit From 9ce5a03ccbcc21c60a3dbc39b1dbd06b30655852 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 18 Apr 2001 16:41:04 +0000 Subject: merge from 2.2 (This used to be commit f52a5014ee325f9d91f266f88eac51b6136a75b9) --- source3/auth/pampass.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 271c46045b..d9137045e2 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -337,12 +337,12 @@ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL fla /* * PAM Externally accessible Session handler */ -BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) +BOOL pam_session(BOOL flag, const char *in_user, char *tty) { pam_handle_t *pamh = NULL; char * user; - user = malloc(strlen(conn->user)+1); + user = malloc(strlen(in_user)+1); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); @@ -350,7 +350,7 @@ BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) } /* This is freed by PAM */ - StrnCpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, in_user, strlen(in_user)+1); if (!proc_pam_start(&pamh, user)) { -- cgit From 80187366f2679e5c43d21978d4c6b1f7beee503a Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 19 Apr 2001 23:52:45 +0000 Subject: Added error reporting to pam_session code. (This used to be commit 72812e4cf199d804418dc52cc0b0ba683b8a2e5c) --- source3/auth/pampass.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index d9137045e2..277544ed91 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -287,6 +287,25 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); + switch( pam_error ) { + case PAM_CRED_UNAVAIL: + DEBUG(0, ("PAM: Credentials not found for user:%s", user )); + break; + case PAM_CRED_EXPIRED: + DEBUG(0, ("PAM: Credentials for user: \"%s\" EXPIRED!", user )); + break; + case PAM_CRED_UNKNOWN: + DEBUG(0, ("PAM: User: \"%s\" is NOT known so can not set credentials!", user )); + break; + case PAM_CRED_UNKNOWN: + DEBUG(0, ("PAM: Unknown setcredentials error - unable to set credentials for %s", user )); + break; + case PAM_SUCCESS: + DEBUG(4, ("PAM: SetCredentials OK for User: %s\n", user)); + break; + default: + DEBUG(0, ("PAM: Error Condition Unknown in pam_setcred function call!")); + } if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { proc_pam_end(pamh); return False; -- cgit From 790588eda41a7c8b2a56dce3fef57abd10df8a3f Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 20 Apr 2001 00:19:49 +0000 Subject: Oops. Typos. (This used to be commit 44f96771c384b319290ab5e14cad6ba8f3fb5383) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 277544ed91..bf1aca1e2c 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -294,10 +294,10 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p case PAM_CRED_EXPIRED: DEBUG(0, ("PAM: Credentials for user: \"%s\" EXPIRED!", user )); break; - case PAM_CRED_UNKNOWN: + case PAM_USER_UNKNOWN: DEBUG(0, ("PAM: User: \"%s\" is NOT known so can not set credentials!", user )); break; - case PAM_CRED_UNKNOWN: + case PAM_CRED_ERR: DEBUG(0, ("PAM: Unknown setcredentials error - unable to set credentials for %s", user )); break; case PAM_SUCCESS: -- cgit From e277c08631316ccda875a09a67ebb220c495c5a9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 22 Apr 2001 07:20:24 +0000 Subject: Commit of a modified version of Andrew Bartlett's patch that removes the horrid utmp hostname parameter - now uses the client name instead. Also tidies up some of the unencrypted password checking when PAM is compiled in. FIXME ! An pam_accountcheck() is being called even when smb encrypted passwords are negotiated. Is this the correct thing to do when winbindd is running ! This needs *SEVERE* testing.... Jeremy. (This used to be commit 071c799f479dd25efdb9c41745fc8f2beea7b568) --- source3/auth/pampass.c | 181 +++++++++++++++++++++------------------------- source3/auth/pass_check.c | 19 ++++- 2 files changed, 101 insertions(+), 99 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index bf1aca1e2c..e84a045d49 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -61,8 +61,7 @@ static char *PAM_password; static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { - if( pam_error != PAM_SUCCESS) - { + if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); return False; } @@ -87,10 +86,8 @@ static int PAM_conv(int num_msg, if (!reply) return PAM_CONV_ERR; - for (replies = 0; replies < num_msg; replies++) - { - switch (msg[replies]->msg_style) - { + for (replies = 0; replies < num_msg; replies++) { + switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = @@ -135,58 +132,58 @@ static struct pam_conv PAM_conversation = { */ static BOOL proc_pam_end(pam_handle_t *pamh) { - int pam_error; + int pam_error; - if( pamh != NULL ) - { + if( pamh != NULL ) { pam_error = pam_end(pamh, 0); if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { DEBUG(4, ("PAM: PAM_END OK.\n")); - return True; + return True; } - } - DEBUG(2,("PAM: not initialised")); - return False; + } + DEBUG(2,("PAM: not initialised")); + return False; } /* * Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user) +static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) { - int pam_error; - char * rhost; + int pam_error; - DEBUG(4,("PAM: Init user: %s\n", user)); + DEBUG(4,("PAM: Init user: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); - return False; - } + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } - rhost = client_name(); - if (strcmp(rhost,"UNKNOWN") == 0) - rhost = client_addr(); + if (rhost == NULL) { + rhost = client_name(); + if (strequal(rhost,"UNKNOWN")) + rhost = client_addr(); + } #ifdef PAM_RHOST - DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); - return False; - } + DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } #endif #ifdef PAM_TTY - DEBUG(4,("PAM: setting tty\n")); - pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); - return False; - } + DEBUG(4,("PAM: setting tty\n")); + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } #endif - DEBUG(4,("PAM: Init passed for user: %s\n", user)); - return True; + DEBUG(4,("PAM: Init passed for user: %s\n", user)); + return True; } /* @@ -201,7 +198,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) * auth required /lib/security/pam_pwdb.so nullok shadow audit */ - DEBUG(4,("PAM: Authenticate User: %s\n", user)); + DEBUG(4,("PAM: Authenticate User: %s\n", user)); pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ switch( pam_error ){ case PAM_AUTH_ERR: @@ -243,7 +240,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p { int pam_error; - DEBUG(4,("PAM: Account Management for User: %s\n", user)); + DEBUG(4,("PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: @@ -285,7 +282,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p * exporting an AFS cell, be able to /write/ to this cell. */ - DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); + DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user)); pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); switch( pam_error ) { case PAM_CRED_UNAVAIL: @@ -321,49 +318,46 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p */ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { - int pam_error; + int pam_error; - PAM_password = NULL; - PAM_username = user; + PAM_password = NULL; + PAM_username = user; #ifdef PAM_TTY - DEBUG(4,("PAM: tty set to: %s\n", tty)); - pam_error = pam_set_item(pamh, PAM_TTY, tty); - if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(pamh); - return False; - } + DEBUG(4,("PAM: tty set to: %s\n", tty)); + pam_error = pam_set_item(pamh, PAM_TTY, tty); + if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(pamh); + return False; + } #endif - if (flag) { - pam_error = pam_open_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { - proc_pam_end(pamh); - return False; - } - } - else - { - pam_error = pam_close_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { - proc_pam_end(pamh); - return False; - } - } - return (True); + if (flag) { + pam_error = pam_open_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { + proc_pam_end(pamh); + return False; + } + } else { + pam_error = pam_close_session(pamh, PAM_SILENT); + if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { + proc_pam_end(pamh); + return False; + } + } + return (True); } /* * PAM Externally accessible Session handler */ -BOOL pam_session(BOOL flag, const char *in_user, char *tty) +BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(in_user)+1); - if ( user == NULL ) - { + if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); return False; } @@ -371,20 +365,16 @@ BOOL pam_session(BOOL flag, const char *in_user, char *tty) /* This is freed by PAM */ StrnCpy(user, in_user, strlen(in_user)+1); - if (!proc_pam_start(&pamh, user)) - { - proc_pam_end(pamh); - return False; + if (!proc_pam_start(&pamh, user, rhost)) { + proc_pam_end(pamh); + return False; } - if (proc_pam_session(pamh, user, tty, flag)) - { - return proc_pam_end(pamh); - } - else - { - proc_pam_end(pamh); - return False; + if (proc_pam_session(pamh, user, tty, flag)) { + return proc_pam_end(pamh); + } else { + proc_pam_end(pamh); + return False; } } @@ -398,12 +388,10 @@ BOOL pam_accountcheck(char * user) PAM_username = user; PAM_password = NULL; - if( proc_pam_start(&pamh, user)) - { - if ( pam_account(pamh, user, NULL, False)) - { - return( proc_pam_end(pamh)); - } + if( proc_pam_start(&pamh, user, NULL)) { + if ( pam_account(pamh, user, NULL, False)) { + return( proc_pam_end(pamh)); + } } DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); return( False ); @@ -419,12 +407,9 @@ BOOL pam_passcheck(char * user, char * password) PAM_username = user; PAM_password = password; - if( proc_pam_start(&pamh, user)) - { - if ( pam_auth(pamh, user, password)) - { - if ( pam_account(pamh, user, password, True)) - { + if( proc_pam_start(&pamh, user, NULL)) { + if ( pam_auth(pamh, user, password)) { + if ( pam_account(pamh, user, password, True)) { return( proc_pam_end(pamh)); } } @@ -435,8 +420,10 @@ BOOL pam_passcheck(char * user, char * password) #else - /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ - - void pampass_dummy_function( void ) { } /*This stops compiler complaints */ +/* If PAM not used, no PAM restrictions on accounts. */ + BOOL pam_accountcheck(char * user) +{ + return True; +} #endif /* WITH_PAM */ diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 236465bc90..08961e5099 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -681,12 +681,13 @@ the function pointer fn() points to a function to call when a successful match is found and is used to update the encrypted password file return True on correct match, False otherwise ****************************************************************************/ + BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, BOOL (*fn) (char *, char *)) { pstring pass2; int level = lp_passwordlevel(); - struct passwd *pass; + struct passwd *pass = NULL; if (password) password[pwlen] = 0; @@ -708,8 +709,20 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, pass = Get_Pwnam(user, True); } +#ifdef WITH_PAM + + /* + * If we're using PAM we want to short-circuit all the + * checks below and dive straight into the PAM code. + */ + + fstrcpy(this_user, user); + + DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen)); + +#else /* Not using PAM */ - DEBUG(4, ("Checking password for user %s (l=%d)\n", user, pwlen)); + DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen)); if (!pass) { DEBUG(3, ("Couldn't find user %s\n", user)); @@ -802,6 +815,8 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, } } +#endif /* WITH_PAM */ + /* try it as it came to us */ if (password_check(password)) { if (fn) -- cgit From ae8418d0c400f6458c1eb0b79881fd02629e5acd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 04:15:35 +0000 Subject: Added smb_ prefix to all Samba wrapper pam functions. Fixed off by one bug using StrnCpy instead of strdup(). Jeremy. (This used to be commit d4b1c0be2e700c86a4338bb497777f97e3c960a7) --- source3/auth/pampass.c | 96 +++++++++++++++++++++++------------------------ source3/auth/pass_check.c | 2 +- 2 files changed, 48 insertions(+), 50 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index e84a045d49..553ffcd323 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -5,6 +5,7 @@ Copyright (C) Andrew Tridgell 1992-2001 Copyright (C) John H Terpsta 1999-2001 Copyright (C) Andrew Bartlett 2001 + Copyright (C) Jeremy Allison 2001 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -58,7 +59,7 @@ static char *PAM_password; /* * PAM error handler. */ -static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { @@ -74,7 +75,7 @@ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int * echo off means password. */ -static int PAM_conv(int num_msg, +static int smb_pam_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) @@ -122,21 +123,21 @@ static int PAM_conv(int num_msg, return PAM_SUCCESS; } -static struct pam_conv PAM_conversation = { - &PAM_conv, +static struct pam_conv smb_pam_conversation = { + &smb_pam_conv, NULL }; /* * PAM Closing out cleanup handler */ -static BOOL proc_pam_end(pam_handle_t *pamh) +static BOOL smb_pam_end(pam_handle_t *pamh) { int pam_error; if( pamh != NULL ) { pam_error = pam_end(pamh, 0); - if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { DEBUG(4, ("PAM: PAM_END OK.\n")); return True; } @@ -148,15 +149,15 @@ static BOOL proc_pam_end(pam_handle_t *pamh) /* * Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) +static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) { int pam_error; DEBUG(4,("PAM: Init user: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); + pam_error = pam_start("samba", user, &smb_pam_conversation, pamh); + if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + smb_pam_end(*pamh); return False; } @@ -169,16 +170,16 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) #ifdef PAM_RHOST DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); + if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + smb_pam_end(*pamh); return False; } #endif #ifdef PAM_TTY DEBUG(4,("PAM: setting tty\n")); pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); + if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + smb_pam_end(*pamh); return False; } #endif @@ -189,7 +190,7 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost) /* * PAM Authentication Handler */ -static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) +static BOOL smb_pam_auth(pam_handle_t *pamh, char *user, char *password) { int pam_error; @@ -225,8 +226,8 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) default: DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user)); } - if(!pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { - proc_pam_end(pamh); + if(!smb_pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { + smb_pam_end(pamh); return False; } /* If this point is reached, the user has been authenticated. */ @@ -236,7 +237,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) /* * PAM Account Handler */ -static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) +static BOOL smb_pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) { int pam_error; @@ -264,8 +265,8 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p default: DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user)); } - if(!pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { - proc_pam_end(pamh); + if(!smb_pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { + smb_pam_end(pamh); return False; } @@ -303,8 +304,8 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p default: DEBUG(0, ("PAM: Error Condition Unknown in pam_setcred function call!")); } - if(!pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { - proc_pam_end(pamh); + if(!smb_pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { + smb_pam_end(pamh); return False; } @@ -316,7 +317,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p /* * PAM Internal Session Handler */ -static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -326,22 +327,22 @@ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL fla #ifdef PAM_TTY DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); - if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) { + smb_pam_end(pamh); return False; } #endif if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { - proc_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) { + smb_pam_end(pamh); return False; } } else { pam_error = pam_close_session(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) { - proc_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) { + smb_pam_end(pamh); return False; } } @@ -351,29 +352,26 @@ static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL fla /* * PAM Externally accessible Session handler */ -BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) +BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; - user = malloc(strlen(in_user)+1); + user = strdup(in_user); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); return False; } - /* This is freed by PAM */ - StrnCpy(user, in_user, strlen(in_user)+1); - - if (!proc_pam_start(&pamh, user, rhost)) { - proc_pam_end(pamh); + if (!smb_pam_start(&pamh, user, rhost)) { + smb_pam_end(pamh); return False; } - if (proc_pam_session(pamh, user, tty, flag)) { - return proc_pam_end(pamh); + if (smb_internal_pam_session(pamh, user, tty, flag)) { + return smb_pam_end(pamh); } else { - proc_pam_end(pamh); + smb_pam_end(pamh); return False; } } @@ -381,16 +379,16 @@ BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) /* * PAM Externally accessible Account handler */ -BOOL pam_accountcheck(char * user) +BOOL smb_pam_accountcheck(char * user) { pam_handle_t *pamh = NULL; PAM_username = user; PAM_password = NULL; - if( proc_pam_start(&pamh, user, NULL)) { - if ( pam_account(pamh, user, NULL, False)) { - return( proc_pam_end(pamh)); + if( smb_pam_start(&pamh, user, NULL)) { + if ( smb_pam_account(pamh, user, NULL, False)) { + return( smb_pam_end(pamh)); } } DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); @@ -400,17 +398,17 @@ BOOL pam_accountcheck(char * user) /* * PAM Password Validation Suite */ -BOOL pam_passcheck(char * user, char * password) +BOOL smb_pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; PAM_username = user; PAM_password = password; - if( proc_pam_start(&pamh, user, NULL)) { - if ( pam_auth(pamh, user, password)) { - if ( pam_account(pamh, user, password, True)) { - return( proc_pam_end(pamh)); + if( smb_pam_start(&pamh, user, NULL)) { + if ( smb_pam_auth(pamh, user, password)) { + if ( smb_pam_account(pamh, user, password, True)) { + return( smb_pam_end(pamh)); } } } @@ -421,7 +419,7 @@ BOOL pam_passcheck(char * user, char * password) #else /* If PAM not used, no PAM restrictions on accounts. */ - BOOL pam_accountcheck(char * user) + BOOL smb_pam_accountcheck(char * user) { return True; } diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 08961e5099..05f7138c3c 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -599,7 +599,7 @@ static BOOL password_check(char *password) { #ifdef WITH_PAM - return (pam_passcheck(this_user, password)); + return (smb_pam_passcheck(this_user, password)); #endif /* WITH_PAM */ #ifdef WITH_AFS -- cgit From d6a5dec6f225395ec764b29eb76c0a6577f3e039 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 06:09:27 +0000 Subject: Fix for bug in code for pam_session failure - pam_end called twice. Jeremy. (This used to be commit c4048fcdb6ff3a890b69be8ef4832e9bd958cfec) --- source3/auth/pampass.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 553ffcd323..3335ed5551 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -327,24 +327,18 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, #ifdef PAM_TTY DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); - if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) { - smb_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) return False; - } #endif if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); - if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) { - smb_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) return False; - } } else { pam_error = pam_close_session(pamh, PAM_SILENT); - if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) { - smb_pam_end(pamh); + if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) return False; - } } return (True); } @@ -368,12 +362,11 @@ BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) return False; } - if (smb_internal_pam_session(pamh, user, tty, flag)) { - return smb_pam_end(pamh); - } else { + if (!smb_internal_pam_session(pamh, user, tty, flag)) { smb_pam_end(pamh); return False; } + return smb_pam_end(pamh); } /* -- cgit From e00451106bc0365405f68195afcb6351bd2a55c0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 06:22:02 +0000 Subject: Fix more free twice bugs. Jeremy. (This used to be commit 4db22afeed659a871a4a1f719d5fa1f2df07e24d) --- source3/auth/pampass.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 3335ed5551..f91f472603 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -153,11 +153,13 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) { int pam_error; + *pamh = (pam_handle_t *)NULL; + DEBUG(4,("PAM: Init user: %s\n", user)); pam_error = pam_start("samba", user, &smb_pam_conversation, pamh); if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - smb_pam_end(*pamh); + *pamh = (pam_handle_t *)NULL; return False; } @@ -172,6 +174,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { smb_pam_end(*pamh); + *pamh = (pam_handle_t *)NULL; return False; } #endif @@ -180,6 +183,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { smb_pam_end(*pamh); + *pamh = (pam_handle_t *)NULL; return False; } #endif @@ -358,7 +362,6 @@ BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) } if (!smb_pam_start(&pamh, user, rhost)) { - smb_pam_end(pamh); return False; } -- cgit From 70b55a9abc109df0e15e3aa6f01c03d9acea154a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Apr 2001 20:43:20 +0000 Subject: Added "obey pam restrictions" parameter - default to "off". Only set this to "on" if you know you have your PAM set up correctly..... NB. Doesn't apply to plaintext password authentication, which must use pam when compiled in. Jeremy. (This used to be commit 59aa99f3901d098b7afbe675021bda53b62ee496) --- source3/auth/pampass.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index f91f472603..9f4a8f57b9 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, /* * PAM Externally accessible Session handler */ + BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + user = strdup(in_user); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); @@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user) PAM_username = user; PAM_password = NULL; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_account(pamh, user, NULL, False)) { return( smb_pam_end(pamh)); @@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password) PAM_username = user; PAM_password = password; + /* + * Note we can't ignore PAM here as this is the only + * way of doing auths on plaintext passwords when + * compiled --with-pam. + */ + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_auth(pamh, user, password)) { if ( smb_pam_account(pamh, user, password, True)) { -- cgit From c3a999409db6a9e0d38928feb02ab6815bd28d57 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2001 21:05:58 +0000 Subject: Based on an original PAM patch by Andrew Bartlett, re-written by me to remove global static PAM variables, and to tidy up the PAM internals code. Now looks like the rest of Samba. Still needs testing. Jeremy. (This used to be commit 1648ac64a75de74d1a1575eb49cccc4f75488bfa) --- source3/auth/pampass.c | 541 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 417 insertions(+), 124 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 9f4a8f57b9..83640bf5c8 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -44,31 +44,58 @@ extern int DEBUGLEVEL; #include /* - * Static variables used to communicate between the conversation function - * and the server_login function + * Structure used to communicate between the conversation function + * and the server_login/change password functions. */ -static char *PAM_username; -static char *PAM_password; +struct smb_pam_userdata { + char *PAM_username; + char *PAM_password; + char *PAM_newpassword; +}; + +typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr); /* * Macros to help make life easy */ #define COPY_STRING(s) (s) ? strdup(s) : NULL -/* - * PAM error handler. - */ +/******************************************************************* + PAM error handler. + *********************************************************************/ + static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { - DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); + DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n", + msg, pam_strerror(pamh, pam_error))); return False; } return True; } +/******************************************************************* + This function is a sanity check, to make sure that we NEVER report + failure as sucess. +*********************************************************************/ + +static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, + char *msg, int dbglvl, uint32 *nt_status) +{ + if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) + return True; + + if (*nt_status == NT_STATUS_NOPROBLEMO) { + /* Complain LOUDLY */ + DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ +error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE")); + *nt_status = NT_STATUS_LOGON_FAILURE; + } + return False; +} + /* * PAM conversation function * Here we assume (for now, at least) that echo on means login name, and @@ -82,6 +109,9 @@ static int smb_pam_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; + struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; + + *resp = NULL; reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) @@ -91,15 +121,13 @@ static int smb_pam_conv(int num_msg, switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = - COPY_STRING(PAM_username); + reply[replies].resp = COPY_STRING(udp->PAM_username); /* PAM frees resp */ break; case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = - COPY_STRING(PAM_password); + reply[replies].resp = COPY_STRING(udp->PAM_password); /* PAM frees resp */ break; @@ -123,41 +151,158 @@ static int smb_pam_conv(int num_msg, return PAM_SUCCESS; } -static struct pam_conv smb_pam_conversation = { - &smb_pam_conv, - NULL -}; +/* + * PAM password change conversation function + * Here we assume (for now, at least) that echo on means login name, and + * echo off means password. + */ + +static int smb_pam_passchange_conv(int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr) +{ + int replies = 0; + struct pam_response *reply = NULL; + fstring currentpw_prompt; + fstring newpw_prompt; + fstring repeatpw_prompt; + char *p = lp_passwd_chat(); + struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; + + /* Get the prompts... */ + + if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + + *resp = NULL; + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) + return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) { + switch (msg[replies]->msg_style) { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(udp->PAM_username); + /* PAM frees resp */ + break; + + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + DEBUG(10,("smb_pam_passchange_conv: PAM Replied: %s\n", msg[replies]->msg)); + if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_password); + } else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_newpassword); + } else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_newpassword); + } else { + DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); + DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \ +RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt)); + } + /* PAM frees resp */ + break; + + case PAM_TEXT_INFO: + /* fall through */ + + case PAM_ERROR_MSG: + /* ignore it... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + + default: + /* Must be an error of some sort... */ + free(reply); + reply = NULL; + return PAM_CONV_ERR; + } + } + + if (reply) + *resp = reply; + return PAM_SUCCESS; +} + +/*************************************************************************** + Free up a malloced pam_conv struct. +****************************************************************************/ + +static void smb_free_pam_conv(struct pam_conv *pconv) +{ + if (pconv) + safe_free(pconv->appdata_ptr); + + safe_free(pconv); +} + +/*************************************************************************** + Allocate a pam_conv struct. +****************************************************************************/ + +static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, char *user, + char *passwd, char *newpass) +{ + struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv)); + struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); + + if (pconv == NULL || udp == NULL) { + safe_free(pconv); + safe_free(udp); + return NULL; + } + + udp->PAM_username = user; + udp->PAM_password = passwd; + udp->PAM_newpassword = newpass; + + pconv->conv = smb_pam_conv_fnptr; + pconv->appdata_ptr = (void *)udp; + return pconv; +} /* * PAM Closing out cleanup handler */ -static BOOL smb_pam_end(pam_handle_t *pamh) + +static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) { int pam_error; + + smb_free_pam_conv(smb_pam_conv_ptr); if( pamh != NULL ) { pam_error = pam_end(pamh, 0); if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { - DEBUG(4, ("PAM: PAM_END OK.\n")); + DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n")); return True; } } - DEBUG(2,("PAM: not initialised")); + DEBUG(2,("smb_pam_end: PAM: not initialised")); return False; } /* * Start PAM authentication for specified account */ -static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) + +static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct pam_conv *pconv) { int pam_error; *pamh = (pam_handle_t *)NULL; - DEBUG(4,("PAM: Init user: %s\n", user)); + DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user)); - pam_error = pam_start("samba", user, &smb_pam_conversation, pamh); + pam_error = pam_start("samba", user, pconv, pamh); if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { *pamh = (pam_handle_t *)NULL; return False; @@ -170,117 +315,134 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost) } #ifdef PAM_RHOST - DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost)); pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - smb_pam_end(*pamh); + smb_pam_end(*pamh, pconv); *pamh = (pam_handle_t *)NULL; return False; } #endif #ifdef PAM_TTY - DEBUG(4,("PAM: setting tty\n")); + DEBUG(4,("smb_pam_start: PAM: setting tty\n")); pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - smb_pam_end(*pamh); + smb_pam_end(*pamh, pconv); *pamh = (pam_handle_t *)NULL; return False; } #endif - DEBUG(4,("PAM: Init passed for user: %s\n", user)); + DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user)); return True; } /* * PAM Authentication Handler */ -static BOOL smb_pam_auth(pam_handle_t *pamh, char *user, char *password) +static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) { int pam_error; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; /* * To enable debugging set in /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit */ - DEBUG(4,("PAM: Authenticate User: %s\n", user)); - pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ + DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user)); + pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK); switch( pam_error ){ case PAM_AUTH_ERR: - DEBUG(2, ("PAM: Athentication Error\n")); + DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); + nt_status = NT_STATUS_WRONG_PASSWORD; break; case PAM_CRED_INSUFFICIENT: - DEBUG(2, ("PAM: Insufficient Credentials\n")); + DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); + nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO; break; case PAM_AUTHINFO_UNAVAIL: - DEBUG(2, ("PAM: Authentication Information Unavailable\n")); + DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_USER_UNKNOWN: - DEBUG(2, ("PAM: Username NOT known to Authentication system\n")); + DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user)); + nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_MAXTRIES: - DEBUG(2, ("PAM: One or more authentication modules reports user limit exceeeded\n")); + DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user)); + nt_status = NT_STATUS_REMOTE_SESSION_LIMIT; break; case PAM_ABORT: - DEBUG(0, ("PAM: One or more PAM modules failed to load\n")); + DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; + break; + case PAM_SUCCESS: + DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); + nt_status = NT_STATUS_NOPROBLEMO; break; - case PAM_SUCCESS: - DEBUG(4, ("PAM: User %s Authenticated OK\n", user)); - break; default: - DEBUG(0, ("PAM: UNKNOWN ERROR while authenticating user %s\n", user)); - } - if(!smb_pam_error_handler(pamh, pam_error, "Authentication Failure", 2)) { - smb_pam_end(pamh); - return False; + DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; + break; } - /* If this point is reached, the user has been authenticated. */ - return (True); + + smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status); + return nt_status; } /* * PAM Account Handler */ -static BOOL smb_pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) +static uint32 smb_pam_account(pam_handle_t *pamh, char * user) { int pam_error; + uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; - DEBUG(4,("PAM: Account Management for User: %s\n", user)); + DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: - DEBUG(2, ("PAM: User is valid but password is expired\n")); + DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user)); + nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_ACCT_EXPIRED: - DEBUG(2, ("PAM: User no longer permitted to access system\n")); + DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user)); + nt_status = NT_STATUS_ACCOUNT_EXPIRED; break; case PAM_AUTH_ERR: - DEBUG(2, ("PAM: There was an authentication error\n")); + DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user)); + nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_PERM_DENIED: - DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); + DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user)); + nt_status = NT_STATUS_ACCOUNT_RESTRICTION; break; case PAM_USER_UNKNOWN: - DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); + DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user)); + nt_status = NT_STATUS_NO_SUCH_USER; + break; + case PAM_SUCCESS: + DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); + nt_status = NT_STATUS_NOPROBLEMO; break; - case PAM_SUCCESS: - DEBUG(4, ("PAM: Account OK for User: %s\n", user)); - break; default: - DEBUG(0, ("PAM: UNKNOWN ERROR for User: %s\n", user)); - } - if(!smb_pam_error_handler(pamh, pam_error, "Account Check Failed", 2)) { - smb_pam_end(pamh); - return False; + nt_status = NT_STATUS_ACCOUNT_DISABLED; + DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user)); + break; } - /* Skip the pam_setcred() call if we didn't use pam_authenticate() - for authentication -- it's an error to call pam_setcred without - calling pam_authenticate first */ - if (!pam_auth) { - DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user)); - return True; - } + smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status); + return nt_status; +} + +/* + * PAM Credential Setting + */ + +static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user) +{ + int pam_error; + uint32 nt_status = NT_STATUS_NO_TOKEN; /* * This will allow samba to aquire a kerberos token. And, when @@ -291,32 +453,34 @@ static BOOL smb_pam_account(pam_handle_t *pamh, char * user, char * password, BO pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); switch( pam_error ) { case PAM_CRED_UNAVAIL: - DEBUG(0, ("PAM: Credentials not found for user:%s", user )); + DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user )); + nt_status = NT_STATUS_NO_TOKEN; break; case PAM_CRED_EXPIRED: - DEBUG(0, ("PAM: Credentials for user: \"%s\" EXPIRED!", user )); + DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user )); + nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_USER_UNKNOWN: - DEBUG(0, ("PAM: User: \"%s\" is NOT known so can not set credentials!", user )); + DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user )); + nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_CRED_ERR: - DEBUG(0, ("PAM: Unknown setcredentials error - unable to set credentials for %s", user )); + DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user )); + nt_status = NT_STATUS_LOGON_FAILURE; + break; + case PAM_SUCCESS: + DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); + nt_status = NT_STATUS_NOPROBLEMO; break; - case PAM_SUCCESS: - DEBUG(4, ("PAM: SetCredentials OK for User: %s\n", user)); - break; default: - DEBUG(0, ("PAM: Error Condition Unknown in pam_setcred function call!")); - } - if(!smb_pam_error_handler(pamh, pam_error, "Set Credential Failure", 2)) { - smb_pam_end(pamh); - return False; + DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); + nt_status = NT_STATUS_NO_TOKEN; + break; } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} + smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status); + return nt_status; +} /* * PAM Internal Session Handler @@ -325,11 +489,8 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, { int pam_error; - PAM_password = NULL; - PAM_username = user; - #ifdef PAM_TTY - DEBUG(4,("PAM: tty set to: %s\n", tty)); + DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0)) return False; @@ -340,77 +501,156 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0)) return False; } else { - pam_error = pam_close_session(pamh, PAM_SILENT); + pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */ + pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */ if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0)) return False; } return (True); } +/* + * Internal PAM Password Changer. + */ + +static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user) +{ + int pam_error; + + DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user)); + + pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */ + + switch( pam_error ) { + case PAM_AUTHTOK_ERR: + DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n")); + break; + case PAM_AUTHTOK_RECOVER_ERR: + DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n")); + break; + case PAM_AUTHTOK_LOCK_BUSY: + DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n")); + break; + case PAM_AUTHTOK_DISABLE_AGING: + DEBUG(2, ("PAM: Authentication token aging has been disabled.\n")); + break; + case PAM_PERM_DENIED: + DEBUG(0, ("PAM: Permission denied.\n")); + break; + case PAM_TRY_AGAIN: + DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n")); + break; + case PAM_USER_UNKNOWN: + DEBUG(0, ("PAM: User not known to PAM\n")); + break; + case PAM_SUCCESS: + DEBUG(4, ("PAM: Account OK for User: %s\n", user)); + break; + default: + DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user)); + } + + if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) { + return False; + } + + /* If this point is reached, the password has changed. */ + return True; +} + /* * PAM Externally accessible Session handler */ -BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) +BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; - char * user; + struct pam_conv *pconv = NULL; /* Ignore PAM if told to. */ if (!lp_obey_pam_restrictions()) return True; - user = strdup(in_user); - if ( user == NULL ) { - DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) return False; - } - if (!smb_pam_start(&pamh, user, rhost)) { + if (!smb_pam_start(&pamh, user, rhost, pconv)) return False; - } - if (!smb_internal_pam_session(pamh, user, tty, flag)) { - smb_pam_end(pamh); + if (!smb_internal_pam_session(pamh, user, tty, True)) { + smb_pam_end(pamh, pconv); return False; } - return smb_pam_end(pamh); + + return smb_pam_end(pamh, pconv); } /* - * PAM Externally accessible Account handler + * PAM Externally accessible Session handler */ -BOOL smb_pam_accountcheck(char * user) + +BOOL smb_pam_close_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; - - PAM_username = user; - PAM_password = NULL; + struct pam_conv *pconv = NULL; /* Ignore PAM if told to. */ if (!lp_obey_pam_restrictions()) return True; - if( smb_pam_start(&pamh, user, NULL)) { - if ( smb_pam_account(pamh, user, NULL, False)) { - return( smb_pam_end(pamh)); - } + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) + return False; + + if (!smb_pam_start(&pamh, user, rhost, pconv)) + return False; + + if (!smb_internal_pam_session(pamh, user, tty, False)) { + smb_pam_end(pamh, pconv); + return False; } - DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n")); - return( False ); + + return smb_pam_end(pamh, pconv); } /* - * PAM Password Validation Suite + * PAM Externally accessible Account handler */ -BOOL smb_pam_passcheck(char * user, char * password) + +uint32 smb_pam_accountcheck(char * user) { + uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; + struct pam_conv *pconv = NULL; - PAM_username = user; - PAM_password = password; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return NT_STATUS_NOPROBLEMO; + + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) + return False; + + if (!smb_pam_start(&pamh, user, NULL, pconv)) + return NT_STATUS_ACCOUNT_DISABLED; + + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) + DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user)); + + smb_pam_end(pamh, pconv); + return nt_status; +} + +/* + * PAM Password Validation Suite + */ + +uint32 smb_pam_passcheck(char * user, char * password) +{ + pam_handle_t *pamh = NULL; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + struct pam_conv *pconv = NULL; /* * Note we can't ignore PAM here as this is the only @@ -418,23 +658,76 @@ BOOL smb_pam_passcheck(char * user, char * password) * compiled --with-pam. */ - if( smb_pam_start(&pamh, user, NULL)) { - if ( smb_pam_auth(pamh, user, password)) { - if ( smb_pam_account(pamh, user, password, True)) { - return( smb_pam_end(pamh)); - } - } + if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL) + return False; + + if (!smb_pam_start(&pamh, user, NULL, NULL)) + return NT_STATUS_LOGON_FAILURE; + + if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) { + DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user)); + smb_pam_end(pamh, pconv); + return nt_status; + } + + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) { + DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user)); + smb_pam_end(pamh, pconv); + return nt_status; + } + + if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_NOPROBLEMO) { + DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user)); + smb_pam_end(pamh, pconv); + return nt_status; } - DEBUG(0, ("PAM: System Validation Failed - Rejecting User!\n")); - return( False ); + + smb_pam_end(pamh, pconv); + return nt_status; +} + +/* + * PAM Password Change Suite + */ + +BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) +{ + /* Appropriate quantities of root should be obtained BEFORE calling this function */ + struct pam_conv *pconv = NULL; + pam_handle_t *pamh = NULL; + + if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL) + return False; + + if(!smb_pam_start(&pamh, user, NULL, pconv)) + return False; + + if (!smb_pam_chauthtok(pamh, user)) { + DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user)); + smb_pam_end(pamh, pconv); + return False; + } + + return smb_pam_end(pamh, pconv); } #else /* If PAM not used, no PAM restrictions on accounts. */ - BOOL smb_pam_accountcheck(char * user) + uint32 smb_pam_accountcheck(char * user) +{ + return NT_STATUS_NOPROBLEMO; +} + +/* If PAM not used, also no PAM restrictions on sessions. */ + BOOL smb_pam_claim_session(const char *user, char *tty, char *rhost) { return True; } +/* If PAM not used, also no PAM restrictions on sessions. */ + BOOL smb_pam_close_session(const char *in_user, char *tty, char *rhost) +{ + return True; +} #endif /* WITH_PAM */ -- cgit From 0901dd473ae163b815b364fc7ac954778b77d3b5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2001 23:14:44 +0000 Subject: Fixing consts in pam code. Jeremy. (This used to be commit c4d3df4f145dc28d1b285fad64c787cebb613e70) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 83640bf5c8..01d2d81b9d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -720,13 +720,13 @@ BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_claim_session(const char *user, char *tty, char *rhost) + BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) { return True; } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_close_session(const char *in_user, char *tty, char *rhost) + BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) { return True; } -- cgit From a290cd597db9e94b603b5e94c3ac87cb9e068da0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 May 2001 01:26:15 +0000 Subject: Allow pam code to compile on Solaris (which doesn't have PAM_AUTHTOK_RECOVER_ERR). Jeremy. (This used to be commit 6b2dd14205a4170c11067c4f851db11ab9154fce) --- source3/auth/pampass.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 01d2d81b9d..09b84db71a 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -525,9 +525,14 @@ static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user) case PAM_AUTHTOK_ERR: DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n")); break; + + /* This doesn't seem to be defined on Solaris. JRA */ +#ifdef PAM_AUTHTOK_RECOVER_ERR case PAM_AUTHTOK_RECOVER_ERR: DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n")); break; +#endif + case PAM_AUTHTOK_LOCK_BUSY: DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n")); break; -- cgit From 5197ccfef498d8d8072fba71d3bd58509fa10ad4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 May 2001 17:19:42 +0000 Subject: Added Andrew Bartlett's fixes to my changes to his original patch (at the court of king caractacus, was just passing by... :-). Jeremy. (This used to be commit acc3e7a057ad7fb0c2fb1cafff0c623ec0524d04) --- source3/auth/pampass.c | 4 ++-- source3/auth/pass_check.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 09b84db71a..061e5ee0bf 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -664,9 +664,9 @@ uint32 smb_pam_passcheck(char * user, char * password) */ if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL) - return False; + return NT_STATUS_LOGON_FAILURE; - if (!smb_pam_start(&pamh, user, NULL, NULL)) + if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_LOGON_FAILURE; if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) { diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 05f7138c3c..9424189b23 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -599,7 +599,7 @@ static BOOL password_check(char *password) { #ifdef WITH_PAM - return (smb_pam_passcheck(this_user, password)); + return (smb_pam_passcheck(this_user, password) == NT_STATUS_NOPROBLEMO); #endif /* WITH_PAM */ #ifdef WITH_AFS -- cgit From e2a997f7a9d987fb96321a581fae9a5f3e8f4110 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 May 2001 18:19:15 +0000 Subject: Stop coredump on pam password change with pam_pwdb.so module on error. Jeremy. (This used to be commit d9b960b4a5997e4cd09e3da9ea4754cbae1e29b3) --- source3/auth/pampass.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 061e5ee0bf..68024f9481 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -188,6 +188,7 @@ static int smb_pam_passchange_conv(int num_msg, for (replies = 0; replies < num_msg; replies++) { switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: Replied: %s\n", msg[replies]->msg)); reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = COPY_STRING(udp->PAM_username); /* PAM frees resp */ @@ -195,7 +196,7 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; - DEBUG(10,("smb_pam_passchange_conv: PAM Replied: %s\n", msg[replies]->msg)); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_password); } else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) { @@ -206,6 +207,9 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \ RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt)); + free(reply); + reply = NULL; + return PAM_CONV_ERR; } /* PAM frees resp */ break; -- cgit From 0961f7b494319e90c581016fda95be0b8eaf4229 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 1 May 2001 18:25:20 +0000 Subject: Runtime check for broken PAM systems with no appdata_ptr support. This should eventually be an autoconf test with a #ifdef workaround. I *HATE* pam :-). Jeremy. (This used to be commit 52a9226a5aaa769e960619c2bd0a561dd9b0493d) --- source3/auth/pampass.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 68024f9481..8f62d35317 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -113,6 +113,16 @@ static int smb_pam_conv(int num_msg, *resp = NULL; + /* + * Apparantly HPUX has a buggy PAM that doesn't support the + * appdata_ptr. Fail if this is the case. JRA. + */ + + if (udp == NULL) { + DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n")); + return PAM_CONV_ERR; + } + reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) return PAM_CONV_ERR; @@ -170,6 +180,18 @@ static int smb_pam_passchange_conv(int num_msg, char *p = lp_passwd_chat(); struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; + *resp = NULL; + + /* + * Apparantly HPUX has a buggy PAM that doesn't support the + * appdata_ptr. Fail if this is the case. JRA. + */ + + if (udp == NULL) { + DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n")); + return PAM_CONV_ERR; + } + /* Get the prompts... */ if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring))) @@ -179,8 +201,6 @@ static int smb_pam_passchange_conv(int num_msg, if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; - *resp = NULL; - reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) return PAM_CONV_ERR; -- cgit From aac630b382fefff2e3ead291d2d838832a180925 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 2 May 2001 23:32:09 +0000 Subject: Had to add a "pam password change" parameter (defaults to "off") and inlined the pam password change code to ensure that existing and working password chat scripts don't break with 2.2.1. PAM password changing has to be explicitly requested. Allowed wildcards in pam password change matching (matches password chat script matching). Had to add const (sorry Tim :-) to ms_fnmatch() to stop warnings. Don't worry - the const changes are isolated and don't cause any other warnings :-). Jeremy. (This used to be commit 47b4d82536c09bffe3a0d9917fa31d935f1be7d8) --- source3/auth/pampass.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 8f62d35317..2d7bdcdf6a 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -113,6 +113,9 @@ static int smb_pam_conv(int num_msg, *resp = NULL; + if (num_msg <= 0) + return PAM_CONV_ERR; + /* * Apparantly HPUX has a buggy PAM that doesn't support the * appdata_ptr. Fail if this is the case. JRA. @@ -174,7 +177,6 @@ static int smb_pam_passchange_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; - fstring currentpw_prompt; fstring newpw_prompt; fstring repeatpw_prompt; char *p = lp_passwd_chat(); @@ -182,6 +184,9 @@ static int smb_pam_passchange_conv(int num_msg, *resp = NULL; + if (num_msg <= 0) + return PAM_CONV_ERR; + /* * Apparantly HPUX has a buggy PAM that doesn't support the * appdata_ptr. Fail if this is the case. JRA. @@ -192,10 +197,8 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } - /* Get the prompts... */ + /* Get the prompts. We're running as root so we only get 2 prompts. */ - if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) @@ -217,16 +220,14 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); - if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_password); - } else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) { + if (ms_fnmatch( newpw_prompt, msg[replies]->msg) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) { + } else if (ms_fnmatch(repeatpw_prompt, msg[replies]->msg) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); } else { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); - DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \ -RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt)); + DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n NewPW: \"%s\"\n \ +RepeatPW: \"%s\"\n",newpw_prompt,repeatpw_prompt)); free(reply); reply = NULL; return PAM_CONV_ERR; -- cgit From 5db15a0d682cb04047f28a076b0c8c6d95144c38 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 9 May 2001 21:14:41 +0000 Subject: Fixed up the oldpw prompts. Made the matching case insensitive. Jeremy. (This used to be commit 70bdf8e76135e96fabcedeffbfd5892a564985e0) --- source3/auth/pampass.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 2d7bdcdf6a..e27e15f24f 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -177,8 +177,10 @@ static int smb_pam_passchange_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; + fstring oldpw_prompt; fstring newpw_prompt; fstring repeatpw_prompt; + fstring prompt_ret; char *p = lp_passwd_chat(); struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; @@ -197,12 +199,17 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } - /* Get the prompts. We're running as root so we only get 2 prompts. */ + /* Get the prompts. */ + if (!next_token(&p, oldpw_prompt, NULL, sizeof(fstring))) + return PAM_CONV_ERR; + strlower(oldpw_prompt); if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; + strlower(newpw_prompt); if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) return PAM_CONV_ERR; + strlower(repeatpw_prompt); reply = malloc(sizeof(struct pam_response) * num_msg); if (!reply) @@ -219,15 +226,27 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: reply[replies].resp_retcode = PAM_SUCCESS; + if (!msg[replies]->msg) { + free(reply); + reply = NULL; + return PAM_CONV_ERR; + } + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); - if (ms_fnmatch( newpw_prompt, msg[replies]->msg) == 0) { + + fstrcpy(prompt_ret, msg[replies]->msg); + strlower(prompt_ret); + + if (ms_fnmatch( oldpw_prompt, prompt_ret) == 0) { + reply[replies].resp = COPY_STRING(udp->PAM_password); + } else if (ms_fnmatch( newpw_prompt, prompt_ret) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else if (ms_fnmatch(repeatpw_prompt, msg[replies]->msg) == 0) { + } else if (ms_fnmatch(repeatpw_prompt, prompt_ret) == 0) { reply[replies].resp = COPY_STRING(udp->PAM_newpassword); } else { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); - DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n NewPW: \"%s\"\n \ -RepeatPW: \"%s\"\n",newpw_prompt,repeatpw_prompt)); + DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n OldPW: \"%s\"\nNewPW: \"%s\"\n \ +RepeatPW: \"%s\"\n",oldpw_prompt, newpw_prompt,repeatpw_prompt)); free(reply); reply = NULL; return PAM_CONV_ERR; -- cgit From b0be9cd7683ae2b8d53aac3d98f1cb5a7d77f3f3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 25 Jun 2001 20:44:04 +0000 Subject: Added Andrew's pam password change stuff. Needs some testing but looks good ! Jeremy. (This used to be commit e94957d548745649ce04423dc6f16bbe3dd4f869) --- source3/auth/pampass.c | 184 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 140 insertions(+), 44 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index e27e15f24f..53d2a062fd 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -71,6 +71,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); + return False; } return True; @@ -130,6 +131,8 @@ static int smb_pam_conv(int num_msg, if (!reply) return PAM_CONV_ERR; + memset(reply, '\0', sizeof(struct pam_response) * num_msg); + for (replies = 0; replies < num_msg; replies++) { switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: @@ -170,6 +173,82 @@ static int smb_pam_conv(int num_msg, * echo off means password. */ +static void special_char_sub(char *buf) +{ + all_string_sub(buf, "\\n", "", 0); + all_string_sub(buf, "\\r", "", 0); + all_string_sub(buf, "\\s", " ", 0); + all_string_sub(buf, "\\t", "\t", 0); +} + +static void pwd_sub(char *buf, char *username, char *oldpass, char *newpass) +{ + pstring_sub(buf, "%u", username); + all_string_sub(buf, "%o", oldpass, sizeof(fstring)); + all_string_sub(buf, "%n", newpass, sizeof(fstring)); +} + + +struct chat_struct { + struct chat_struct *next, *prev; + fstring prompt; + fstring reply; +}; + +/************************************************************** + Create a linked list containing chat data. +***************************************************************/ + +static struct chat_struct *make_pw_chat(char *p) +{ + fstring prompt; + fstring reply; + struct chat_struct *list = NULL; + struct chat_struct *t; + struct chat_struct *tmp; + + while (1) { + t = (struct chat_struct *)malloc(sizeof(*t)); + if (!t) { + DEBUG(0,("make_pw_chat: malloc failed!\n")); + return NULL; + } + + ZERO_STRUCTP(t); + + DLIST_ADD_END(list, t, tmp); + + if (!next_token(&p, prompt, NULL, sizeof(fstring))) + break; + + if (strequal(prompt,".")) + fstrcpy(prompt,"*"); + + special_char_sub(prompt); + fstrcpy(t->prompt, prompt); + + if (!next_token(&p, reply, NULL, sizeof(fstring))) + break; + + if (strequal(reply,".")) + fstrcpy(reply,""); + + special_char_sub(reply); + fstrcpy(t->reply, reply); + + } + return list; +} + +static void free_pw_chat(struct chat_struct *list) +{ + while (list) { + struct chat_struct *old_head = list; + DLIST_REMOVE(list, list); + free(old_head); + } +} + static int smb_pam_passchange_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, @@ -177,18 +256,22 @@ static int smb_pam_passchange_conv(int num_msg, { int replies = 0; struct pam_response *reply = NULL; - fstring oldpw_prompt; - fstring newpw_prompt; - fstring repeatpw_prompt; - fstring prompt_ret; - char *p = lp_passwd_chat(); + fstring current_prompt; + fstring current_reply; struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; - + struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat()); + struct chat_struct *t; + BOOL found; *resp = NULL; + + DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg)); if (num_msg <= 0) return PAM_CONV_ERR; + if (pw_chat == NULL) + return PAM_CONV_ERR; + /* * Apparantly HPUX has a buggy PAM that doesn't support the * appdata_ptr. Fail if this is the case. JRA. @@ -196,62 +279,73 @@ static int smb_pam_passchange_conv(int num_msg, if (udp == NULL) { DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n")); + free_pw_chat(pw_chat); return PAM_CONV_ERR; } - /* Get the prompts. */ - - if (!next_token(&p, oldpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; - strlower(oldpw_prompt); - if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; - strlower(newpw_prompt); - if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring))) - return PAM_CONV_ERR; - strlower(repeatpw_prompt); - reply = malloc(sizeof(struct pam_response) * num_msg); - if (!reply) + if (!reply) { + DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n")); + free_pw_chat(pw_chat); return PAM_CONV_ERR; + } for (replies = 0; replies < num_msg; replies++) { + found = False; + DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies)); switch (msg[replies]->msg_style) { case PAM_PROMPT_ECHO_ON: - DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: Replied: %s\n", msg[replies]->msg)); - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(udp->PAM_username); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); + fstrcpy(current_prompt, msg[replies]->msg); + strlower(current_prompt); + for (t=pw_chat; t; t=t->next) { + if (ms_fnmatch(t->prompt, current_prompt) == 0) { + fstrcpy(current_reply, t->reply); + pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(current_reply); + found = True; + break; + } + } /* PAM frees resp */ - break; - - case PAM_PROMPT_ECHO_OFF: - reply[replies].resp_retcode = PAM_SUCCESS; - if (!msg[replies]->msg) { + if (!found) { + DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); + free_pw_chat(pw_chat); free(reply); reply = NULL; return PAM_CONV_ERR; } + break; - DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg)); - - fstrcpy(prompt_ret, msg[replies]->msg); - strlower(prompt_ret); - - if (ms_fnmatch( oldpw_prompt, prompt_ret) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_password); - } else if (ms_fnmatch( newpw_prompt, prompt_ret) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else if (ms_fnmatch(repeatpw_prompt, prompt_ret) == 0) { - reply[replies].resp = COPY_STRING(udp->PAM_newpassword); - } else { + case PAM_PROMPT_ECHO_OFF: + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); + fstrcpy(current_prompt, msg[replies]->msg); + strlower(current_prompt); + for (t=pw_chat; t; t=t->next) { + if (ms_fnmatch(t->prompt, current_prompt) == 0) { + fstrcpy(current_reply, t->reply); + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); + pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(current_reply); +#ifdef DEBUG_PASSWORD + DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply)); +#endif + found = True; + break; + } + } + /* PAM frees resp */ + + if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); - DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n OldPW: \"%s\"\nNewPW: \"%s\"\n \ -RepeatPW: \"%s\"\n",oldpw_prompt, newpw_prompt,repeatpw_prompt)); + free_pw_chat(pw_chat); free(reply); reply = NULL; return PAM_CONV_ERR; } - /* PAM frees resp */ break; case PAM_TEXT_INFO: @@ -262,15 +356,17 @@ RepeatPW: \"%s\"\n",oldpw_prompt, newpw_prompt,repeatpw_prompt)); reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = NULL; break; - + default: /* Must be an error of some sort... */ + free_pw_chat(pw_chat); free(reply); reply = NULL; return PAM_CONV_ERR; } } - + + free_pw_chat(pw_chat); if (reply) *resp = reply; return PAM_SUCCESS; -- cgit From 429b3c3cc5ea810d03716a1efd81140c772c15ee Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 6 Jul 2001 22:54:49 +0000 Subject: Password changing via PAM works now. DONT CHANGE THIS UNLESS YOU RE-TEST !!!!!! Jeremy. (This used to be commit 79574c07ed5de7194a17c9ee8d189370d8e42bcc) --- source3/auth/pampass.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 53d2a062fd..fc8e4af47d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -226,7 +226,9 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(prompt); fstrcpy(t->prompt, prompt); - + strlower(t->prompt); + trim_string(t->prompt, " ", " "); + if (!next_token(&p, reply, NULL, sizeof(fstring))) break; @@ -235,6 +237,8 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(reply); fstrcpy(t->reply, reply); + strlower(t->reply); + trim_string(t->reply, " ", " "); } return list; @@ -298,11 +302,19 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); strlower(current_prompt); + trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { + + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", + t->prompt, current_prompt )); + if (ms_fnmatch(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); - pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); + pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); +#ifdef DEBUG_PASSWORD + DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply)); +#endif reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = COPY_STRING(current_reply); found = True; @@ -323,7 +335,12 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); strlower(current_prompt); + trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { + + DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", + t->prompt, current_prompt )); + if (ms_fnmatch(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); -- cgit From 5b8d230e39cedda6117cf8528065cbab45bdd835 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 8 Jul 2001 14:10:30 +0000 Subject: This removes unused paramaters from various authtication functions, and should not change behaviour. This should make my later diffs smaller, where I actualy start cleaning up this mess... Andrew Bartlett (This used to be commit 04f090c224bb7ac3b53c430a591fce1fc939a81c) --- source3/auth/pass_check.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 9424189b23..677d298449 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -682,7 +682,7 @@ match is found and is used to update the encrypted password file return True on correct match, False otherwise ****************************************************************************/ -BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, +BOOL pass_check(char *user, char *password, int pwlen, BOOL (*fn) (char *, char *)) { pstring pass2; @@ -702,12 +702,7 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return (False); - if (pwd && !user) { - pass = (struct passwd *)pwd; - user = pass->pw_name; - } else { - pass = Get_Pwnam(user, True); - } + pass = Get_Pwnam(user, True); #ifdef WITH_PAM -- cgit From a9ab7eaa5d023f0f6c2421f504f81988fd41467b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Jul 2001 22:06:05 +0000 Subject: Fix case insensitive password change code. Fixed crash bug with un-zeroed talloced memory. Jeremy. (This used to be commit eea1c30df246e081e672d7132345d0fd35ad9841) --- source3/auth/pampass.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index fc8e4af47d..418c618af2 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -301,14 +301,13 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_ON: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - strlower(current_prompt); trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (ms_fnmatch(t->prompt, current_prompt) == 0) { + if (wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); @@ -334,14 +333,13 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - strlower(current_prompt); trim_string(current_prompt, " ", " "); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (ms_fnmatch(t->prompt, current_prompt) == 0) { + if (wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); -- cgit From 986372901e85a79343ba32f590a4a3e7658d2565 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Aug 2001 13:09:23 +0000 Subject: This is my 'Authentication Rewrite' version 1.01, mostly as submitted to samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42) --- source3/auth/auth.c | 275 ++++++++++++++++++++++++++++++ source3/auth/auth_domain.c | 417 +++++++++++++++++++++++++++++++++++++++++++++ source3/auth/auth_rhosts.c | 165 ++++++++++++++++++ source3/auth/auth_sam.c | 229 +++++++++++++++++++++++++ source3/auth/auth_server.c | 244 ++++++++++++++++++++++++++ source3/auth/auth_util.c | 141 +++++++++++++++ 6 files changed, 1471 insertions(+) create mode 100644 source3/auth/auth.c create mode 100644 source3/auth/auth_domain.c create mode 100644 source3/auth/auth_rhosts.c create mode 100644 source3/auth/auth_sam.c create mode 100644 source3/auth/auth_server.c create mode 100644 source3/auth/auth_util.c (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c new file mode 100644 index 0000000000..851e1f53cf --- /dev/null +++ b/source3/auth/auth.c @@ -0,0 +1,275 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern pstring global_myname; + + +/**************************************************************************** +update the encrypted smbpasswd file from the plaintext username and password + +this ugly hack needs to die, but not quite yet... +*****************************************************************************/ +static BOOL update_smbpassword_file(char *user, char *password) +{ + SAM_ACCOUNT *sampass = NULL; + BOOL ret; + + pdb_init_sam(&sampass); + + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if(ret == False) { + DEBUG(0,("pdb_getsampwnam returned NULL\n")); + pdb_free_sam(sampass); + return False; + } + + /* + * Remove the account disabled flag - we are updating the + * users password from a login. + */ + pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); + + /* Here, the flag is one, because we want to ignore the + XXXXXXX'd out password */ + ret = change_oem_password( sampass, password, True); + if (ret == False) { + DEBUG(3,("change_oem_password returned False\n")); + } + + pdb_free_sam(sampass); + return ret; +} + +/**************************************************************************** + Check user is in correct domain if required +****************************************************************************/ + +static BOOL check_domain_match(char *user, char *domain) +{ + /* + * If we aren't serving to trusted domains, we must make sure that + * the validation request comes from an account in the same domain + * as the Samba server + */ + + if (!lp_allow_trusted_domains() && + !strequal(lp_workgroup(), domain) ) { + DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); + return False; + } else { + return True; + } +} + + +uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); + if (check_hosts_equiv(user_info->smb_username.str)) { + nt_status = NT_STATUS_NOPROBLEMO; + } + + if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { + return NT_STATUS_LOGON_FAILURE; + } + + if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) { + nt_status = check_domain_security(user_info, server_info); + } + + if ((lp_security() == SEC_SERVER) && (nt_status != NT_STATUS_NOPROBLEMO)) { + nt_status = check_server_security(user_info, server_info); + } + + if (lp_security() >= SEC_SERVER) { + smb_user_control(user_info->smb_username.str, nt_status); + } + + if ((nt_status != NT_STATUS_NOPROBLEMO) + && (user_info->plaintext_password.len > 0) + && (!lp_plaintext_to_smbpasswd())) { + return (pass_check(user_info->smb_username.str, + user_info->plaintext_password.str, + user_info->plaintext_password.len, + lp_update_encrypted() ? + update_smbpassword_file : NULL) + ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); + } + + if (nt_status != NT_STATUS_NOPROBLEMO) { + nt_status = check_smbpasswd_security(user_info, server_info); + } + + if (nt_status == NT_STATUS_NOPROBLEMO) { + nt_status = smb_pam_accountcheck(user_info->smb_username.str); + } + + if (nt_status == NT_STATUS_NOPROBLEMO) { + DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); + } else { + DEBUG(3, ("check_password: Password for user %s FAILED with error %d\n", user_info->smb_username.str, nt_status)); + } + return nt_status; + +} + +/**************************************************************************** + COMPATABILITY INTERFACES: + ***************************************************************************/ + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) +{ + + auth_usersupplied_info user_info; + auth_serversupplied_info server_info; + AUTH_STR ourdomain, theirdomain, smb_username, wksta_name; + + ZERO_STRUCT(user_info); + ZERO_STRUCT(ourdomain); + ZERO_STRUCT(theirdomain); + ZERO_STRUCT(smb_username); + ZERO_STRUCT(wksta_name); + + ourdomain.str = lp_workgroup(); + ourdomain.len = strlen(ourdomain.str); + + theirdomain.str = domain; + theirdomain.len = strlen(theirdomain.str); + + user_info.requested_domain = theirdomain; + user_info.domain = ourdomain; + + smb_username.str = user; + smb_username.len = strlen(smb_username.str); + + user_info.requested_username = smb_username; /* For the time-being */ + user_info.smb_username = smb_username; + + user_info.wksta_name.str = client_name(); + user_info.wksta_name.len = strlen(client_name()); + + user_info.wksta_name = wksta_name; + + memcpy(user_info.chal, chal, 8); + + if (lm_pwd_len >= 24 || (lp_encrypted_passwords() && (lm_pwd_len == 0) && lp_null_passwords())) { + /* if 24 bytes long assume it is an encrypted password */ + + user_info.lm_resp.buffer = (uint8 *)lm_pwd; + user_info.lm_resp.len = lm_pwd_len; + user_info.nt_resp.buffer = (uint8 *)nt_pwd; + user_info.nt_resp.len = nt_pwd_len; + + } else { + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + if (lm_pwd_len > 0) { + SMBencrypt( (uchar *)lm_pwd, user_info.chal, local_lm_response); + user_info.lm_resp.buffer = (uint8 *)local_lm_response; + user_info.lm_resp.len = 24; + + /* This encrypts the lm_pwd feild, which actualy contains the password + rather than the nt_pwd field becouse that contains nothing */ + SMBNTencrypt((uchar *)lm_pwd, user_info.chal, local_nt_response); + user_info.nt_resp.buffer = (uint8 *)local_nt_response; + user_info.nt_resp.len = 24; + } + + user_info.plaintext_password.str = lm_pwd; + user_info.plaintext_password.len = lm_pwd_len; + + } + + return check_password(&user_info, &server_info); +} + +uint32 pass_check_smb(char *user, char *domain, + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) +{ + uchar chal[8]; + + if (!last_challenge(chal)) { + generate_random_buffer( chal, 8, False); + } + + return pass_check_smb_with_chal(user, domain, chal, + lm_pwd, lm_pwd_len, + nt_pwd, nt_pwd_len); + +} + +/**************************************************************************** +check if a username/password pair is OK either via the system password +database or the encrypted SMB password database +return True if the password is correct, False otherwise +****************************************************************************/ +BOOL password_ok(char *user, char *password, int pwlen) +{ + + /* + * This hack must die! But until I rewrite the rest of samba + * it must stay - abartlet 2001-08-03 + */ + + if ((pwlen == 0) && !lp_null_passwords()) { + DEBUG(4,("Null passwords not allowed.\n")); + return False; + } + + if (pass_check_smb(user, lp_workgroup(), NULL, 0, password, pwlen) == NT_STATUS_NOPROBLEMO) { + return True; + } + + if (pass_check_smb(user, lp_workgroup(), password, pwlen, NULL, 0) == NT_STATUS_NOPROBLEMO) { + return True; + } + + return False; +} + diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c new file mode 100644 index 0000000000..4bf0a05d7f --- /dev/null +++ b/source3/auth/auth_domain.c @@ -0,0 +1,417 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authenticate against a remote domain + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; +extern struct in_addr ipzero; + +BOOL global_machine_password_needs_changing = False; + +extern pstring global_myname; + +/*********************************************************************** + Connect to a remote machine for domain security authentication + given a name or IP address. + ***********************************************************************/ + +static BOOL connect_to_domain_password_server(struct cli_state *pcli, + char *server, unsigned char *trust_passwd) +{ + struct in_addr dest_ip; + fstring remote_machine; + + if(cli_initialise(pcli) == NULL) { + DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); + return False; + } + + if (is_ipaddress(server)) { + struct in_addr to_ip; + + /* we shouldn't have 255.255.255.255 forthe IP address of + a password server anyways */ + if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { + DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); + return False; + } + + if (!name_status_find(0x20, to_ip, remote_machine)) { + DEBUG(0, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return False; + } + } else { + fstrcpy(remote_machine, server); + } + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_connect(pcli, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ +session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + return False; + } + + pcli->protocol = PROTOCOL_NT1; + + if (!cli_negprot(pcli)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (pcli->protocol != PROTOCOL_NT1) { + DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!(pcli->sec_mode & 1)) { + DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + /* + * We now have an anonymous connection to IPC$ on the domain password server. + */ + + /* + * Even if the connect succeeds we need to setup the netlogon + * pipe here. We do this as we may just have changed the domain + * account password on the PDC and yet we may be talking to + * a BDC that doesn't have this replicated yet. In this case + * a successful connect to a DC needs to take the netlogon connect + * into account also. This patch from "Bjart Kvarme" . + */ + + if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return False; + } + + if (cli_nt_setup_creds(pcli, trust_passwd) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return(False); + } + + return True; +} + +/*********************************************************************** + Utility function to attempt a connection to an IP address of a DC. +************************************************************************/ + +static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, + unsigned char *trust_passwd) +{ + fstring dc_name; + + /* + * Ignore addresses we have already tried. + */ + + if (ip_equal(ipzero, *ip)) + return False; + + if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + return False; + + return connect_to_domain_password_server(pcli, dc_name, trust_passwd); +} + +/*********************************************************************** + We have been asked to dynamcially determine the IP addresses of + the PDC and BDC's for this DOMAIN, and query them in turn. +************************************************************************/ +static BOOL find_connect_pdc(struct cli_state *pcli, + unsigned char *trust_passwd, + time_t last_change_time) +{ + struct in_addr *ip_list = NULL; + int count = 0; + int i; + BOOL connected_ok = False; + time_t time_now = time(NULL); + BOOL use_pdc_only = False; + + /* + * If the time the machine password has changed + * was less than an hour ago then we need to contact + * the PDC only, as we cannot be sure domain replication + * has yet taken place. Bug found by Gerald (way to go + * Gerald !). JRA. + */ + + if (time_now - last_change_time < 3600) + use_pdc_only = True; + + if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + return False; + + /* + * Firstly try and contact a PDC/BDC who has the same + * network address as any of our interfaces. + */ + for(i = 0; i < count; i++) { + if(!is_local_net(ip_list[i])) + continue; + + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Secondly try and contact a random PDC/BDC. + */ + if(!connected_ok) { + i = (sys_random() % count); + + if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Finally go through the IP list in turn, ignoring any addresses + * we have already tried. + */ + if(!connected_ok) { + /* + * Try and connect to any of the other IP addresses in the PDC/BDC list. + * Note that from a WINS server the #1 IP address is the PDC. + */ + for(i = 0; i < count; i++) { + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + } + } + + if(ip_list != NULL) + free((char *)ip_list); + + + return connected_ok; +} + +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. +************************************************************************/ + +uint32 domain_client_validate(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info, + char *server) +{ + unsigned char trust_passwd[16]; + fstring remote_machine; + char *p, *pserver; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + BOOL connected_ok = False; + time_t last_change_time; + uint32 nt_status; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal(user_info->domain.str, global_myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Get the machine account password for our primary domain + */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + { + DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + return NT_STATUS_LOGON_FAILURE; + } + + /* Test if machine password is expired and need to be changed */ + if (time(NULL) > last_change_time + lp_machine_password_timeout()) + { + global_machine_password_needs_changing = True; + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + ZERO_STRUCT(cli); + + /* + * Treat each name in the 'password server =' line as a potential + * PDC/BDC. Contact each in turn and try and authenticate. + */ + + if (server) { + p = server; + } else { + pserver = lp_passwordserver(); + if (! *pserver) pserver = "*"; + p = pserver; + } + + while (!connected_ok && + next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { + if(strequal(remote_machine, "*")) { + connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + } else { + connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + } + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return NT_STATUS_LOGON_FAILURE; + } + + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, + user_info->lm_resp.buffer, user_info->lm_resp.len, + user_info->nt_resp.buffer, user_info->lm_resp.len, + &ctr, &info3); + + cli_error(&cli, NULL, NULL, &nt_status); + if (nt_status != NT_STATUS_NOPROBLEMO) { + DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); + } + + /* + * Here, if we really want it, we have lots of info about the user in info3. + */ + +#if 0 + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ + + if (nt_status == NT_STATUS_NOPROBLMO) { + if(cli_nt_logoff(&cli, &ctr) == False) { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); + nt_status = NT_STATUS_LOGON_FAILURE; + } + } +#endif /* 0 */ + + /* Note - once the cli stream is shutdown the mem_ctx used + to allocate the other_sids and gids structures has been deleted - so + these pointers are no longer valid..... */ + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return nt_status; +} + +/**************************************************************************** + Check for a valid username and password in security=domain mode. +****************************************************************************/ + +uint32 check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) +{ + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + if(lp_security() != SEC_DOMAIN) + return NT_STATUS_LOGON_FAILURE; + + nt_status = domain_client_validate(user_info, server_info, NULL); + + return nt_status; +} + + + diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c new file mode 100644 index 0000000000..c1bee6247c --- /dev/null +++ b/source3/auth/auth_rhosts.c @@ -0,0 +1,165 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Main SMB reply routines + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + + +/**************************************************************************** + Read the a hosts.equiv or .rhosts file and check if it + allows this user from this machine. +****************************************************************************/ + +static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) +{ + int plus_allowed = 1; + char *file_host; + char *file_user; + char **lines = file_lines_load(equiv_file, NULL); + int i; + + DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); + if (! lines) return False; + for (i=0; lines[i]; i++) { + char *buf = lines[i]; + trim_string(buf," "," "); + + if (buf[0] != '#' && buf[0] != '\n') + { + BOOL is_group = False; + int plus = 1; + char *bp = buf; + if (strcmp(buf, "NO_PLUS\n") == 0) + { + DEBUG(6, ("check_user_equiv NO_PLUS\n")); + plus_allowed = 0; + } + else { + if (buf[0] == '+') + { + bp++; + if (*bp == '\n' && plus_allowed) + { + /* a bare plus means everbody allowed */ + DEBUG(6, ("check_user_equiv everybody allowed\n")); + file_lines_free(lines); + return True; + } + } + else if (buf[0] == '-') + { + bp++; + plus = 0; + } + if (*bp == '@') + { + is_group = True; + bp++; + } + file_host = strtok(bp, " \t\n"); + file_user = strtok(NULL, " \t\n"); + DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", + file_user ? file_user : "(null)" )); + if (file_host && *file_host) + { + BOOL host_ok = False; + +#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) + if (is_group) + { + static char *mydomain = NULL; + if (!mydomain) + yp_get_default_domain(&mydomain); + if (mydomain && innetgr(file_host,remote,user,mydomain)) + host_ok = True; + } +#else + if (is_group) + { + DEBUG(1,("Netgroups not configured\n")); + continue; + } +#endif + + /* is it this host */ + /* the fact that remote has come from a call of gethostbyaddr + * means that it may have the fully qualified domain name + * so we could look up the file version to get it into + * a canonical form, but I would rather just type it + * in full in the equiv file + */ + if (!host_ok && !is_group && strequal(remote, file_host)) + host_ok = True; + + if (!host_ok) + continue; + + /* is it this user */ + if (file_user == 0 || strequal(user, file_user)) + { + DEBUG(5, ("check_user_equiv matched %s%s %s\n", + (plus ? "+" : "-"), file_host, + (file_user ? file_user : ""))); + file_lines_free(lines); + return (plus ? True : False); + } + } + } + } + } + file_lines_free(lines); + return False; +} + + +/**************************************************************************** +check for a possible hosts equiv or rhosts entry for the user +****************************************************************************/ +BOOL check_hosts_equiv(char *user) +{ + char *fname = NULL; + pstring rhostsfile; + struct passwd *pass = Get_Pwnam(user,True); + + if (!pass) + return(False); + + fname = lp_hosts_equiv(); + + /* note: don't allow hosts.equiv on root */ + if (fname && *fname && (pass->pw_uid != 0)) { + if (check_user_equiv(user,client_name(),fname)) + return(True); + } + + if (lp_use_rhosts()) + { + char *home = get_user_home_dir(user); + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + if (check_user_equiv(user,client_name(),rhostsfile)) + return(True); + } + } + + return(False); +} diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c new file mode 100644 index 0000000000..ce0b03d942 --- /dev/null +++ b/source3/auth/auth_sam.c @@ -0,0 +1,229 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv1(const uchar *password, + const uchar *part_passwd, + const uchar *c8, + uchar user_sess_key[16]) +{ + /* Finish the encryption of part_passwd. */ + uchar p24[24]; + + if (part_passwd == NULL) { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always false ! */ + return False; + } + + SMBOWFencrypt(part_passwd, c8, p24); + if (user_sess_key != NULL) + { + SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); + } + + + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, 24); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, p24, 24); +#endif + return (memcmp(p24, password, 24) == 0); +} + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, + uchar *part_passwd, + uchar const *c8, + const char *user, const char *domain, + char *user_sess_key) +{ + /* Finish the encryption of part_passwd. */ + uchar kr[16]; + uchar resp[16]; + + if (part_passwd == NULL) + { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always False */ + return False; + } + + ntv2_owf_gen(part_passwd, user, domain, kr); + SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp); + if (user_sess_key != NULL) + { + SMBsesskeygen_ntv2(kr, resp, user_sess_key); + } + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, pwd_len); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, resp, 16); +#endif + + return (memcmp(resp, password, 16) == 0); +} + + +/**************************************************************************** + Do a specific test for an smb password being correct, given a smb_password and + the lanman and NT responses. +****************************************************************************/ +uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + uint8 *nt_pw, *lm_pw; + + /* Quit if the account was disabled. */ + if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { + DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str)); + return(NT_STATUS_ACCOUNT_DISABLED); + } + + if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) + { + if (lp_null_passwords()) + { + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str)); + return(NT_STATUS_NOPROBLEMO); + } + else + { + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user_info->smb_username.str)); + return(NT_STATUS_LOGON_FAILURE); + } + } + + if (!user_info || !sampass) + return(NT_STATUS_LOGON_FAILURE); + + DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_info->smb_username.str)); + + nt_pw = pdb_get_nt_passwd(sampass); + + if (nt_pw != NULL) { + if ((user_info->nt_resp.len > 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, + user_info->nt_resp.len, + nt_pw, + user_info->chal, user_info->requested_username.str, + user_info->requested_domain.str, + server_info->session_key)) + { + return NT_STATUS_NOPROBLEMO; + } + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + + } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, + nt_pw, user_info->chal, + server_info->session_key)) { + DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); + return NT_STATUS_NOPROBLEMO; + } else { + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + } + + lm_pw = pdb_get_lanman_passwd(sampass); + + if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) { + DEBUG(4,("smb_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, + lm_pw, user_info->chal, + server_info->session_key)) { + DEBUG(4,("smb_password_ok: LM password check succeeded\n")); + return NT_STATUS_NOPROBLEMO; + } else { + DEBUG(4,("smb_password_ok: LM password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + + return NT_STATUS_LOGON_FAILURE; +} + + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + SAM_ACCOUNT *sampass=NULL; + BOOL ret; + uint32 nt_status; + + pdb_init_sam(&sampass); + + /* get the account information */ + ret = pdb_getsampwnam(sampass, user_info->smb_username.str); + if (ret == False) + { + DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); + pdb_free_sam(sampass); + return(NT_STATUS_NO_SUCH_USER); + } + + if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO) + { + pdb_free_sam(sampass); + return(nt_status); + } + + pdb_free_sam(sampass); + return nt_status; +} + + diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c new file mode 100644 index 0000000000..dc1d924b3c --- /dev/null +++ b/source3/auth/auth_server.c @@ -0,0 +1,244 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authenticate to a remote server + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern pstring global_myname; + +/**************************************************************************** + Return the client state structure. +****************************************************************************/ + +struct cli_state *server_client(void) +{ + static struct cli_state pw_cli; + return &pw_cli; +} + +/**************************************************************************** + Support for server level security. +****************************************************************************/ + +struct cli_state *server_cryptkey(void) +{ + struct cli_state *cli; + fstring desthost; + struct in_addr dest_ip; + char *p, *pserver; + BOOL connected_ok = False; + + cli = server_client(); + + if (!cli_initialise(cli)) + return NULL; + + pserver = strdup(lp_passwordserver()); + p = pserver; + + while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { + standard_sub_basic(desthost); + strupper(desthost); + + if(!resolve_name( desthost, &dest_ip, 0x20)) { + DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); + continue; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); + continue; + } + + if (cli_connect(cli, desthost, &dest_ip)) { + DEBUG(3,("connected to password server %s\n",desthost)); + connected_ok = True; + break; + } + } + + free(pserver); + + if (!connected_ok) { + DEBUG(0,("password server not available\n")); + cli_shutdown(cli); + return NULL; + } + + if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) + return NULL; + + DEBUG(3,("got session\n")); + + if (!cli_negprot(cli)) { + DEBUG(1,("%s rejected the negprot\n",desthost)); + cli_shutdown(cli); + return NULL; + } + + if (cli->protocol < PROTOCOL_LANMAN2 || + !(cli->sec_mode & 1)) { + DEBUG(1,("%s isn't in user level security mode\n",desthost)); + cli_shutdown(cli); + return NULL; + } + + DEBUG(3,("password server OK\n")); + + return cli; +} + + +/**************************************************************************** + Validate a password with the password server. +****************************************************************************/ + +static uint32 server_validate(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + struct cli_state *cli; + static unsigned char badpass[24]; + static fstring baduser; + static BOOL tested_password_server = False; + static BOOL bad_password_server = False; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + cli = server_client(); + + if (!cli->initialised) { + DEBUG(1,("password server %s is not connected\n", cli->desthost)); + return(NT_STATUS_LOGON_FAILURE); + } + + if(badpass[0] == 0) + memset(badpass, 0x1f, sizeof(badpass)); + + if((user_info->nt_resp.len == sizeof(badpass)) && + !memcmp(badpass, user_info->nt_resp.buffer, sizeof(badpass))) { + /* + * Very unlikely, our random bad password is the same as the users + * password. + */ + memset(badpass, badpass[0]+1, sizeof(badpass)); + } + + if(baduser[0] == 0) { + fstrcpy(baduser, INVALID_USER_PREFIX); + fstrcat(baduser, global_myname); + } + + /* + * Attempt a session setup with a totally incorrect password. + * If this succeeds with the guest bit *NOT* set then the password + * server is broken and is not correctly setting the guest bit. We + * need to detect this as some versions of NT4.x are broken. JRA. + */ + + /* I sure as hell hope that there arn't servers out there that take + * NTLMv2 and have this bug, as we don't test for that... + * - abartlet@samba.org + */ + + if(!tested_password_server) { + if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), + (char *)badpass, sizeof(badpass), user_info->domain.str)) { + + /* + * We connected to the password server so we + * can say we've tested it. + */ + tested_password_server = True; + + if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { + DEBUG(0,("server_validate: password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + cli_ulogoff(cli); + + /* + * Password server has the bug. + */ + bad_password_server = True; + return NT_STATUS_LOGON_FAILURE; + } + cli_ulogoff(cli); + } + } else { + + /* + * We have already tested the password server. + * Fail immediately if it has the bug. + */ + + if(bad_password_server) { + DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + return NT_STATUS_LOGON_FAILURE; + } + } + + /* + * Now we know the password server will correctly set the guest bit, or is + * not guest enabled, we can try with the real password. + */ + + if (!cli_session_setup(cli, user_info->smb_username.str, + user_info->lm_resp.buffer, + user_info->lm_resp.len, + user_info->nt_resp.buffer, + user_info->nt_resp.len, + user_info->domain.str)) { + DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + nt_status = NT_STATUS_LOGON_FAILURE; + } else { + nt_status = NT_STATUS_NOPROBLEMO; + } + + /* if logged in as guest then reject */ + if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { + DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); + nt_status = NT_STATUS_LOGON_FAILURE; + } + + cli_ulogoff(cli); + + return(nt_status); +} + +/**************************************************************************** + Check for a valid username and password in security=server mode. +****************************************************************************/ + +uint32 check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + + if(lp_security() != SEC_SERVER) + return NT_STATUS_LOGON_FAILURE; + + return server_validate(user_info, server_info); + +} + + diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c new file mode 100644 index 0000000000..1c12a4322d --- /dev/null +++ b/source3/auth/auth_util.c @@ -0,0 +1,141 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authentication utility functions + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ +#include "includes.h" + +extern int DEBUGLEVEL; + +/* Data to do lanman1/2 password challenge. */ +static unsigned char saved_challenge[8]; +static BOOL challenge_sent=False; + +/******************************************************************* +Get the next challenge value - no repeats. +********************************************************************/ +void generate_next_challenge(char *challenge) +{ + unsigned char buf[8]; + + generate_random_buffer(buf,8,False); + memcpy(saved_challenge, buf, 8); + memcpy(challenge,buf,8); + challenge_sent = True; +} + +/******************************************************************* +set the last challenge sent, usually from a password server +********************************************************************/ +BOOL set_challenge(unsigned char *challenge) +{ + memcpy(saved_challenge,challenge,8); + challenge_sent = True; + return(True); +} + +/******************************************************************* +get the last challenge sent +********************************************************************/ +BOOL last_challenge(unsigned char *challenge) +{ + if (!challenge_sent) return(False); + memcpy(challenge,saved_challenge,8); + return(True); +} + + +/**************************************************************************** + Create a UNIX user on demand. +****************************************************************************/ + +static int smb_create_user(char *unix_user, char *homedir) +{ + pstring add_script; + int ret; + + pstrcpy(add_script, lp_adduser_script()); + if (! *add_script) return -1; + all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); + if (homedir) + all_string_sub(add_script, "%H", homedir, sizeof(pstring)); + ret = smbrun(add_script,NULL); + DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + return ret; +} + +/**************************************************************************** + Delete a UNIX user on demand. +****************************************************************************/ + +static int smb_delete_user(char *unix_user) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_deluser_script()); + if (! *del_script) return -1; + all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} + +/**************************************************************************** + Add and Delete UNIX users on demand, based on NT_STATUS codes. +****************************************************************************/ + +void smb_user_control(char *unix_user, uint32 nt_status) +{ + struct passwd *pwd=NULL; + + if(nt_status == NT_STATUS_NOPROBLEMO) { + /* + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. + */ + if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) + smb_create_user(unix_user, NULL); + + if(lp_adduser_script() && pwd) { + SMB_STRUCT_STAT st; + + /* + * Also call smb_create_user if the users home directory + * doesn't exist. Used with winbindd to allow the script to + * create the home directory for a user mapped with winbindd. + */ + + if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) + smb_create_user(unix_user, pwd->pw_dir); + } + + } else if (nt_status == NT_STATUS_NO_SUCH_USER) { + /* + * User failed to validate ok against Domain controller. + * If the failure was "user doesn't exist" and admin + * wants us to try and delete that UNIX user on the fly, + * do so. + */ + if(lp_deluser_script() && smb_getpwnam(unix_user,True)) + smb_delete_user(unix_user); + } + +} -- cgit From 384b522c9235ab538c23b64bdf9b3d57e4b15b53 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Aug 2001 13:24:38 +0000 Subject: This is the fix for the PAM bug I probably introduced in the previous commit, which I will confirm once I can find a box it would break on in the first place. (this is the pam accounts as nobody thing we had with 2.2.0) Andrew Bartlett (This used to be commit 9746ad12bd2d310e5c255c7ea491b87170b807af) --- source3/auth/auth.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 851e1f53cf..4bfbfe65fe 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -131,7 +131,10 @@ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversuppli } if (nt_status == NT_STATUS_NOPROBLEMO) { + /* We might not be root if we are an RPC call */ + become_root(); nt_status = smb_pam_accountcheck(user_info->smb_username.str); + unbecome_root(); } if (nt_status == NT_STATUS_NOPROBLEMO) { -- cgit From ac989cbe0777beb4def038ab0b552a64a0f1ba0c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 6 Aug 2001 09:35:08 +0000 Subject: Record the NT_STATUS constant rather than its number in the logfiles Fix typo in lmhosts manpage (This used to be commit 9fff946cf113b4858b730f5ba644d5648ba95027) --- source3/auth/auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4bfbfe65fe..b679312cc4 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -140,7 +140,8 @@ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversuppli if (nt_status == NT_STATUS_NOPROBLEMO) { DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); } else { - DEBUG(3, ("check_password: Password for user %s FAILED with error %d\n", user_info->smb_username.str, nt_status)); + DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status))); + } return nt_status; -- cgit From f8d3cac8af0185eca2995e524c62f064ab9b4017 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 9 Aug 2001 15:53:49 +0000 Subject: a few cleanups while mergeing the passdb code into 2.2 (This used to be commit ef01739708479c43f529c646dd136ee5670b08f9) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index b679312cc4..94008e4d00 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -45,7 +45,7 @@ static BOOL update_smbpassword_file(char *user, char *password) unbecome_root(); if(ret == False) { - DEBUG(0,("pdb_getsampwnam returned NULL\n")); + DEBUG(0,("update_smbpassword_file: pdb_getsampwnam failed to locate %s\n", user)); pdb_free_sam(sampass); return False; } -- cgit From 62f7f6a022dea6fd4fbe514dcb3154bda334a07f Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 10 Aug 2001 06:01:11 +0000 Subject: Use the new client error api. (This used to be commit 688da3c41dd944f7f69083518d25e9edbc55406f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 4bf0a05d7f..e94ea13edc 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -360,7 +360,7 @@ uint32 domain_client_validate(const auth_usersupplied_info *user_info, user_info->nt_resp.buffer, user_info->lm_resp.len, &ctr, &info3); - cli_error(&cli, NULL, NULL, &nt_status); + nt_status = cli_nt_error(&cli); if (nt_status != NT_STATUS_NOPROBLEMO) { DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ %s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); -- cgit From 6ad80352dd2523c310258de3211a2af0f1763d2a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 12 Aug 2001 11:19:57 +0000 Subject: This patch does a number of things, mostly smaller than they look :-) In particuar, it moves the domain_client_validate stuff out of auth_domain.c to somwhere where they (I hope) they can be shared with winbind better. (This may need some work) The main purpose of this patch was however to improve some of the internal documentation and to correctly place become_root()/unbecome_root() calls within the code. Finally this patch moves some more of auth.c into other files, auth_unix.c in this case. Andrew Bartlett (This used to be commit ea1c547ac880def29f150de2172c95213509350e) --- source3/auth/auth.c | 83 +++------- source3/auth/auth_domain.c | 374 +++------------------------------------------ source3/auth/auth_rhosts.c | 21 +++ source3/auth/auth_sam.c | 10 +- source3/auth/auth_unix.c | 85 +++++++++++ 5 files changed, 153 insertions(+), 420 deletions(-) create mode 100644 source3/auth/auth_unix.c (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 94008e4d00..bbcf34e8ca 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -27,46 +27,6 @@ extern int DEBUGLEVEL; extern pstring global_myname; - -/**************************************************************************** -update the encrypted smbpasswd file from the plaintext username and password - -this ugly hack needs to die, but not quite yet... -*****************************************************************************/ -static BOOL update_smbpassword_file(char *user, char *password) -{ - SAM_ACCOUNT *sampass = NULL; - BOOL ret; - - pdb_init_sam(&sampass); - - become_root(); - ret = pdb_getsampwnam(sampass, user); - unbecome_root(); - - if(ret == False) { - DEBUG(0,("update_smbpassword_file: pdb_getsampwnam failed to locate %s\n", user)); - pdb_free_sam(sampass); - return False; - } - - /* - * Remove the account disabled flag - we are updating the - * users password from a login. - */ - pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); - - /* Here, the flag is one, because we want to ignore the - XXXXXXX'd out password */ - ret = change_oem_password( sampass, password, True); - if (ret == False) { - DEBUG(3,("change_oem_password returned False\n")); - } - - pdb_free_sam(sampass); - return ret; -} - /**************************************************************************** Check user is in correct domain if required ****************************************************************************/ @@ -88,21 +48,29 @@ static BOOL check_domain_match(char *user, char *domain) } } +/**************************************************************************** + Check a users password, as given in the user-info struct and return various + interesting details in the server_info struct. + + This functions does NOT need to be in a become_root()/unbecome_root() pair + as it makes the calls itself when needed. +****************************************************************************/ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { uint32 nt_status = NT_STATUS_LOGON_FAILURE; - + BOOL done_pam = False; + DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); - if (check_hosts_equiv(user_info->smb_username.str)) { - nt_status = NT_STATUS_NOPROBLEMO; - } - if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { return NT_STATUS_LOGON_FAILURE; } + if (nt_status != NT_STATUS_NOPROBLEMO) { + nt_status = check_rhosts_security(user_info, server_info); + } + if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) { nt_status = check_domain_security(user_info, server_info); } @@ -115,28 +83,23 @@ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversuppli smb_user_control(user_info->smb_username.str, nt_status); } - if ((nt_status != NT_STATUS_NOPROBLEMO) - && (user_info->plaintext_password.len > 0) - && (!lp_plaintext_to_smbpasswd())) { - return (pass_check(user_info->smb_username.str, - user_info->plaintext_password.str, - user_info->plaintext_password.len, - lp_update_encrypted() ? - update_smbpassword_file : NULL) - ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); - } - if (nt_status != NT_STATUS_NOPROBLEMO) { - nt_status = check_smbpasswd_security(user_info, server_info); + if ((user_info->plaintext_password.len > 0) + && (!lp_plaintext_to_smbpasswd())) { + nt_status = check_unix_security(user_info, server_info); + done_pam = True; + } else { + nt_status = check_smbpasswd_security(user_info, server_info); + } } - - if (nt_status == NT_STATUS_NOPROBLEMO) { + + if ((nt_status == NT_STATUS_NOPROBLEMO) && !done_pam) { /* We might not be root if we are an RPC call */ become_root(); nt_status = smb_pam_accountcheck(user_info->smb_username.str); unbecome_root(); } - + if (nt_status == NT_STATUS_NOPROBLEMO) { DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); } else { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e94ea13edc..a2e3c7a9b5 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -23,392 +23,56 @@ #include "includes.h" extern int DEBUGLEVEL; -extern struct in_addr ipzero; BOOL global_machine_password_needs_changing = False; -extern pstring global_myname; - -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. - ***********************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) -{ - struct in_addr dest_ip; - fstring remote_machine; - - if(cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; - } - - if (!name_status_find(0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return False; - } - } else { - fstrcpy(remote_machine, server); - } - - standard_sub_basic(remote_machine); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; - } - - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - /* - * We now have an anonymous connection to IPC$ on the domain password server. - */ - - /* - * Even if the connect succeeds we need to setup the netlogon - * pipe here. We do this as we may just have changed the domain - * account password on the PDC and yet we may be talking to - * a BDC that doesn't have this replicated yet. In this case - * a successful connect to a DC needs to take the netlogon connect - * into account also. This patch from "Bjart Kvarme" . - */ - - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; - } - - if (cli_nt_setup_creds(pcli, trust_passwd) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); - } - - return True; -} - -/*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, - unsigned char *trust_passwd) -{ - fstring dc_name; - - /* - * Ignore addresses we have already tried. - */ - - if (ip_equal(ipzero, *ip)) - return False; - - if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; - - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); -} - -/*********************************************************************** - We have been asked to dynamcially determine the IP addresses of - the PDC and BDC's for this DOMAIN, and query them in turn. -************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, - unsigned char *trust_passwd, - time_t last_change_time) -{ - struct in_addr *ip_list = NULL; - int count = 0; - int i; - BOOL connected_ok = False; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; - - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) - continue; - - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!connected_ok) { - i = (sys_random() % count); - - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!connected_ok) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - } - } - - if(ip_list != NULL) - free((char *)ip_list); - - - return connected_ok; -} - -/*********************************************************************** - Do the same as security=server, but using NT Domain calls and a session - key from the machine password. If the server parameter is specified - use it, otherwise figure out a server from the 'password server' param. -************************************************************************/ +/**************************************************************************** + Check for a valid username and password in security=domain mode. +****************************************************************************/ -uint32 domain_client_validate(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info, - char *server) +uint32 check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) { - unsigned char trust_passwd[16]; - fstring remote_machine; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; + unsigned char trust_passwd[16]; time_t last_change_time; - uint32 nt_status; - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - if(strequal(user_info->domain.str, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + if(lp_security() != SEC_DOMAIN) return NT_STATUS_LOGON_FAILURE; - } + + become_root(); /* * Get the machine account password for our primary domain */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) { DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + unbecome_root(); return NT_STATUS_LOGON_FAILURE; } + unbecome_root(); + /* Test if machine password is expired and need to be changed */ if (time(NULL) > last_change_time + lp_machine_password_timeout()) { global_machine_password_needs_changing = True; } - /* - * At this point, smb_apasswd points to the lanman response to - * the challenge in local_challenge, and smb_ntpasswd points to - * the NT response to the challenge in local_challenge. Ship - * these over the secure channel to a domain controller and - * see if they were valid. - */ - - ZERO_STRUCT(cli); - /* * Treat each name in the 'password server =' line as a potential * PDC/BDC. Contact each in turn and try and authenticate. */ - if (server) { - p = server; - } else { - pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; - p = pserver; - } - - while (!connected_ok && - next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); - } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); - } - } - - if (!connected_ok) { - DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return NT_STATUS_LOGON_FAILURE; - } - - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - - ZERO_STRUCT(info3); - - cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, - user_info->lm_resp.buffer, user_info->lm_resp.len, - user_info->nt_resp.buffer, user_info->lm_resp.len, - &ctr, &info3); - - nt_status = cli_nt_error(&cli); - if (nt_status != NT_STATUS_NOPROBLEMO) { - DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); - } - - /* - * Here, if we really want it, we have lots of info about the user in info3. - */ - -#if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ - - if (nt_status == NT_STATUS_NOPROBLMO) { - if(cli_nt_logoff(&cli, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - nt_status = NT_STATUS_LOGON_FAILURE; - } - } -#endif /* 0 */ - - /* Note - once the cli stream is shutdown the mem_ctx used - to allocate the other_sids and gids structures has been deleted - so - these pointers are no longer valid..... */ - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return nt_status; -} - -/**************************************************************************** - Check for a valid username and password in security=domain mode. -****************************************************************************/ - -uint32 check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) -{ - uint32 nt_status = NT_STATUS_LOGON_FAILURE; - - if(lp_security() != SEC_DOMAIN) - return NT_STATUS_LOGON_FAILURE; + pserver = lp_passwordserver(); + if (! *pserver) pserver = "*"; + p = pserver; - nt_status = domain_client_validate(user_info, server_info, NULL); + nt_status = domain_client_validate(user_info, server_info, + p, trust_passwd, last_change_time); return nt_status; } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index c1bee6247c..f11f9cf777 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -163,3 +163,24 @@ BOOL check_hosts_equiv(char *user) return(False); } + +/**************************************************************************** + Check for a valid .rhosts/hosts.equiv entry for this user +****************************************************************************/ + +uint32 check_rhosts_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) +{ + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + become_root(); + if (check_hosts_equiv(user_info->smb_username.str)) { + nt_status = NT_STATUS_NOPROBLEMO; + } + unbecome_root(); + + return nt_status; +} + + + diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index ce0b03d942..927a262dc6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -208,7 +208,11 @@ uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_se pdb_init_sam(&sampass); /* get the account information */ + + become_root(); ret = pdb_getsampwnam(sampass, user_info->smb_username.str); + unbecome_root(); + if (ret == False) { DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); @@ -216,11 +220,7 @@ uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_se return(NT_STATUS_NO_SUCH_USER); } - if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO) - { - pdb_free_sam(sampass); - return(nt_status); - } + nt_status = smb_password_ok(sampass, user_info, server_info); pdb_free_sam(sampass); return nt_status; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c new file mode 100644 index 0000000000..89e670747f --- /dev/null +++ b/source3/auth/auth_unix.c @@ -0,0 +1,85 @@ +/* + Unix SMB/Netbios implementation. + Version 2.2 + Password and authentication handling + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/**************************************************************************** +update the encrypted smbpasswd file from the plaintext username and password + +this ugly hack needs to die, but not quite yet... +*****************************************************************************/ +static BOOL update_smbpassword_file(char *user, char *password) +{ + SAM_ACCOUNT *sampass = NULL; + BOOL ret; + + pdb_init_sam(&sampass); + + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if(ret == False) { + DEBUG(0,("pdb_getsampwnam returned NULL\n")); + pdb_free_sam(sampass); + return False; + } + + /* + * Remove the account disabled flag - we are updating the + * users password from a login. + */ + pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); + + /* Here, the flag is one, because we want to ignore the + XXXXXXX'd out password */ + ret = change_oem_password( sampass, password, True); + if (ret == False) { + DEBUG(3,("change_oem_password returned False\n")); + } + + pdb_free_sam(sampass); + return ret; +} + + +/**************************************************************************** +check if a username/password is OK assuming the password +in PLAIN TEXT +****************************************************************************/ + +uint32 check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + uint32 nt_status; + + become_root(); + nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str, + user_info->plaintext_password.len, + lp_update_encrypted() ? update_smbpassword_file : NULL) + ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); + unbecome_root(); + + return nt_status; +} + + -- cgit From a0171765ff080ea0510f8c4475348e6b33044b9b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Aug 2001 06:06:56 +0000 Subject: Style cleanup for the last vuid change. Style, doco and DEBUG() fixes for auth_smbpasswd.c (In particular for the account control call). Andrew Bartlett (This used to be commit 3d91c119420973d7dd1af416a1e26efa113dc626) --- source3/auth/auth_sam.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 927a262dc6..27cb801c33 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -112,14 +112,17 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { uint8 *nt_pw, *lm_pw; + uint16 acct_ctrl; + acct_ctrl = pdb_get_acct_ctrl(sampass); + /* Quit if the account was disabled. */ - if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { + if(acct_ctrl & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str)); return(NT_STATUS_ACCOUNT_DISABLED); } - if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) + if (acct_ctrl & ACB_PWNOTREQ) { if (lp_null_passwords()) { @@ -155,7 +158,7 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ { return NT_STATUS_NOPROBLEMO; } - DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) { /* We have the NT MD4 hash challenge available - see if we can @@ -195,8 +198,8 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ /**************************************************************************** check if a username/password is OK assuming the password is a 24 byte -SMB hash -return True if the password is correct, False otherwise +SMB hash supplied in the user_info structure +return an NT_STATUS constant. ****************************************************************************/ uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) -- cgit From 578a39d44f532a211169a7635043e2dfc18b3c65 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Aug 2001 07:03:27 +0000 Subject: smbd/auth_server: Doco, we want to use cli_nt_error here soon smbd/password.c: We don't use globals here anymore smbd/reply.c: Tidyness, global_myworkgroup must die! smbd/service.c: Move some of the make_connection code into a helper function. (This used to be commit 15c87e404fcaff9e360a40b8b673938c6e611daf) --- source3/auth/auth_server.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index dc1d924b3c..1960fc1cfb 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -211,6 +211,7 @@ use this machine as the password server.\n")); user_info->nt_resp.len, user_info->domain.str)) { DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + /* Make this cli_nt_error() when the conversion is in */ nt_status = NT_STATUS_LOGON_FAILURE; } else { nt_status = NT_STATUS_NOPROBLEMO; -- cgit From f9ce2028104fcb1694bc3e8f8d4b7ac3ec8c972e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 20 Aug 2001 21:11:55 +0000 Subject: two fixes for NT clients -> share level Samba server (This used to be commit a25911d58c752350b62b205cfb0d6fc5b1c90cef) --- source3/auth/auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index bbcf34e8ca..cb0d54bf9b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -157,7 +157,8 @@ uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], memcpy(user_info.chal, chal, 8); - if (lm_pwd_len >= 24 || (lp_encrypted_passwords() && (lm_pwd_len == 0) && lp_null_passwords())) { + if ((lm_pwd_len >= 24 || nt_pwd_len >= 24) || + (lp_encrypted_passwords() && (lm_pwd_len == 0) && lp_null_passwords())) { /* if 24 bytes long assume it is an encrypted password */ user_info.lm_resp.buffer = (uint8 *)lm_pwd; -- cgit From 68525e9021832a74608f2dc3e0247317e713e384 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 20 Aug 2001 22:01:44 +0000 Subject: Add comment to clarify why we call this twice. (This used to be commit afece03d023b2905c27e147516b61487a7503028) --- source3/auth/auth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index cb0d54bf9b..d33bc225e6 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -230,6 +230,8 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } + /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as + required. */ if (pass_check_smb(user, lp_workgroup(), NULL, 0, password, pwlen) == NT_STATUS_NOPROBLEMO) { return True; } -- cgit From 252742f2b021e8d7a06c8c86e099e616511f9996 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Aug 2001 02:58:07 +0000 Subject: Add a new option to disable our paranoid server check. Defaults to ON, ie checking (This used to be commit bd3010263be24425206587abfdb41164089e2157) --- source3/auth/auth_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 1960fc1cfb..0711b056bd 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -158,7 +158,7 @@ static uint32 server_validate(const auth_usersupplied_info *user_info, auth_serv * - abartlet@samba.org */ - if(!tested_password_server) { + if ((!tested_password_server) && (lp_paranoid_server_security())) { if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), (char *)badpass, sizeof(badpass), user_info->domain.str)) { -- cgit From 2f6486b55f05947205c380e071b16cd40af4d057 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 23 Aug 2001 18:13:56 +0000 Subject: Fix up some unused variables and functions, fix up formatting (This used to be commit bfce4ba7b6db261d981a60a7e262f2f690355f5c) --- source3/auth/auth_util.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1c12a4322d..4a0f45f843 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -137,5 +137,4 @@ void smb_user_control(char *unix_user, uint32 nt_status) if(lp_deluser_script() && smb_getpwnam(unix_user,True)) smb_delete_user(unix_user); } - } -- cgit From bb94537ab5858fecb34f047c9e5c0e6fe4fd8ae9 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 24 Aug 2001 18:55:56 +0000 Subject: Fixed incorrect debug. (This used to be commit cec051cf5fb93d9f45eca3f9cf462f78a7d7040d) --- source3/auth/auth_domain.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a2e3c7a9b5..d9d7b6fd40 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -49,7 +49,7 @@ uint32 check_domain_security(const auth_usersupplied_info *user_info, if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) { - DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); unbecome_root(); return NT_STATUS_LOGON_FAILURE; } @@ -76,6 +76,3 @@ uint32 check_domain_security(const auth_usersupplied_info *user_info, return nt_status; } - - - -- cgit From 717533483b41ef975953f58e0c6be04828a3d467 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 24 Aug 2001 20:32:01 +0000 Subject: get rid of compiler warnings (This used to be commit 0768991d04ea03e774ca8662c9cae5e1951b88e0) --- source3/auth/auth.c | 6 +++--- source3/auth/auth_sam.c | 6 +++--- source3/auth/auth_server.c | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d33bc225e6..8ea867fe8c 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -188,7 +188,7 @@ uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], user_info.nt_resp.len = 24; } - user_info.plaintext_password.str = lm_pwd; + user_info.plaintext_password.str = (char *)lm_pwd; user_info.plaintext_password.len = lm_pwd_len; } @@ -232,11 +232,11 @@ BOOL password_ok(char *user, char *password, int pwlen) /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */ - if (pass_check_smb(user, lp_workgroup(), NULL, 0, password, pwlen) == NT_STATUS_NOPROBLEMO) { + if (pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen) == NT_STATUS_NOPROBLEMO) { return True; } - if (pass_check_smb(user, lp_workgroup(), password, pwlen, NULL, 0) == NT_STATUS_NOPROBLEMO) { + if (pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0) == NT_STATUS_NOPROBLEMO) { return True; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 27cb801c33..1a5d02e4a4 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -45,7 +45,7 @@ static BOOL smb_pwd_check_ntlmv1(const uchar *password, SMBOWFencrypt(part_passwd, c8, p24); if (user_sess_key != NULL) { - SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); + SMBsesskeygen_ntv1(part_passwd, NULL, (char *)user_sess_key); } @@ -84,7 +84,7 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, } ntv2_owf_gen(part_passwd, user, domain, kr); - SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp); + SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, (char *)resp); if (user_sess_key != NULL) { SMBsesskeygen_ntv2(kr, resp, user_sess_key); @@ -154,7 +154,7 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ nt_pw, user_info->chal, user_info->requested_username.str, user_info->requested_domain.str, - server_info->session_key)) + (char *)server_info->session_key)) { return NT_STATUS_NOPROBLEMO; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 0711b056bd..ad66f0c4ac 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -205,9 +205,9 @@ use this machine as the password server.\n")); */ if (!cli_session_setup(cli, user_info->smb_username.str, - user_info->lm_resp.buffer, + (char *)user_info->lm_resp.buffer, user_info->lm_resp.len, - user_info->nt_resp.buffer, + (char *)user_info->nt_resp.buffer, user_info->nt_resp.len, user_info->domain.str)) { DEBUG(1,("password server %s rejected the password\n", cli->desthost)); -- cgit From ee5f7237decfe446f4fdb08422beb2e6cb43af7f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 27 Aug 2001 17:52:23 +0000 Subject: started converting NTSTATUS to be a structure on systems with gcc in order to make it type incompatible with BOOL so we catch errors sooner. This has already found a number of bugs (This used to be commit 1b778bc7d22efff3f90dc450eb12baa1241cf68f) --- source3/auth/auth.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 8ea867fe8c..ec493b7c06 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -56,10 +56,11 @@ static BOOL check_domain_match(char *user, char *domain) as it makes the calls itself when needed. ****************************************************************************/ -uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_password(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) { - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); @@ -120,9 +121,9 @@ SMB hash return True if the password is correct, False otherwise ****************************************************************************/ -uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], - uchar *lm_pwd, int lm_pwd_len, - uchar *nt_pwd, int nt_pwd_len) +NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) { auth_usersupplied_info user_info; @@ -196,9 +197,9 @@ uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], return check_password(&user_info, &server_info); } -uint32 pass_check_smb(char *user, char *domain, - uchar *lm_pwd, int lm_pwd_len, - uchar *nt_pwd, int nt_pwd_len) +NTSTATUS pass_check_smb(char *user, char *domain, + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) { uchar chal[8]; -- cgit From b031af348c7dcc8c74bf49945211c466b8eca079 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 27 Aug 2001 19:46:22 +0000 Subject: converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e) --- source3/auth/auth.c | 16 ++++++++-------- source3/auth/auth_rhosts.c | 2 +- source3/auth/auth_sam.c | 8 ++++---- source3/auth/auth_server.c | 2 +- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 2 +- source3/auth/pampass.c | 20 ++++++++++---------- source3/auth/pass_check.c | 2 +- 8 files changed, 27 insertions(+), 27 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index ec493b7c06..d6bc8aeadc 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -68,15 +68,15 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, return NT_STATUS_LOGON_FAILURE; } - if (nt_status != NT_STATUS_NOPROBLEMO) { + if (nt_status != NT_STATUS_OK) { nt_status = check_rhosts_security(user_info, server_info); } - if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) { + if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_OK)) { nt_status = check_domain_security(user_info, server_info); } - if ((lp_security() == SEC_SERVER) && (nt_status != NT_STATUS_NOPROBLEMO)) { + if ((lp_security() == SEC_SERVER) && (nt_status != NT_STATUS_OK)) { nt_status = check_server_security(user_info, server_info); } @@ -84,7 +84,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, smb_user_control(user_info->smb_username.str, nt_status); } - if (nt_status != NT_STATUS_NOPROBLEMO) { + if (nt_status != NT_STATUS_OK) { if ((user_info->plaintext_password.len > 0) && (!lp_plaintext_to_smbpasswd())) { nt_status = check_unix_security(user_info, server_info); @@ -94,14 +94,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } } - if ((nt_status == NT_STATUS_NOPROBLEMO) && !done_pam) { + if ((nt_status == NT_STATUS_OK) && !done_pam) { /* We might not be root if we are an RPC call */ become_root(); nt_status = smb_pam_accountcheck(user_info->smb_username.str); unbecome_root(); } - if (nt_status == NT_STATUS_NOPROBLEMO) { + if (nt_status == NT_STATUS_OK) { DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); } else { DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status))); @@ -233,11 +233,11 @@ BOOL password_ok(char *user, char *password, int pwlen) /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */ - if (pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen) == NT_STATUS_NOPROBLEMO) { + if (pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen) == NT_STATUS_OK) { return True; } - if (pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0) == NT_STATUS_NOPROBLEMO) { + if (pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0) == NT_STATUS_OK) { return True; } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index f11f9cf777..a4914f2ef1 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -175,7 +175,7 @@ uint32 check_rhosts_security(const auth_usersupplied_info *user_info, become_root(); if (check_hosts_equiv(user_info->smb_username.str)) { - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; } unbecome_root(); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 1a5d02e4a4..5484758167 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -127,7 +127,7 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ if (lp_null_passwords()) { DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str)); - return(NT_STATUS_NOPROBLEMO); + return(NT_STATUS_OK); } else { @@ -156,7 +156,7 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ user_info->requested_domain.str, (char *)server_info->session_key)) { - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); @@ -169,7 +169,7 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ nt_pw, user_info->chal, server_info->session_key)) { DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } else { DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); return NT_STATUS_WRONG_PASSWORD; @@ -185,7 +185,7 @@ uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_ lm_pw, user_info->chal, server_info->session_key)) { DEBUG(4,("smb_password_ok: LM password check succeeded\n")); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } else { DEBUG(4,("smb_password_ok: LM password check failed\n")); return NT_STATUS_WRONG_PASSWORD; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index ad66f0c4ac..9636094fa3 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -214,7 +214,7 @@ use this machine as the password server.\n")); /* Make this cli_nt_error() when the conversion is in */ nt_status = NT_STATUS_LOGON_FAILURE; } else { - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; } /* if logged in as guest then reject */ diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 89e670747f..fda44fd91c 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -76,7 +76,7 @@ uint32 check_unix_security(const auth_usersupplied_info *user_info, auth_servers nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str, user_info->plaintext_password.len, lp_update_encrypted() ? update_smbpassword_file : NULL) - ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); + ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE); unbecome_root(); return nt_status; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4a0f45f843..5ccf963889 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -105,7 +105,7 @@ void smb_user_control(char *unix_user, uint32 nt_status) { struct passwd *pwd=NULL; - if(nt_status == NT_STATUS_NOPROBLEMO) { + if(nt_status == NT_STATUS_OK) { /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 418c618af2..359ed02b29 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -88,7 +88,7 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; - if (*nt_status == NT_STATUS_NOPROBLEMO) { + if (*nt_status == NT_STATUS_OK) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE")); @@ -533,7 +533,7 @@ static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); @@ -578,7 +578,7 @@ static uint32 smb_pam_account(pam_handle_t *pamh, char * user) break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; break; default: nt_status = NT_STATUS_ACCOUNT_DISABLED; @@ -625,7 +625,7 @@ static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user) break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); - nt_status = NT_STATUS_NOPROBLEMO; + nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); @@ -787,7 +787,7 @@ uint32 smb_pam_accountcheck(char * user) /* Ignore PAM if told to. */ if (!lp_obey_pam_restrictions()) - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) return False; @@ -795,7 +795,7 @@ uint32 smb_pam_accountcheck(char * user) if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_ACCOUNT_DISABLED; - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user)); smb_pam_end(pamh, pconv); @@ -824,19 +824,19 @@ uint32 smb_pam_passcheck(char * user, char * password) if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_LOGON_FAILURE; - if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) { + if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_OK) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_NOPROBLEMO) { + if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_NOPROBLEMO) { + if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_OK) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; @@ -876,7 +876,7 @@ BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) /* If PAM not used, no PAM restrictions on accounts. */ uint32 smb_pam_accountcheck(char * user) { - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /* If PAM not used, also no PAM restrictions on sessions. */ diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 677d298449..b6cc403b86 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -599,7 +599,7 @@ static BOOL password_check(char *password) { #ifdef WITH_PAM - return (smb_pam_passcheck(this_user, password) == NT_STATUS_NOPROBLEMO); + return (smb_pam_passcheck(this_user, password) == NT_STATUS_OK); #endif /* WITH_PAM */ #ifdef WITH_AFS -- cgit From 8debe5b629cb85c88d3ad62e2c6d2831db14f0d8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 30 Aug 2001 19:16:56 +0000 Subject: Fix from Paul Green to set correct lengths. Jeremy. (This used to be commit 52b9b6d519c38b2a3e524d098a09fb996e8a2047) --- source3/auth/pass_check.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index b6cc403b86..f8c0da89a6 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -27,9 +27,9 @@ extern int DEBUGLEVEL; /* these are kept here to keep the string_combinations function simple */ -static char this_user[100] = ""; -static char this_salt[100] = ""; -static char this_crypted[100] = ""; +static fstring this_user[100] = ""; +static fstring this_salt[100] = ""; +static fstring this_crypted[100] = ""; #ifdef WITH_AFS -- cgit From 58ed70f37865d81d98d2fca87139465dc21e5bb1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 30 Aug 2001 20:09:49 +0000 Subject: Fixed silly typo. Jeremy. (This used to be commit 6ee2b41429e43f6a9a58eba3cb01b952be3d5ca5) --- source3/auth/pass_check.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index f8c0da89a6..bd712b3563 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -27,9 +27,9 @@ extern int DEBUGLEVEL; /* these are kept here to keep the string_combinations function simple */ -static fstring this_user[100] = ""; -static fstring this_salt[100] = ""; -static fstring this_crypted[100] = ""; +static fstring this_user; +static fstring this_salt; +static fstring this_crypted; #ifdef WITH_AFS -- cgit From 19fea3242cf6234786b6cbb60631e0071f31ff9f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Sep 2001 07:13:01 +0000 Subject: the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66) --- source3/auth/auth.c | 16 ++++++++-------- source3/auth/auth_domain.c | 6 +++--- source3/auth/auth_rhosts.c | 4 ++-- source3/auth/auth_sam.c | 8 ++++---- source3/auth/auth_server.c | 7 +++---- source3/auth/auth_unix.c | 4 ++-- source3/auth/auth_util.c | 6 +++--- source3/auth/pampass.c | 35 ++++++++++++++++++----------------- source3/auth/pass_check.c | 2 +- 9 files changed, 44 insertions(+), 44 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d6bc8aeadc..b707c38c62 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -68,15 +68,15 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, return NT_STATUS_LOGON_FAILURE; } - if (nt_status != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); } - if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_OK)) { + if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); } - if ((lp_security() == SEC_SERVER) && (nt_status != NT_STATUS_OK)) { + if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); } @@ -84,7 +84,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, smb_user_control(user_info->smb_username.str, nt_status); } - if (nt_status != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status)) { if ((user_info->plaintext_password.len > 0) && (!lp_plaintext_to_smbpasswd())) { nt_status = check_unix_security(user_info, server_info); @@ -94,14 +94,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } } - if ((nt_status == NT_STATUS_OK) && !done_pam) { + if (NT_STATUS_IS_OK(nt_status) && !done_pam) { /* We might not be root if we are an RPC call */ become_root(); nt_status = smb_pam_accountcheck(user_info->smb_username.str); unbecome_root(); } - if (nt_status == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(nt_status)) { DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); } else { DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status))); @@ -233,11 +233,11 @@ BOOL password_ok(char *user, char *password, int pwlen) /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */ - if (pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen) == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) { return True; } - if (pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0) == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) { return True; } diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d9d7b6fd40..111f0f143c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -30,10 +30,10 @@ BOOL global_machine_password_needs_changing = False; Check for a valid username and password in security=domain mode. ****************************************************************************/ -uint32 check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) +NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) { - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; unsigned char trust_passwd[16]; time_t last_change_time; diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index a4914f2ef1..ffb9212264 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -168,10 +168,10 @@ BOOL check_hosts_equiv(char *user) Check for a valid .rhosts/hosts.equiv entry for this user ****************************************************************************/ -uint32 check_rhosts_security(const auth_usersupplied_info *user_info, +NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; become_root(); if (check_hosts_equiv(user_info->smb_username.str)) { diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 5484758167..33b0623643 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -109,7 +109,7 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { uint8 *nt_pw, *lm_pw; uint16 acct_ctrl; @@ -202,11 +202,11 @@ SMB hash supplied in the user_info structure return an NT_STATUS constant. ****************************************************************************/ -uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { SAM_ACCOUNT *sampass=NULL; BOOL ret; - uint32 nt_status; + NTSTATUS nt_status; pdb_init_sam(&sampass); @@ -220,7 +220,7 @@ uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_se { DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); pdb_free_sam(sampass); - return(NT_STATUS_NO_SUCH_USER); + return NT_STATUS_NO_SUCH_USER; } nt_status = smb_password_ok(sampass, user_info, server_info); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 9636094fa3..b279152f74 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -113,14 +113,14 @@ struct cli_state *server_cryptkey(void) Validate a password with the password server. ****************************************************************************/ -static uint32 server_validate(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +static NTSTATUS server_validate(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { struct cli_state *cli; static unsigned char badpass[24]; static fstring baduser; static BOOL tested_password_server = False; static BOOL bad_password_server = False; - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; cli = server_client(); @@ -232,14 +232,13 @@ use this machine as the password server.\n")); Check for a valid username and password in security=server mode. ****************************************************************************/ -uint32 check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { if(lp_security() != SEC_SERVER) return NT_STATUS_LOGON_FAILURE; return server_validate(user_info, server_info); - } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index fda44fd91c..1708320961 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -68,9 +68,9 @@ check if a username/password is OK assuming the password in PLAIN TEXT ****************************************************************************/ -uint32 check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { - uint32 nt_status; + NTSTATUS nt_status; become_root(); nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5ccf963889..28f58eb8ae 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -101,11 +101,11 @@ static int smb_delete_user(char *unix_user) Add and Delete UNIX users on demand, based on NT_STATUS codes. ****************************************************************************/ -void smb_user_control(char *unix_user, uint32 nt_status) +void smb_user_control(char *unix_user, NTSTATUS nt_status) { struct passwd *pwd=NULL; - if(nt_status == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(nt_status)) { /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX @@ -127,7 +127,7 @@ void smb_user_control(char *unix_user, uint32 nt_status) smb_create_user(unix_user, pwd->pw_dir); } - } else if (nt_status == NT_STATUS_NO_SUCH_USER) { + } else if (NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_NO_SUCH_USER)) { /* * User failed to validate ok against Domain controller. * If the failure was "user doesn't exist" and admin diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 359ed02b29..46b38ab1c0 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -83,12 +83,13 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, *********************************************************************/ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, - char *msg, int dbglvl, uint32 *nt_status) + char *msg, int dbglvl, + NTSTATUS *nt_status) { if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; - if (*nt_status == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE")); @@ -494,10 +495,10 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct p /* * PAM Authentication Handler */ -static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) +static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) { int pam_error; - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; /* * To enable debugging set in /etc/pam.d/samba: @@ -548,10 +549,10 @@ static uint32 smb_pam_auth(pam_handle_t *pamh, char *user) /* * PAM Account Handler */ -static uint32 smb_pam_account(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_account(pam_handle_t *pamh, char * user) { int pam_error; - uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; + NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ @@ -594,10 +595,10 @@ static uint32 smb_pam_account(pam_handle_t *pamh, char * user) * PAM Credential Setting */ -static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) { int pam_error; - uint32 nt_status = NT_STATUS_NO_TOKEN; + NTSTATUS nt_status = NT_STATUS_NO_TOKEN; /* * This will allow samba to aquire a kerberos token. And, when @@ -778,9 +779,9 @@ BOOL smb_pam_close_session(char *user, char *tty, char *rhost) * PAM Externally accessible Account handler */ -uint32 smb_pam_accountcheck(char * user) +NTSTATUS smb_pam_accountcheck(char * user) { - uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED; + NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; struct pam_conv *pconv = NULL; @@ -790,12 +791,12 @@ uint32 smb_pam_accountcheck(char * user) return NT_STATUS_OK; if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL) - return False; + return NT_STATUS_NO_MEMORY; if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_ACCOUNT_DISABLED; - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) + if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user)); smb_pam_end(pamh, pconv); @@ -806,10 +807,10 @@ uint32 smb_pam_accountcheck(char * user) * PAM Password Validation Suite */ -uint32 smb_pam_passcheck(char * user, char * password) +NTSTATUS smb_pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; - uint32 nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; struct pam_conv *pconv = NULL; /* @@ -824,19 +825,19 @@ uint32 smb_pam_passcheck(char * user, char * password) if (!smb_pam_start(&pamh, user, NULL, pconv)) return NT_STATUS_LOGON_FAILURE; - if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_account(pamh, user)) != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; } - if ((nt_status = smb_pam_setcred(pamh, user)) != NT_STATUS_OK) { + if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) { DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user)); smb_pam_end(pamh, pconv); return nt_status; diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index bd712b3563..59fc9e2eac 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -599,7 +599,7 @@ static BOOL password_check(char *password) { #ifdef WITH_PAM - return (smb_pam_passcheck(this_user, password) == NT_STATUS_OK); + return NT_STATUS_IS_OK(smb_pam_passcheck(this_user, password)); #endif /* WITH_PAM */ #ifdef WITH_AFS -- cgit From ed3fbafdd34af0f22c0f90c93718e887bae23dec Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Sep 2001 11:39:57 +0000 Subject: cope with pam being off (This used to be commit 5f6e7bbce76c85571ee10a3f8b5bbbd0beadb632) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 46b38ab1c0..fda4a54103 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -875,7 +875,7 @@ BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) #else /* If PAM not used, no PAM restrictions on accounts. */ - uint32 smb_pam_accountcheck(char * user) + NTSTATUS smb_pam_accountcheck(char * user) { return NT_STATUS_OK; } -- cgit From 11bd06e99c34a1805a3708321997633349e2dae7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 10 Sep 2001 11:23:41 +0000 Subject: made a couple of local fns static (This used to be commit f0851202a852bed28fbd2446b44ce2b977ddacd8) --- source3/auth/auth_rhosts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index ffb9212264..b447bed5d1 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -134,7 +134,7 @@ static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) /**************************************************************************** check for a possible hosts equiv or rhosts entry for the user ****************************************************************************/ -BOOL check_hosts_equiv(char *user) +static BOOL check_hosts_equiv(char *user) { char *fname = NULL; pstring rhostsfile; -- cgit From b800a36b1c81fb37ca963acdc49978ff065fb0d7 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 12 Sep 2001 06:39:50 +0000 Subject: Some patches to authentication: - the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions) - when doing security={server,domain} use the smb_username, otherwise use the unix_username (This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547) --- source3/auth/auth.c | 33 ++++++++++++++++++++------------- source3/auth/auth_rhosts.c | 2 +- source3/auth/auth_sam.c | 2 +- source3/auth/auth_unix.c | 6 ++++-- 4 files changed, 26 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index b707c38c62..0101aa65a2 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,7 +63,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; - DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); + DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str)); if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { return NT_STATUS_LOGON_FAILURE; } @@ -81,7 +81,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (lp_security() >= SEC_SERVER) { - smb_user_control(user_info->smb_username.str, nt_status); + smb_user_control(user_info->unix_username.str, nt_status); } if (!NT_STATUS_IS_OK(nt_status)) { @@ -97,14 +97,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (NT_STATUS_IS_OK(nt_status) && !done_pam) { /* We might not be root if we are an RPC call */ become_root(); - nt_status = smb_pam_accountcheck(user_info->smb_username.str); + nt_status = smb_pam_accountcheck(user_info->unix_username.str); unbecome_root(); } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); + DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_username.str)); } else { - DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status))); } return nt_status; @@ -121,14 +121,16 @@ SMB hash return True if the password is correct, False otherwise ****************************************************************************/ -NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], +NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, + char *domain, uchar chal[8], uchar *lm_pwd, int lm_pwd_len, uchar *nt_pwd, int nt_pwd_len) { auth_usersupplied_info user_info; auth_serversupplied_info server_info; - AUTH_STR ourdomain, theirdomain, smb_username, wksta_name; + AUTH_STR ourdomain, theirdomain, unix_username, smb_username, + wksta_name; ZERO_STRUCT(user_info); ZERO_STRUCT(ourdomain); @@ -145,10 +147,15 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], user_info.requested_domain = theirdomain; user_info.domain = ourdomain; - smb_username.str = user; + smb_username.str = smb_user; smb_username.len = strlen(smb_username.str); - user_info.requested_username = smb_username; /* For the time-being */ + /* If unix user is NULL, use smb user */ + + unix_username.str = unix_user ? unix_user : smb_user; + unix_username.len = strlen(unix_username.str); + + user_info.unix_username = unix_username; user_info.smb_username = smb_username; user_info.wksta_name.str = client_name(); @@ -197,7 +204,7 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], return check_password(&user_info, &server_info); } -NTSTATUS pass_check_smb(char *user, char *domain, +NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain, uchar *lm_pwd, int lm_pwd_len, uchar *nt_pwd, int nt_pwd_len) { @@ -207,7 +214,7 @@ NTSTATUS pass_check_smb(char *user, char *domain, generate_random_buffer( chal, 8, False); } - return pass_check_smb_with_chal(user, domain, chal, + return pass_check_smb_with_chal(smb_user, unix_user, domain, chal, lm_pwd, lm_pwd_len, nt_pwd, nt_pwd_len); @@ -233,11 +240,11 @@ BOOL password_ok(char *user, char *password, int pwlen) /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */ - if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) { + if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) { + if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) { return True; } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index b447bed5d1..2492a2a68b 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -174,7 +174,7 @@ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; become_root(); - if (check_hosts_equiv(user_info->smb_username.str)) { + if (check_hosts_equiv(user_info->unix_username.str)) { nt_status = NT_STATUS_OK; } unbecome_root(); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 33b0623643..111a35e068 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -152,7 +152,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, user_info->nt_resp.len, nt_pw, - user_info->chal, user_info->requested_username.str, + user_info->chal, user_info->smb_username.str, user_info->requested_domain.str, (char *)server_info->session_key)) { diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 1708320961..ea32a65457 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -73,9 +73,11 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve NTSTATUS nt_status; become_root(); - nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str, + nt_status = (pass_check(user_info->unix_username.str, + user_info->plaintext_password.str, user_info->plaintext_password.len, - lp_update_encrypted() ? update_smbpassword_file : NULL) + lp_update_encrypted() ? + update_smbpassword_file : NULL) ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE); unbecome_root(); -- cgit From b7a0c132894e15712a55aaa92175df73fb8814a9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 14 Sep 2001 10:38:40 +0000 Subject: Now that we always get back an NTSTATUS code actually pass it on to the auth subsytem. Also kill off the (unneeded) wrapper fuction. Andrew Bartlett (This used to be commit 96f06b490ac5e9fd86debccf8d41675fa41f7726) --- source3/auth/auth_server.c | 20 ++++---------------- source3/auth/auth_util.c | 2 +- 2 files changed, 5 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index b279152f74..7ed4cf60ad 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -110,10 +110,11 @@ struct cli_state *server_cryptkey(void) /**************************************************************************** - Validate a password with the password server. + Check for a valid username and password in security=server mode. + - Validate a password with the password server. ****************************************************************************/ -static NTSTATUS server_validate(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { struct cli_state *cli; static unsigned char badpass[24]; @@ -212,7 +213,7 @@ use this machine as the password server.\n")); user_info->domain.str)) { DEBUG(1,("password server %s rejected the password\n", cli->desthost)); /* Make this cli_nt_error() when the conversion is in */ - nt_status = NT_STATUS_LOGON_FAILURE; + nt_status = cli_nt_error(cli); } else { nt_status = NT_STATUS_OK; } @@ -228,17 +229,4 @@ use this machine as the password server.\n")); return(nt_status); } -/**************************************************************************** - Check for a valid username and password in security=server mode. -****************************************************************************/ - -NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) -{ - - if(lp_security() != SEC_SERVER) - return NT_STATUS_LOGON_FAILURE; - - return server_validate(user_info, server_info); -} - diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 28f58eb8ae..1967c32b9a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -98,7 +98,7 @@ static int smb_delete_user(char *unix_user) } /**************************************************************************** - Add and Delete UNIX users on demand, based on NT_STATUS codes. + Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ void smb_user_control(char *unix_user, NTSTATUS nt_status) -- cgit From dec3cbcaf097a3d6fab9359e001279447a5f4def Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 16 Sep 2001 06:35:35 +0000 Subject: Fix up workstaion and kickoff time checks, moved to auth_smbpasswd.c where they can have general effect. Fixed up workstaion support in the rest of samba, so that we can do these checks. Pass through the workstation for cli_net_logon(), if supplied. (This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a) --- source3/auth/auth.c | 23 +++++++++++++---------- source3/auth/auth_sam.c | 45 ++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 55 insertions(+), 13 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 0101aa65a2..5b6b2d4c42 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -25,8 +25,6 @@ extern int DEBUGLEVEL; -extern pstring global_myname; - /**************************************************************************** Check user is in correct domain if required ****************************************************************************/ @@ -63,7 +61,8 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; - DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str)); + DEBUG(3, ("check_password: Checking password for smb user %s\\%s@%s with the new password interface\n", + user_info->smb_username.str, user_info->requested_domain.str, user_info->wksta_name.str)); if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { return NT_STATUS_LOGON_FAILURE; } @@ -122,7 +121,8 @@ return True if the password is correct, False otherwise ****************************************************************************/ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, - char *domain, uchar chal[8], + char *domain, char* workstation, + uchar chal[8], uchar *lm_pwd, int lm_pwd_len, uchar *nt_pwd, int nt_pwd_len) { @@ -158,8 +158,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, user_info.unix_username = unix_username; user_info.smb_username = smb_username; - user_info.wksta_name.str = client_name(); - user_info.wksta_name.len = strlen(client_name()); + wksta_name.str = workstation; + wksta_name.len = strlen(workstation); user_info.wksta_name = wksta_name; @@ -204,7 +204,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, return check_password(&user_info, &server_info); } -NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain, +NTSTATUS pass_check_smb(char *smb_user, char *unix_user, + char *domain, char *workstation, uchar *lm_pwd, int lm_pwd_len, uchar *nt_pwd, int nt_pwd_len) { @@ -214,7 +215,8 @@ NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain, generate_random_buffer( chal, 8, False); } - return pass_check_smb_with_chal(smb_user, unix_user, domain, chal, + return pass_check_smb_with_chal(smb_user, unix_user, + domain, workstation, chal, lm_pwd, lm_pwd_len, nt_pwd, nt_pwd_len); @@ -227,6 +229,7 @@ return True if the password is correct, False otherwise ****************************************************************************/ BOOL password_ok(char *user, char *password, int pwlen) { + extern fstring remote_machine; /* * This hack must die! But until I rewrite the rest of samba @@ -240,11 +243,11 @@ BOOL password_ok(char *user, char *password, int pwlen) /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */ - if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) { + if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) { + if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) { return True; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 111a35e068..b61fde4206 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -112,9 +112,9 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { uint8 *nt_pw, *lm_pw; - uint16 acct_ctrl; - - acct_ctrl = pdb_get_acct_ctrl(sampass); + uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); + char *workstation_list; + time_t kickoff_time; /* Quit if the account was disabled. */ if(acct_ctrl & ACB_DISABLED) { @@ -122,6 +122,45 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use return(NT_STATUS_ACCOUNT_DISABLED); } + /* Test account expire time */ + + kickoff_time = pdb_get_kickoff_time(sampass); + if (kickoff_time != (time_t)-1) { + if (time(NULL) > kickoff_time) { + return NT_STATUS_ACCOUNT_EXPIRED; + } + } + + /* Test workstation. Workstation list is comma separated. */ + + workstation_list = strdup(pdb_get_workstations(sampass)); + + if (workstation_list) { + if (*workstation_list) { + BOOL invalid_ws = True; + char *s = workstation_list; + + fstring tok; + + while (next_token(&s, tok, ",", sizeof(tok))) { + DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", + tok, user_info->wksta_name.str, user_info->wksta_name.len)); + if(strequal(tok, user_info->wksta_name.str)) { + invalid_ws = False; + break; + } + } + + free(workstation_list); + if (invalid_ws) + return NT_STATUS_INVALID_WORKSTATION; + } else { + free(workstation_list); + } + } else { + return NT_STATUS_NO_MEMORY; + } + if (acct_ctrl & ACB_PWNOTREQ) { if (lp_null_passwords()) -- cgit From 4561e8a8ea35f3703ff607f604b5e25cd6144da1 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 17 Sep 2001 05:04:17 +0000 Subject: move to SAFE_FREE() (This used to be commit 64d35e94fe6f7e56353b286162f670c8595a90e6) --- source3/auth/pampass.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index fda4a54103..116ecaf95b 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -159,7 +159,7 @@ static int smb_pam_conv(int num_msg, default: /* Must be an error of some sort... */ - free(reply); + SAFE_FREE(reply); return PAM_CONV_ERR; } } @@ -250,7 +250,7 @@ static void free_pw_chat(struct chat_struct *list) while (list) { struct chat_struct *old_head = list; DLIST_REMOVE(list, list); - free(old_head); + SAFE_FREE(old_head); } } @@ -325,8 +325,7 @@ static int smb_pam_passchange_conv(int num_msg, if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); free_pw_chat(pw_chat); - free(reply); - reply = NULL; + SAFE_FREE(reply); return PAM_CONV_ERR; } break; @@ -358,8 +357,7 @@ static int smb_pam_passchange_conv(int num_msg, if (!found) { DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg)); free_pw_chat(pw_chat); - free(reply); - reply = NULL; + SAFE_FREE(reply); return PAM_CONV_ERR; } break; @@ -376,8 +374,7 @@ static int smb_pam_passchange_conv(int num_msg, default: /* Must be an error of some sort... */ free_pw_chat(pw_chat); - free(reply); - reply = NULL; + SAFE_FREE(reply); return PAM_CONV_ERR; } } @@ -395,9 +392,9 @@ static int smb_pam_passchange_conv(int num_msg, static void smb_free_pam_conv(struct pam_conv *pconv) { if (pconv) - safe_free(pconv->appdata_ptr); + SAFE_FREE(pconv->appdata_ptr); - safe_free(pconv); + SAFE_FREE(pconv); } /*************************************************************************** @@ -411,8 +408,8 @@ static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, c struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); if (pconv == NULL || udp == NULL) { - safe_free(pconv); - safe_free(udp); + SAFE_FREE(pconv); + SAFE_FREE(udp); return NULL; } -- cgit From 61b2794968faa35dc91edce17e9b91e5366c3514 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 17 Sep 2001 11:25:41 +0000 Subject: move to SAFE_FREE() (This used to be commit a95943fde0ad89ae3f2deca2f7ba9cb5ab612b74) --- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_server.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index b61fde4206..fb77a7a5c6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -151,11 +151,11 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use } } - free(workstation_list); + SAFE_FREE(workstation_list); if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; } else { - free(workstation_list); + SAFE_FREE(workstation_list); } } else { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7ed4cf60ad..e4c91c4dcb 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -77,7 +77,7 @@ struct cli_state *server_cryptkey(void) } } - free(pserver); + SAFE_FREE(pserver); if (!connected_ok) { DEBUG(0,("password server not available\n")); -- cgit From 6adafe50d4a9a75a6fe1f666232e0af1ac717513 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 19 Sep 2001 05:26:11 +0000 Subject: Remove the ugly hacks to get around the Get_Pwnam() calls in pass_check.c by simply not doing Get_Pwnam() calls in pass_check.c We now make *one* sys_getpnam() call in cgi.c and we always call PAM no matter what it returns. We also no longer run the password cracker for these logins. The truly parinod will note the slight difference in call paths, in that we only call crypt for valid password structs (if not --with-pam). The truly parinoid don't run SWAT either, so I don't think this is an issue. Andrew Bartlett (This used to be commit 9020d884935243f28c19cedc88f076f0709e12cb) --- source3/auth/auth_unix.c | 14 ++++++++++---- source3/auth/pass_check.c | 11 ++++++----- 2 files changed, 16 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index ea32a65457..7c6c58cafa 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -71,13 +71,19 @@ in PLAIN TEXT NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { NTSTATUS nt_status; - + struct passwd *pass = NULL; + become_root(); - nt_status = (pass_check(user_info->unix_username.str, - user_info->plaintext_password.str, + + pass = Get_Pwnam(user_info->unix_username.str, False); + + nt_status = (pass_check(pass, + user_info->unix_username.str, + user_info->plaintext_password.str, user_info->plaintext_password.len, lp_update_encrypted() ? - update_smbpassword_file : NULL) + update_smbpassword_file : NULL, + True) ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE); unbecome_root(); diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 59fc9e2eac..7426bfcbe3 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -682,12 +682,11 @@ match is found and is used to update the encrypted password file return True on correct match, False otherwise ****************************************************************************/ -BOOL pass_check(char *user, char *password, int pwlen, - BOOL (*fn) (char *, char *)) +BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, + BOOL (*fn) (char *, char *), BOOL run_cracker) { pstring pass2; int level = lp_passwordlevel(); - struct passwd *pass = NULL; if (password) password[pwlen] = 0; @@ -702,8 +701,6 @@ BOOL pass_check(char *user, char *password, int pwlen, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return (False); - pass = Get_Pwnam(user, True); - #ifdef WITH_PAM /* @@ -819,6 +816,10 @@ BOOL pass_check(char *user, char *password, int pwlen, return (True); } + if (!run_cracker) { + return False; + } + /* if the password was given to us with mixed case then we don't need to proceed as we know it hasn't been case modified by the client */ -- cgit From 158a5b8399d8c0c5877f58719cf16b4f1e59eb55 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 19 Sep 2001 23:53:51 +0000 Subject: - Fix up to use sampass->username insted of user_info->smb_username - Fix initial lookup to use the mapped username. (This used to be commit 162b88e2313dbcf0b95300b8f18a3e9b6b6b29bd) --- source3/auth/auth_sam.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index fb77a7a5c6..2427b2d16e 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -118,7 +118,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use /* Quit if the account was disabled. */ if(acct_ctrl & ACB_DISABLED) { - DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str)); + DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username)); return(NT_STATUS_ACCOUNT_DISABLED); } @@ -165,12 +165,12 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use { if (lp_null_passwords()) { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str)); + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", sampass->username)); return(NT_STATUS_OK); } else { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user_info->smb_username.str)); + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", sampass->username)); return(NT_STATUS_LOGON_FAILURE); } } @@ -178,7 +178,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use if (!user_info || !sampass) return(NT_STATUS_LOGON_FAILURE); - DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_info->smb_username.str)); + DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); nt_pw = pdb_get_nt_passwd(sampass); @@ -191,7 +191,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, user_info->nt_resp.len, nt_pw, - user_info->chal, user_info->smb_username.str, + user_info->chal, sampass->username, user_info->requested_domain.str, (char *)server_info->session_key)) { @@ -252,12 +252,12 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ /* get the account information */ become_root(); - ret = pdb_getsampwnam(sampass, user_info->smb_username.str); + ret = pdb_getsampwnam(sampass, user_info->unix_username.str); unbecome_root(); if (ret == False) { - DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); + DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->unix_username.str)); pdb_free_sam(sampass); return NT_STATUS_NO_SUCH_USER; } -- cgit From 79009d6afa421b39a61050e1c970ce0b9d0474d6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Sep 2001 00:19:55 +0000 Subject: Revert this one: The NTLMv2 checks need the original username as found on the wire. (This used to be commit 7c9ae76b3ff4f1ba88ddad570648f32f99e38944) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 2427b2d16e..cb8d711770 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -191,7 +191,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, user_info->nt_resp.len, nt_pw, - user_info->chal, sampass->username, + user_info->chal, user_info->smb_username.str, user_info->requested_domain.str, (char *)server_info->session_key)) { -- cgit From 395454db5d7e911ea418b88250778749463f7247 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Sep 2001 03:31:57 +0000 Subject: Fix for MiXed and UPPER case usernames with plaintext PAM passwords. (This used to be commit ba1b411f556bfac8b953c44c81257c7d8fb9817d) --- source3/auth/auth_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 7c6c58cafa..4740f7fb0d 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -78,7 +78,7 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve pass = Get_Pwnam(user_info->unix_username.str, False); nt_status = (pass_check(pass, - user_info->unix_username.str, + pass ? pass->pw_name : user_info->unix_username.str, user_info->plaintext_password.str, user_info->plaintext_password.len, lp_update_encrypted() ? -- cgit From 994a4497032084cb744a644382e68cde464d19be Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Sep 2001 10:26:50 +0000 Subject: We are not meant to touch the username, so use the pass->pw_name output rather than Get_Pwnam(user, True). (This used to be commit bf81f0021328da97afe58cc17317b15ec1b3cc96) --- source3/auth/auth_rhosts.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 2492a2a68b..e319d8d5f8 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -29,7 +29,7 @@ extern int DEBUGLEVEL; allows this user from this machine. ****************************************************************************/ -static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) +static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file) { int plus_allowed = 1; char *file_host; @@ -134,11 +134,11 @@ static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) /**************************************************************************** check for a possible hosts equiv or rhosts entry for the user ****************************************************************************/ -static BOOL check_hosts_equiv(char *user) +static BOOL check_hosts_equiv(char *user) /* should be const... */ { char *fname = NULL; pstring rhostsfile; - struct passwd *pass = Get_Pwnam(user,True); + struct passwd *pass = Get_Pwnam(user,False); if (!pass) return(False); @@ -147,16 +147,16 @@ static BOOL check_hosts_equiv(char *user) /* note: don't allow hosts.equiv on root */ if (fname && *fname && (pass->pw_uid != 0)) { - if (check_user_equiv(user,client_name(),fname)) + if (check_user_equiv(pass->pw_name,client_name(),fname)) return(True); } if (lp_use_rhosts()) { - char *home = get_user_home_dir(user); + char *home = pass->pw_dir; if (home) { slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - if (check_user_equiv(user,client_name(),rhostsfile)) + if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) return(True); } } -- cgit From fa6713bf8b121a45e59235786eec3cee29e92e67 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Sep 2001 13:15:35 +0000 Subject: Move pass_check.c over to NTSTATUS, allowing full NTSTATUS from PAM to wire! Add the ability for swat to run in non-root-mode (ie non-root from inetd). - we still need some of the am_root() calls fixed however. (This used to be commit 2c2317c56ee13abdbdbc866363c3b52dab826e3c) --- source3/auth/auth_unix.c | 6 +- source3/auth/pass_check.c | 198 +++++++++++++++++++++++++++------------------- 2 files changed, 121 insertions(+), 83 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 4740f7fb0d..5582682d98 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -77,14 +77,14 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve pass = Get_Pwnam(user_info->unix_username.str, False); - nt_status = (pass_check(pass, + nt_status = pass_check(pass, pass ? pass->pw_name : user_info->unix_username.str, user_info->plaintext_password.str, user_info->plaintext_password.len, lp_update_encrypted() ? update_smbpassword_file : NULL, - True) - ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE); + True); + unbecome_root(); return nt_status; diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 7426bfcbe3..594983e53b 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -28,8 +28,10 @@ extern int DEBUGLEVEL; /* these are kept here to keep the string_combinations function simple */ static fstring this_user; +#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)) static fstring this_salt; static fstring this_crypted; +#endif #ifdef WITH_AFS @@ -550,11 +552,12 @@ try all combinations with N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static BOOL string_combinations2(char *s, int offset, BOOL (*fn) (char *), +static NTSTATUS string_combinations2(char *s, int offset, NTSTATUS (*fn) (char *), int N) { int len = strlen(s); int i; + NTSTATUS nt_status; #ifdef PASSWORD_LENGTH len = MIN(len, PASSWORD_LENGTH); @@ -568,11 +571,12 @@ static BOOL string_combinations2(char *s, int offset, BOOL (*fn) (char *), if (!islower(c)) continue; s[i] = toupper(c); - if (string_combinations2(s, i + 1, fn, N - 1)) - return (True); + if (!NT_STATUS_EQUAL(nt_status = string_combinations2(s, i + 1, fn, N - 1),NT_STATUS_WRONG_PASSWORD)) { + return (nt_status); + } s[i] = c; } - return (False); + return (NT_STATUS_WRONG_PASSWORD); } /**************************************************************************** @@ -582,71 +586,80 @@ try all combinations with up to N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static BOOL string_combinations(char *s, BOOL (*fn) (char *), int N) +static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (char *), int N) { int n; + NTSTATUS nt_status; for (n = 1; n <= N; n++) - if (string_combinations2(s, 0, fn, n)) - return (True); - return (False); + if (!NT_STATUS_EQUAL(nt_status = string_combinations2(s, 0, fn, n), NT_STATUS_WRONG_PASSWORD)) + return nt_status; + return NT_STATUS_WRONG_PASSWORD; } /**************************************************************************** core of password checking routine ****************************************************************************/ -static BOOL password_check(char *password) +static NTSTATUS password_check(char *password) { - #ifdef WITH_PAM - return NT_STATUS_IS_OK(smb_pam_passcheck(this_user, password)); -#endif /* WITH_PAM */ + return smb_pam_passcheck(this_user, password); +#elif defined(KRB5_AUTH) + return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; +#elif defined(KRB4_AUTH) + return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; +#else + + BOOL ret; #ifdef WITH_AFS if (afs_auth(this_user, password)) - return (True); + return NT_STATUS_OK; #endif /* WITH_AFS */ #ifdef WITH_DFS if (dfs_auth(this_user, password)) - return (True); + return NT_STATUS_OK; #endif /* WITH_DFS */ -#ifdef KRB5_AUTH - if (krb5_auth(this_user, password)) - return (True); -#endif /* KRB5_AUTH */ - -#ifdef KRB4_AUTH - if (krb4_auth(this_user, password)) - return (True); -#endif /* KRB4_AUTH */ - #ifdef OSF1_ENH_SEC - { - BOOL ret = - (strcmp - (osf1_bigcrypt(password, this_salt), - this_crypted) == 0); - if (!ret) { - DEBUG(2, - ("OSF1_ENH_SEC failed. Trying normal crypt.\n")); - ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); - } - return ret; - } + + ret = (strcmp(osf1_bigcrypt(password, this_salt), + this_crypted) == 0); + if (!ret) { + DEBUG(2, + ("OSF1_ENH_SEC failed. Trying normal crypt.\n")); + ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + } + if (ret) { + return NT_STATUS_OK; + } else { + return NT_STATUS_WRONG_PASSWORD; + } + #endif /* OSF1_ENH_SEC */ - + #ifdef ULTRIX_AUTH - return (strcmp((char *)crypt16(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt16(password, this_salt), this_crypted) == 0); + if (ret) { + return NT_STATUS_OK; + } else { + return NT_STATUS_WRONG_PASSWORD; + } + #endif /* ULTRIX_AUTH */ - + #ifdef LINUX_BIGCRYPT - return (linux_bigcrypt(password, this_salt, this_crypted)); + ret = (linux_bigcrypt(password, this_salt, this_crypted)); + if (ret) { + return NT_STATUS_OK; + } else { + return NT_STATUS_WRONG_PASSWORD; + } #endif /* LINUX_BIGCRYPT */ - + #if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS) - + /* * Some systems have bigcrypt in the C library but might not * actually use it for the password hashes (HPUX 10.20) is @@ -655,39 +668,56 @@ static BOOL password_check(char *password) */ if (strcmp(bigcrypt(password, this_salt), this_crypted) == 0) - return True; + return NT_STATUS_OK; else - return (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + if (ret) { + return NT_STATUS_OK; + } else { + return NT_STATUS_WRONG_PASSWORD; + } #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ - + #ifdef HAVE_BIGCRYPT - return (strcmp(bigcrypt(password, this_salt), this_crypted) == 0); + ret = (strcmp(bigcrypt(password, this_salt), this_crypted) == 0); + if (ret) { + return NT_STATUS_OK; + } else { + return NT_STATUS_WRONG_PASSWORD; + } #endif /* HAVE_BIGCRYPT */ - + #ifndef HAVE_CRYPT DEBUG(1, ("Warning - no crypt available\n")); - return (False); + return NT_STATUS_LOGON_FAILURE; #else /* HAVE_CRYPT */ - return (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + if (ret) { + return NT_STATUS_OK; + } else { + return NT_STATUS_WRONG_PASSWORD; + } #endif /* HAVE_CRYPT */ #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ +#endif /* WITH_PAM || KRB4_AUTH || KRB5_AUTH */ } /**************************************************************************** -check if a username/password is OK +CHECK if a username/password is OK the function pointer fn() points to a function to call when a successful match is found and is used to update the encrypted password file -return True on correct match, False otherwise +return NT_STATUS_OK on correct match, appropriate error otherwise ****************************************************************************/ -BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, - BOOL (*fn) (char *, char *), BOOL run_cracker) +NTSTATUS pass_check(struct passwd *pass, char *user, char *password, + int pwlen, BOOL (*fn) (char *, char *), BOOL run_cracker) { pstring pass2; int level = lp_passwordlevel(); + NTSTATUS nt_status; if (password) password[pwlen] = 0; @@ -696,12 +726,12 @@ BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, #endif if (!password) - return (False); + return NT_STATUS_LOGON_FAILURE; if (((!*password) || (!pwlen)) && !lp_null_passwords()) - return (False); + return NT_STATUS_LOGON_FAILURE; -#ifdef WITH_PAM +#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) /* * If we're using PAM we want to short-circuit all the @@ -712,13 +742,13 @@ BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen)); -#else /* Not using PAM */ +#else /* Not using PAM or Kerebos */ DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen)); if (!pass) { DEBUG(3, ("Couldn't find user %s\n", user)); - return (False); + return NT_STATUS_NO_SUCH_USER; } #ifdef HAVE_GETSPNAM @@ -782,7 +812,6 @@ BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, #endif /* extract relevant info */ - fstrcpy(this_user, pass->pw_name); fstrcpy(this_salt, pass->pw_passwd); #if defined(HAVE_TRUNCATED_SALT) @@ -797,34 +826,39 @@ BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", this_user)); - return (False); + return NT_STATUS_LOGON_FAILURE; } if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", this_user)); - return (True); + return NT_STATUS_OK; } } -#endif /* WITH_PAM */ +#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */ /* try it as it came to us */ - if (password_check(password)) { - if (fn) - fn(user, password); - return (True); - } + nt_status = password_check(password); + if NT_STATUS_IS_OK(nt_status) { + if (fn) { + fn(user, password); + } + return (nt_status); + } else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { + /* No point continuing if its not the password thats to blame (ie PAM disabled). */ + return (nt_status); + } if (!run_cracker) { - return False; + return (nt_status); } /* if the password was given to us with mixed case then we don't - need to proceed as we know it hasn't been case modified by the - client */ + * need to proceed as we know it hasn't been case modified by the + * client */ if (strhasupper(password) && strhaslower(password)) { - return (False); + return nt_status; } /* make a copy of it */ @@ -833,10 +867,10 @@ BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, /* try all lowercase if it's currently all uppercase */ if (strhasupper(password)) { strlower(password); - if (password_check(password)) { - if (fn) + if NT_STATUS_IS_OK(nt_status = password_check(password)) { + if (fn) fn(user, password); - return (True); + return (nt_status); } } @@ -844,20 +878,24 @@ BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, if (level < 1) { /* restore it */ fstrcpy(password, pass2); - return (False); + return NT_STATUS_WRONG_PASSWORD; } /* last chance - all combinations of up to level chars upper! */ strlower(password); - if (string_combinations(password, password_check, level)) { - if (fn) + + if NT_STATUS_IS_OK(nt_status = string_combinations(password, password_check, level)) { + if (fn) fn(user, password); - return (True); + return nt_status; } - + /* restore it */ fstrcpy(password, pass2); - return (False); + return NT_STATUS_WRONG_PASSWORD; } + + + -- cgit From 71850be47edf5e1c3d36eec45c006a9f94c7f6ce Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 26 Sep 2001 12:28:46 +0000 Subject: Rearrange the order of the checks in auth_smbpasswd.c, always check passwords first. Add password expiry and 'must change before first logon' support. - This requires that the passdb be up to the job to supply the info. (This used to be commit 53c1c5091ea4e3ccc294f8b6f132be78c11c431f) --- source3/auth/auth_sam.c | 184 +++++++++++++++++++++++++++++------------------- 1 file changed, 111 insertions(+), 73 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index cb8d711770..7a21c3111b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -31,7 +31,7 @@ core of smb password checking routine. static BOOL smb_pwd_check_ntlmv1(const uchar *password, const uchar *part_passwd, const uchar *c8, - uchar user_sess_key[16]) + char user_sess_key[16]) { /* Finish the encryption of part_passwd. */ uchar p24[24]; @@ -45,7 +45,7 @@ static BOOL smb_pwd_check_ntlmv1(const uchar *password, SMBOWFencrypt(part_passwd, c8, p24); if (user_sess_key != NULL) { - SMBsesskeygen_ntv1(part_passwd, NULL, (char *)user_sess_key); + SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); } @@ -70,7 +70,7 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, uchar *part_passwd, uchar const *c8, const char *user, const char *domain, - char *user_sess_key) + char user_sess_key[16]) { /* Finish the encryption of part_passwd. */ uchar kr[16]; @@ -109,17 +109,104 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, char user_sess_key[16]) { uint8 *nt_pw, *lm_pw; uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); + + if (!user_info || !sampass) + return NT_STATUS_LOGON_FAILURE; + + if (acct_ctrl & ACB_PWNOTREQ) + { + if (lp_null_passwords()) + { + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", sampass->username)); + return(NT_STATUS_OK); + } + else + { + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", sampass->username)); + return(NT_STATUS_LOGON_FAILURE); + } + } else { + nt_pw = pdb_get_nt_passwd(sampass); + lm_pw = pdb_get_lanman_passwd(sampass); + + if (nt_pw != NULL && user_info->nt_resp.len > 0) { + if ((user_info->nt_resp.len > 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, + user_info->nt_resp.len, + nt_pw, + user_info->chal, user_info->smb_username.str, + user_info->requested_domain.str, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + + } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24)) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, + nt_pw, user_info->chal, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } else { + return NT_STATUS_LOGON_FAILURE; + } + } else if (lm_pw != NULL && user_info->lm_resp.len == 24) { + if (lp_lanman_auth()) { + DEBUG(4,("smb_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, + lm_pw, user_info->chal, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(4,("smb_password_ok: LM password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + } + } + /* Should not be reached */ + return NT_STATUS_LOGON_FAILURE; +} + +/**************************************************************************** + Do a specific test for a SAM_ACCOUNT being vaild for this connection + (ie not disabled, expired and the like). +****************************************************************************/ +NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) +{ + uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); char *workstation_list; time_t kickoff_time; + if (!user_info || !sampass) + return NT_STATUS_LOGON_FAILURE; + + DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); + /* Quit if the account was disabled. */ if(acct_ctrl & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username)); - return(NT_STATUS_ACCOUNT_DISABLED); + return NT_STATUS_ACCOUNT_DISABLED; } /* Test account expire time */ @@ -127,6 +214,8 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use kickoff_time = pdb_get_kickoff_time(sampass); if (kickoff_time != (time_t)-1) { if (time(NULL) > kickoff_time) { + DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); + DEBUG(3,("Account expired at '%d' unix time.\n", kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } } @@ -161,77 +250,21 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use return NT_STATUS_NO_MEMORY; } - if (acct_ctrl & ACB_PWNOTREQ) { - if (lp_null_passwords()) - { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", sampass->username)); - return(NT_STATUS_OK); - } - else - { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", sampass->username)); - return(NT_STATUS_LOGON_FAILURE); - } - } - - if (!user_info || !sampass) - return(NT_STATUS_LOGON_FAILURE); - - DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); - - nt_pw = pdb_get_nt_passwd(sampass); - - if (nt_pw != NULL) { - if ((user_info->nt_resp.len > 24 )) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); - if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, - user_info->nt_resp.len, - nt_pw, - user_info->chal, user_info->smb_username.str, - user_info->requested_domain.str, - (char *)server_info->session_key)) - { - return NT_STATUS_OK; - } - DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); - - } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, - nt_pw, user_info->chal, - server_info->session_key)) { - DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); - return NT_STATUS_OK; - } else { - DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; - } + time_t must_change_time = pdb_get_pass_must_change_time(sampass); + if (must_change_time == 0) { + DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username)); + return NT_STATUS_PASSWORD_MUST_CHANGE; } - } - - lm_pw = pdb_get_lanman_passwd(sampass); - - if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) { - DEBUG(4,("smb_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, - lm_pw, user_info->chal, - server_info->session_key)) { - DEBUG(4,("smb_password_ok: LM password check succeeded\n")); - return NT_STATUS_OK; - } else { - DEBUG(4,("smb_password_ok: LM password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; + + if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) { + DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); + DEBUG(1,("Password expired at '%d' unix time.\n", must_change_time)); + return NT_STATUS_PASSWORD_EXPIRED; } } - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_OK; } @@ -262,10 +295,15 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ return NT_STATUS_NO_SUCH_USER; } - nt_status = smb_password_ok(sampass, user_info, server_info); - + nt_status = sam_password_ok(sampass, user_info, server_info->session_key); + + if NT_STATUS_IS_OK(nt_status) { + nt_status = sam_account_ok(sampass, user_info); + } + pdb_free_sam(sampass); return nt_status; } + -- cgit From 865467c82f39a98afa3c65f25b7e24137f904e93 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 26 Sep 2001 13:11:22 +0000 Subject: Process the workstation trust account code INSIDE the authenticaion subsystem, just like any other logon. Matching code removal in reply.c to follow. Andrew Bartlett (This used to be commit da4873d889928e9bd88e736e26e4e77e87bcd931) --- source3/auth/auth_sam.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 7a21c3111b..567414d1a2 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -215,15 +215,15 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user if (kickoff_time != (time_t)-1) { if (time(NULL) > kickoff_time) { DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); - DEBUG(3,("Account expired at '%d' unix time.\n", kickoff_time)); + DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } } - + /* Test workstation. Workstation list is comma separated. */ - + workstation_list = strdup(pdb_get_workstations(sampass)); - + if (workstation_list) { if (*workstation_list) { BOOL invalid_ws = True; @@ -259,10 +259,25 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) { DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); - DEBUG(1,("Password expired at '%d' unix time.\n", must_change_time)); + DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; } } + + if (acct_ctrl & ACB_DOMTRUST) { + DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); + return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; + } + + if (acct_ctrl & ACB_SVRTRUST) { + DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); + return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; + } + + if (acct_ctrl & ACB_WSTRUST) { + DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", sampass->username)); + return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; + } return NT_STATUS_OK; } -- cgit From 81697d5ebe33ad95dedfc376118fcdf0367cf052 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 29 Sep 2001 13:08:26 +0000 Subject: Fix up a number of intertwined issues: The big one is a global change to allow us to NULLify the free'ed pointer to a former passdb object. This was done to allow idra's SAFE_FREE() macro to do its magic, and to satisfy the input test in pdb_init_sam() for a NULL pointer to start with. This NULL pointer test was what was breaking the adding of accounts up until now, and this code has been reworked to avoid duplicating work - I hope this will avoid a similar mess-up in future. Finally, I fixed a few nasty bugs where the pdb_ fuctions's return codes were being ignored. Some of these functions malloc() and are permitted to fail. Also, this caught a nasty bug where pdb_set_lanman_password(sam, NULL) acheived precisely didilly-squat, just returning False. Now that we check the returns this bug was spotted. This could allow different LM and NT passwords. - the pdbedit code needs to start checking these too, but I havn't had a chance to fix it. I have also fixed up where some of the password changing code was using the pdb_set functions to store *internal* data. I assume this is from a previous lot of mass conversion work... Most likally (and going on past experience) I have missed somthing, probably in the LanMan password change code which I havn't yet been able to test, but this lot is in much better shape than it was before. If all this is too much to swallow (particularly for 2.2.2) then just adding a sam_pass = NULL to the particular line of passdb.c should do the trick for the ovbious bug. Andrew Bartlett (This used to be commit 762c8758a7869809d89b4da9c2a5249678942930) --- source3/auth/auth.c | 4 ++++ source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_unix.c | 32 ++++++++++++++++++++++++-------- 3 files changed, 30 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 5b6b2d4c42..6aa2714b0b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -189,6 +189,10 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, user_info.lm_resp.buffer = (uint8 *)local_lm_response; user_info.lm_resp.len = 24; + + /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. + We might want to add a check here and only do an LM in that case */ + /* This encrypts the lm_pwd feild, which actualy contains the password rather than the nt_pwd field becouse that contains nothing */ SMBNTencrypt((uchar *)lm_pwd, user_info.chal, local_nt_response); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 567414d1a2..8159ad988f 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -306,7 +306,7 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ if (ret == False) { DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->unix_username.str)); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } @@ -316,7 +316,7 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ nt_status = sam_account_ok(sampass, user_info); } - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return nt_status; } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 5582682d98..0d73988d8a 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -31,7 +31,7 @@ this ugly hack needs to die, but not quite yet... static BOOL update_smbpassword_file(char *user, char *password) { SAM_ACCOUNT *sampass = NULL; - BOOL ret; + BOOL ret; pdb_init_sam(&sampass); @@ -41,7 +41,7 @@ static BOOL update_smbpassword_file(char *user, char *password) if(ret == False) { DEBUG(0,("pdb_getsampwnam returned NULL\n")); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return False; } @@ -49,16 +49,32 @@ static BOOL update_smbpassword_file(char *user, char *password) * Remove the account disabled flag - we are updating the * users password from a login. */ - pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); + if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED)) { + pdb_free_sam(&sampass); + return False; + } + + if (!pdb_set_plaintext_passwd (sampass, password)) { + pdb_free_sam(&sampass); + return False; + } - /* Here, the flag is one, because we want to ignore the + /* Now write it into the file. */ + become_root(); + + /* Here, the override flag is True, because we want to ignore the XXXXXXX'd out password */ - ret = change_oem_password( sampass, password, True); - if (ret == False) { - DEBUG(3,("change_oem_password returned False\n")); + ret = pdb_update_sam_account (sampass, True); + + unbecome_root(); + + if (ret) { + DEBUG(3,("pdb_update_sam_account returned %d\n",ret)); } - pdb_free_sam(sampass); + memset(password, '\0', strlen(password)); + + pdb_free_sam(&sampass); return ret; } -- cgit From c6d1e756649408412d72e5ad2789804b2908b6f2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 1 Oct 2001 10:54:11 +0000 Subject: - fix handling of 0 last_change_time and must_change_time - move the arbitrary 21 day timeout to local.h (This used to be commit 11075f543470c3283accce0246d0b2983420695a) --- source3/auth/auth_sam.c | 63 +++++++++++++++++++++++++------------------------ 1 file changed, 32 insertions(+), 31 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 8159ad988f..304e5be44b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -204,7 +204,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); /* Quit if the account was disabled. */ - if(acct_ctrl & ACB_DISABLED) { + if (acct_ctrl & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username)); return NT_STATUS_ACCOUNT_DISABLED; } @@ -212,52 +212,53 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); - if (kickoff_time != (time_t)-1) { - if (time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); - DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); - return NT_STATUS_ACCOUNT_EXPIRED; - } + if (kickoff_time != 0 && time(NULL) > kickoff_time) { + DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); + DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); + return NT_STATUS_ACCOUNT_EXPIRED; } /* Test workstation. Workstation list is comma separated. */ workstation_list = strdup(pdb_get_workstations(sampass)); - if (workstation_list) { - if (*workstation_list) { - BOOL invalid_ws = True; - char *s = workstation_list; + if (!workstation_list) return NT_STATUS_NO_MEMORY; + + if (*workstation_list) { + BOOL invalid_ws = True; + char *s = workstation_list; - fstring tok; + fstring tok; - while (next_token(&s, tok, ",", sizeof(tok))) { - DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", - tok, user_info->wksta_name.str, user_info->wksta_name.len)); - if(strequal(tok, user_info->wksta_name.str)) { - invalid_ws = False; - break; - } + while (next_token(&s, tok, ",", sizeof(tok))) { + DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", + tok, user_info->wksta_name.str, user_info->wksta_name.len)); + if(strequal(tok, user_info->wksta_name.str)) { + invalid_ws = False; + break; } - - SAFE_FREE(workstation_list); - if (invalid_ws) - return NT_STATUS_INVALID_WORKSTATION; - } else { - SAFE_FREE(workstation_list); } + + SAFE_FREE(workstation_list); + if (invalid_ws) + return NT_STATUS_INVALID_WORKSTATION; } else { - return NT_STATUS_NO_MEMORY; + SAFE_FREE(workstation_list); } + { time_t must_change_time = pdb_get_pass_must_change_time(sampass); - if (must_change_time == 0) { - DEBUG(1,("Account for user '%s' must change password at next logon! (ie now).\n", sampass->username)); + time_t last_set_time = pdb_get_pass_last_set_time(sampass); + + /* check for immediate expiry "must change at next logon" */ + if (must_change_time == 0 && last_set_time != 0) { + DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username)); return NT_STATUS_PASSWORD_MUST_CHANGE; } - if (must_change_time != (time_t)-1 && must_change_time < time(NULL)) { + /* check for expired password */ + if (must_change_time < time(NULL) && must_change_time != 0) { DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; @@ -265,12 +266,12 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user } if (acct_ctrl & ACB_DOMTRUST) { - DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(0,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; } -- cgit From cf2ec80d4e8733bbfd98d9737fa7e99712b72eb3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 1 Oct 2001 13:07:46 +0000 Subject: honor the ACB_PWNOEXP flag in smbpasswd (This used to be commit 70b7c900c907c4620faa7d82845296298b3820ff) --- source3/auth/auth_sam.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 304e5be44b..835ade739f 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -246,8 +246,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user SAFE_FREE(workstation_list); } - - { + if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) { time_t must_change_time = pdb_get_pass_must_change_time(sampass); time_t last_set_time = pdb_get_pass_last_set_time(sampass); -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/auth/auth.c | 3 --- source3/auth/auth_domain.c | 2 -- source3/auth/auth_rhosts.c | 6 ------ source3/auth/auth_sam.c | 5 ----- source3/auth/auth_server.c | 4 ---- source3/auth/auth_unix.c | 4 ---- source3/auth/auth_util.c | 3 +-- source3/auth/pampass.c | 2 -- source3/auth/pass_check.c | 5 ----- 9 files changed, 1 insertion(+), 33 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 6aa2714b0b..e76324213e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -23,8 +23,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - /**************************************************************************** Check user is in correct domain if required ****************************************************************************/ @@ -257,4 +255,3 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } - diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 111f0f143c..bcd41bacdb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -22,8 +22,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - BOOL global_machine_password_needs_changing = False; /**************************************************************************** diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index e319d8d5f8..cd1bf57f86 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -21,9 +21,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - - /**************************************************************************** Read the a hosts.equiv or .rhosts file and check if it allows this user from this machine. @@ -181,6 +178,3 @@ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info, return nt_status; } - - - diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 835ade739f..da223368b8 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -23,8 +23,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - /**************************************************************************** core of smb password checking routine. ****************************************************************************/ @@ -319,6 +317,3 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ pdb_free_sam(&sampass); return nt_status; } - - - diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index e4c91c4dcb..2574a52ef3 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -22,8 +22,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - extern pstring global_myname; /**************************************************************************** @@ -228,5 +226,3 @@ use this machine as the password server.\n")); return(nt_status); } - - diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 0d73988d8a..2f9034e3e5 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -21,8 +21,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - /**************************************************************************** update the encrypted smbpasswd file from the plaintext username and password @@ -105,5 +103,3 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve return nt_status; } - - diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1967c32b9a..d3b9aa7001 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -19,9 +19,8 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#include "includes.h" -extern int DEBUGLEVEL; +#include "includes.h" /* Data to do lanman1/2 password challenge. */ static unsigned char saved_challenge[8]; diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 116ecaf95b..6d0dabcd9d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -30,8 +30,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - #ifdef WITH_PAM /******************************************************************* diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 594983e53b..a57cb2ff06 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -24,8 +24,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - /* these are kept here to keep the string_combinations function simple */ static fstring this_user; #if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)) @@ -896,6 +894,3 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, return NT_STATUS_WRONG_PASSWORD; } - - - -- cgit From facbdd692dc7d4b87fcc59b369ae445153146c13 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Oct 2001 21:58:09 +0000 Subject: Fixed up the change password bug when not using PAM. The problem is we were trying to use mask_match as a generic wildcard matcher for UNIX strings (like the password prompts). We can't do that - we need a unix_wild_match (re-added into lib/util.c) as the ms_fnmatch semantics for empty strings are completely wrong. This caused partial reads to be accepted as correct passwd change responses when they were not.... Also added paranioa test to stop passwd change being done as root with no %u in the passwd program string. Jeremy. (This used to be commit 9333bbeb7627c8b21a3eaeae1683c34e17d14bf0) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6d0dabcd9d..0c7c4f1291 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -306,7 +306,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); @@ -337,7 +337,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt) == 0) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); -- cgit From 36c7d52ed8997739008156239af570c46feb3aed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 6 Oct 2001 01:51:57 +0000 Subject: Fix up indenting in out SAM password check code. (This used to be commit ac11a23125270dd136290370b1cf0124e943a101) --- source3/auth/auth_sam.c | 95 +++++++++++++++++++++++++------------------------ 1 file changed, 49 insertions(+), 46 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index da223368b8..26b9001bf6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -127,61 +127,64 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", sampass->username)); return(NT_STATUS_LOGON_FAILURE); } - } else { - nt_pw = pdb_get_nt_passwd(sampass); - lm_pw = pdb_get_lanman_passwd(sampass); - - if (nt_pw != NULL && user_info->nt_resp.len > 0) { - if ((user_info->nt_resp.len > 24 )) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); - if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, - user_info->nt_resp.len, - nt_pw, - user_info->chal, user_info->smb_username.str, - user_info->requested_domain.str, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); + } + + nt_pw = pdb_get_nt_passwd(sampass); + lm_pw = pdb_get_lanman_passwd(sampass); + + if (nt_pw != NULL && user_info->nt_resp.len > 0) { + if ((user_info->nt_resp.len > 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, + user_info->nt_resp.len, + nt_pw, + user_info->chal, user_info->smb_username.str, + user_info->requested_domain.str, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); return NT_STATUS_WRONG_PASSWORD; - } + } - } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24)) { + } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24)) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ - DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, - nt_pw, user_info->chal, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; - } + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, + nt_pw, user_info->chal, + user_sess_key)) + { + return NT_STATUS_OK; } else { - return NT_STATUS_LOGON_FAILURE; - } - } else if (lm_pw != NULL && user_info->lm_resp.len == 24) { - if (lp_lanman_auth()) { - DEBUG(4,("smb_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, - lm_pw, user_info->chal, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(4,("smb_password_ok: LM password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; - } + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; } + } else { + return NT_STATUS_LOGON_FAILURE; + } + } + + if (lm_pw != NULL && user_info->lm_resp.len == 24) { + if (lp_lanman_auth()) { + DEBUG(4,("smb_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, + lm_pw, user_info->chal, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(4,("smb_password_ok: LM password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } } } + /* Should not be reached */ return NT_STATUS_LOGON_FAILURE; } -- cgit From c416ff851b4ecc7a44aee9d00d07dd481d8ae2a7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2001 20:15:12 +0000 Subject: Merge the become_XXX -> change_to_XXX fixes from 2.2.2 to HEAD. Ensure make_conection() can only be called as root. Jeremy. (This used to be commit 8d23a7441b4687458ee021bfe8880558506eddba) --- source3/auth/pass_check.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index a57cb2ff06..44b3b9a237 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -233,7 +233,7 @@ static BOOL dfs_auth(char *user, char *password) } /* - * NB. I'd like to change these to call something like become_user() + * NB. I'd like to change these to call something like change_to_user() * instead but currently we don't have a connection * context to become the correct user. This is already * fairly platform specific code however, so I think -- cgit From 4be5c040b6463b066ca5adec7a85dc6f87d9fb97 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Fri, 19 Oct 2001 17:30:05 +0000 Subject: print in a human readable format when the password expired. J.F. (This used to be commit 255b197a5c92bfc18a567613bbffb013fd0a834d) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 26b9001bf6..a525248461 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -260,7 +260,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user /* check for expired password */ if (must_change_time < time(NULL) && must_change_time != 0) { DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); - DEBUG(1,("Password expired at '%ld' unix time.\n", (long)must_change_time)); + DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; } } -- cgit From b8fe0f6711977412f8a7103022b01f3428d9c3a0 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Tue, 23 Oct 2001 20:39:38 +0000 Subject: more compiler warnings (This used to be commit 12c10e876ea528fdf33e8ecfe42ab0ebb346b143) --- source3/auth/auth_rhosts.c | 2 +- source3/auth/auth_sam.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index cd1bf57f86..d6ca01936f 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -86,7 +86,7 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e static char *mydomain = NULL; if (!mydomain) yp_get_default_domain(&mydomain); - if (mydomain && innetgr(file_host,remote,user,mydomain)) + if (mydomain && innetgr(file_host,(char *)remote,(char *)user,mydomain)) host_ok = True; } #else diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index a525248461..2070f09fd6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -311,7 +311,7 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(sampass, user_info, server_info->session_key); + nt_status = sam_password_ok(sampass, user_info, (char *)(server_info->session_key)); if NT_STATUS_IS_OK(nt_status) { nt_status = sam_account_ok(sampass, user_info); -- cgit From 2038649e51f48a489aeec49947e1b791f0b3df43 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Oct 2001 07:28:32 +0000 Subject: This commit is number 3 of 4. In particular this commit focuses on: Changing the Get_Pwnam code so that it can work in a const-enforced environment. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes allow for 'const' in the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username (This used to be commit e7634f81c5116ff4addfb7e495f54b6bb78e8f77) --- source3/auth/auth_rhosts.c | 4 ++-- source3/auth/auth_unix.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index d6ca01936f..9f5f1e10e5 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -86,7 +86,7 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e static char *mydomain = NULL; if (!mydomain) yp_get_default_domain(&mydomain); - if (mydomain && innetgr(file_host,(char *)remote,(char *)user,mydomain)) + if (mydomain && innetgr(file_host,remote,user,mydomain)) host_ok = True; } #else @@ -135,7 +135,7 @@ static BOOL check_hosts_equiv(char *user) /* should be const... */ { char *fname = NULL; pstring rhostsfile; - struct passwd *pass = Get_Pwnam(user,False); + struct passwd *pass = Get_Pwnam(user); if (!pass) return(False); diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 2f9034e3e5..29a2a6eafb 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -89,7 +89,7 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve become_root(); - pass = Get_Pwnam(user_info->unix_username.str, False); + pass = Get_Pwnam(user_info->unix_username.str); nt_status = pass_check(pass, pass ? pass->pw_name : user_info->unix_username.str, -- cgit From d9d7f023d8d11943ca0375e1573e6ec9921889bc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Oct 2001 07:35:11 +0000 Subject: This commit is number 4 of 4. In particular this commit focuses on: Actually adding the 'const' to the passdb interface, and the flow-on changes. Also kill off the 'disp_info' stuff, as its no longer used. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes introduces a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username --- This finishes this line of commits off, your tree should now compile again :-) Andrew Bartlett (This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317) --- source3/auth/auth_sam.c | 6 +++--- source3/auth/pampass.c | 29 ++++++++++++++++------------- 2 files changed, 19 insertions(+), 16 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 2070f09fd6..6bc3793666 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -65,8 +65,8 @@ static BOOL smb_pwd_check_ntlmv1(const uchar *password, core of smb password checking routine. ****************************************************************************/ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, - uchar *part_passwd, - uchar const *c8, + const uchar *part_passwd, + const uchar *c8, const char *user, const char *domain, char user_sess_key[16]) { @@ -109,7 +109,7 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, ****************************************************************************/ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, char user_sess_key[16]) { - uint8 *nt_pw, *lm_pw; + const uint8 *nt_pw, *lm_pw; uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); if (!user_info || !sampass) diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 0c7c4f1291..6980b14f46 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -47,9 +47,9 @@ */ struct smb_pam_userdata { - char *PAM_username; - char *PAM_password; - char *PAM_newpassword; + const char *PAM_username; + const char *PAM_password; + const char *PAM_newpassword; }; typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr); @@ -180,7 +180,7 @@ static void special_char_sub(char *buf) all_string_sub(buf, "\\t", "\t", 0); } -static void pwd_sub(char *buf, char *username, char *oldpass, char *newpass) +static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass) { pstring_sub(buf, "%u", username); all_string_sub(buf, "%o", oldpass, sizeof(fstring)); @@ -399,8 +399,8 @@ static void smb_free_pam_conv(struct pam_conv *pconv) Allocate a pam_conv struct. ****************************************************************************/ -static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, char *user, - char *passwd, char *newpass) +static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user, + const char *passwd, const char *newpass) { struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv)); struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); @@ -445,9 +445,10 @@ static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) * Start PAM authentication for specified account */ -static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct pam_conv *pconv) +static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) { int pam_error; + const char *our_rhost; *pamh = (pam_handle_t *)NULL; @@ -460,14 +461,16 @@ static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct p } if (rhost == NULL) { - rhost = client_name(); + our_rhost = client_name(); if (strequal(rhost,"UNKNOWN")) - rhost = client_addr(); + our_rhost = client_addr(); + } else { + our_rhost = rhost; } #ifdef PAM_RHOST - DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost); if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { smb_pam_end(*pamh, pconv); *pamh = (pam_handle_t *)NULL; @@ -664,7 +667,7 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, * Internal PAM Password Changer. */ -static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user) +static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user) { int pam_error; @@ -846,7 +849,7 @@ NTSTATUS smb_pam_passcheck(char * user, char * password) * PAM Password Change Suite */ -BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword) +BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword) { /* Appropriate quantities of root should be obtained BEFORE calling this function */ struct pam_conv *pconv = NULL; -- cgit From 11dc29786ed7844440827aca6a07901ebcb56157 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Oct 2001 22:28:21 +0000 Subject: Fix up auth_smbpasswd.c to use the password interface, rather than the structures directly. Andrew Bartlett (This used to be commit c2dc24ab6370236437b72b929e2a56e174163d78) --- source3/auth/auth_sam.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 6bc3793666..84ca8d03be 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -202,11 +202,11 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user if (!user_info || !sampass) return NT_STATUS_LOGON_FAILURE; - DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username)); + DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",pdb_get_username(sampass))); /* Quit if the account was disabled. */ if (acct_ctrl & ACB_DISABLED) { - DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username)); + DEBUG(1,("Account for user '%s' was disabled.\n", pdb_get_username(sampass))); return NT_STATUS_ACCOUNT_DISABLED; } @@ -214,7 +214,7 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user kickoff_time = pdb_get_kickoff_time(sampass); if (kickoff_time != 0 && time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expried.\n", sampass->username)); + DEBUG(1,("Account for user '%s' has expried.\n", pdb_get_username(sampass))); DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } @@ -253,30 +253,30 @@ NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user /* check for immediate expiry "must change at next logon" */ if (must_change_time == 0 && last_set_time != 0) { - DEBUG(1,("Account for user '%s' password must change!.\n", sampass->username)); + DEBUG(1,("Account for user '%s' password must change!.\n", pdb_get_username(sampass))); return NT_STATUS_PASSWORD_MUST_CHANGE; } /* check for expired password */ if (must_change_time < time(NULL) && must_change_time != 0) { - DEBUG(1,("Account for user '%s' password expired!.\n", sampass->username)); + DEBUG(1,("Account for user '%s' password expired!.\n", pdb_get_username(sampass))); DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; } } if (acct_ctrl & ACB_DOMTRUST) { - DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", sampass->username)); + DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; } if (acct_ctrl & ACB_WSTRUST) { - DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", sampass->username)); + DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; } -- cgit From 1f829e19eb3b81ad1c4451fe9a90617e6cee7dd7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Oct 2001 13:54:54 +0000 Subject: Spnego on the 'server' end of security=server just does not work, so set the flags so we just do a 'normal' session setup. Also add some parinoia code to detect when sombody attempts to do a 'normal' session setup when spnego had been negoitiated. Andrew Bartlett (This used to be commit 190898586fa218c952fbd5bea56155d04e6f248b) --- source3/auth/auth_server.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 2574a52ef3..520417e3e0 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -51,6 +51,9 @@ struct cli_state *server_cryptkey(void) if (!cli_initialise(cli)) return NULL; + /* security = server just can't function with spnego */ + cli->use_spnego = False; + pserver = strdup(lp_passwordserver()); p = pserver; -- cgit From 6f0b8a38ec036a0027e9f938834e241b41db40c5 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 31 Oct 2001 06:20:58 +0000 Subject: Added some extra fields to the auth_serversupplied_info structure. To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d) --- source3/auth/auth.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e76324213e..4bdbdf5555 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, auth_serversupplied_info server_info; AUTH_STR ourdomain, theirdomain, unix_username, smb_username, wksta_name; + NTSTATUS result; ZERO_STRUCT(user_info); ZERO_STRUCT(ourdomain); @@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, } - return check_password(&user_info, &server_info); + result = check_password(&user_info, &server_info); + + free_serversupplied_info(&server_info); /* No info needed */ + + return result; } NTSTATUS pass_check_smb(char *smb_user, char *unix_user, @@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } + +/* Free a auth_serversupplied_info structure */ + +void free_serversupplied_info(auth_serversupplied_info *server_info) +{ + SAFE_FREE(server_info->group_rids); +} -- cgit From 6ab678d42b46eccee080de415985a8a1e3c29dc3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 06:22:19 +0000 Subject: Small 'const' updates ahead of some AuthRewrite merging. (This used to be commit 3b5e72bda3263c6bdf81dfface4fae4f06b71032) --- source3/auth/pampass.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6980b14f46..018eae3a07 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -547,7 +547,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) /* * PAM Account Handler */ -static NTSTATUS smb_pam_account(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) { int pam_error; NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; @@ -777,7 +777,7 @@ BOOL smb_pam_close_session(char *user, char *tty, char *rhost) * PAM Externally accessible Account handler */ -NTSTATUS smb_pam_accountcheck(char * user) +NTSTATUS smb_pam_accountcheck(const char * user) { NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED; pam_handle_t *pamh = NULL; @@ -873,19 +873,19 @@ BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char #else /* If PAM not used, no PAM restrictions on accounts. */ - NTSTATUS smb_pam_accountcheck(char * user) +NTSTATUS smb_pam_accountcheck(const char * user) { return NT_STATUS_OK; } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) +BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) { return True; } /* If PAM not used, also no PAM restrictions on sessions. */ - BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) +BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) { return True; } -- cgit From 60f0627afb167faad57385d44f0b587186a7ac2b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 10:46:25 +0000 Subject: This is a farily large patch (3300 lines) and reworks most of the AuthRewrite code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c) --- source3/auth/auth.c | 263 ++++++++++----------- source3/auth/auth_domain.c | 2 +- source3/auth/auth_rhosts.c | 40 ++-- source3/auth/auth_sam.c | 228 ++++++++++++------ source3/auth/auth_server.c | 27 ++- source3/auth/auth_unix.c | 17 +- source3/auth/auth_util.c | 564 +++++++++++++++++++++++++++++++++++++++++++-- 7 files changed, 868 insertions(+), 273 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4bdbdf5555..4d1a566833 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -50,183 +50,160 @@ static BOOL check_domain_match(char *user, char *domain) This functions does NOT need to be in a become_root()/unbecome_root() pair as it makes the calls itself when needed. + + The return value takes precedence over the contents of the server_info + struct. When the return is other than NT_STATUS_NOPROBLEMO the contents + of that structure is undefined. + ****************************************************************************/ NTSTATUS check_password(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; - - DEBUG(3, ("check_password: Checking password for smb user %s\\%s@%s with the new password interface\n", - user_info->smb_username.str, user_info->requested_domain.str, user_info->wksta_name.str)); - if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { + + DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", + user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + + /* This needs to be sorted: If it doesn't match, what should we do? */ + if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { return NT_STATUS_LOGON_FAILURE; } if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } } if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } } if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } } if (lp_security() >= SEC_SERVER) { - smb_user_control(user_info->unix_username.str, nt_status); + smb_user_control(user_info, *server_info, nt_status); } if (!NT_STATUS_IS_OK(nt_status)) { - if ((user_info->plaintext_password.len > 0) - && (!lp_plaintext_to_smbpasswd())) { + if (user_info->encrypted || lp_plaintext_to_smbpasswd()) { + nt_status = check_smbpasswd_security(user_info, server_info); + } else { nt_status = check_unix_security(user_info, server_info); done_pam = True; - } else { - nt_status = check_smbpasswd_security(user_info, server_info); } + + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } } + if (NT_STATUS_IS_OK(nt_status) && !done_pam) { /* We might not be root if we are an RPC call */ become_root(); - nt_status = smb_pam_accountcheck(user_info->unix_username.str); + nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } + if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_username.str)); + DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status))); - + DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + ZERO_STRUCTP(server_info); } + return nt_status; } /**************************************************************************** - COMPATABILITY INTERFACES: - ***************************************************************************/ - -/**************************************************************************** -check if a username/password is OK assuming the password is a 24 byte -SMB hash -return True if the password is correct, False otherwise + Squash an NT_STATUS return in line with requirements for unauthenticated + connections. (session setups in particular) ****************************************************************************/ -NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, - char *domain, char* workstation, - uchar chal[8], - uchar *lm_pwd, int lm_pwd_len, - uchar *nt_pwd, int nt_pwd_len) +NTSTATUS nt_status_squash(NTSTATUS nt_status) { - - auth_usersupplied_info user_info; - auth_serversupplied_info server_info; - AUTH_STR ourdomain, theirdomain, unix_username, smb_username, - wksta_name; - NTSTATUS result; + if NT_STATUS_IS_OK(nt_status) { + return nt_status; + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; - ZERO_STRUCT(user_info); - ZERO_STRUCT(ourdomain); - ZERO_STRUCT(theirdomain); - ZERO_STRUCT(smb_username); - ZERO_STRUCT(wksta_name); - - ourdomain.str = lp_workgroup(); - ourdomain.len = strlen(ourdomain.str); - - theirdomain.str = domain; - theirdomain.len = strlen(theirdomain.str); - - user_info.requested_domain = theirdomain; - user_info.domain = ourdomain; - - smb_username.str = smb_user; - smb_username.len = strlen(smb_username.str); - - /* If unix user is NULL, use smb user */ - - unix_username.str = unix_user ? unix_user : smb_user; - unix_username.len = strlen(unix_username.str); - - user_info.unix_username = unix_username; - user_info.smb_username = smb_username; - - wksta_name.str = workstation; - wksta_name.len = strlen(workstation); - - user_info.wksta_name = wksta_name; - - memcpy(user_info.chal, chal, 8); - - if ((lm_pwd_len >= 24 || nt_pwd_len >= 24) || - (lp_encrypted_passwords() && (lm_pwd_len == 0) && lp_null_passwords())) { - /* if 24 bytes long assume it is an encrypted password */ - - user_info.lm_resp.buffer = (uint8 *)lm_pwd; - user_info.lm_resp.len = lm_pwd_len; - user_info.nt_resp.buffer = (uint8 *)nt_pwd; - user_info.nt_resp.len = nt_pwd_len; - + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; } else { - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - - /* - * Not encrypted - do so. - */ - - DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); - - if (lm_pwd_len > 0) { - SMBencrypt( (uchar *)lm_pwd, user_info.chal, local_lm_response); - user_info.lm_resp.buffer = (uint8 *)local_lm_response; - user_info.lm_resp.len = 24; - - - /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. - We might want to add a check here and only do an LM in that case */ + return nt_status; + } +} - /* This encrypts the lm_pwd feild, which actualy contains the password - rather than the nt_pwd field becouse that contains nothing */ - SMBNTencrypt((uchar *)lm_pwd, user_info.chal, local_nt_response); - user_info.nt_resp.buffer = (uint8 *)local_nt_response; - user_info.nt_resp.len = 24; - } - - user_info.plaintext_password.str = (char *)lm_pwd; - user_info.plaintext_password.len = lm_pwd_len; - } - result = check_password(&user_info, &server_info); +/**************************************************************************** + COMPATABILITY INTERFACES: + ***************************************************************************/ - free_serversupplied_info(&server_info); /* No info needed */ +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ - return result; -} +static NTSTATUS pass_check_smb(char *smb_name, + char *domain, + DATA_BLOB lm_pwd, + DATA_BLOB nt_pwd, + DATA_BLOB plaintext_password, + BOOL encrypted) -NTSTATUS pass_check_smb(char *smb_user, char *unix_user, - char *domain, char *workstation, - uchar *lm_pwd, int lm_pwd_len, - uchar *nt_pwd, int nt_pwd_len) { - uchar chal[8]; - - if (!last_challenge(chal)) { - generate_random_buffer( chal, 8, False); - } - - return pass_check_smb_with_chal(smb_user, unix_user, - domain, workstation, chal, - lm_pwd, lm_pwd_len, - nt_pwd, nt_pwd_len); - + NTSTATUS nt_status; + auth_usersupplied_info *user_info = NULL; + auth_serversupplied_info *server_info = NULL; + + make_user_info_for_reply(&user_info, smb_name, + domain, + lm_pwd, + nt_pwd, + plaintext_password, + encrypted); + + nt_status = check_password(user_info, &server_info); + free_user_info(&user_info); + free_server_info(&server_info); + return nt_status; } /**************************************************************************** @@ -234,36 +211,32 @@ check if a username/password pair is OK either via the system password database or the encrypted SMB password database return True if the password is correct, False otherwise ****************************************************************************/ -BOOL password_ok(char *user, char *password, int pwlen) +BOOL password_ok(char *smb_name, DATA_BLOB password_blob) { - extern fstring remote_machine; - /* - * This hack must die! But until I rewrite the rest of samba - * it must stay - abartlet 2001-08-03 - */ - - if ((pwlen == 0) && !lp_null_passwords()) { - DEBUG(4,("Null passwords not allowed.\n")); - return False; - } - - /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as - required. */ - if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) { - return True; - } + DATA_BLOB null_password = data_blob(NULL, 0); + extern BOOL global_encrypted_passwords_negotiated; - if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) { - return True; + if (global_encrypted_passwords_negotiated) { + /* + * The password could be either NTLM or plain LM. Try NTLM first, + * but fall-through as required. + * NTLMv2 makes no sense here. + */ + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, global_encrypted_passwords_negotiated))) { + return True; + } + + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, global_encrypted_passwords_negotiated))) { + return True; + } + } else { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, global_encrypted_passwords_negotiated))) { + return True; + } } return False; } -/* Free a auth_serversupplied_info structure */ -void free_serversupplied_info(auth_serversupplied_info *server_info) -{ - SAFE_FREE(server_info->group_rids); -} diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bcd41bacdb..f20da19607 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -29,7 +29,7 @@ BOOL global_machine_password_needs_changing = False; ****************************************************************************/ NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 9f5f1e10e5..9c07e48a9b 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -131,11 +131,11 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e /**************************************************************************** check for a possible hosts equiv or rhosts entry for the user ****************************************************************************/ -static BOOL check_hosts_equiv(char *user) /* should be const... */ + +static BOOL check_hosts_equiv(struct passwd *pass) { char *fname = NULL; pstring rhostsfile; - struct passwd *pass = Get_Pwnam(user); if (!pass) return(False); @@ -149,15 +149,15 @@ static BOOL check_hosts_equiv(char *user) /* should be const... */ } if (lp_use_rhosts()) - { - char *home = pass->pw_dir; - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) - return(True); - } - } - + { + char *home = pass->pw_dir; + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) + return(True); + } + } + return(False); } @@ -166,15 +166,21 @@ static BOOL check_hosts_equiv(char *user) /* should be const... */ ****************************************************************************/ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - - become_root(); - if (check_hosts_equiv(user_info->unix_username.str)) { - nt_status = NT_STATUS_OK; + struct passwd *pass = Get_Pwnam(user_info->internal_username.str); + + if (pass) { + become_root(); + if (check_hosts_equiv(pass)) { + nt_status = NT_STATUS_OK; + make_server_info_pw(server_info, pass); + } + unbecome_root(); + } else { + nt_status = NT_STATUS_NO_SUCH_USER; } - unbecome_root(); return nt_status; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 84ca8d03be..d4283429ce 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -26,53 +26,65 @@ /**************************************************************************** core of smb password checking routine. ****************************************************************************/ -static BOOL smb_pwd_check_ntlmv1(const uchar *password, +static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, const uchar *part_passwd, - const uchar *c8, - char user_sess_key[16]) + DATA_BLOB sec_blob, + uint8 user_sess_key[16]) { - /* Finish the encryption of part_passwd. */ - uchar p24[24]; - - if (part_passwd == NULL) { - DEBUG(10,("No password set - DISALLOWING access\n")); - /* No password set - always false ! */ - return False; - } + /* Finish the encryption of part_passwd. */ + uchar p24[24]; + + if (part_passwd == NULL) { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always false ! */ + return False; + } + + if (sec_blob.length != 8) { + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challange size (%d)\n", sec_blob.length)); + return False; + } + + if (nt_response.length != 24) { + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%d)\n", nt_response.length)); + return False; + } - SMBOWFencrypt(part_passwd, c8, p24); + SMBOWFencrypt(part_passwd, sec_blob.data, p24); if (user_sess_key != NULL) { SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); } - - - + + + #if DEBUG_PASSWORD DEBUG(100,("Part password (P16) was |")); dump_data(100, part_passwd, 16); DEBUG(100,("Password from client was |")); - dump_data(100, password, 24); + dump_data(100, nt_response.data, nt_response.length); DEBUG(100,("Given challenge was |")); - dump_data(100, c8, 8); + dump_data(100, sec_blob.data, sec_blob.length); DEBUG(100,("Value from encryption was |")); dump_data(100, p24, 24); #endif - return (memcmp(p24, password, 24) == 0); + return (memcmp(p24, nt_response.data, 24) == 0); } /**************************************************************************** core of smb password checking routine. ****************************************************************************/ -static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, +static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, const uchar *part_passwd, - const uchar *c8, + const DATA_BLOB sec_blob, const char *user, const char *domain, - char user_sess_key[16]) + uint8 user_sess_key[16]) { /* Finish the encryption of part_passwd. */ uchar kr[16]; - uchar resp[16]; + uchar value_from_encryption[16]; + uchar client_response[16]; + DATA_BLOB client_key_data; if (part_passwd == NULL) { @@ -81,25 +93,42 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, return False; } + if (ntv2_response.length < 16) { + /* We MUST have more than 16 bytes, or the stuff below will go + crazy... */ + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%d)\n", + ntv2_response.length)); + return False; + } + + client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); + memcpy(client_response, ntv2_response.data, ntv2_response.length); + + if (!client_key_data.data) { + return False; + } + ntv2_owf_gen(part_passwd, user, domain, kr); - SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, (char *)resp); + SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, (char *)value_from_encryption); if (user_sess_key != NULL) { - SMBsesskeygen_ntv2(kr, resp, user_sess_key); + SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); } #if DEBUG_PASSWORD DEBUG(100,("Part password (P16) was |")); dump_data(100, part_passwd, 16); DEBUG(100,("Password from client was |")); - dump_data(100, password, pwd_len); + dump_data(100, ntv2_response.data, ntv2_response.length); + DEBUG(100,("Variable data from client was |")); + dump_data(100, ntv2_response.data, ntv2_response.length); DEBUG(100,("Given challenge was |")); - dump_data(100, c8, 8); + dump_data(100, sec_blob.data, sec_blob.length); DEBUG(100,("Value from encryption was |")); - dump_data(100, resp, 16); + dump_data(100, value_from_encryption, 16); #endif - - return (memcmp(resp, password, 16) == 0); + data_blob_clear_free(&client_key_data); + return (memcmp(value_from_encryption, client_response, 16) == 0); } @@ -107,11 +136,12 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, char user_sess_key[16]) +NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, uint8 user_sess_key[16]) { const uint8 *nt_pw, *lm_pw; uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); - + uint32 ntlmssp_flags; + if (!user_info || !sampass) return NT_STATUS_LOGON_FAILURE; @@ -119,12 +149,12 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use { if (lp_null_passwords()) { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", sampass->username)); + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", pdb_get_username(sampass))); return(NT_STATUS_OK); } else { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", sampass->username)); + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", pdb_get_username(sampass))); return(NT_STATUS_LOGON_FAILURE); } } @@ -132,61 +162,84 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use nt_pw = pdb_get_nt_passwd(sampass); lm_pw = pdb_get_lanman_passwd(sampass); - if (nt_pw != NULL && user_info->nt_resp.len > 0) { - if ((user_info->nt_resp.len > 24 )) { + ntlmssp_flags = user_info->ntlmssp_flags; + + if (nt_pw == NULL) { + DEBUG(3,("smb_password_ok: NO NT password stored for user %s.\n", + pdb_get_username(sampass))); + /* No return, we want to check the LM hash below in this case */ + ntlmssp_flags &= (~(NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)); + } + + if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM2) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); - if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, - user_info->nt_resp.len, + if (smb_pwd_check_ntlmv2( user_info->nt_resp, nt_pw, - user_info->chal, user_info->smb_username.str, - user_info->requested_domain.str, + user_info->sec_blob, user_info->smb_name.str, + user_info->client_domain.str, user_sess_key)) { return NT_STATUS_OK; } else { - DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; + DEBUG(3,("smb_password_ok: NTLMv2 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; } - - } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24)) { + } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) { + if (lp_ntlm_auth()) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ - DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, - nt_pw, user_info->chal, - user_sess_key)) - { - return NT_STATUS_OK; + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp, + nt_pw, user_info->sec_blob, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(3,("smb_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } } else { - DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; + DEBUG(2,("smb_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + /* No return, we want to check the LM hash below in this case */ } - } else { - return NT_STATUS_LOGON_FAILURE; - } } - if (lm_pw != NULL && user_info->lm_resp.len == 24) { - if (lp_lanman_auth()) { - DEBUG(4,("smb_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, - lm_pw, user_info->chal, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(4,("smb_password_ok: LM password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; - } + if (lm_pw == NULL) { + DEBUG(3,("smb_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); + ntlmssp_flags &= (~NTLMSSP_NEGOTIATE_OEM); + } + + if (ntlmssp_flags & NTLMSSP_NEGOTIATE_OEM) { + + if (user_info->lm_resp.length != 24) { + DEBUG(2,("smb_password_ok: invalid LanMan password length (%d) for user %s\n", + user_info->nt_resp.length, pdb_get_username(sampass))); } + + if (!lp_lanman_auth()) { + DEBUG(3,("smb_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + return NT_STATUS_LOGON_FAILURE; + } + + DEBUG(4,("smb_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + lm_pw, user_info->sec_blob, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(4,("smb_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } } - /* Should not be reached */ - return NT_STATUS_LOGON_FAILURE; + /* Should not be reached, but if they send nothing... */ + DEBUG(3,("smb_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; } /**************************************************************************** @@ -290,33 +343,58 @@ SMB hash supplied in the user_info structure return an NT_STATUS constant. ****************************************************************************/ -NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { SAM_ACCOUNT *sampass=NULL; BOOL ret; NTSTATUS nt_status; + uint8 user_sess_key[16]; + const uint8* lm_hash; pdb_init_sam(&sampass); /* get the account information */ become_root(); - ret = pdb_getsampwnam(sampass, user_info->unix_username.str); + ret = pdb_getsampwnam(sampass, user_info->internal_username.str); unbecome_root(); if (ret == False) { - DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->unix_username.str)); + DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(sampass, user_info, (char *)(server_info->session_key)); + nt_status = sam_password_ok(sampass, user_info, user_sess_key); - if NT_STATUS_IS_OK(nt_status) { - nt_status = sam_account_ok(sampass, user_info); + if (!NT_STATUS_IS_OK(nt_status)) { + pdb_free_sam(&sampass); + return nt_status; } - pdb_free_sam(&sampass); + nt_status = sam_account_ok(sampass, user_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + pdb_free_sam(&sampass); + return nt_status; + } + + if (!make_server_info_sam(server_info, sampass)) { + DEBUG(0,("failed to malloc memory for server_info\n")); + return NT_STATUS_NO_MEMORY; + } + + lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account); + if (lm_hash) { + memcpy((*server_info)->first_8_lm_hash, lm_hash, 8); + } + + memcpy((*server_info)->session_key, user_sess_key, sizeof(user_sess_key)); + return nt_status; } + + + + diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 520417e3e0..ddbc284d50 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -115,7 +115,7 @@ struct cli_state *server_cryptkey(void) - Validate a password with the password server. ****************************************************************************/ -NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { struct cli_state *cli; static unsigned char badpass[24]; @@ -134,8 +134,8 @@ NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_ser if(badpass[0] == 0) memset(badpass, 0x1f, sizeof(badpass)); - if((user_info->nt_resp.len == sizeof(badpass)) && - !memcmp(badpass, user_info->nt_resp.buffer, sizeof(badpass))) { + if((user_info->nt_resp.length == sizeof(badpass)) && + !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) { /* * Very unlikely, our random bad password is the same as the users * password. @@ -206,11 +206,11 @@ use this machine as the password server.\n")); * not guest enabled, we can try with the real password. */ - if (!cli_session_setup(cli, user_info->smb_username.str, - (char *)user_info->lm_resp.buffer, - user_info->lm_resp.len, - (char *)user_info->nt_resp.buffer, - user_info->nt_resp.len, + if (!cli_session_setup(cli, user_info->smb_name.str, + (char *)user_info->lm_resp.data, + user_info->lm_resp.length, + (char *)user_info->nt_resp.data, + user_info->nt_resp.length, user_info->domain.str)) { DEBUG(1,("password server %s rejected the password\n", cli->desthost)); /* Make this cli_nt_error() when the conversion is in */ @@ -227,5 +227,16 @@ use this machine as the password server.\n")); cli_ulogoff(cli); + if NT_STATUS_IS_OK(nt_status) { + struct passwd *pass = Get_Pwnam(user_info->internal_username.str); + if (pass) { + if (!make_server_info_pw(server_info, pass)) { + nt_status = NT_STATUS_NO_MEMORY; + } + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + return(nt_status); } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 29a2a6eafb..d456da1fdf 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -82,22 +82,27 @@ check if a username/password is OK assuming the password in PLAIN TEXT ****************************************************************************/ -NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status; struct passwd *pass = NULL; become_root(); - - pass = Get_Pwnam(user_info->unix_username.str); + pass = Get_Pwnam(user_info->internal_username.str); nt_status = pass_check(pass, - pass ? pass->pw_name : user_info->unix_username.str, - user_info->plaintext_password.str, - user_info->plaintext_password.len, + pass ? pass->pw_name : user_info->internal_username.str, + (char *)user_info->plaintext_password.data, + user_info->plaintext_password.length-1, lp_update_encrypted() ? update_smbpassword_file : NULL, True); + + if NT_STATUS_IS_OK(nt_status) { + if (pass) { + make_server_info_pw(server_info, pass); + } + } unbecome_root(); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d3b9aa7001..297c482af5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -25,6 +25,8 @@ /* Data to do lanman1/2 password challenge. */ static unsigned char saved_challenge[8]; static BOOL challenge_sent=False; +extern fstring remote_machine; +extern pstring global_myname; /******************************************************************* Get the next challenge value - no repeats. @@ -64,7 +66,7 @@ BOOL last_challenge(unsigned char *challenge) Create a UNIX user on demand. ****************************************************************************/ -static int smb_create_user(char *unix_user, char *homedir) +static int smb_create_user(const char *unix_user, const char *homedir) { pstring add_script; int ret; @@ -100,40 +102,560 @@ static int smb_delete_user(char *unix_user) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(char *unix_user, NTSTATUS nt_status) +void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) { struct passwd *pwd=NULL; if (NT_STATUS_IS_OK(nt_status)) { - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) - smb_create_user(unix_user, NULL); - - if(lp_adduser_script() && pwd) { - SMB_STRUCT_STAT st; + if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) { + /* - * Also call smb_create_user if the users home directory - * doesn't exist. Used with winbindd to allow the script to - * create the home directory for a user mapped with winbindd. + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. */ + + if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) { + smb_create_user(user_info->internal_username.str, NULL); + } + } else { + if(lp_adduser_script()) { + SMB_STRUCT_STAT st; + const char *home_dir = pdb_get_homedir(server_info->sam_account); + /* + * Also call smb_create_user if the users home directory + * doesn't exist. Used with winbindd to allow the script to + * create the home directory for a user mapped with winbindd. + */ - if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) - smb_create_user(unix_user, pwd->pw_dir); + if (home_dir && + (sys_stat(home_dir, &st) == -1) && (errno == ENOENT)) { + smb_create_user(user_info->internal_username.str, home_dir); + } + } } - - } else if (NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_NO_SUCH_USER)) { + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { /* * User failed to validate ok against Domain controller. * If the failure was "user doesn't exist" and admin * wants us to try and delete that UNIX user on the fly, * do so. */ - if(lp_deluser_script() && smb_getpwnam(unix_user,True)) - smb_delete_user(unix_user); + if (lp_deluser_script()) { + smb_delete_user(user_info->internal_username.str); + } + } +} + +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info(auth_usersupplied_info **user_info, + char *smb_name, char *internal_username, + char *client_domain, char *domain, + char *wksta_name, DATA_BLOB sec_blob, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) +{ + + DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); + + *user_info = malloc(sizeof(**user_info)); + if (!user_info) { + DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); + return False; + } + + ZERO_STRUCTP(*user_info); + + DEBUG(5,("makeing strings for %s's user_info struct\n", internal_username)); + + (*user_info)->smb_name.str = strdup(smb_name); + if ((*user_info)->smb_name.str) { + (*user_info)->smb_name.len = strlen(smb_name); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->internal_username.str = strdup(internal_username); + if ((*user_info)->internal_username.str) { + (*user_info)->internal_username.len = strlen(internal_username); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->domain.str = strdup(domain); + if ((*user_info)->domain.str) { + (*user_info)->domain.len = strlen(domain); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->client_domain.str = strdup(client_domain); + if ((*user_info)->client_domain.str) { + (*user_info)->client_domain.len = strlen(client_domain); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->wksta_name.str = strdup(wksta_name); + if ((*user_info)->wksta_name.str) { + (*user_info)->wksta_name.len = strlen(wksta_name); + } else { + free_user_info(user_info); + return False; } + + DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); + + (*user_info)->sec_blob = data_blob(sec_blob.data, sec_blob.length); + (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); + (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); + (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); + + (*user_info)->encrypted = encrypted; + (*user_info)->ntlmssp_flags = ntlmssp_flags; + + DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); + + return True; } + +/**************************************************************************** + Create an auth_usersupplied_data structure after appropriate mapping. +****************************************************************************/ + +BOOL make_user_info_map(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + char *wksta_name, DATA_BLOB sec_blob, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) +{ + char *domain; + fstring internal_username; + fstrcpy(internal_username, smb_name); + map_username(internal_username); + + if (lp_allow_trusted_domains()) { + domain = client_domain; + } else { + domain = lp_workgroup(); + } + + return make_user_info(user_info, + smb_name, internal_username, + client_domain, domain, + wksta_name, sec_blob, + lm_pwd, nt_pwd, + plaintext, + ntlmssp_flags, encrypted); + +} + +/**************************************************************************** + Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrupt and encrypt the passwords. +****************************************************************************/ + +BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + char *wksta_name, uchar chal[8], + uchar *lm_network_pwd, int lm_pwd_len, + uchar *nt_network_pwd, int nt_pwd_len) +{ + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); + DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + if (lm_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + if (nt_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + + ret = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); + + data_blob_free(&lm_blob); + data_blob_free(&nt_blob); + return ret; +} + +/**************************************************************************** + Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrupt and encrypt the passwords. +****************************************************************************/ + +BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + char *wksta_name, + uchar *lm_interactive_pwd, int lm_pwd_len, + uchar *nt_interactive_pwd, int nt_pwd_len, + uchar *dc_sess_key) +{ + char nt_pwd[16]; + char lm_pwd[16]; + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + unsigned char key[16]; + uint8 chal[8]; + uint32 ntlmssp_flags = 0; + + generate_random_buffer(chal, 8, False); + + memset(key, 0, 16); + memcpy(key, dc_sess_key, 8); + + memcpy(lm_pwd, lm_interactive_pwd, 16); + memcpy(nt_pwd, nt_interactive_pwd, 16); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("key:")); + dump_data(100, (char *)key, 16); + + DEBUG(100,("lm owf password:")); + dump_data(100, lm_pwd, 16); + + DEBUG(100,("nt owf password:")); + dump_data(100, nt_pwd, 16); +#endif + + SamOEMhash((uchar *)lm_pwd, key, 16); + SamOEMhash((uchar *)nt_pwd, key, 16); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("decrypt of lm owf password:")); + dump_data(100, lm_pwd, 16); + + DEBUG(100,("decrypt of nt owf password:")); + dump_data(100, nt_pwd, 16); +#endif + + generate_random_buffer(chal, 8, False); + SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); + SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); + + /* Password info parinoia */ + ZERO_STRUCT(lm_pwd); + ZERO_STRUCT(nt_pwd); + ZERO_STRUCT(key); + + { + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); + DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + + ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; + ret = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, sec_blob, + local_nt_blob, + local_lm_blob, + plaintext_blob, + ntlmssp_flags, True); + + data_blob_free(&local_lm_blob); + data_blob_free(&local_nt_blob); + return ret; + } +} + +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info_for_winbind(auth_usersupplied_info **user_info, + char *username, + char *domain, + char *password) +{ + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + char chal[8]; + DATA_BLOB local_lm_blob; + DATA_BLOB local_nt_blob; + DATA_BLOB plaintext_blob; + uint32 ntlmssp_flags = 0; + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + generate_random_buffer(chal, 8, False); + + if (*password) { + SMBencrypt( (uchar *)password, chal, local_lm_response); + + /* This encrypts the lm_pwd feild, which actualy contains the password + rather than the nt_pwd field becouse that contains nothing */ + + /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. + We might want to add a check here and only do an LM in that case */ + + SMBNTencrypt((uchar *)password, chal, local_nt_response); + + local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); + local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); + plaintext_blob = data_blob(password, strlen(password)+1); + if ((!local_lm_blob.data) || (!local_nt_blob.data)|| (!plaintext_blob.data)) { + data_blob_free(&local_lm_blob); + data_blob_free(&local_nt_blob); + data_blob_clear_free(&plaintext_blob); + return False; + } + ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; + } else { + local_lm_blob = data_blob(NULL, 0); + local_nt_blob = data_blob(NULL, 0); + plaintext_blob = data_blob(NULL, 0); + } + + { + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + + if (!sec_blob.data) { + return False; + } + + ret = make_user_info(user_info, + username, username, + domain, domain, + global_myname, sec_blob, + local_nt_blob, + local_lm_blob, + plaintext_blob, + ntlmssp_flags, False); + + data_blob_free(&local_lm_blob); + data_blob_free(&local_nt_blob); + data_blob_clear_free(&plaintext_blob); + return ret; + } +} + +/**************************************************************************** + Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrupt and encrypt the passwords. +****************************************************************************/ + +BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + uchar chal[8], + uchar *lm_network_pwd, int lm_pwd_len, + uchar *nt_network_pwd, int nt_pwd_len) +{ + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); + DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + if (lm_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + if (nt_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + + ret = make_user_info(user_info, + smb_name, smb_name, + client_domain, client_domain, + global_myname, sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); + + data_blob_free(&lm_blob); + data_blob_free(&nt_blob); + return ret; +} + +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp, + DATA_BLOB plaintext_password, + BOOL encrypted) +{ + uchar chal[8]; + + DATA_BLOB local_lm_blob; + DATA_BLOB local_nt_blob; + DATA_BLOB sec_blob; + BOOL ret = False; + uint32 ntlmssp_flags = 0; + + if (encrypted) { + DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); + if (!last_challenge(chal)) { + DEBUG(0,("Encrypted login but no challange set!\n")); + return False; + } + sec_blob = data_blob(chal, 8); + + if (lm_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + } + if (nt_resp.length == 0) { + } else if (nt_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + } else { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + return make_user_info_map(user_info, smb_name, + client_domain, + remote_machine, sec_blob, + lm_resp, + nt_resp, + no_plaintext_blob, + ntlmssp_flags, encrypted); + } + + generate_random_buffer(chal, 8, False); + + sec_blob = data_blob(chal, 8); + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + if (plaintext_password.data) { + unsigned char local_lm_response[24]; + + SMBencrypt( (uchar *)plaintext_password.data, chal, local_lm_response); + local_lm_blob = data_blob(local_lm_response, 24); + + /* We can't do an NT hash here, as the password needs to be case insensitive */ + local_nt_blob = data_blob(NULL, 0); + + ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; + } else { + local_lm_blob = data_blob(NULL, 0); + local_nt_blob = data_blob(NULL, 0); + } + + ret = make_user_info_map(user_info, smb_name, + client_domain, + remote_machine, + sec_blob, + local_lm_blob, + local_nt_blob, + plaintext_password, + ntlmssp_flags, encrypted); + + data_blob_free(&local_lm_blob); + return ret; +} + +BOOL make_server_info(auth_serversupplied_info **server_info) +{ + *server_info = malloc(sizeof(**server_info)); + if (!*server_info) { + DEBUG(0,("make_server_info_sam: malloc failed!\n")); + return False; + } + ZERO_STRUCTP(*server_info); + return True; +} + +BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +{ + if (!make_server_info(server_info)) { + return False; + } + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->sam_account = sampass; + + DEBUG(5,("make_server_info_sam: made sever info for user %s\n", + pdb_get_username((*server_info)->sam_account))); + return True; +} + +BOOL make_server_info_pw(auth_serversupplied_info **server_info, struct passwd *pwd) +{ + SAM_ACCOUNT *sampass = NULL; + if (!pdb_init_sam_pw(&sampass, pwd)) { + return False; + } + return make_server_info_sam(server_info, sampass); +} + +void free_user_info(auth_usersupplied_info **user_info) +{ + DEBUG(5,("attempting to free (and zero) a user_info structure\n")); + if (*user_info != NULL) { + if ((*user_info)->smb_name.str) { + DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + } + SAFE_FREE((*user_info)->smb_name.str); + SAFE_FREE((*user_info)->internal_username.str); + SAFE_FREE((*user_info)->client_domain.str); + SAFE_FREE((*user_info)->domain.str); + data_blob_free(&(*user_info)->sec_blob); + data_blob_free(&(*user_info)->lm_resp); + data_blob_free(&(*user_info)->nt_resp); + SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->plaintext_password); + ZERO_STRUCT(**user_info); + } + SAFE_FREE(*user_info); +} + +/*************************************************************************** + Clear out a server_info struct that has been allocated +***************************************************************************/ +void free_server_info(auth_serversupplied_info **server_info) +{ + if (*server_info != NULL) { + pdb_free_sam(&(*server_info)->sam_account); + + /* call pam_end here, unless we know we are keeping it */ + SAFE_FREE((*server_info)->group_rids); + + ZERO_STRUCT(**server_info); + } + SAFE_FREE(*server_info); +} + +/*************************************************************************** + Make a server_info struct for a guest user +***************************************************************************/ +void make_server_info_guest(auth_serversupplied_info **server_info) +{ + struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); + + if (pass) { + make_server_info_pw(server_info, pass); + } +} + -- cgit From be93100240c4d81e9465015e82d5b71a5e4bf193 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 12:07:59 +0000 Subject: Fix up domain logons. Tested with NT4. (This used to be commit c8b2718adfe114b74a155116c5e74f014d6df887) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 297c482af5..85f01605ab 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -368,8 +368,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, wksta_name, sec_blob, - local_nt_blob, local_lm_blob, + local_nt_blob, plaintext_blob, ntlmssp_flags, True); -- cgit From acb81fe408f0e674088f0952aaba442ddb494b0c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Nov 2001 05:02:41 +0000 Subject: Various post AuthRewrite cleanups, fixups and tidyups. Zero out some of the plaintext passwords for paranoia Fix up some of the other passdb backends with the change to *uid_t rather than uid_t. Make some of the code in srv_netlog_nt.c clearer, is passing an array around, so pass its lenght in is definition, not as a seperate paramater. Use sizeof() rather than magic numbers, it makes things easier to read. Cope with a PAM authenticated user who is not in /etc/passwd - currently by saying NO_SUCH_USER, but this can change in future. Andrew Bartlett (This used to be commit 514c91b16baca639bb04638042bf9894d881172a) --- source3/auth/auth_unix.c | 6 ++++-- source3/auth/auth_util.c | 47 +++++++++++++++++++++++++++-------------------- 2 files changed, 31 insertions(+), 22 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index d456da1fdf..8c4a520350 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -98,13 +98,15 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve update_smbpassword_file : NULL, True); + unbecome_root(); + if NT_STATUS_IS_OK(nt_status) { if (pass) { make_server_info_pw(server_info, pass); + } else { + nt_status = NT_STATUS_NO_SUCH_USER; } } - unbecome_root(); - return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 85f01605ab..9de8142578 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -282,9 +282,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, if (lm_pwd_len) ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; - if (nt_pwd_len) + if (nt_pwd_len == 24) { ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; - + } else if (nt_pwd_len != 0) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + ret = make_user_info_map(user_info, smb_name, client_domain, wksta_name, sec_blob, @@ -303,15 +306,15 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, - uchar *lm_interactive_pwd, int lm_pwd_len, - uchar *nt_interactive_pwd, int nt_pwd_len, - uchar *dc_sess_key) + char *smb_name, + char *client_domain, + char *wksta_name, + uchar lm_interactive_pwd[16], + uchar nt_interactive_pwd[16], + uchar *dc_sess_key) { - char nt_pwd[16]; char lm_pwd[16]; + char nt_pwd[16]; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; @@ -320,32 +323,32 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, generate_random_buffer(chal, 8, False); - memset(key, 0, 16); + ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); - memcpy(lm_pwd, lm_interactive_pwd, 16); - memcpy(nt_pwd, nt_interactive_pwd, 16); + if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); + if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); - dump_data(100, (char *)key, 16); + dump_data(100, (char *)key, sizeof(key)); DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd, 16); + dump_data(100, lm_pwd, sizeof(lm_pwd)); DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd, 16); + dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - SamOEMhash((uchar *)lm_pwd, key, 16); - SamOEMhash((uchar *)nt_pwd, key, 16); + SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); + SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd, 16); + dump_data(100, lm_pwd, sizeof(lm_pwd)); DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd, 16); + dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif generate_random_buffer(chal, 8, False); @@ -364,7 +367,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; + if (lm_interactive_pwd) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + if (nt_interactive_pwd) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + ret = make_user_info_map(user_info, smb_name, client_domain, wksta_name, sec_blob, -- cgit From b3014b1840d6a1b5d8dc595c2f9b9dd64909f83e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 3 Nov 2001 00:20:31 +0000 Subject: Minor cleanups/fixes in the NTLMv2 code (This used to be commit 253790f6d71653b572c0174113b8559820de6bdd) --- source3/auth/auth_sam.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index d4283429ce..63c22f50b9 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -102,11 +102,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, } client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); - memcpy(client_response, ntv2_response.data, ntv2_response.length); - - if (!client_key_data.data) { - return False; - } + memcpy(client_response, ntv2_response.data, sizeof(client_response)); ntv2_owf_gen(part_passwd, user, domain, kr); SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, (char *)value_from_encryption); @@ -121,7 +117,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, DEBUG(100,("Password from client was |")); dump_data(100, ntv2_response.data, ntv2_response.length); DEBUG(100,("Variable data from client was |")); - dump_data(100, ntv2_response.data, ntv2_response.length); + dump_data(100, client_key_data.data, client_key_data.length); DEBUG(100,("Given challenge was |")); dump_data(100, sec_blob.data, sec_blob.length); DEBUG(100,("Value from encryption was |")); -- cgit From f8e2baf39eb864481dd48f61404136b325cd73c2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2001 23:34:24 +0000 Subject: Added NT_USER_TOKEN into server_info to fix extra groups problem. Got "medieval on our ass" about const warnings (as many as I could :-). Jeremy. (This used to be commit ee5e7ca547eff016818ba5c43b8ea0c9fa69b808) --- source3/auth/auth_util.c | 70 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 58 insertions(+), 12 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9de8142578..9a99b2643e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -4,6 +4,7 @@ Authentication utility functions Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 + Copyright (C) Jeremy Allison 2000-2001 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,21 +30,23 @@ extern fstring remote_machine; extern pstring global_myname; /******************************************************************* -Get the next challenge value - no repeats. + Get the next challenge value - no repeats. ********************************************************************/ + void generate_next_challenge(char *challenge) { - unsigned char buf[8]; + unsigned char buf[8]; - generate_random_buffer(buf,8,False); + generate_random_buffer(buf,8,False); memcpy(saved_challenge, buf, 8); memcpy(challenge,buf,8); challenge_sent = True; } /******************************************************************* -set the last challenge sent, usually from a password server + Set the last challenge sent, usually from a password server. ********************************************************************/ + BOOL set_challenge(unsigned char *challenge) { memcpy(saved_challenge,challenge,8); @@ -52,16 +55,17 @@ BOOL set_challenge(unsigned char *challenge) } /******************************************************************* -get the last challenge sent + Get the last challenge sent. ********************************************************************/ + BOOL last_challenge(unsigned char *challenge) { - if (!challenge_sent) return(False); + if (!challenge_sent) + return(False); memcpy(challenge,saved_challenge,8); return(True); } - /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -72,7 +76,8 @@ static int smb_create_user(const char *unix_user, const char *homedir) int ret; pstrcpy(add_script, lp_adduser_script()); - if (! *add_script) return -1; + if (! *add_script) + return -1; all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); @@ -91,7 +96,8 @@ static int smb_delete_user(char *unix_user) int ret; pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) return -1; + if (! *del_script) + return -1; all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); ret = smbrun(del_script,NULL); DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); @@ -131,7 +137,7 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli if (home_dir && (sys_stat(home_dir, &st) == -1) && (errno == ENOENT)) { - smb_create_user(user_info->internal_username.str, home_dir); + smb_create_user(user_info->internal_username.str, home_dir); } } } @@ -641,14 +647,14 @@ void free_user_info(auth_usersupplied_info **user_info) /*************************************************************************** Clear out a server_info struct that has been allocated ***************************************************************************/ + void free_server_info(auth_serversupplied_info **server_info) { if (*server_info != NULL) { pdb_free_sam(&(*server_info)->sam_account); /* call pam_end here, unless we know we are keeping it */ - SAFE_FREE((*server_info)->group_rids); - + delete_nt_token( &(*server_info)->ptok ); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); @@ -657,6 +663,7 @@ void free_server_info(auth_serversupplied_info **server_info) /*************************************************************************** Make a server_info struct for a guest user ***************************************************************************/ + void make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); @@ -666,3 +673,42 @@ void make_server_info_guest(auth_serversupplied_info **server_info) } } +/**************************************************************************** + Delete a SID token. +****************************************************************************/ + +void delete_nt_token(NT_USER_TOKEN **pptoken) +{ + if (*pptoken) { + NT_USER_TOKEN *ptoken = *pptoken; + SAFE_FREE( ptoken->user_sids ); + ZERO_STRUCTP(ptoken); + } + SAFE_FREE(*pptoken); +} + +/**************************************************************************** + Duplicate a SID token. +****************************************************************************/ + +NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) +{ + NT_USER_TOKEN *token; + + if (!ptoken) + return NULL; + + if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) + return NULL; + + ZERO_STRUCTP(token); + + if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + SAFE_FREE(token); + return NULL; + } + + token->num_sids = ptoken->num_sids; + + return token; +} -- cgit From 9d56e23591f64d8b0f4378e64615fe018f3a6d68 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 5 Nov 2001 01:04:45 +0000 Subject: Renamed make_user_info_for_winbindd() to be more consistent with the names of the other functions in this file. (This used to be commit 4880f37e4ee08b6363314a3fb67051a6708988d0) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9a99b2643e..421ab3f1e4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -396,10 +396,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_winbind(auth_usersupplied_info **user_info, - char *username, - char *domain, - char *password) +BOOL make_user_info_winbind(auth_usersupplied_info **user_info, + char *username, + char *domain, + char *password) { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; -- cgit From 55dfb66079333acd8e0aee91c0ee90d0a413a8e6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Nov 2001 22:19:01 +0000 Subject: Change to guest logon code. This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed becouse Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d) --- source3/auth/auth.c | 67 +++++++++++++++++++++++++++++++----------------- source3/auth/auth_util.c | 53 ++++++++++++++++++++++++++++++++++++-- 2 files changed, 94 insertions(+), 26 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { @@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? "guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); @@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} -- cgit From 395aa946cd4fb9d5e07dd2fee418045a8064dfab Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 9 Nov 2001 11:16:06 +0000 Subject: This change updates lp_guestaccount() to be a *global* paramater, rather than per-share. I beleive that almost all the things that this could have done on a per-share basis can be done with other tools, like 'force user'. Almost all the user's of this paramater used it as a global anyway... While this is one step at a time, I hope it will allow me to considerably simplfy the make_connection() code, particularly for the user-level security case. This already removes an absolute truckload of extra attempted password lookups on the guest account. Andrew Bartlett (This used to be commit 8e708332eded210c1d1fe0cebca3c9c19f054b71) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index cfdf3a6acc..d442f73a93 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -687,7 +687,7 @@ void free_server_info(auth_serversupplied_info **server_info) BOOL make_server_info_guest(auth_serversupplied_info **server_info) { - struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); + struct passwd *pass = sys_getpwnam(lp_guestaccount()); if (pass) { if (!make_server_info_pw(server_info, pass)) { -- cgit From 7de42a4faf74678c35b2013200466e75b1430524 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 10:42:07 +0000 Subject: Remove built-in support for clear-text kerberos authentication. This should remove some confusion from the ./configure, but does not affect the 'real' kerberos support currently residing in smbd/sesssetup.c. This code is vunerable to a spoofed KDC, and is best replaced by --with-pam and the pam_krb5 module. This module includes measures to prevent such spoofing. Andrew Bartlett (This used to be commit 3235880b41ee5dd5ef171195489fb9254f5d89b0) --- source3/auth/pass_check.c | 126 ++-------------------------------------------- 1 file changed, 3 insertions(+), 123 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 44b3b9a237..77839e4bb0 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -26,7 +26,7 @@ /* these are kept here to keep the string_combinations function simple */ static fstring this_user; -#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)) +#if !defined(WITH_PAM) static fstring this_salt; static fstring this_crypted; #endif @@ -370,122 +370,6 @@ void dfs_unlogin(void) } #endif -#ifdef KRB5_AUTH - -#include - -/******************************************************************* -check on Kerberos authentication -********************************************************************/ -static BOOL krb5_auth(char *user, char *password) -{ - krb5_data tgtname = { - 0, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME - }; - krb5_context kcontext; - krb5_principal kprinc; - krb5_principal server; - krb5_creds kcreds; - int options = 0; - krb5_address **addrs = (krb5_address **) 0; - krb5_preauthtype *preauth = NULL; - krb5_keytab keytab = NULL; - krb5_timestamp now; - krb5_ccache ccache = NULL; - int retval; - char *name; - - if (retval = krb5_init_context(&kcontext)) - { - return (False); - } - - if (retval = krb5_timeofday(kcontext, &now)) - { - return (False); - } - - if (retval = krb5_cc_default(kcontext, &ccache)) - { - return (False); - } - - if (retval = krb5_parse_name(kcontext, user, &kprinc)) - { - return (False); - } - - ZERO_STRUCT(kcreds); - - kcreds.client = kprinc; - - if ((retval = krb5_build_principal_ext(kcontext, &server, - krb5_princ_realm(kcontext, - kprinc)-> - length, - krb5_princ_realm(kcontext, - kprinc)->data, - tgtname.length, tgtname.data, - krb5_princ_realm(kcontext, - kprinc)-> - length, - krb5_princ_realm(kcontext, - kprinc)->data, - 0))) - { - return (False); - } - - kcreds.server = server; - - retval = krb5_get_in_tkt_with_password(kcontext, - options, - addrs, - NULL, - preauth, - password, 0, &kcreds, 0); - - if (retval) - { - return (False); - } - - return (True); -} -#endif /* KRB5_AUTH */ - -#ifdef KRB4_AUTH -#include - -/******************************************************************* -check on Kerberos authentication -********************************************************************/ -static BOOL krb4_auth(char *user, char *password) -{ - char realm[REALM_SZ]; - char tkfile[MAXPATHLEN]; - - if (krb_get_lrealm(realm, 1) != KSUCCESS) - { - (void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1); - } - - (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", - (int)sys_getpid()); - - krb_set_tkt_string(tkfile); - if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS) - { - unlink(tkfile); - return 1; - } - unlink(tkfile); - return 0; -} -#endif /* KRB4_AUTH */ - #ifdef LINUX_BIGCRYPT /**************************************************************************** an enhanced crypt for Linux to handle password longer than 8 characters @@ -602,10 +486,6 @@ static NTSTATUS password_check(char *password) { #ifdef WITH_PAM return smb_pam_passcheck(this_user, password); -#elif defined(KRB5_AUTH) - return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; -#elif defined(KRB4_AUTH) - return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; #else BOOL ret; @@ -729,7 +609,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return NT_STATUS_LOGON_FAILURE; -#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) +#if defined(WITH_PAM) /* * If we're using PAM we want to short-circuit all the @@ -834,7 +714,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, } } -#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */ +#endif /* defined(WITH_PAM) */ /* try it as it came to us */ nt_status = password_check(password); -- cgit From e903a34b2ecf6bca515dbe57274f4186d7f3955e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:00:38 +0000 Subject: Minor updates. A small dose of const. (This used to be commit 80667cb0dd1a2cdef17711c8580af9f524971cea) --- source3/auth/auth.c | 2 +- source3/auth/auth_util.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 67f80afdda..95c97182b8 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -36,7 +36,7 @@ static BOOL check_domain_match(char *user, char *domain) */ if (!lp_allow_trusted_domains() && - !strequal(lp_workgroup(), domain) ) { + (!strequal(lp_workgroup(), domain) || strequal("", domain))) { DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); return False; } else { diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d442f73a93..3f03097de4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -426,7 +426,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. We might want to add a check here and only do an LM in that case */ - SMBNTencrypt((uchar *)password, chal, local_nt_response); + SMBNTencrypt((const uchar *)password, chal, local_nt_response); local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); -- cgit From 2d07327a9595908370b901d52a85355fc668dcad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:11:56 +0000 Subject: This extra check isn't needed, we can only get here if secuirty=domain (This used to be commit 600d83e43f61eb138115731ce089ba42d63e0924) --- source3/auth/auth_domain.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f20da19607..4ada7d4a56 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -36,9 +36,6 @@ NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, unsigned char trust_passwd[16]; time_t last_change_time; - if(lp_security() != SEC_DOMAIN) - return NT_STATUS_LOGON_FAILURE; - become_root(); /* -- cgit From 63a8a2ebe880b4cf893ac3e97a5de52b74a39e1c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:15:28 +0000 Subject: make sam_account_ok static. remove rudundent not null checks fix indenting (This used to be commit 3eada888fddb1f0cb7c0ed7037eb1c60e7988ad9) --- source3/auth/auth_sam.c | 61 +++++++++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 32 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 63c22f50b9..717e30eda7 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -166,44 +166,44 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use /* No return, we want to check the LM hash below in this case */ ntlmssp_flags &= (~(NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)); } - + if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM2) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp, + nt_pw, + user_info->sec_blob, user_info->smb_name.str, + user_info->client_domain.str, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(3,("smb_password_ok: NTLMv2 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) { + if (lp_ntlm_auth()) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ - DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); - if (smb_pwd_check_ntlmv2( user_info->nt_resp, - nt_pw, - user_info->sec_blob, user_info->smb_name.str, - user_info->client_domain.str, - user_sess_key)) + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp, + nt_pw, user_info->sec_blob, + user_sess_key)) { return NT_STATUS_OK; } else { - DEBUG(3,("smb_password_ok: NTLMv2 password check failed\n")); + DEBUG(3,("smb_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } - } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) { - if (lp_ntlm_auth()) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(user_info->nt_resp, - nt_pw, user_info->sec_blob, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(3,("smb_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; - } - } else { - DEBUG(2,("smb_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + } else { + DEBUG(2,("smb_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ - } - } - + } + } + if (lm_pw == NULL) { DEBUG(3,("smb_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); ntlmssp_flags &= (~NTLMSSP_NEGOTIATE_OEM); @@ -242,15 +242,12 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use Do a specific test for a SAM_ACCOUNT being vaild for this connection (ie not disabled, expired and the like). ****************************************************************************/ -NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) +static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) { uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); char *workstation_list; time_t kickoff_time; - if (!user_info || !sampass) - return NT_STATUS_LOGON_FAILURE; - DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",pdb_get_username(sampass))); /* Quit if the account was disabled. */ -- cgit From 5edc5977866a5bfdf8e689e90b73483a7b1e3246 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:18:45 +0000 Subject: Add back the not null checks in a better place. Check the pdb_init_sam() for failure. (This used to be commit 1808cd5210258bddc349f13a7bcf20a3f46aa672) --- source3/auth/auth_sam.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 717e30eda7..70632fb5df 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -344,7 +344,13 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ uint8 user_sess_key[16]; const uint8* lm_hash; - pdb_init_sam(&sampass); + if (!user_info) { + return NT_STATUS_LOGON_FAILURE; + } + + if (!pdb_init_sam(&sampass)) { + return NT_STATUS_NO_MEMORY; + } /* get the account information */ -- cgit From 989e0409ba581eb2ed2031a72b9d32a41417f860 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:34:46 +0000 Subject: Fix up some DEBUG()s Add and fix comments Add 'const' to some more input paramaters. (This used to be commit 0c7eefcb5c5db63294d0584029e0d32cd1523e80) --- source3/auth/auth_util.c | 54 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f03097de4..e6ce7d186e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -158,13 +158,16 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info(auth_usersupplied_info **user_info, - char *smb_name, char *internal_username, - char *client_domain, char *domain, - char *wksta_name, DATA_BLOB sec_blob, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) +static BOOL make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, + const char *internal_username, + const char *client_domain, + const char *domain, + const char *wksta_name, + DATA_BLOB sec_blob, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -239,14 +242,14 @@ BOOL make_user_info(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_map(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, DATA_BLOB sec_blob, + const char *smb_name, + const char *client_domain, + const char *wksta_name, DATA_BLOB sec_blob, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, uint32 ntlmssp_flags, BOOL encrypted) { - char *domain; + const char *domain; fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); @@ -418,7 +421,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, generate_random_buffer(chal, 8, False); if (*password) { - SMBencrypt( (uchar *)password, chal, local_lm_response); + SMBencrypt( (const uchar *)password, chal, local_lm_response); /* This encrypts the lm_pwd feild, which actualy contains the password rather than the nt_pwd field becouse that contains nothing */ @@ -564,7 +567,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, if (plaintext_password.data) { unsigned char local_lm_response[24]; - SMBencrypt( (uchar *)plaintext_password.data, chal, local_lm_response); + SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be case insensitive */ @@ -604,23 +607,31 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) return make_user_info(user_info, "","", "","", - "", sec_blob, + "", sec_blob, nt_blob, lm_blob, plaintext_blob, ntlmssp_flags, True); } +/*************************************************************************** + Make a user_info struct +***************************************************************************/ + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { - DEBUG(0,("make_server_info_sam: malloc failed!\n")); + DEBUG(0,("make_server_info: malloc failed!\n")); return False; } ZERO_STRUCTP(*server_info); return True; } +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { if (!make_server_info(server_info)) { @@ -630,12 +641,17 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->sam_account = sampass; - DEBUG(5,("make_server_info_sam: made sever info for user %s\n", + DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); return True; } -BOOL make_server_info_pw(auth_serversupplied_info **server_info, struct passwd *pwd) +/*************************************************************************** + Make (and fill) a user_info struct from a 'struct passwd' by conversion + to a SAM_ACCOUNT +***************************************************************************/ + +BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { SAM_ACCOUNT *sampass = NULL; if (!pdb_init_sam_pw(&sampass, pwd)) { @@ -644,6 +660,10 @@ BOOL make_server_info_pw(auth_serversupplied_info **server_info, struct passwd * return make_server_info_sam(server_info, sampass); } +/*************************************************************************** + Free a user_info struct +***************************************************************************/ + void free_user_info(auth_usersupplied_info **user_info) { DEBUG(5,("attempting to free (and zero) a user_info structure\n")); -- cgit From 96d884cc0f42ea694f7648ae12a3643bd1322a2b Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 20 Nov 2001 23:20:00 +0000 Subject: Fixed sizeof vs array length bug in make_user_info_winbind_crap() Spelling fix. (This used to be commit 3d87c1a2444c3b9267e0dda7a2da77657fba143e) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e6ce7d186e..16efdbc54e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -473,7 +473,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, /**************************************************************************** Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrupt and encrypt the passwords. + Decrypt and encrypt the passwords. ****************************************************************************/ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, @@ -484,7 +484,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB sec_blob = data_blob(chal, 8); DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); -- cgit From 54432c412958ca4cafcc033c2d311cfccc1603f2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 21 Nov 2001 20:14:25 +0000 Subject: Spelling fix, reformatted comment. (This used to be commit 096868bd35b374f97e570676fc23c006b6c7a1d3) --- source3/auth/auth_util.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 16efdbc54e..5a86e02928 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -423,11 +423,13 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, if (*password) { SMBencrypt( (const uchar *)password, chal, local_lm_response); - /* This encrypts the lm_pwd feild, which actualy contains the password - rather than the nt_pwd field becouse that contains nothing */ + /* This encrypts the lm_pwd field, which actualy contains + the password rather than the nt_pwd field becouse that + contains nothing */ - /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. - We might want to add a check here and only do an LM in that case */ + /* WATCH OUT. This doesn't work if the incoming password is + incorrectly cased. We might want to add a check here + and only do an LM in that case */ SMBNTencrypt((const uchar *)password, chal, local_nt_response); -- cgit From 646f8ca3e822290897e6298dd16ad3b4be78c07a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 21 Nov 2001 21:10:13 +0000 Subject: More spelling fixes, comment reformatting. (This used to be commit edb556b47446f75dc4987eee15276661eb6cec8d) --- source3/auth/auth_util.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5a86e02928..25e0830fc7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -130,9 +130,11 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli SMB_STRUCT_STAT st; const char *home_dir = pdb_get_homedir(server_info->sam_account); /* - * Also call smb_create_user if the users home directory - * doesn't exist. Used with winbindd to allow the script to - * create the home directory for a user mapped with winbindd. + * Also call smb_create_user if the users + * home directory doesn't exist. Used with + * winbindd to allow the script to create + * the home directory for a user mapped + * with winbindd. */ if (home_dir && @@ -272,7 +274,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, /**************************************************************************** Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrupt and encrypt the passwords. + Decrypt and encrypt the passwords. ****************************************************************************/ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, @@ -311,7 +313,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, /**************************************************************************** Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrupt and encrypt the passwords. + Decrypt and encrypt the passwords. ****************************************************************************/ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, @@ -423,8 +425,8 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, if (*password) { SMBencrypt( (const uchar *)password, chal, local_lm_response); - /* This encrypts the lm_pwd field, which actualy contains - the password rather than the nt_pwd field becouse that + /* This encrypts the lm_pwd field, which actually contains + the password rather than the nt_pwd field because that contains nothing */ /* WATCH OUT. This doesn't work if the incoming password is @@ -572,7 +574,8 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); - /* We can't do an NT hash here, as the password needs to be case insensitive */ + /* We can't do an NT hash here, as the password needs to be + case insensitive */ local_nt_blob = data_blob(NULL, 0); ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; -- cgit From d0a2faf78d316fec200497f5f7997df4c477a1e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:12:38 +0000 Subject: This is another rather major change to the samba authenticaion subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99) --- source3/auth/auth.c | 165 +++++++++++++------------- source3/auth/auth_builtin.c | 87 ++++++++++++++ source3/auth/auth_domain.c | 18 ++- source3/auth/auth_info.c | 279 ++++++++++++++++++++++++++++++++++++++++++++ source3/auth/auth_rhosts.c | 72 +++++++++--- source3/auth/auth_sam.c | 75 +++++++----- source3/auth/auth_server.c | 172 ++++++++++++++++++++++----- source3/auth/auth_unix.c | 15 ++- source3/auth/auth_util.c | 208 ++++++++++++--------------------- 9 files changed, 799 insertions(+), 292 deletions(-) create mode 100644 source3/auth/auth_builtin.c create mode 100644 source3/auth/auth_info.c (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 95c97182b8..c62e2ed5a0 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -58,27 +58,50 @@ static BOOL check_domain_match(char *user, char *domain) ****************************************************************************/ NTSTATUS check_password(const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - BOOL done_pam = False; const char *pdb_username; + auth_methods *auth_method; + + if (!user_info || !auth_info || !server_info) { + return NT_STATUS_LOGON_FAILURE; + } DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); - - if (!NT_STATUS_IS_OK(nt_status)) { - nt_status = check_guest_security(user_info, server_info); + DEBUG(10, ("auth_info challange created by %s\n", auth_info->challange_set_by)); + DEBUG(10, ("challange is: \n")); + dump_data(5, (auth_info)->challange.data, (auth_info)->challange.length); + +#ifdef DEBUG_PASSWORD + DEBUG(100, ("user_info has passwords of length %d and %d\n", + user_info->lm_resp.length, user_info->nt_resp.length)); + DEBUG(100, ("lm:\n")); + dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length); + DEBUG(100, ("nt:\n")); + dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length); +#endif + + for (auth_method = auth_info->auth_method_list;auth_method; auth_method = auth_method->next) + { + nt_status = auth_method->auth(auth_method->private_data, user_info, auth_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %s authentication for user [%s] suceeded\n", + auth_method->name, user_info->smb_name.str)); } else { - DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); - - } + DEBUG(5, ("check_password: %s authentication for user [%s] FAILED with error %s\n", + auth_method->name, user_info->smb_name.str, get_nt_error_msg(nt_status))); + } + + if (NT_STATUS_IS_OK(nt_status)) { + break; + } } /* This needs to be sorted: If it doesn't match, what should we do? */ @@ -86,83 +109,47 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, return NT_STATUS_LOGON_FAILURE; } - if (!NT_STATUS_IS_OK(nt_status)) { - nt_status = check_rhosts_security(user_info, server_info); - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); - - } - } - - if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { - nt_status = check_domain_security(user_info, server_info); - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); - - } - } - - if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { - nt_status = check_server_security(user_info, server_info); - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); - - } - } + /* This is one of the few places the *relies* (rather than just sets defaults + on the value of lp_security(). This needs to change. A new paramater + perhaps? */ if (lp_security() >= SEC_SERVER) { smb_user_control(user_info, *server_info, nt_status); } - if (!NT_STATUS_IS_OK(nt_status)) { - if (user_info->encrypted || lp_plaintext_to_smbpasswd()) { - nt_status = check_smbpasswd_security(user_info, server_info); - } else { - nt_status = check_unix_security(user_info, server_info); - done_pam = True; - } - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); - - } - } - if (NT_STATUS_IS_OK(nt_status)) { pdb_username = pdb_get_username((*server_info)->sam_account); - if (!done_pam && !(*server_info)->guest) { + if (!(*server_info)->guest) { /* We might not be root if we are an RPC call */ become_root(); nt_status = smb_pam_accountcheck(pdb_username); unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", + pdb_username)); } else { - DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", + pdb_username, get_nt_error_msg(nt_status))); } } + + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG((*server_info)->guest ? 5 : 2, + ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? "guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); + } } - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", - (*server_info)->guest ? "guest " : "", - user_info->smb_name.str, - user_info->internal_username.str, - pdb_username)); - } else { - DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(2, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", + user_info->smb_name.str, user_info->internal_username.str, + get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); - } - + } return nt_status; } @@ -210,16 +197,35 @@ static NTSTATUS pass_check_smb(char *smb_name, { NTSTATUS nt_status; auth_usersupplied_info *user_info = NULL; + extern auth_authsupplied_info *negprot_global_auth_info; auth_serversupplied_info *server_info = NULL; + if (encrypted) { + make_user_info_for_reply_enc(&user_info, smb_name, + domain, + lm_pwd, + nt_pwd, + plaintext_password); + nt_status = check_password(user_info, negprot_global_auth_info, &server_info); + } else { + auth_authsupplied_info *plaintext_auth_info = NULL; + DATA_BLOB chal; + if (!make_auth_info_subsystem(&plaintext_auth_info)) { + return NT_STATUS_NO_MEMORY; + } - make_user_info_for_reply(&user_info, smb_name, - domain, - lm_pwd, - nt_pwd, - plaintext_password, - encrypted); - - nt_status = check_password(user_info, &server_info); + chal = auth_get_challange(plaintext_auth_info); + + if (!make_user_info_for_reply(&user_info, + smb_name, domain, chal.data, + plaintext_password)) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = check_password(user_info, plaintext_auth_info, &server_info); + + data_blob_free(&chal); + free_auth_info(&plaintext_auth_info); + } free_user_info(&user_info); free_server_info(&server_info); return nt_status; @@ -235,22 +241,23 @@ BOOL password_ok(char *smb_name, DATA_BLOB password_blob) DATA_BLOB null_password = data_blob(NULL, 0); extern BOOL global_encrypted_passwords_negotiated; - - if (global_encrypted_passwords_negotiated) { + BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24); + + if (encrypted) { /* * The password could be either NTLM or plain LM. Try NTLM first, * but fall-through as required. * NTLMv2 makes no sense here. */ - if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, global_encrypted_passwords_negotiated))) { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, global_encrypted_passwords_negotiated))) { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) { return True; } } else { - if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, global_encrypted_passwords_negotiated))) { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) { return True; } } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c new file mode 100644 index 0000000000..6ea6d0bbe0 --- /dev/null +++ b/source3/auth/auth_builtin.c @@ -0,0 +1,87 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0. + Generic authenticaion types + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +static NTSTATUS check_guest_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} + +BOOL auth_init_guest(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_guest_security; + return True; +} + +/**************************************************************************** + Check against either sam or unix, depending on encryption. +****************************************************************************/ + +static NTSTATUS check_local_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (user_info->encrypted) { + nt_status = check_sam_security(my_private_data, user_info, auth_info, server_info); + } else { + nt_status = check_unix_security(my_private_data, user_info, auth_info, server_info); + } + + return nt_status; +} + +BOOL auth_init_local(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_local_security; + return True; +} + diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 4ada7d4a56..ef0e5b2f10 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -28,8 +28,10 @@ BOOL global_machine_password_needs_changing = False; Check for a valid username and password in security=domain mode. ****************************************************************************/ -NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) +static NTSTATUS check_ntdomain_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; @@ -66,8 +68,18 @@ NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, server_info, + nt_status = domain_client_validate(user_info, (uchar *)auth_info->challange.data,server_info, p, trust_passwd, last_change_time); return nt_status; } + +BOOL auth_init_ntdomain(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_ntdomain_security; + return True; +} diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c new file mode 100644 index 0000000000..12b843d781 --- /dev/null +++ b/source3/auth/auth_info.c @@ -0,0 +1,279 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0. + Authentication utility functions + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +const struct auth_init_function builtin_auth_init_functions[] = { + { "guest", auth_init_guest }, + { "rhosts", auth_init_rhosts }, + { "hostsequiv", auth_init_hostsequiv }, + { "sam", auth_init_sam }, + { "unix", auth_init_unix }, + { "local", auth_init_local }, + { "smbserver", auth_init_smbserver }, + { "ntdomain", auth_init_ntdomain }, + { "winbind", auth_init_winbind }, + { NULL, NULL} +}; + +/*************************************************************************** + Make a auth_info struct +***************************************************************************/ + +static BOOL make_auth_info(auth_authsupplied_info **auth_info) +{ + *auth_info = malloc(sizeof(**auth_info)); + if (!*auth_info) { + DEBUG(0,("make_auth_info: malloc failed!\n")); + return False; + } + ZERO_STRUCTP(*auth_info); + + return True; +} + +/*************************************************************************** + Make a auth_info struct with a specified list. +***************************************************************************/ + +BOOL make_auth_info_list(auth_authsupplied_info **auth_info, auth_methods *list) +{ + if (!make_auth_info(auth_info)) { + return False; + } + + (*auth_info)->auth_method_list = list; + + return True; +} + +/*************************************************************************** + Make a auth_info struct for the auth subsystem +***************************************************************************/ + +static BOOL make_auth_info_text_list(auth_authsupplied_info **auth_info, char **text_list) +{ + auth_methods *list = NULL; + auth_methods *t = NULL; + auth_methods *tmp; + int i; + + for (;*text_list; text_list++) + { + DEBUG(5,("Attempting to find an auth method to match %s\n", *text_list)); + for (i = 0; builtin_auth_init_functions[i].name; i++) + { + if (strequal(builtin_auth_init_functions[i].name, *text_list)) + { + DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); + /* Malloc entry, fill it, link it */ + t = (auth_methods *)malloc(sizeof(*t)); + if (!t) { + DEBUG(0,("make_pw_chat: malloc failed!\n")); + return False; + } + + ZERO_STRUCTP(t); + + if (builtin_auth_init_functions[i].init(&t)) { + DEBUG(5,("auth method %s has a valid init\n", *text_list)); + t->name = builtin_auth_init_functions[i].name; + DLIST_ADD_END(list, t, tmp); + } else { + DEBUG(5,("auth method %s DOES NOT have a valid init\n", *text_list)); + } + break; + } + } + } + + make_auth_info_list(auth_info, list); + + return True; +} + +/*************************************************************************** + Make a auth_info struct for the auth subsystem +***************************************************************************/ + +BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info) +{ + char **auth_method_list = NULL; + + if (!make_auth_info(auth_info)) { + return False; + } + + if (lp_auth_methods() && !lp_list_copy(&auth_method_list, lp_auth_methods())) { + return False; + } + + if (auth_method_list == NULL) { + switch (lp_security()) + { + case SEC_DOMAIN: + DEBUG(5,("Making default auth method list for security=domain\n")); + auth_method_list = lp_list_make("guest ntdomain local"); + break; + case SEC_SERVER: + DEBUG(5,("Making default auth method list for security=server\n")); + auth_method_list = lp_list_make("guest smbserver local"); + break; + case SEC_USER: + DEBUG(5,("Making default auth method list for security=user\n")); + auth_method_list = lp_list_make("guest local"); + break; + case SEC_SHARE: + DEBUG(5,("Making default auth method list for security=share\n")); + auth_method_list = lp_list_make("guest local"); + break; + } + } else { + DEBUG(5,("Using specified auth order\n")); + } + + if (!make_auth_info_text_list(auth_info, auth_method_list)) { + lp_list_free(&auth_method_list); + return False; + } + + lp_list_free(&auth_method_list); + return True; +} + +/*************************************************************************** + Make a auth_info struct with a random challange +***************************************************************************/ + +BOOL make_auth_info_random(auth_authsupplied_info **auth_info) +{ + uchar chal[8]; + if (!make_auth_info_subsystem(auth_info)) { + return False; + } + + generate_random_buffer(chal, sizeof(chal), False); + (*auth_info)->challange = data_blob(chal, sizeof(chal)); + + (*auth_info)->challange_set_by = "random"; + + return True; +} + +/*************************************************************************** + Make a auth_info struct with a fixed challange +***************************************************************************/ + +BOOL make_auth_info_fixed(auth_authsupplied_info **auth_info, uchar chal[8]) +{ + if (!make_auth_info_subsystem(auth_info)) { + return False; + } + + (*auth_info)->challange = data_blob(chal, 8); + return True; +} + +/*************************************************************************** + Clear out a auth_info struct that has been allocated +***************************************************************************/ + +void free_auth_info(auth_authsupplied_info **auth_info) +{ + auth_methods *list; + if (*auth_info != NULL) { + list = (*auth_info)->auth_method_list; + while (list) { + auth_methods *old_head = list; + if (list->free_private_data) { + list->free_private_data(&(list->private_data)); + } + DLIST_REMOVE(list, list); + SAFE_FREE(old_head); + } + + data_blob_free(&(*auth_info)->challange); + ZERO_STRUCT(**auth_info); + } + SAFE_FREE(*auth_info); +} + +/**************************************************************************** + Try to get a challange out of the various authenticaion modules. + It is up to the caller to free it. +****************************************************************************/ + +DATA_BLOB auth_get_challange(auth_authsupplied_info *auth_info) +{ + DATA_BLOB challange = data_blob(NULL, 0); + char *challange_set_by = NULL; + auth_methods *auth_method; + + if (auth_info->challange.length) { + DEBUG(5, ("auth_get_challange: returning previous challange (normal)\n")); + return data_blob(auth_info->challange.data, auth_info->challange.length); + } + + for (auth_method = auth_info->auth_method_list; auth_method; auth_method = auth_method->next) + { + if (auth_method->get_chal) { + DEBUG(5, ("auth_get_challange: getting challange from module %s\n", auth_method->name)); + if (challange_set_by) { + DEBUG(1, ("auth_get_challange: CONFIGURATION ERROR: authenticaion method %s has already specified a challange. Challange by %s ignored.\n", + challange_set_by, auth_method->name)); + } else { + challange = auth_method->get_chal(&auth_method->private_data, auth_info); + if (challange.length) { + DEBUG(5, ("auth_get_challange: sucessfully got challange from module %s\n", auth_method->name)); + auth_info->challange = challange; + challange_set_by = auth_method->name; + auth_info->challange_set_method = auth_method; + } else { + DEBUG(3, ("auth_get_challange: getting challange from authenticaion method %s FAILED.\n", + auth_method->name)); + } + } + } else { + DEBUG(5, ("auth_get_challange: module %s did not want to specify a challange\n", auth_method->name)); + } + } + + if (!challange_set_by) { + uchar chal[8]; + + generate_random_buffer(chal, sizeof(chal), False); + auth_info->challange = data_blob(chal, sizeof(chal)); + + challange_set_by = "random"; + } + + DEBUG(5, ("auth_info challange created by %s\n", challange_set_by)); + DEBUG(5, ("challange is: \n")); + dump_data(5, auth_info->challange.data, (auth_info)->challange.length); + + SMB_ASSERT(auth_info->challange.length == 8); + + auth_info->challange_set_by=challange_set_by; + + return data_blob(auth_info->challange.data, auth_info->challange.length); +} + + diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 9c07e48a9b..2605f0770a 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -135,7 +135,6 @@ check for a possible hosts equiv or rhosts entry for the user static BOOL check_hosts_equiv(struct passwd *pass) { char *fname = NULL; - pstring rhostsfile; if (!pass) return(False); @@ -148,39 +147,82 @@ static BOOL check_hosts_equiv(struct passwd *pass) return(True); } - if (lp_use_rhosts()) - { - char *home = pass->pw_dir; - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) - return(True); - } - } - return(False); } + /**************************************************************************** Check for a valid .rhosts/hosts.equiv entry for this user ****************************************************************************/ -NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) +static NTSTATUS check_hostsequiv_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; struct passwd *pass = Get_Pwnam(user_info->internal_username.str); if (pass) { - become_root(); if (check_hosts_equiv(pass)) { nt_status = NT_STATUS_OK; make_server_info_pw(server_info, pass); } - unbecome_root(); } else { nt_status = NT_STATUS_NO_SUCH_USER; } return nt_status; } + + +/**************************************************************************** + Check for a valid .rhosts/hosts.equiv entry for this user +****************************************************************************/ + +static NTSTATUS check_rhosts_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + struct passwd *pass = Get_Pwnam(user_info->internal_username.str); + pstring rhostsfile; + + if (pass) { + char *home = pass->pw_dir; + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + become_root(); + if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) { + nt_status = NT_STATUS_OK; + make_server_info_pw(server_info, pass); + } + unbecome_root(); + } + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + + return nt_status; +} + +BOOL auth_init_hostsequiv(auth_methods **auth_method) +{ + + if (!make_auth_methods(auth_method)) { + return False; + } + (*auth_method)->auth = check_hostsequiv_security; + return True; +} + +BOOL auth_init_rhosts(auth_methods **auth_method) +{ + + if (!make_auth_methods(auth_method)) { + return False; + } + (*auth_method)->auth = check_rhosts_security; + return True; +} diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 70632fb5df..24a4d4e4e4 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -96,7 +96,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, if (ntv2_response.length < 16) { /* We MUST have more than 16 bytes, or the stuff below will go crazy... */ - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%d)\n", + DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%d)\n", ntv2_response.length)); return False; } @@ -132,15 +132,16 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, uint8 user_sess_key[16]) +static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + uint8 user_sess_key[16]) { + uint16 acct_ctrl; const uint8 *nt_pw, *lm_pw; - uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); uint32 ntlmssp_flags; - if (!user_info || !sampass) - return NT_STATUS_LOGON_FAILURE; - + acct_ctrl = pdb_get_acct_ctrl(sampass); if (acct_ctrl & ACB_PWNOTREQ) { if (lp_null_passwords()) @@ -173,8 +174,8 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use */ DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); if (smb_pwd_check_ntlmv2( user_info->nt_resp, - nt_pw, - user_info->sec_blob, user_info->smb_name.str, + nt_pw, auth_info->challange, + user_info->smb_name.str, user_info->client_domain.str, user_sess_key)) { @@ -190,7 +191,7 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); if (smb_pwd_check_ntlmv1(user_info->nt_resp, - nt_pw, user_info->sec_blob, + nt_pw, auth_info->challange, user_sess_key)) { return NT_STATUS_OK; @@ -223,7 +224,7 @@ NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use DEBUG(4,("smb_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(user_info->lm_resp, - lm_pw, user_info->sec_blob, + lm_pw, auth_info->challange, user_sess_key)) { return NT_STATUS_OK; @@ -265,6 +266,24 @@ static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_inf return NT_STATUS_ACCOUNT_EXPIRED; } + if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) { + time_t must_change_time = pdb_get_pass_must_change_time(sampass); + time_t last_set_time = pdb_get_pass_last_set_time(sampass); + + /* check for immediate expiry "must change at next logon" */ + if (must_change_time == 0 && last_set_time != 0) { + DEBUG(1,("Account for user '%s' password must change!.\n", pdb_get_username(sampass))); + return NT_STATUS_PASSWORD_MUST_CHANGE; + } + + /* check for expired password */ + if (must_change_time < time(NULL) && must_change_time != 0) { + DEBUG(1,("Account for user '%s' password expired!.\n", pdb_get_username(sampass))); + DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); + return NT_STATUS_PASSWORD_EXPIRED; + } + } + /* Test workstation. Workstation list is comma separated. */ workstation_list = strdup(pdb_get_workstations(sampass)); @@ -293,24 +312,6 @@ static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_inf SAFE_FREE(workstation_list); } - if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) { - time_t must_change_time = pdb_get_pass_must_change_time(sampass); - time_t last_set_time = pdb_get_pass_last_set_time(sampass); - - /* check for immediate expiry "must change at next logon" */ - if (must_change_time == 0 && last_set_time != 0) { - DEBUG(1,("Account for user '%s' password must change!.\n", pdb_get_username(sampass))); - return NT_STATUS_PASSWORD_MUST_CHANGE; - } - - /* check for expired password */ - if (must_change_time < time(NULL) && must_change_time != 0) { - DEBUG(1,("Account for user '%s' password expired!.\n", pdb_get_username(sampass))); - DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); - return NT_STATUS_PASSWORD_EXPIRED; - } - } - if (acct_ctrl & ACB_DOMTRUST) { DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; @@ -336,7 +337,10 @@ SMB hash supplied in the user_info structure return an NT_STATUS constant. ****************************************************************************/ -NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) +NTSTATUS check_sam_security(void *my_private_dat, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { SAM_ACCOUNT *sampass=NULL; BOOL ret; @@ -344,7 +348,7 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ uint8 user_sess_key[16]; const uint8* lm_hash; - if (!user_info) { + if (!user_info || !auth_info) { return NT_STATUS_LOGON_FAILURE; } @@ -365,7 +369,7 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(sampass, user_info, user_sess_key); + nt_status = sam_password_ok(sampass, user_info, auth_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); @@ -394,6 +398,15 @@ NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_ return nt_status; } +BOOL auth_init_sam(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_sam_security; + return True; +} diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index ddbc284d50..067b5b2997 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -24,31 +24,19 @@ extern pstring global_myname; -/**************************************************************************** - Return the client state structure. -****************************************************************************/ - -struct cli_state *server_client(void) -{ - static struct cli_state pw_cli; - return &pw_cli; -} - /**************************************************************************** Support for server level security. ****************************************************************************/ -struct cli_state *server_cryptkey(void) +static struct cli_state *server_cryptkey(void) { - struct cli_state *cli; + struct cli_state *cli = NULL; fstring desthost; struct in_addr dest_ip; char *p, *pserver; BOOL connected_ok = False; - cli = server_client(); - - if (!cli_initialise(cli)) + if (!(cli = cli_initialise(cli))) return NULL; /* security = server just can't function with spnego */ @@ -88,7 +76,11 @@ struct cli_state *server_cryptkey(void) if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) return NULL; - + + if (strequal(desthost,myhostname())) { + exit_server("Password server loop!"); + } + DEBUG(3,("got session\n")); if (!cli_negprot(cli)) { @@ -109,13 +101,82 @@ struct cli_state *server_cryptkey(void) return cli; } +/**************************************************************************** + Clean up our allocated cli. +****************************************************************************/ + +static void free_server_private_data(void **private_data_pointer) +{ + struct cli_state **cli = (struct cli_state **)private_data_pointer; + if (*cli && (*cli)->initialised) { + cli_shutdown(*cli); + + SAFE_FREE(*cli); + } +} + +/**************************************************************************** + Send a 'keepalive' packet down the cli pipe. +****************************************************************************/ + +static void send_server_keepalive(void **private_data_pointer) +{ + struct cli_state **cli = (struct cli_state **)private_data_pointer; + + /* also send a keepalive to the password server if its still + connected */ + if (cli && *cli && (*cli)->initialised) { + if (!send_keepalive((*cli)->fd)) { + DEBUG( 2, ( "password server keepalive failed.\n")); + cli_shutdown(*cli); + SAFE_FREE(*cli); + } + } +} + +/**************************************************************************** + Get the challange out of a password server. +****************************************************************************/ + +static DATA_BLOB auth_get_challange_server(void **my_private_data, const struct authsupplied_info *auth_info) +{ + struct cli_state *cli = server_cryptkey(); + + if (cli) { + DEBUG(3,("using password server validation\n")); + if ((cli->sec_mode & 2) == 0) { + /* We can't work with unencrypted password servers + unless 'encrypt passwords = no' */ + DEBUG(5,("make_auth_info_server: Server is unencrypted, no challange available..\n")); + + *my_private_data = (void *)cli; + return data_blob(NULL, 0); + + } else if (cli->secblob.length < 8) { + /* We can't do much if we don't get a full challange */ + DEBUG(2,("make_auth_info_server: Didn't receive a full challange from server\n")); + cli_shutdown(cli); + return data_blob(NULL, 0); + } + + *my_private_data = (void *)cli; + + return data_blob(cli->secblob.data,8); + } else { + return data_blob(NULL, 0); + } +} + /**************************************************************************** Check for a valid username and password in security=server mode. - Validate a password with the password server. ****************************************************************************/ -NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) +static NTSTATUS check_smbserver_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { struct cli_state *cli; static unsigned char badpass[24]; @@ -123,13 +184,32 @@ NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_ser static BOOL tested_password_server = False; static BOOL bad_password_server = False; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + BOOL locally_made_cli = False; - cli = server_client(); + cli = my_private_data; + + if (cli) { + } else { + cli = server_cryptkey(); + locally_made_cli = True; + } - if (!cli->initialised) { + if (!cli || !cli->initialised) { DEBUG(1,("password server %s is not connected\n", cli->desthost)); - return(NT_STATUS_LOGON_FAILURE); + return NT_STATUS_LOGON_FAILURE; } + + if ((cli->sec_mode & 2) == 0) { + if (user_info->encrypted) { + DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost)); + return NT_STATUS_LOGON_FAILURE; + } + } else { + if (memcmp(cli->secblob.data, auth_info->challange.data, 8) != 0) { + DEBUG(1,("the challange that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost)); + return NT_STATUS_LOGON_FAILURE; + } + } if(badpass[0] == 0) memset(badpass, 0x1f, sizeof(badpass)); @@ -206,17 +286,32 @@ use this machine as the password server.\n")); * not guest enabled, we can try with the real password. */ - if (!cli_session_setup(cli, user_info->smb_name.str, - (char *)user_info->lm_resp.data, - user_info->lm_resp.length, - (char *)user_info->nt_resp.data, - user_info->nt_resp.length, - user_info->domain.str)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - /* Make this cli_nt_error() when the conversion is in */ - nt_status = cli_nt_error(cli); + if (!user_info->encrypted) { + /* Plaintext available */ + if (!cli_session_setup(cli, user_info->smb_name.str, + (char *)user_info->plaintext_password.data, + user_info->plaintext_password.length, + NULL, 0, + user_info->domain.str)) { + DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + /* Make this cli_nt_error() when the conversion is in */ + nt_status = cli_nt_error(cli); + } else { + nt_status = NT_STATUS_OK; + } } else { - nt_status = NT_STATUS_OK; + if (!cli_session_setup(cli, user_info->smb_name.str, + (char *)user_info->lm_resp.data, + user_info->lm_resp.length, + (char *)user_info->nt_resp.data, + user_info->nt_resp.length, + user_info->domain.str)) { + DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + /* Make this cli_nt_error() when the conversion is in */ + nt_status = cli_nt_error(cli); + } else { + nt_status = NT_STATUS_OK; + } } /* if logged in as guest then reject */ @@ -238,5 +333,22 @@ use this machine as the password server.\n")); } } + if (locally_made_cli) { + cli_shutdown(cli); + SAFE_FREE(cli); + } + return(nt_status); } + +BOOL auth_init_smbserver(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + (*auth_method)->auth = check_smbserver_security; + (*auth_method)->get_chal = auth_get_challange_server; + (*auth_method)->send_keepalive = send_server_keepalive; + (*auth_method)->free_private_data = free_server_private_data; + return True; +} diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 8c4a520350..d134ce6909 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -82,7 +82,10 @@ check if a username/password is OK assuming the password in PLAIN TEXT ****************************************************************************/ -NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) +NTSTATUS check_unix_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status; struct passwd *pass = NULL; @@ -104,9 +107,19 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve if (pass) { make_server_info_pw(server_info, pass); } else { + /* we need to do somthing more useful here */ nt_status = NT_STATUS_NO_SUCH_USER; } } return nt_status; } + +BOOL auth_init_unix(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + (*auth_method)->auth = check_unix_security; + return True; +} diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 25e0830fc7..d1b2cc92e5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -23,49 +23,9 @@ #include "includes.h" -/* Data to do lanman1/2 password challenge. */ -static unsigned char saved_challenge[8]; -static BOOL challenge_sent=False; extern fstring remote_machine; extern pstring global_myname; -/******************************************************************* - Get the next challenge value - no repeats. -********************************************************************/ - -void generate_next_challenge(char *challenge) -{ - unsigned char buf[8]; - - generate_random_buffer(buf,8,False); - memcpy(saved_challenge, buf, 8); - memcpy(challenge,buf,8); - challenge_sent = True; -} - -/******************************************************************* - Set the last challenge sent, usually from a password server. -********************************************************************/ - -BOOL set_challenge(unsigned char *challenge) -{ - memcpy(saved_challenge,challenge,8); - challenge_sent = True; - return(True); -} - -/******************************************************************* - Get the last challenge sent. -********************************************************************/ - -BOOL last_challenge(unsigned char *challenge) -{ - if (!challenge_sent) - return(False); - memcpy(challenge,saved_challenge,8); - return(True); -} - /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -166,7 +126,6 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, const char *client_domain, const char *domain, const char *wksta_name, - DATA_BLOB sec_blob, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, uint32 ntlmssp_flags, BOOL encrypted) @@ -226,7 +185,6 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); - (*user_info)->sec_blob = data_blob(sec_blob.data, sec_blob.length); (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); @@ -246,7 +204,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, BOOL make_user_info_map(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, - const char *wksta_name, DATA_BLOB sec_blob, + const char *wksta_name, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, uint32 ntlmssp_flags, BOOL encrypted) @@ -265,7 +223,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, return make_user_info(user_info, smb_name, internal_username, client_domain, domain, - wksta_name, sec_blob, + wksta_name, lm_pwd, nt_pwd, plaintext, ntlmssp_flags, encrypted); @@ -280,12 +238,11 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - char *wksta_name, uchar chal[8], + char *wksta_name, uchar *lm_network_pwd, int lm_pwd_len, uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -301,8 +258,8 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - wksta_name, sec_blob, - nt_blob, lm_blob, + wksta_name, + lm_blob, nt_blob, plaintext_blob, ntlmssp_flags, True); @@ -320,6 +277,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, char *wksta_name, + char chal[8], uchar lm_interactive_pwd[16], uchar nt_interactive_pwd[16], uchar *dc_sess_key) @@ -329,11 +287,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint8 chal[8]; uint32 ntlmssp_flags = 0; - generate_random_buffer(chal, 8, False); - ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -362,7 +317,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - generate_random_buffer(chal, 8, False); SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); @@ -373,7 +327,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -385,7 +338,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - wksta_name, sec_blob, + wksta_name, local_lm_blob, local_nt_blob, plaintext_blob, @@ -402,13 +355,14 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, - char *username, - char *domain, - char *password) + const char *username, + const char *domain, + const char *password, + char chal[8] /* Give winbind back the challange we used */ + ) { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; - char chal[8]; DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; DATA_BLOB plaintext_blob; @@ -453,16 +407,11 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); - - if (!sec_blob.data) { - return False; - } ret = make_user_info(user_info, username, username, domain, domain, - global_myname, sec_blob, + global_myname, local_nt_blob, local_lm_blob, plaintext_blob, @@ -483,12 +432,10 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - uchar chal[8], uchar *lm_network_pwd, int lm_pwd_len, uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, 8); DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -502,7 +449,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, ret = make_user_info(user_info, smb_name, smb_name, client_domain, client_domain, - global_myname, sec_blob, + global_myname, nt_blob, lm_blob, plaintext_blob, ntlmssp_flags, True); @@ -517,59 +464,30 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp, - DATA_BLOB plaintext_password, - BOOL encrypted) + char *smb_name, + char *client_domain, + char chal[8], + DATA_BLOB plaintext_password) { - uchar chal[8]; DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; - DATA_BLOB sec_blob; BOOL ret = False; uint32 ntlmssp_flags = 0; - if (encrypted) { - DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); - if (!last_challenge(chal)) { - DEBUG(0,("Encrypted login but no challange set!\n")); - return False; - } - sec_blob = data_blob(chal, 8); - - if (lm_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; - } - if (nt_resp.length == 0) { - } else if (nt_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; - } else { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; - } - - return make_user_info_map(user_info, smb_name, - client_domain, - remote_machine, sec_blob, - lm_resp, - nt_resp, - no_plaintext_blob, - ntlmssp_flags, encrypted); - } - - generate_random_buffer(chal, 8, False); - - sec_blob = data_blob(chal, 8); - /* * Not encrypted - do so. */ - DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n")); if (plaintext_password.data) { unsigned char local_lm_response[24]; + +#ifdef DEBUG_PASSWORD + DEBUG(10,("Unencrypted password (len %d):\n",plaintext_password.length)); + dump_data(100, plaintext_password.data, plaintext_password.length); +#endif SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); @@ -587,23 +505,54 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, remote_machine, - sec_blob, local_lm_blob, local_nt_blob, plaintext_password, - ntlmssp_flags, encrypted); + ntlmssp_flags, False); data_blob_free(&local_lm_blob); return ret; } +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp, + DATA_BLOB plaintext_password) +{ + uint32 ntlmssp_flags = 0; + + DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); + + if (lm_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + } + if (nt_resp.length == 0) { + } else if (nt_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + } else { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + return make_user_info_map(user_info, smb_name, + client_domain, + remote_machine, + lm_resp, + nt_resp, + no_plaintext_blob, + ntlmssp_flags, True); +} + /**************************************************************************** Create a guest user_info blob, for anonymous authenticaion. ****************************************************************************/ BOOL make_user_info_guest(auth_usersupplied_info **user_info) { - DATA_BLOB sec_blob = data_blob(NULL, 0); DATA_BLOB lm_blob = data_blob(NULL, 0); DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -612,7 +561,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) return make_user_info(user_info, "","", "","", - "", sec_blob, + "", nt_blob, lm_blob, plaintext_blob, ntlmssp_flags, True); @@ -680,7 +629,6 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE((*user_info)->internal_username.str); SAFE_FREE((*user_info)->client_domain.str); SAFE_FREE((*user_info)->domain.str); - data_blob_free(&(*user_info)->sec_blob); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); SAFE_FREE((*user_info)->interactive_password); @@ -725,6 +673,22 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) return False; } +/*************************************************************************** + Make an auth_methods struct +***************************************************************************/ + +BOOL make_auth_methods(auth_methods **auth_method) +{ + *auth_method = malloc(sizeof(**auth_method)); + if (!*auth_method) { + DEBUG(0,("make_auth_method: malloc failed!\n")); + return False; + } + ZERO_STRUCTP(*auth_method); + + return True; +} + /**************************************************************************** Delete a SID token. ****************************************************************************/ @@ -764,25 +728,3 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } - -/**************************************************************************** - Check for a guest logon (username = "") and if so create the required - structure. -****************************************************************************/ - -NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - - if (!(user_info->internal_username.str - && *user_info->internal_username.str)) { - if (make_server_info_guest(server_info)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } - - return nt_status; -} -- cgit From 4f37307452ff77e8058dd2107f0b88fe64b3ba5e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:16:27 +0000 Subject: And add the winbind module I missed in the last run. (large change to modularise the auth subsystem) Andrew Bartlett (This used to be commit 324c4676280641fee0647221dba1e826e03ba9ab) --- source3/auth/auth_winbind.c | 111 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 source3/auth/auth_winbind.c (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c new file mode 100644 index 0000000000..c29d008f4a --- /dev/null +++ b/source3/auth/auth_winbind.c @@ -0,0 +1,111 @@ +/* + Unix SMB/Netbios implementation. + Version 2.0 + + Winbind authentication mechnism + + Copyright (C) Tim Potter 2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* Prototypes from common.h */ + +NSS_STATUS winbindd_request(int req_type, + struct winbindd_request *request, + struct winbindd_response *response); + + +/* Authenticate a user with a challenge/response */ + +static NTSTATUS check_winbind_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + struct winbindd_request request; + struct winbindd_response response; + NSS_STATUS result; + struct passwd *pw; + NTSTATUS nt_status; + + if (!user_info) { + return NT_STATUS_LOGON_FAILURE; + } + + if (!auth_info) { + DEBUG(3,("Password for user %s cannot be checked becouse we have no auth_info to get the challange from.\n", + user_info->internal_username.str)); + return NT_STATUS_LOGON_FAILURE; + } + + /* Send off request */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + snprintf(request.data.auth_crap.user, sizeof(request.data.auth_crap.user), + "%s\\%s", user_info->domain.str, user_info->smb_name.str); + + memcpy(request.data.auth_crap.chal, auth_info->challange.data, sizeof(request.data.auth_crap.chal)); + + request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length, + sizeof(request.data.auth_crap.lm_resp)); + request.data.auth_crap.nt_resp_len = MIN(user_info->nt_resp.length, + sizeof(request.data.auth_crap.nt_resp)); + + memcpy(request.data.auth_crap.lm_resp, user_info->lm_resp.data, + sizeof(request.data.auth_crap.lm_resp_len)); + memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, + request.data.auth_crap.lm_resp_len); + + result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + + if (result == NSS_STATUS_SUCCESS) { + + pw = Get_Pwnam(user_info->internal_username.str); + + if (pw) { + if (make_server_info_pw(server_info, pw)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_MEMORY; + } + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } else { + nt_status = NT_STATUS_LOGON_FAILURE; + } + + return nt_status; +} + +BOOL auth_init_winbind(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_winbind_security; + return True; +} + + + + -- cgit From 1b1b8e39b2ce4bf32517e7178ca18b3fd8fecd03 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 25 Nov 2001 03:01:14 +0000 Subject: Add the PDC end of the smbtorture test for creating an NT_STATUS -> DOS error map. This little authentication module is #ifdef DEVELOPER, becouse it really is of no use execept as a development tool invoke by setting: auth methods = guest sam name_to_ntstatus in the smb.conf file (the SAM and guest elements are required for the member server to authenticate itself). Andrew Bartlett (This used to be commit 9807e66f34c1088399657060977e384c5a7f0664) --- source3/auth/auth_builtin.c | 33 +++++++++++++++++++++++++++++++++ source3/auth/auth_info.c | 3 +++ 2 files changed, 36 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 6ea6d0bbe0..482ae6dee1 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -85,3 +85,36 @@ BOOL auth_init_local(auth_methods **auth_method) return True; } +/**************************************************************************** + Return an error based on username +****************************************************************************/ + +static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status; + fstring user; + long error_num; + fstrcpy(user, user_info->smb_name.str); + strlower(user); + error_num = strtoul(user, NULL, 16); + + DEBUG(5,("Error for user %s was %lx\n", user, error_num)); + + nt_status = NT_STATUS(error_num); + + return nt_status; +} + +BOOL auth_init_name_to_ntstatus(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_name_to_ntstatus_security; + return True; +} + diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index 12b843d781..b1c994d54f 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -31,6 +31,9 @@ const struct auth_init_function builtin_auth_init_functions[] = { { "smbserver", auth_init_smbserver }, { "ntdomain", auth_init_ntdomain }, { "winbind", auth_init_winbind }, +#ifdef DEVELOPER + { "name_to_ntstatus", auth_init_name_to_ntstatus }, +#endif { NULL, NULL} }; -- cgit From e75ad578d2578d756b7672fbf12d16f0823d472b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Nov 2001 01:37:01 +0000 Subject: This compleats the of the authenticaion subystem into the new 'auth' subdirectory. (The insertion of these files was done with some CVS backend magic, hence the lack of a commit message). This also moves libsmb/domain_client_validate.c back into auth_domain.c, becouse we no longer share it with winbind. Andrew Bartlett (This used to be commit 782835470cb68da2188a57007d6f55c17b094d08) --- source3/auth/auth_domain.c | 411 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 410 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index ef0e5b2f10..fa6093a592 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -1,6 +1,6 @@ /* Unix SMB/Netbios implementation. - Version 1.9. + Version 3.0. Authenticate against a remote domain Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 @@ -24,6 +24,415 @@ BOOL global_machine_password_needs_changing = False; +extern struct in_addr ipzero; + +extern pstring global_myname; + +/*********************************************************************** + Connect to a remote machine for domain security authentication + given a name or IP address. + ***********************************************************************/ + +static BOOL connect_to_domain_password_server(struct cli_state *pcli, + char *server, unsigned char *trust_passwd) +{ + struct in_addr dest_ip; + fstring remote_machine; + NTSTATUS result; + + if(cli_initialise(pcli) == NULL) { + DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); + return False; + } + + if (is_ipaddress(server)) { + struct in_addr to_ip; + + /* we shouldn't have 255.255.255.255 forthe IP address of + a password server anyways */ + if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { + DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); + return False; + } + + if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { + DEBUG(0, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return False; + } + } else { + fstrcpy(remote_machine, server); + } + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_connect(pcli, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ +session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + return False; + } + + pcli->protocol = PROTOCOL_NT1; + + if (!cli_negprot(pcli)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (pcli->protocol != PROTOCOL_NT1) { + DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!(pcli->sec_mode & 1)) { + DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + /* + * We now have an anonymous connection to IPC$ on the domain password server. + */ + + /* + * Even if the connect succeeds we need to setup the netlogon + * pipe here. We do this as we may just have changed the domain + * account password on the PDC and yet we may be talking to + * a BDC that doesn't have this replicated yet. In this case + * a successful connect to a DC needs to take the netlogon connect + * into account also. This patch from "Bjart Kvarme" . + */ + + if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return False; + } + + result = cli_nt_setup_creds(pcli, trust_passwd); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return(False); + } + + return True; +} + +/*********************************************************************** + Utility function to attempt a connection to an IP address of a DC. +************************************************************************/ + +static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, + unsigned char *trust_passwd) +{ + fstring dc_name; + + /* + * Ignore addresses we have already tried. + */ + + if (ip_equal(ipzero, *ip)) + return False; + + if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + return False; + + return connect_to_domain_password_server(pcli, dc_name, trust_passwd); +} + +/*********************************************************************** + We have been asked to dynamcially determine the IP addresses of + the PDC and BDC's for this DOMAIN, and query them in turn. +************************************************************************/ +static BOOL find_connect_pdc(struct cli_state *pcli, + unsigned char *trust_passwd, + time_t last_change_time) +{ + struct in_addr *ip_list = NULL; + int count = 0; + int i; + BOOL connected_ok = False; + time_t time_now = time(NULL); + BOOL use_pdc_only = False; + + /* + * If the time the machine password has changed + * was less than an hour ago then we need to contact + * the PDC only, as we cannot be sure domain replication + * has yet taken place. Bug found by Gerald (way to go + * Gerald !). JRA. + */ + + if (time_now - last_change_time < 3600) + use_pdc_only = True; + + if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + return False; + + /* + * Firstly try and contact a PDC/BDC who has the same + * network address as any of our interfaces. + */ + for(i = 0; i < count; i++) { + if(!is_local_net(ip_list[i])) + continue; + + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Secondly try and contact a random PDC/BDC. + */ + if(!connected_ok) { + i = (sys_random() % count); + + if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Finally go through the IP list in turn, ignoring any addresses + * we have already tried. + */ + if(!connected_ok) { + /* + * Try and connect to any of the other IP addresses in the PDC/BDC list. + * Note that from a WINS server the #1 IP address is the PDC. + */ + for(i = 0; i < count; i++) { + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + } + } + + SAFE_FREE(ip_list); + + + return connected_ok; +} + +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. +************************************************************************/ + +static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, + uchar chal[8], + auth_serversupplied_info **server_info, + char *server, unsigned char *trust_passwd, + time_t last_change_time) +{ + fstring remote_machine; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + BOOL connected_ok = False; + NTSTATUS status; + struct passwd *pass; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal(user_info->domain.str, global_myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + ZERO_STRUCT(cli); + + while (!connected_ok && + next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { + if(strequal(remote_machine, "*")) { + connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + } else { + connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + } + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return NT_STATUS_LOGON_FAILURE; + } + + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + /* + * If this call succeeds, we now have lots of info about the user + * in the info3 structure. + */ + + status = cli_nt_login_network(&cli, user_info, chal, smb_uid_low, + &ctr, &info3); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("domain_client_validate: unable to validate password " + "for user %s in domain %s to Domain controller %s. " + "Error was %s.\n", user_info->smb_name.str, + user_info->domain.str, cli.srv_name_slash, + get_nt_error_msg(status))); + } else { + char *dom_user; + + /* Check DOMAIN\username first to catch winbind users, then + just the username for local users. */ + + asprintf(&dom_user, "%s%s%s", user_info->domain.str, + lp_winbind_separator(), + user_info->internal_username.str); + + if (!(pass = Get_Pwnam(dom_user))) + pass = Get_Pwnam(user_info->internal_username.str); + + free(dom_user); + + if (pass) { + make_server_info_pw(server_info, pass); + if (!server_info) { + status = NT_STATUS_NO_MEMORY; + } + } else { + status = NT_STATUS_NO_SUCH_USER; + } + } + + /* Store the user group information in the server_info returned to the caller. */ + + if (NT_STATUS_IS_OK(status) && (info3.num_groups2 != 0)) { + DOM_SID domain_sid; + int i; + NT_USER_TOKEN *ptok; + auth_serversupplied_info *pserver_info = *server_info; + + if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); + status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + goto done; + } + + ptok = pserver_info->ptok; + ptok->num_sids = (size_t)info3.num_groups2; + + if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { + DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); + status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + goto done; + } + + if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { + DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); + status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + goto done; + } + + for (i = 0; i < ptok->num_sids; i++) { + sid_copy(&ptok->user_sids[i], &domain_sid); + sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); + } + } + +#if 0 + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ + + if (NT_STATUS_IS_OK(status)) { + if(cli_nt_logoff(&cli, &ctr) == False) { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); + status = NT_STATUS_LOGON_FAILURE; + } + } +#endif /* 0 */ + + done: + + /* Note - once the cli stream is shutdown the mem_ctx used + to allocate the other_sids and gids structures has been deleted - so + these pointers are no longer valid..... */ + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return status; +} + /**************************************************************************** Check for a valid username and password in security=domain mode. ****************************************************************************/ -- cgit From 585d0efbc6428e5876d354fee49c241c1bad809d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 03:11:44 +0000 Subject: Got medieval on another pointless extern. Removed extern struct ipzero and replaced with two functions: void zero_ip(struct in_adder *ip); BOOL is_zero_ip(struct in_addr ip); (This used to be commit 778f5f77a66cda76348a7c6f64cd63afe2bfe077) --- source3/auth/auth_domain.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index fa6093a592..f3c2fa97e4 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -24,8 +24,6 @@ BOOL global_machine_password_needs_changing = False; -extern struct in_addr ipzero; - extern pstring global_myname; /*********************************************************************** @@ -183,7 +181,7 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, * Ignore addresses we have already tried. */ - if (ip_equal(ipzero, *ip)) + if (is_zero_ip(*ip)) return False; if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) @@ -232,7 +230,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) break; - ip_list[i] = ipzero; /* Tried and failed. */ + zero_ip(&ip_list[i]); /* Tried and failed. */ } /* @@ -242,7 +240,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, i = (sys_random() % count); if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - ip_list[i] = ipzero; /* Tried and failed. */ + zero_ip(&ip_list[i]); /* Tried and failed. */ } /* -- cgit From 178f6a64b26d828db6b516392d7072e9c29f6233 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 04:05:28 +0000 Subject: challange -> challenge (This used to be commit d6318add27f6bca5be00cbedf2226b642341297a) --- source3/auth/auth.c | 8 +++--- source3/auth/auth_domain.c | 2 +- source3/auth/auth_info.c | 68 ++++++++++++++++++++++----------------------- source3/auth/auth_sam.c | 8 +++--- source3/auth/auth_server.c | 16 +++++------ source3/auth/auth_util.c | 2 +- source3/auth/auth_winbind.c | 4 +-- 7 files changed, 54 insertions(+), 54 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index c62e2ed5a0..e68f4a1aac 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -75,9 +75,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); - DEBUG(10, ("auth_info challange created by %s\n", auth_info->challange_set_by)); - DEBUG(10, ("challange is: \n")); - dump_data(5, (auth_info)->challange.data, (auth_info)->challange.length); + DEBUG(10, ("auth_info challenge created by %s\n", auth_info->challenge_set_by)); + DEBUG(10, ("challenge is: \n")); + dump_data(5, (auth_info)->challenge.data, (auth_info)->challenge.length); #ifdef DEBUG_PASSWORD DEBUG(100, ("user_info has passwords of length %d and %d\n", @@ -213,7 +213,7 @@ static NTSTATUS pass_check_smb(char *smb_name, return NT_STATUS_NO_MEMORY; } - chal = auth_get_challange(plaintext_auth_info); + chal = auth_get_challenge(plaintext_auth_info); if (!make_user_info_for_reply(&user_info, smb_name, domain, chal.data, diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f3c2fa97e4..c605356af8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -475,7 +475,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, (uchar *)auth_info->challange.data,server_info, + nt_status = domain_client_validate(user_info, (uchar *)auth_info->challenge.data,server_info, p, trust_passwd, last_change_time); return nt_status; diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index b1c994d54f..a68ffefb5d 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -163,7 +163,7 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info) } /*************************************************************************** - Make a auth_info struct with a random challange + Make a auth_info struct with a random challenge ***************************************************************************/ BOOL make_auth_info_random(auth_authsupplied_info **auth_info) @@ -174,15 +174,15 @@ BOOL make_auth_info_random(auth_authsupplied_info **auth_info) } generate_random_buffer(chal, sizeof(chal), False); - (*auth_info)->challange = data_blob(chal, sizeof(chal)); + (*auth_info)->challenge = data_blob(chal, sizeof(chal)); - (*auth_info)->challange_set_by = "random"; + (*auth_info)->challenge_set_by = "random"; return True; } /*************************************************************************** - Make a auth_info struct with a fixed challange + Make a auth_info struct with a fixed challenge ***************************************************************************/ BOOL make_auth_info_fixed(auth_authsupplied_info **auth_info, uchar chal[8]) @@ -191,7 +191,7 @@ BOOL make_auth_info_fixed(auth_authsupplied_info **auth_info, uchar chal[8]) return False; } - (*auth_info)->challange = data_blob(chal, 8); + (*auth_info)->challenge = data_blob(chal, 8); return True; } @@ -213,70 +213,70 @@ void free_auth_info(auth_authsupplied_info **auth_info) SAFE_FREE(old_head); } - data_blob_free(&(*auth_info)->challange); + data_blob_free(&(*auth_info)->challenge); ZERO_STRUCT(**auth_info); } SAFE_FREE(*auth_info); } /**************************************************************************** - Try to get a challange out of the various authenticaion modules. + Try to get a challenge out of the various authenticaion modules. It is up to the caller to free it. ****************************************************************************/ -DATA_BLOB auth_get_challange(auth_authsupplied_info *auth_info) +DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) { - DATA_BLOB challange = data_blob(NULL, 0); - char *challange_set_by = NULL; + DATA_BLOB challenge = data_blob(NULL, 0); + char *challenge_set_by = NULL; auth_methods *auth_method; - if (auth_info->challange.length) { - DEBUG(5, ("auth_get_challange: returning previous challange (normal)\n")); - return data_blob(auth_info->challange.data, auth_info->challange.length); + if (auth_info->challenge.length) { + DEBUG(5, ("auth_get_challenge: returning previous challenge (normal)\n")); + return data_blob(auth_info->challenge.data, auth_info->challenge.length); } for (auth_method = auth_info->auth_method_list; auth_method; auth_method = auth_method->next) { if (auth_method->get_chal) { - DEBUG(5, ("auth_get_challange: getting challange from module %s\n", auth_method->name)); - if (challange_set_by) { - DEBUG(1, ("auth_get_challange: CONFIGURATION ERROR: authenticaion method %s has already specified a challange. Challange by %s ignored.\n", - challange_set_by, auth_method->name)); + DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); + if (challenge_set_by) { + DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", + challenge_set_by, auth_method->name)); } else { - challange = auth_method->get_chal(&auth_method->private_data, auth_info); - if (challange.length) { - DEBUG(5, ("auth_get_challange: sucessfully got challange from module %s\n", auth_method->name)); - auth_info->challange = challange; - challange_set_by = auth_method->name; - auth_info->challange_set_method = auth_method; + challenge = auth_method->get_chal(&auth_method->private_data, auth_info); + if (challenge.length) { + DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); + auth_info->challenge = challenge; + challenge_set_by = auth_method->name; + auth_info->challenge_set_method = auth_method; } else { - DEBUG(3, ("auth_get_challange: getting challange from authenticaion method %s FAILED.\n", + DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", auth_method->name)); } } } else { - DEBUG(5, ("auth_get_challange: module %s did not want to specify a challange\n", auth_method->name)); + DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); } } - if (!challange_set_by) { + if (!challenge_set_by) { uchar chal[8]; generate_random_buffer(chal, sizeof(chal), False); - auth_info->challange = data_blob(chal, sizeof(chal)); + auth_info->challenge = data_blob(chal, sizeof(chal)); - challange_set_by = "random"; + challenge_set_by = "random"; } - DEBUG(5, ("auth_info challange created by %s\n", challange_set_by)); - DEBUG(5, ("challange is: \n")); - dump_data(5, auth_info->challange.data, (auth_info)->challange.length); + DEBUG(5, ("auth_info challenge created by %s\n", challenge_set_by)); + DEBUG(5, ("challenge is: \n")); + dump_data(5, auth_info->challenge.data, (auth_info)->challenge.length); - SMB_ASSERT(auth_info->challange.length == 8); + SMB_ASSERT(auth_info->challenge.length == 8); - auth_info->challange_set_by=challange_set_by; + auth_info->challenge_set_by=challenge_set_by; - return data_blob(auth_info->challange.data, auth_info->challange.length); + return data_blob(auth_info->challenge.data, auth_info->challenge.length); } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 24a4d4e4e4..421349a765 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -41,7 +41,7 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, } if (sec_blob.length != 8) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challange size (%d)\n", sec_blob.length)); + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%d)\n", sec_blob.length)); return False; } @@ -174,7 +174,7 @@ static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, */ DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); if (smb_pwd_check_ntlmv2( user_info->nt_resp, - nt_pw, auth_info->challange, + nt_pw, auth_info->challenge, user_info->smb_name.str, user_info->client_domain.str, user_sess_key)) @@ -191,7 +191,7 @@ static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); if (smb_pwd_check_ntlmv1(user_info->nt_resp, - nt_pw, auth_info->challange, + nt_pw, auth_info->challenge, user_sess_key)) { return NT_STATUS_OK; @@ -224,7 +224,7 @@ static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, DEBUG(4,("smb_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(user_info->lm_resp, - lm_pw, auth_info->challange, + lm_pw, auth_info->challenge, user_sess_key)) { return NT_STATUS_OK; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 067b5b2997..a3cfc3a0e6 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -135,10 +135,10 @@ static void send_server_keepalive(void **private_data_pointer) } /**************************************************************************** - Get the challange out of a password server. + Get the challenge out of a password server. ****************************************************************************/ -static DATA_BLOB auth_get_challange_server(void **my_private_data, const struct authsupplied_info *auth_info) +static DATA_BLOB auth_get_challenge_server(void **my_private_data, const struct authsupplied_info *auth_info) { struct cli_state *cli = server_cryptkey(); @@ -147,14 +147,14 @@ static DATA_BLOB auth_get_challange_server(void **my_private_data, const struct if ((cli->sec_mode & 2) == 0) { /* We can't work with unencrypted password servers unless 'encrypt passwords = no' */ - DEBUG(5,("make_auth_info_server: Server is unencrypted, no challange available..\n")); + DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n")); *my_private_data = (void *)cli; return data_blob(NULL, 0); } else if (cli->secblob.length < 8) { - /* We can't do much if we don't get a full challange */ - DEBUG(2,("make_auth_info_server: Didn't receive a full challange from server\n")); + /* We can't do much if we don't get a full challenge */ + DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n")); cli_shutdown(cli); return data_blob(NULL, 0); } @@ -205,8 +205,8 @@ static NTSTATUS check_smbserver_security(void *my_private_data, return NT_STATUS_LOGON_FAILURE; } } else { - if (memcmp(cli->secblob.data, auth_info->challange.data, 8) != 0) { - DEBUG(1,("the challange that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost)); + if (memcmp(cli->secblob.data, auth_info->challenge.data, 8) != 0) { + DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost)); return NT_STATUS_LOGON_FAILURE; } } @@ -347,7 +347,7 @@ BOOL auth_init_smbserver(auth_methods **auth_method) return False; } (*auth_method)->auth = check_smbserver_security; - (*auth_method)->get_chal = auth_get_challange_server; + (*auth_method)->get_chal = auth_get_challenge_server; (*auth_method)->send_keepalive = send_server_keepalive; (*auth_method)->free_private_data = free_server_private_data; return True; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d1b2cc92e5..b7927e970c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -358,7 +358,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, const char *username, const char *domain, const char *password, - char chal[8] /* Give winbind back the challange we used */ + char chal[8] /* Give winbind back the challenge we used */ ) { unsigned char local_lm_response[24]; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index c29d008f4a..9ca87fe0dd 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -49,7 +49,7 @@ static NTSTATUS check_winbind_security(void *my_private_data, } if (!auth_info) { - DEBUG(3,("Password for user %s cannot be checked becouse we have no auth_info to get the challange from.\n", + DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", user_info->internal_username.str)); return NT_STATUS_LOGON_FAILURE; } @@ -62,7 +62,7 @@ static NTSTATUS check_winbind_security(void *my_private_data, snprintf(request.data.auth_crap.user, sizeof(request.data.auth_crap.user), "%s\\%s", user_info->domain.str, user_info->smb_name.str); - memcpy(request.data.auth_crap.chal, auth_info->challange.data, sizeof(request.data.auth_crap.chal)); + memcpy(request.data.auth_crap.chal, auth_info->challenge.data, sizeof(request.data.auth_crap.chal)); request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length, sizeof(request.data.auth_crap.lm_resp)); -- cgit From a131c2cfdcd4e10d85e21bcf4b3e45b99054a96c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 26 Nov 2001 06:21:24 +0000 Subject: add SEC_ADS auth method (This used to be commit b175c42080b15f27589cb6b6d61af5cbbedf5d02) --- source3/auth/auth_info.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index a68ffefb5d..8087be48f2 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -78,6 +78,11 @@ static BOOL make_auth_info_text_list(auth_authsupplied_info **auth_info, char ** auth_methods *t = NULL; auth_methods *tmp; int i; + + if (!text_list) { + DEBUG(2,("No auth method list!?\n")); + return False; + } for (;*text_list; text_list++) { @@ -148,6 +153,13 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info) DEBUG(5,("Making default auth method list for security=share\n")); auth_method_list = lp_list_make("guest local"); break; + case SEC_ADS: + DEBUG(5,("Making default auth method list for security=ADS\n")); + auth_method_list = lp_list_make("guest ads ntdomain local"); + break; + default: + DEBUG(5,("Unknown auth method!\n")); + return False; } } else { DEBUG(5,("Using specified auth order\n")); -- cgit From 4499007e45637f172c4afb0ec2e048cf795a3cbe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Nov 2001 06:47:04 +0000 Subject: A number of things to clean up the auth subsytem a bit... We now default encrypt passwords = yes We now check plaintext passwords (however aquired) with the 'sam' backend rather than unix, if encrypt passwords = yes. (this kills off the 'local' backed. The sam backend may be renamed in its place) The new 'samstrict' wrapper backend checks that the user's domain is one of our netbios aliases - this ensures that we don't get fallback crazies with security = domain. Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks that the user was not local before contacting the DC. The default ordering has changed, we now check the local stuff first - but becouse of the changes above, we will really only ever contact one auth source. Andrew Bartlett (This used to be commit e89b47f65e7eaf5eb288a3d6ba2d3d115c628e7e) --- source3/auth/auth.c | 2 +- source3/auth/auth_builtin.c | 30 ------------------------------ source3/auth/auth_domain.c | 27 ++++++++++++++++----------- source3/auth/auth_info.c | 28 +++++++++++++++++++--------- source3/auth/auth_sam.c | 37 ++++++++++++++++++++++++++++++++++++- source3/auth/auth_server.c | 11 +++++++++++ 6 files changed, 83 insertions(+), 52 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e68f4a1aac..e22c52702c 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -36,7 +36,7 @@ static BOOL check_domain_match(char *user, char *domain) */ if (!lp_allow_trusted_domains() && - (!strequal(lp_workgroup(), domain) || strequal("", domain))) { + (strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) { DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); return False; } else { diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 482ae6dee1..2bba36f754 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -55,36 +55,6 @@ BOOL auth_init_guest(auth_methods **auth_method) return True; } -/**************************************************************************** - Check against either sam or unix, depending on encryption. -****************************************************************************/ - -static NTSTATUS check_local_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - - if (user_info->encrypted) { - nt_status = check_sam_security(my_private_data, user_info, auth_info, server_info); - } else { - nt_status = check_unix_security(my_private_data, user_info, auth_info, server_info); - } - - return nt_status; -} - -BOOL auth_init_local(auth_methods **auth_method) -{ - if (!make_auth_methods(auth_method)) { - return False; - } - - (*auth_method)->auth = check_local_security; - return True; -} - /**************************************************************************** Return an error based on username ****************************************************************************/ diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c605356af8..a41e43bd82 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -285,17 +285,6 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, NTSTATUS status; struct passwd *pass; - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(strequal(user_info->domain.str, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; - } - /* * At this point, smb_apasswd points to the lanman response to * the challenge in local_challenge, and smb_ntpasswd points to @@ -445,6 +434,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, unsigned char trust_passwd[16]; time_t last_change_time; + if (!user_info || !server_info || !auth_info) { + DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(is_netbios_alias_or_name(user_info->domain.str)) { + DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + become_root(); /* diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index 8087be48f2..99648aba8d 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -25,9 +25,9 @@ const struct auth_init_function builtin_auth_init_functions[] = { { "guest", auth_init_guest }, { "rhosts", auth_init_rhosts }, { "hostsequiv", auth_init_hostsequiv }, - { "sam", auth_init_sam }, + { "sam", auth_init_sam }, + { "samstrict", auth_init_samstrict }, { "unix", auth_init_unix }, - { "local", auth_init_local }, { "smbserver", auth_init_smbserver }, { "ntdomain", auth_init_ntdomain }, { "winbind", auth_init_winbind }, @@ -139,23 +139,33 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = lp_list_make("guest ntdomain local"); + auth_method_list = lp_list_make("guest samstrict ntdomain"); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = lp_list_make("guest smbserver local"); + auth_method_list = lp_list_make("guest samstrict smbserver"); break; case SEC_USER: - DEBUG(5,("Making default auth method list for security=user\n")); - auth_method_list = lp_list_make("guest local"); + if (lp_encrypted_passwords()) { + DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); + auth_method_list = lp_list_make("guest sam"); + } else { + DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); + auth_method_list = lp_list_make("guest unix"); + } break; case SEC_SHARE: - DEBUG(5,("Making default auth method list for security=share\n")); - auth_method_list = lp_list_make("guest local"); + if (lp_encrypted_passwords()) { + DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); + auth_method_list = lp_list_make("guest sam"); + } else { + DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); + auth_method_list = lp_list_make("guest unix"); + } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = lp_list_make("guest ads ntdomain local"); + auth_method_list = lp_list_make("guest samstrict ads ntdomain"); break; default: DEBUG(5,("Unknown auth method!\n")); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 421349a765..d899006cf8 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -337,7 +337,7 @@ SMB hash supplied in the user_info structure return an NT_STATUS constant. ****************************************************************************/ -NTSTATUS check_sam_security(void *my_private_dat, +static NTSTATUS check_sam_security(void *my_private_data, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -408,5 +408,40 @@ BOOL auth_init_sam(auth_methods **auth_method) return True; } +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash supplied in the user_info structure +return an NT_STATUS constant. +****************************************************************************/ + +static NTSTATUS check_samstrict_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + + if (!user_info || !auth_info) { + return NT_STATUS_LOGON_FAILURE; + } + + /* If we are a domain member, we must not + attempt to check the password locally, + unless it is one of our aliases. */ + + if (!is_netbios_alias_or_name(user_info->domain.str)) { + return NT_STATUS_NO_SUCH_USER; + } + + return check_sam_security(my_private_data, user_info, auth_info, server_info); +} + +BOOL auth_init_samstrict(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + (*auth_method)->auth = check_samstrict_security; + return True; +} diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index a3cfc3a0e6..d061a5a84f 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -186,6 +186,17 @@ static NTSTATUS check_smbserver_security(void *my_private_data, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL locally_made_cli = False; + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(is_netbios_alias_or_name(user_info->domain.str)) { + DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + cli = my_private_data; if (cli) { -- cgit From f1db6a0c6cb6898699426700a10721acc4ad4407 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Nov 2001 07:23:51 +0000 Subject: Fix debug (This used to be commit 44224ae156394dac1055c68764c84f758cea6540) --- source3/auth/auth_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index d061a5a84f..628e672608 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -193,7 +193,7 @@ static NTSTATUS check_smbserver_security(void *my_private_data, */ if(is_netbios_alias_or_name(user_info->domain.str)) { - DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); + DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } -- cgit From 097d46653632855edd429fb8cd44d80f3e30c86c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 27 Nov 2001 03:25:31 +0000 Subject: fix sense of lp_allow_trusted_domains() fix a memory leak (This used to be commit 1421f2fbcb296a894cb4e7548e0275e35e055b98) --- source3/auth/auth.c | 2 +- source3/auth/auth_domain.c | 2 +- source3/auth/auth_info.c | 9 --------- 3 files changed, 2 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e22c52702c..a32d607e97 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -36,7 +36,7 @@ static BOOL check_domain_match(char *user, char *domain) */ if (!lp_allow_trusted_domains() && - (strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) { + !(strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) { DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); return False; } else { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a41e43bd82..a779a7e9c0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -38,7 +38,7 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, fstring remote_machine; NTSTATUS result; - if(cli_initialise(pcli) == NULL) { + if (cli_initialise(pcli) == NULL) { DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); return False; } diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index 99648aba8d..4b372c1632 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -92,15 +92,6 @@ static BOOL make_auth_info_text_list(auth_authsupplied_info **auth_info, char ** if (strequal(builtin_auth_init_functions[i].name, *text_list)) { DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); - /* Malloc entry, fill it, link it */ - t = (auth_methods *)malloc(sizeof(*t)); - if (!t) { - DEBUG(0,("make_pw_chat: malloc failed!\n")); - return False; - } - - ZERO_STRUCTP(t); - if (builtin_auth_init_functions[i].init(&t)) { DEBUG(5,("auth method %s has a valid init\n", *text_list)); t->name = builtin_auth_init_functions[i].name; -- cgit From 6b120378399400d0cec126e3d4dc85bbf95d2d31 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 27 Nov 2001 04:05:28 +0000 Subject: another memory leak bites the dust (This used to be commit 982d6d447add2d4079c28c0b8ecb0e499f391a2a) --- source3/auth/auth_info.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index 4b372c1632..cc13d5a8b9 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -117,10 +117,6 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info) { char **auth_method_list = NULL; - if (!make_auth_info(auth_info)) { - return False; - } - if (lp_auth_methods() && !lp_list_copy(&auth_method_list, lp_auth_methods())) { return False; } -- cgit From 32a811ce762bc9061ac71633cd299160ea955737 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 27 Nov 2001 04:07:57 +0000 Subject: fixed leak in free_user_info() (This used to be commit 8eb4277b12b600cdbf8a5205ebc76d1d9d52f1aa) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b7927e970c..fed4efd36c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -629,6 +629,7 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE((*user_info)->internal_username.str); SAFE_FREE((*user_info)->client_domain.str); SAFE_FREE((*user_info)->domain.str); + SAFE_FREE((*user_info)->wksta_name.str); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); SAFE_FREE((*user_info)->interactive_password); -- cgit From 40203ea0fcd96c9d9fc070bb5a04977012263f22 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 27 Nov 2001 13:29:14 +0000 Subject: fixed the panics on basicsmb-sharelist on sun1 (This used to be commit 1bd3235744bebefa6ba09795438400b4674c165c) --- source3/auth/auth.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index a32d607e97..fc5a88ad64 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -75,7 +75,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); - DEBUG(10, ("auth_info challenge created by %s\n", auth_info->challenge_set_by)); + if (auth_info->challenge_set_by) { + DEBUG(10, ("auth_info challenge created by %s\n", auth_info->challenge_set_by)); + } DEBUG(10, ("challenge is: \n")); dump_data(5, (auth_info)->challenge.data, (auth_info)->challenge.length); -- cgit From eec9e8a052407611df223fec982588e7a2bd7f49 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 28 Nov 2001 03:56:30 +0000 Subject: fix a bunch of places where we can double-free a cli structure (This used to be commit e2ba2383c9f679c076749a8f4fccefc3559e37ec) --- source3/auth/auth_server.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 628e672608..4608c639eb 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -110,8 +110,6 @@ static void free_server_private_data(void **private_data_pointer) struct cli_state **cli = (struct cli_state **)private_data_pointer; if (*cli && (*cli)->initialised) { cli_shutdown(*cli); - - SAFE_FREE(*cli); } } @@ -129,7 +127,6 @@ static void send_server_keepalive(void **private_data_pointer) if (!send_keepalive((*cli)->fd)) { DEBUG( 2, ( "password server keepalive failed.\n")); cli_shutdown(*cli); - SAFE_FREE(*cli); } } } @@ -346,7 +343,6 @@ use this machine as the password server.\n")); if (locally_made_cli) { cli_shutdown(cli); - SAFE_FREE(cli); } return(nt_status); -- cgit From ff27a326f17223cba12b7e0b41ec84aad8238385 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 29 Nov 2001 05:50:32 +0000 Subject: I think the lookup_pdc_name() should be called lookup_dc_name() and the name_status_find() call here should look up a #1c name instead of #1d. This fixes some bugs currently with BDC authentication in winbindd and in smbd as you can't query the #1d name with the ip address of a BDC. Who is Uncle Tom Cobbley anyway? (This used to be commit 4215048f7b20a8f9e5877bdbb2f54841b2f7fa64) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a779a7e9c0..125b3aa029 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -184,7 +184,7 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, if (is_zero_ip(*ip)) return False; - if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) return False; return connect_to_domain_password_server(pcli, dc_name, trust_passwd); -- cgit From e0066d2dd4d9a657d1fbcb474e66a304a64e2a31 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Thu, 6 Dec 2001 13:09:15 +0000 Subject: again an intrusive patch: - removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the definition of standard_sub_basic() to cope with that. - removed the smb.conf: 'domain admin group' and 'domain guest group' parameters ! We're not playing anymore with the user's group RIDs ! - in get_domain_user_groups(), if the user's gid is a group, put it first in the group RID list. I just have to write an HOWTO now ;-) J.F. (This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50) --- source3/auth/auth_domain.c | 3 ++- source3/auth/auth_server.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 125b3aa029..6b048e5021 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -25,6 +25,7 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; +extern userdom_struct current_user_info; /*********************************************************************** Connect to a remote machine for domain security authentication @@ -62,7 +63,7 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, fstrcpy(remote_machine, server); } - standard_sub_basic(remote_machine); + standard_sub_basic(current_user_info.smb_name, remote_machine); strupper(remote_machine); if(!resolve_name( remote_machine, &dest_ip, 0x20)) { diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 4608c639eb..8d9b9f9819 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -23,6 +23,7 @@ #include "includes.h" extern pstring global_myname; +extern userdom_struct current_user_info; /**************************************************************************** Support for server level security. @@ -46,7 +47,7 @@ static struct cli_state *server_cryptkey(void) p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { - standard_sub_basic(desthost); + standard_sub_basic(current_user_info.smb_name, desthost); strupper(desthost); if(!resolve_name( desthost, &dest_ip, 0x20)) { -- cgit From 22a76a063213bdc514816440d3838e145c4ec340 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 8 Dec 2001 02:25:25 +0000 Subject: Fix segfault, and add a comment. (This used to be commit ff91131ef9b384765de3e4f22202d1e493f02efc) --- source3/auth/auth_server.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 8d9b9f9819..7e43d529d2 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -142,11 +142,14 @@ static DATA_BLOB auth_get_challenge_server(void **my_private_data, const struct if (cli) { DEBUG(3,("using password server validation\n")); + if ((cli->sec_mode & 2) == 0) { /* We can't work with unencrypted password servers unless 'encrypt passwords = no' */ DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n")); - + + /* However, it is still a perfectly fine connection + to pass that unencrypted password over */ *my_private_data = (void *)cli; return data_blob(NULL, 0); @@ -204,7 +207,7 @@ static NTSTATUS check_smbserver_security(void *my_private_data, } if (!cli || !cli->initialised) { - DEBUG(1,("password server %s is not connected\n", cli->desthost)); + DEBUG(1,("password server is not connected (cli not initilised)\n")); return NT_STATUS_LOGON_FAILURE; } -- cgit From 0ff1a9568b4bc0220cf90ea78f2657a92682307d Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 10 Dec 2001 15:03:16 +0000 Subject: added info level 3 to samrgetgroupinfo. I don't know what the value is. It's just to keep usermanager happy ;-) clean up a bit samr_query_aliasinfo to return the group description added: samr_del_aliasmem, samr_del_groupmem and samr_del_domuser with the correct scripts, you can now entirely manage the users from usermanager ! Closer to full PDC every day ;-) J.F. (This used to be commit 0a727afc669704cda9b44d44dbac9e989e906ae3) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fed4efd36c..04b3cbbecf 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,7 +50,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Delete a UNIX user on demand. ****************************************************************************/ -static int smb_delete_user(char *unix_user) +int smb_delete_user(char *unix_user) { pstring del_script; int ret; -- cgit From d6b2d2867343cab82937aec791708baba37aef1f Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 14 Dec 2001 21:37:56 +0000 Subject: If domain SID can't be fetched, we shouldn't return NT_STATUS_NO_MEMORY. It causes a confusing client error. Changed to NT_STATUS_CANT_ACCESS_DOMAIN_INFO. (This used to be commit 07ea83e6f0f03ba4706c98abb58346a4f4ec983c) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6b048e5021..a5e90aff39 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -382,7 +382,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - status = NT_STATUS_NO_MEMORY; + status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; free_server_info(server_info); goto done; } -- cgit From db9d6374a312ba5acb89d80bb41dbd5fdc8d0b17 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Mon, 17 Dec 2001 18:53:57 +0000 Subject: make sure we pass the lm and nt data in the right order. They were swapped, and somehow this worked when both were provided, but not when only one was. (This used to be commit 477309b1e653761b291daa4693976d341880beab) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 04b3cbbecf..60495ad23b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -412,8 +412,8 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, username, username, domain, domain, global_myname, - local_nt_blob, local_lm_blob, + local_nt_blob, plaintext_blob, ntlmssp_flags, False); @@ -450,7 +450,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, smb_name, smb_name, client_domain, client_domain, global_myname, - nt_blob, lm_blob, + lm_blob, nt_blob, plaintext_blob, ntlmssp_flags, True); -- cgit From 9126a40e2c33e0eb4cd57ab381634e08fa59e7a7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 19 Dec 2001 09:53:30 +0000 Subject: added trusted realm support to ADS authentication the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af) --- source3/auth/auth.c | 28 +++++++++++++++------------- source3/auth/auth_util.c | 21 ++++++++++++++++++++- 2 files changed, 35 insertions(+), 14 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index fc5a88ad64..710b5f27fb 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -29,19 +29,21 @@ static BOOL check_domain_match(char *user, char *domain) { - /* - * If we aren't serving to trusted domains, we must make sure that - * the validation request comes from an account in the same domain - * as the Samba server - */ - - if (!lp_allow_trusted_domains() && - !(strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) { - DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); - return False; - } else { - return True; - } + /* + * If we aren't serving to trusted domains, we must make sure that + * the validation request comes from an account in the same domain + * as the Samba server + */ + + if (!lp_allow_trusted_domains() && + !(strequal("", domain) || + strequal(lp_workgroup(), domain) || + is_netbios_alias_or_name(domain))) { + DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); + return False; + } else { + return True; + } } /**************************************************************************** diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 60495ad23b..3e480b4fd1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -215,7 +215,26 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, map_username(internal_username); if (lp_allow_trusted_domains()) { - domain = client_domain; + char *user; + /* the client could have given us a workstation name + or other crap for the workgroup - we really need a + way of telling if this domain name is one of our + trusted domain names + + The way I do it here is by checking if the fully + qualified username exists. This is rather reliant + on winbind, but until we have a better method this + will have to do + */ + asprintf(&user, "%s%s%s", + client_domain, lp_winbind_separator(), + smb_name); + if (Get_Pwnam(user) != NULL) { + domain = client_domain; + } else { + domain = lp_workgroup(); + } + free(user); } else { domain = lp_workgroup(); } -- cgit From 11b14e838988e71880e707174493da5fd3b0b75a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 29 Dec 2001 20:29:43 +0000 Subject: Removed extra lp_adduser() call. Fixed up error returns in get_correct_cversion(). Jeremy. (This used to be commit 7ce2d1fe37d2be26c407f3dc9427851d00ca216a) --- source3/auth/auth_util.c | 17 ----------------- 1 file changed, 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3e480b4fd1..6f7ec8c0d7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -85,23 +85,6 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) { smb_create_user(user_info->internal_username.str, NULL); } - } else { - if(lp_adduser_script()) { - SMB_STRUCT_STAT st; - const char *home_dir = pdb_get_homedir(server_info->sam_account); - /* - * Also call smb_create_user if the users - * home directory doesn't exist. Used with - * winbindd to allow the script to create - * the home directory for a user mapped - * with winbindd. - */ - - if (home_dir && - (sys_stat(home_dir, &st) == -1) && (errno == ENOENT)) { - smb_create_user(user_info->internal_username.str, home_dir); - } - } } } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { /* -- cgit From f6e6c678ad5338264496de43e9e1ab2fe4a28e64 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 30 Dec 2001 10:54:58 +0000 Subject: Add a pile of doxygen style comments to various parts of Samba. Many of these probably will never actually be genearted, but I like the style in any case. Also fix a segfault in 'net rpc' when the login failed and a small memory leak on failure in the auth_info.c code. Andrew Bartlett (This used to be commit 2efae7cc522651c22fb120835bc800645559b63e) --- source3/auth/auth.c | 85 +++++++++++++++++++++++++++++---------------- source3/auth/auth_builtin.c | 31 +++++++++++++---- source3/auth/auth_info.c | 37 ++++++++++++++------ source3/auth/auth_unix.c | 22 +++++++----- 4 files changed, 119 insertions(+), 56 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 710b5f27fb..94927fe96e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -23,11 +23,18 @@ #include "includes.h" -/**************************************************************************** - Check user is in correct domain if required -****************************************************************************/ - -static BOOL check_domain_match(char *user, char *domain) +/** + * Check user is in correct domain (if required) + * + * @param user Only used to fill in the debug message + * + * @param domain The domain to be verified + * + * @return True if the user can connect with that domain, + * False otherwise. +**/ + +static BOOL check_domain_match(const char *user, const char *domain) { /* * If we aren't serving to trusted domains, we must make sure that @@ -46,22 +53,37 @@ static BOOL check_domain_match(char *user, char *domain) } } -/**************************************************************************** - Check a users password, as given in the user-info struct and return various - interesting details in the server_info struct. - - This functions does NOT need to be in a become_root()/unbecome_root() pair - as it makes the calls itself when needed. - - The return value takes precedence over the contents of the server_info - struct. When the return is other than NT_STATUS_NOPROBLEMO the contents - of that structure is undefined. - -****************************************************************************/ +/** + * Check a user's Plaintext, LM or NTLM password. + * + * Check a user's password, as given in the user_info struct and return various + * interesting details in the server_info struct. + * + * This function does NOT need to be in a become_root()/unbecome_root() pair + * as it makes the calls itself when needed. + * + * The return value takes precedence over the contents of the server_info + * struct. When the return is other than NT_STATUS_OK the contents + * of that structure is undefined. + * + * @param user_info Contains the user supplied components, including the passwords. + * Must be created with make_user_info() or one of its wrappers. + * + * @param auth_info Supplies the challanges and some other data. + * Must be created with make_auth_info(), and the challanges should be + * filled in, either at creation or by calling the challange geneation + * function auth_get_challange(). + * + * @param server_info If successful, contains information about the authenticaion, + * including a SAM_ACCOUNT struct describing the user. + * + * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. + * + **/ NTSTATUS check_password(const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -92,6 +114,11 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length); #endif + /* This needs to be sorted: If it doesn't match, what should we do? */ + if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { + return NT_STATUS_LOGON_FAILURE; + } + for (auth_method = auth_info->auth_method_list;auth_method; auth_method = auth_method->next) { nt_status = auth_method->auth(auth_method->private_data, user_info, auth_info, server_info); @@ -108,12 +135,6 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } } - /* This needs to be sorted: If it doesn't match, what should we do? */ - if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { - return NT_STATUS_LOGON_FAILURE; - } - - /* This is one of the few places the *relies* (rather than just sets defaults on the value of lp_security(). This needs to change. A new paramater perhaps? */ @@ -158,10 +179,16 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } -/**************************************************************************** - Squash an NT_STATUS return in line with requirements for unauthenticated - connections. (session setups in particular) -****************************************************************************/ +/** + * Squash an NT_STATUS in line with security requirements. + * In an attempt to avoid giving the whole game away when users + * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and + * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations + * (session setups in particular). + * + * @param nt_status NTSTATUS input for squashing. + * @return the 'squashed' nt_status + **/ NTSTATUS nt_status_squash(NTSTATUS nt_status) { diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 2bba36f754..8f283fd856 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -21,10 +21,13 @@ #include "includes.h" -/**************************************************************************** - Check for a guest logon (username = "") and if so create the required - structure. -****************************************************************************/ +/** + * Return a guest logon for guest users (username = "") + * + * Typically used as the first module in the auth chain, this allows + * guest logons to be delt with in one place. Non-gust logons 'fail' + * and pass onto the next module. + **/ static NTSTATUS check_guest_security(void *my_private_data, const auth_usersupplied_info *user_info, @@ -45,6 +48,7 @@ static NTSTATUS check_guest_security(void *my_private_data, return nt_status; } +/* Guest modules initialisation */ BOOL auth_init_guest(auth_methods **auth_method) { if (!make_auth_methods(auth_method)) { @@ -55,9 +59,18 @@ BOOL auth_init_guest(auth_methods **auth_method) return True; } -/**************************************************************************** - Return an error based on username -****************************************************************************/ +/** + * Return an error based on username + * + * This function allows the testing of obsure errors, as well as the generation + * of NT_STATUS -> DOS error mapping tables. + * + * This module is of no value to end-users. + * + * The password is ignored. + * + * @return An NTSTATUS value based on the username + **/ static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, const auth_usersupplied_info *user_info, @@ -78,6 +91,7 @@ static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, return nt_status; } +/** Module initailisation function */ BOOL auth_init_name_to_ntstatus(auth_methods **auth_method) { if (!make_auth_methods(auth_method)) { @@ -88,3 +102,6 @@ BOOL auth_init_name_to_ntstatus(auth_methods **auth_method) return True; } + + + diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index cc13d5a8b9..bdd490d3ef 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -21,6 +21,8 @@ #include "includes.h" +/** List of various built-in authenticaion modules */ + const struct auth_init_function builtin_auth_init_functions[] = { { "guest", auth_init_guest }, { "rhosts", auth_init_rhosts }, @@ -37,6 +39,25 @@ const struct auth_init_function builtin_auth_init_functions[] = { { NULL, NULL} }; +/*************************************************************************** + Free a linked list of auth methods +***************************************************************************/ + +static void free_auth_methods_list(auth_methods **list) +{ + if (list != NULL) { + while (*list) { + auth_methods *old_head = *list; + if ((*list)->free_private_data) { + (*list)->free_private_data(&((*list)->private_data)); + } + DLIST_REMOVE(*list, *list); + SAFE_FREE(old_head); + } + + } +} + /*************************************************************************** Make a auth_info struct ***************************************************************************/ @@ -104,7 +125,10 @@ static BOOL make_auth_info_text_list(auth_authsupplied_info **auth_info, char ** } } - make_auth_info_list(auth_info, list); + if (!make_auth_info_list(auth_info, list)) { + free_auth_methods_list(&list); + return False; + } return True; } @@ -210,17 +234,8 @@ BOOL make_auth_info_fixed(auth_authsupplied_info **auth_info, uchar chal[8]) void free_auth_info(auth_authsupplied_info **auth_info) { - auth_methods *list; if (*auth_info != NULL) { - list = (*auth_info)->auth_method_list; - while (list) { - auth_methods *old_head = list; - if (list->free_private_data) { - list->free_private_data(&(list->private_data)); - } - DLIST_REMOVE(list, list); - SAFE_FREE(old_head); - } + free_auth_methods_list(&(*auth_info)->auth_method_list); data_blob_free(&(*auth_info)->challenge); ZERO_STRUCT(**auth_info); diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index d134ce6909..2e753cb29c 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -21,11 +21,11 @@ #include "includes.h" -/**************************************************************************** -update the encrypted smbpasswd file from the plaintext username and password - -this ugly hack needs to die, but not quite yet... -*****************************************************************************/ +/** + * update the encrypted smbpasswd file from the plaintext username and password + * + * this ugly hack needs to die, but not quite yet, I think people still use it... + **/ static BOOL update_smbpassword_file(char *user, char *password) { SAM_ACCOUNT *sampass = NULL; @@ -77,10 +77,11 @@ static BOOL update_smbpassword_file(char *user, char *password) } -/**************************************************************************** -check if a username/password is OK assuming the password -in PLAIN TEXT -****************************************************************************/ +/** Check a plaintext username/password + * + * Cannot deal with an encrupted password in any manner whatsoever, + * unless the account has a null password. + **/ NTSTATUS check_unix_security(void *my_private_data, const auth_usersupplied_info *user_info, @@ -93,6 +94,9 @@ NTSTATUS check_unix_security(void *my_private_data, become_root(); pass = Get_Pwnam(user_info->internal_username.str); + + /** This call assumes a ASCII password, no charset transformation is + done. We may need to revisit this **/ nt_status = pass_check(pass, pass ? pass->pw_name : user_info->internal_username.str, (char *)user_info->plaintext_password.data, -- cgit From eb4e10115310b6ed23b92abac2e79454c80930b1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 31 Dec 2001 13:46:26 +0000 Subject: - portablitity fixes for cc -64 on irix - fixed gid* bug in rpc_server (This used to be commit 48aa90c48c5f0e3054c4acdc49668e222e7c0d36) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6f7ec8c0d7..4265e77093 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -279,7 +279,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, char *wksta_name, - char chal[8], + uchar chal[8], uchar lm_interactive_pwd[16], uchar nt_interactive_pwd[16], uchar *dc_sess_key) @@ -360,7 +360,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, const char *username, const char *domain, const char *password, - char chal[8] /* Give winbind back the challenge we used */ + uchar chal[8] /* Give winbind back the challenge we used */ ) { unsigned char local_lm_response[24]; @@ -468,7 +468,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - char chal[8], + unsigned char chal[8], DATA_BLOB plaintext_password) { -- cgit From 4a6d1318bd9123f5a9c1d72721a9175320356fbe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Jan 2002 03:10:32 +0000 Subject: A farily large commit: - Move rpc_client/cli_trust.c to smbd/change_trust_pw.c - It hasn't been used by anything else since smbpasswd lost its -j - Add a TALLOC_CTX to the auth subsytem. These are only valid for the length of the calls to the individual modules, if you want a longer context hide it in your private data. Similarly, all returns (like the server_info) should still be malloced. - Move the 'ntdomain' module (security=domain in oldspeak) over to use the new libsmb domain logon code. Also rework much of the code to use some better helper functions for the connection - getting us much better error returns (the new code is NTSTATUS). The only remaining thing to do is to figure out if tpot's 0xdead 0xbeef for the LUID feilds is sufficient, or if we should do random LUIDs as per the old code. Similarly, I'll move winbind over to this when I get a chance. This leaves the SPOOLSS code and some cli_pipe code as the only stuff still in rpc_client, at least as far as smbd is concerned. While I've given this a basic rundown, any testing is as always appriciated. Andrew Bartlett (This used to be commit d870edce76ecca259230fbdbdacd0c86793b4837) --- source3/auth/auth.c | 14 ++- source3/auth/auth_builtin.c | 8 +- source3/auth/auth_domain.c | 246 ++++++++++++++++++-------------------------- source3/auth/auth_info.c | 9 +- source3/auth/auth_rhosts.c | 2 + source3/auth/auth_sam.c | 32 +++--- source3/auth/auth_server.c | 21 ++-- source3/auth/auth_unix.c | 3 +- source3/auth/auth_winbind.c | 7 +- 9 files changed, 158 insertions(+), 184 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 94927fe96e..bfd15dff34 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -82,13 +82,14 @@ static BOOL check_domain_match(const char *user, const char *domain) **/ NTSTATUS check_password(const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; const char *pdb_username; auth_methods *auth_method; + TALLOC_CTX *mem_ctx; if (!user_info || !auth_info || !server_info) { return NT_STATUS_LOGON_FAILURE; @@ -121,7 +122,10 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, for (auth_method = auth_info->auth_method_list;auth_method; auth_method = auth_method->next) { - nt_status = auth_method->auth(auth_method->private_data, user_info, auth_info, server_info); + mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, + user_info->domain.str, user_info->smb_name.str); + + nt_status = auth_method->auth(auth_method->private_data, mem_ctx, user_info, auth_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_password: %s authentication for user [%s] suceeded\n", auth_method->name, user_info->smb_name.str)); @@ -129,7 +133,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, DEBUG(5, ("check_password: %s authentication for user [%s] FAILED with error %s\n", auth_method->name, user_info->smb_name.str, get_nt_error_msg(nt_status))); } - + + talloc_destroy(mem_ctx); + if (NT_STATUS_IS_OK(nt_status)) { break; } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 8f283fd856..b5bb673e2c 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -30,9 +30,10 @@ **/ static NTSTATUS check_guest_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -73,6 +74,7 @@ BOOL auth_init_guest(auth_methods **auth_method) **/ static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a5e90aff39..6e3eb643d8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -27,23 +27,24 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. - ***********************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) +/** + * Connect to a remote server for domain security authenticaion. + * + * @param cli the cli to return containing the active connection + * @param server either a machine name or text IP address to + * connect to. + * @param trust_password the trust password to establish the + * credentials with. + * + **/ + +static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, + char *server, unsigned char *trust_passwd) { struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; - if (cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - if (is_ipaddress(server)) { struct in_addr to_ip; @@ -51,13 +52,13 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, a password server anyways */ if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; + return NT_STATUS_UNSUCCESSFUL; } if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { DEBUG(0, ("connect_to_domain_password_server: Can't " "resolve name for IP %s\n", server)); - return False; + return NT_STATUS_UNSUCCESSFUL; } } else { fstrcpy(remote_machine, server); @@ -68,69 +69,20 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, if(!resolve_name( remote_machine, &dest_ip, 0x20)) { DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; + return NT_STATUS_UNSUCCESSFUL; } if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; + return NT_STATUS_UNSUCCESSFUL; } - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; + result = cli_full_connection(cli, global_myname, server, + &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + + if (!NT_STATUS_IS_OK(result)) { + return result; } /* @@ -146,34 +98,34 @@ Error was : %s.\n", remote_machine, cli_errstr(pcli) )); * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; +machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); + cli_nt_session_close(*cli); + cli_ulogoff(*cli); + cli_shutdown(*cli); + return NT_STATUS_UNSUCCESSFUL; } - result = cli_nt_setup_creds(pcli, trust_passwd); + result = new_cli_nt_setup_creds(*cli, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); + cli_nt_session_close(*cli); + cli_ulogoff(*cli); + cli_shutdown(*cli); + return result; } - return True; + return NT_STATUS_OK; } /*********************************************************************** Utility function to attempt a connection to an IP address of a DC. ************************************************************************/ -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, +static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip, unsigned char *trust_passwd) { fstring dc_name; @@ -183,26 +135,26 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, */ if (is_zero_ip(*ip)) - return False; + return NT_STATUS_UNSUCCESSFUL; if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; + return NT_STATUS_UNSUCCESSFUL; - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); + return connect_to_domain_password_server(cli, dc_name, trust_passwd); } /*********************************************************************** We have been asked to dynamcially determine the IP addresses of the PDC and BDC's for this DOMAIN, and query them in turn. ************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, - unsigned char *trust_passwd, - time_t last_change_time) +static NTSTATUS find_connect_pdc(struct cli_state **cli, + unsigned char *trust_passwd, + time_t last_change_time) { struct in_addr *ip_list = NULL; int count = 0; int i; - BOOL connected_ok = False; + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; time_t time_now = time(NULL); BOOL use_pdc_only = False; @@ -218,7 +170,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, use_pdc_only = True; if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; + return NT_STATUS_UNSUCCESSFUL; /* * Firstly try and contact a PDC/BDC who has the same @@ -228,7 +180,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, if(!is_local_net(ip_list[i])) continue; - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ @@ -237,10 +189,10 @@ static BOOL find_connect_pdc(struct cli_state *pcli, /* * Secondly try and contact a random PDC/BDC. */ - if(!connected_ok) { + if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) zero_ip(&ip_list[i]); /* Tried and failed. */ } @@ -248,21 +200,20 @@ static BOOL find_connect_pdc(struct cli_state *pcli, * Finally go through the IP list in turn, ignoring any addresses * we have already tried. */ - if(!connected_ok) { + if(!NT_STATUS_IS_OK(nt_status)) { /* * Try and connect to any of the other IP addresses in the PDC/BDC list. * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) break; } } SAFE_FREE(ip_list); - - return connected_ok; + return nt_status; } /*********************************************************************** @@ -271,19 +222,17 @@ static BOOL find_connect_pdc(struct cli_state *pcli, use it, otherwise figure out a server from the 'password server' param. ************************************************************************/ -static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, +static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, uchar chal[8], auth_serversupplied_info **server_info, char *server, unsigned char *trust_passwd, time_t last_change_time) { fstring remote_machine; - NET_ID_INFO_CTR ctr; NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; - NTSTATUS status; + struct cli_state *cli; + NTSTATUS nt_status; struct passwd *pass; /* @@ -294,26 +243,21 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, * see if they were valid. */ - ZERO_STRUCT(cli); - - while (!connected_ok && + while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, trust_passwd, last_change_time); } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); } } - if (!connected_ok) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return NT_STATUS_LOGON_FAILURE; + cli_shutdown(cli); + return nt_status; } - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - ZERO_STRUCT(info3); /* @@ -321,43 +265,50 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, * in the info3 structure. */ - status = cli_nt_login_network(&cli, user_info, chal, smb_uid_low, - &ctr, &info3); + nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, + user_info->internal_username.str, user_info->domain.str, + user_info->wksta_name.str, chal, + user_info->lm_resp, user_info->nt_resp, + &info3); - if (!NT_STATUS_IS_OK(status)) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, cli.srv_name_slash, - get_nt_error_msg(status))); + user_info->domain.str, cli->srv_name_slash, + get_nt_error_msg(nt_status))); } else { char *dom_user; /* Check DOMAIN\username first to catch winbind users, then just the username for local users. */ - asprintf(&dom_user, "%s%s%s", user_info->domain.str, - lp_winbind_separator(), - user_info->internal_username.str); - - if (!(pass = Get_Pwnam(dom_user))) - pass = Get_Pwnam(user_info->internal_username.str); - - free(dom_user); - - if (pass) { - make_server_info_pw(server_info, pass); - if (!server_info) { - status = NT_STATUS_NO_MEMORY; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str, + lp_winbind_separator(), + user_info->internal_username.str); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + nt_status = NT_STATUS_NO_MEMORY; + } else { + + if (!(pass = Get_Pwnam(dom_user))) + pass = Get_Pwnam(user_info->internal_username.str); + + if (pass) { + make_server_info_pw(server_info, pass); + if (!server_info) { + nt_status = NT_STATUS_NO_MEMORY; + } + } else { + nt_status = NT_STATUS_NO_SUCH_USER; } - } else { - status = NT_STATUS_NO_SUCH_USER; } } /* Store the user group information in the server_info returned to the caller. */ - if (NT_STATUS_IS_OK(status) && (info3.num_groups2 != 0)) { + if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { DOM_SID domain_sid; int i; NT_USER_TOKEN *ptok; @@ -365,7 +316,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS_NO_MEMORY; free_server_info(server_info); goto done; } @@ -375,14 +326,14 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS_NO_MEMORY; free_server_info(server_info); goto done; } if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; free_server_info(server_info); goto done; } @@ -404,7 +355,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if(cli_nt_logoff(&cli, &ctr) == False) { DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - status = NT_STATUS_LOGON_FAILURE; + nt_status = NT_STATUS_LOGON_FAILURE; } } #endif /* 0 */ @@ -415,10 +366,10 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return status; + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + return nt_status; } /**************************************************************************** @@ -426,6 +377,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, ****************************************************************************/ static NTSTATUS check_ntdomain_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -461,7 +413,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); unbecome_root(); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } unbecome_root(); @@ -481,9 +433,9 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, (uchar *)auth_info->challenge.data,server_info, + nt_status = domain_client_validate(mem_ctx, user_info, (uchar *)auth_info->challenge.data,server_info, p, trust_passwd, last_change_time); - + return nt_status; } diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index bdd490d3ef..9d399a88eb 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -253,6 +253,7 @@ DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) DATA_BLOB challenge = data_blob(NULL, 0); char *challenge_set_by = NULL; auth_methods *auth_method; + TALLOC_CTX *mem_ctx; if (auth_info->challenge.length) { DEBUG(5, ("auth_get_challenge: returning previous challenge (normal)\n")); @@ -267,7 +268,12 @@ DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", challenge_set_by, auth_method->name)); } else { - challenge = auth_method->get_chal(&auth_method->private_data, auth_info); + mem_ctx = talloc_init_named("auth_get_challange for module %s", auth_method->name); + if (!mem_ctx) { + smb_panic("talloc_init_named() failed!"); + } + + challenge = auth_method->get_chal(&auth_method->private_data, mem_ctx, auth_info); if (challenge.length) { DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); auth_info->challenge = challenge; @@ -277,6 +283,7 @@ DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", auth_method->name)); } + talloc_destroy(mem_ctx); } } else { DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 2605f0770a..1dd97872da 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -156,6 +156,7 @@ static BOOL check_hosts_equiv(struct passwd *pass) ****************************************************************************/ static NTSTATUS check_hostsequiv_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -181,6 +182,7 @@ static NTSTATUS check_hostsequiv_security(void *my_private_data, ****************************************************************************/ static NTSTATUS check_rhosts_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index d899006cf8..b75e300655 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -132,7 +132,8 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, +static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, + SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, uint8 user_sess_key[16]) @@ -243,7 +244,9 @@ static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, Do a specific test for a SAM_ACCOUNT being vaild for this connection (ie not disabled, expired and the like). ****************************************************************************/ -static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) +static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, + SAM_ACCOUNT *sampass, + const auth_usersupplied_info *user_info) { uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); char *workstation_list; @@ -286,7 +289,7 @@ static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_inf /* Test workstation. Workstation list is comma separated. */ - workstation_list = strdup(pdb_get_workstations(sampass)); + workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass)); if (!workstation_list) return NT_STATUS_NO_MEMORY; @@ -305,11 +308,8 @@ static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_inf } } - SAFE_FREE(workstation_list); if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; - } else { - SAFE_FREE(workstation_list); } if (acct_ctrl & ACB_DOMTRUST) { @@ -338,9 +338,10 @@ return an NT_STATUS constant. ****************************************************************************/ static NTSTATUS check_sam_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { SAM_ACCOUNT *sampass=NULL; BOOL ret; @@ -369,14 +370,14 @@ static NTSTATUS check_sam_security(void *my_private_data, return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(sampass, user_info, auth_info, user_sess_key); + nt_status = sam_password_ok(mem_ctx, sampass, user_info, auth_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; } - nt_status = sam_account_ok(sampass, user_info); + nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); @@ -415,9 +416,10 @@ return an NT_STATUS constant. ****************************************************************************/ static NTSTATUS check_samstrict_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { if (!user_info || !auth_info) { @@ -432,7 +434,7 @@ static NTSTATUS check_samstrict_security(void *my_private_data, return NT_STATUS_NO_SUCH_USER; } - return check_sam_security(my_private_data, user_info, auth_info, server_info); + return check_sam_security(my_private_data, mem_ctx, user_info, auth_info, server_info); } BOOL auth_init_samstrict(auth_methods **auth_method) diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7e43d529d2..7178e3147c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -29,7 +29,7 @@ extern userdom_struct current_user_info; Support for server level security. ****************************************************************************/ -static struct cli_state *server_cryptkey(void) +static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) { struct cli_state *cli = NULL; fstring desthost; @@ -43,7 +43,7 @@ static struct cli_state *server_cryptkey(void) /* security = server just can't function with spnego */ cli->use_spnego = False; - pserver = strdup(lp_passwordserver()); + pserver = talloc_strdup(mem_ctx, lp_passwordserver()); p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { @@ -67,8 +67,6 @@ static struct cli_state *server_cryptkey(void) } } - SAFE_FREE(pserver); - if (!connected_ok) { DEBUG(0,("password server not available\n")); cli_shutdown(cli); @@ -136,9 +134,11 @@ static void send_server_keepalive(void **private_data_pointer) Get the challenge out of a password server. ****************************************************************************/ -static DATA_BLOB auth_get_challenge_server(void **my_private_data, const struct authsupplied_info *auth_info) +static DATA_BLOB auth_get_challenge_server(void **my_private_data, + TALLOC_CTX *mem_ctx, + const struct authsupplied_info *auth_info) { - struct cli_state *cli = server_cryptkey(); + struct cli_state *cli = server_cryptkey(mem_ctx); if (cli) { DEBUG(3,("using password server validation\n")); @@ -175,9 +175,10 @@ static DATA_BLOB auth_get_challenge_server(void **my_private_data, const struct ****************************************************************************/ static NTSTATUS check_smbserver_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { struct cli_state *cli; static unsigned char badpass[24]; @@ -202,7 +203,7 @@ static NTSTATUS check_smbserver_security(void *my_private_data, if (cli) { } else { - cli = server_cryptkey(); + cli = server_cryptkey(mem_ctx); locally_made_cli = True; } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 2e753cb29c..fa889af5f6 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -83,7 +83,8 @@ static BOOL update_smbpassword_file(char *user, char *password) * unless the account has a null password. **/ -NTSTATUS check_unix_security(void *my_private_data, +NTSTATUS check_unix_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 9ca87fe0dd..74654f8bba 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -34,9 +34,10 @@ NSS_STATUS winbindd_request(int req_type, /* Authenticate a user with a challenge/response */ static NTSTATUS check_winbind_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { struct winbindd_request request; struct winbindd_response response; -- cgit From 62d528520b543b63419e76f3e32219c987f7756a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Jan 2002 05:49:27 +0000 Subject: Now that winbind doesn't rely on this, we may as well remove it... Andrew Bartlett (This used to be commit 6673fdda3cb6b90189d8f82274fdffa89f68101b) --- source3/auth/auth_util.c | 108 ----------------------------------------------- 1 file changed, 108 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4265e77093..13dfdb59cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -352,114 +352,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, } } -/**************************************************************************** - Create an auth_usersupplied_data structure -****************************************************************************/ - -BOOL make_user_info_winbind(auth_usersupplied_info **user_info, - const char *username, - const char *domain, - const char *password, - uchar chal[8] /* Give winbind back the challenge we used */ - ) -{ - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - DATA_BLOB local_lm_blob; - DATA_BLOB local_nt_blob; - DATA_BLOB plaintext_blob; - uint32 ntlmssp_flags = 0; - - /* - * Not encrypted - do so. - */ - - DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); - - generate_random_buffer(chal, 8, False); - - if (*password) { - SMBencrypt( (const uchar *)password, chal, local_lm_response); - - /* This encrypts the lm_pwd field, which actually contains - the password rather than the nt_pwd field because that - contains nothing */ - - /* WATCH OUT. This doesn't work if the incoming password is - incorrectly cased. We might want to add a check here - and only do an LM in that case */ - - SMBNTencrypt((const uchar *)password, chal, local_nt_response); - - local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - plaintext_blob = data_blob(password, strlen(password)+1); - if ((!local_lm_blob.data) || (!local_nt_blob.data)|| (!plaintext_blob.data)) { - data_blob_free(&local_lm_blob); - data_blob_free(&local_nt_blob); - data_blob_clear_free(&plaintext_blob); - return False; - } - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; - } else { - local_lm_blob = data_blob(NULL, 0); - local_nt_blob = data_blob(NULL, 0); - plaintext_blob = data_blob(NULL, 0); - } - - { - BOOL ret; - - ret = make_user_info(user_info, - username, username, - domain, domain, - global_myname, - local_lm_blob, - local_nt_blob, - plaintext_blob, - ntlmssp_flags, False); - - data_blob_free(&local_lm_blob); - data_blob_free(&local_nt_blob); - data_blob_clear_free(&plaintext_blob); - return ret; - } -} - -/**************************************************************************** - Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrypt and encrypt the passwords. -****************************************************************************/ - -BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - uchar *lm_network_pwd, int lm_pwd_len, - uchar *nt_network_pwd, int nt_pwd_len) -{ - BOOL ret; - DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); - DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; - - if (lm_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; - if (nt_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; - - ret = make_user_info(user_info, - smb_name, smb_name, - client_domain, client_domain, - global_myname, - lm_blob, nt_blob, - plaintext_blob, - ntlmssp_flags, True); - - data_blob_free(&lm_blob); - data_blob_free(&nt_blob); - return ret; -} /**************************************************************************** Create an auth_usersupplied_data structure -- cgit From 03aea8fc9001495d47481d988e5f4823ee4e4827 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Jan 2002 05:51:03 +0000 Subject: Allow usernames in the form of 'NT_STATUS_....' to map to that as the error when using the 'name_to_ntstatus' auth module. This could be useful in testing. Andrew Bartlett (This used to be commit 5cdc67d0bda8ef41305cae9c5be70d11593ffdd8) --- source3/auth/auth_builtin.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index b5bb673e2c..f76987f685 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -83,6 +83,12 @@ static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, fstring user; long error_num; fstrcpy(user, user_info->smb_name.str); + + if (strncasecmp("NT_STATUS", user, strlen("NT_STATUS")) == 0) { + strupper(user); + return nt_status_string_to_code(user); + } + strlower(user); error_num = strtoul(user, NULL, 16); -- cgit From 493c34b8f3de4b402d9496424e250faa4743e310 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 2 Jan 2002 06:55:21 +0000 Subject: Another touch of 'const' (This used to be commit 3d812aacff98eec62c748cb89109a2e58806d92d) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 13dfdb59cc..d9f3098e7c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,7 +50,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Delete a UNIX user on demand. ****************************************************************************/ -int smb_delete_user(char *unix_user) +int smb_delete_user(const char *unix_user) { pstring del_script; int ret; -- cgit From 4178f211d1d2d133b96b420361944f5e197ec556 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 2 Jan 2002 23:28:55 +0000 Subject: debug statement fixups. Merge SAFE_FREE fix in tdb from 2.2, and IRIX fix. Jeremy. (This used to be commit eb6607466565bcd5b3800492d0bc1ae8a44da4f6) --- source3/auth/auth_sam.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index b75e300655..c8b5386f7a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -163,7 +163,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, ntlmssp_flags = user_info->ntlmssp_flags; if (nt_pw == NULL) { - DEBUG(3,("smb_password_ok: NO NT password stored for user %s.\n", + DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ ntlmssp_flags &= (~(NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)); @@ -173,7 +173,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ - DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n")); if (smb_pwd_check_ntlmv2( user_info->nt_resp, nt_pw, auth_info->challenge, user_info->smb_name.str, @@ -182,7 +182,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, { return NT_STATUS_OK; } else { - DEBUG(3,("smb_password_ok: NTLMv2 password check failed\n")); + DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); return NT_STATUS_WRONG_PASSWORD; } } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) { @@ -190,53 +190,53 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ - DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); if (smb_pwd_check_ntlmv1(user_info->nt_resp, nt_pw, auth_info->challenge, user_sess_key)) { return NT_STATUS_OK; } else { - DEBUG(3,("smb_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } } else { - DEBUG(2,("smb_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ } } if (lm_pw == NULL) { - DEBUG(3,("smb_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); ntlmssp_flags &= (~NTLMSSP_NEGOTIATE_OEM); } if (ntlmssp_flags & NTLMSSP_NEGOTIATE_OEM) { if (user_info->lm_resp.length != 24) { - DEBUG(2,("smb_password_ok: invalid LanMan password length (%d) for user %s\n", + DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass))); } if (!lp_lanman_auth()) { - DEBUG(3,("smb_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); return NT_STATUS_LOGON_FAILURE; } - DEBUG(4,("smb_password_ok: Checking LM password\n")); + DEBUG(4,("sam_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(user_info->lm_resp, lm_pw, auth_info->challenge, user_sess_key)) { return NT_STATUS_OK; } else { - DEBUG(4,("smb_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); + DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } } /* Should not be reached, but if they send nothing... */ - DEBUG(3,("smb_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } @@ -252,7 +252,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, char *workstation_list; time_t kickoff_time; - DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",pdb_get_username(sampass))); + DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n",pdb_get_username(sampass))); /* Quit if the account was disabled. */ if (acct_ctrl & ACB_DISABLED) { @@ -313,17 +313,17 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, } if (acct_ctrl & ACB_DOMTRUST) { - DEBUG(2,("session_trust_account: Domain trust account %s denied by server\n", pdb_get_username(sampass))); + DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(2,("session_trust_account: Server trust account %s denied by server\n", pdb_get_username(sampass))); + DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; } if (acct_ctrl & ACB_WSTRUST) { - DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); + DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; } -- cgit From 2e28f8ff0e3bb50ac5b2742c7678c39cb65bcd95 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 5 Jan 2002 04:55:41 +0000 Subject: I've decided to move the auth code around a bit more... The auth_authsupplied_info typedef is now just a plain struct - auth_context, but it has been modified to contain the function pointers to the rest of the auth subsystem's components. (Who needs non-static functions anyway?) In working all this mess out, I fixed a number of memory leaks and moved the entire auth subsystem over to talloc(). Note that the TALLOC_CTX attached to the auth_context can be rather long-lived, it is provided for things that are intended to live as long. (The global_negprot_auth_context lasts the whole life of the smbd). I've also adjusted a few things in auth_domain.c, mainly passing the domain as a paramater to a few functions instead of looking up lp_workgroup(). I'm hopign to make this entire thing a bit more trusted domains (as PDC) freindly in the near future. Other than that, I moved a bit of the code around, hence the rather messy diff. Andrew Bartlett (This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048) --- source3/auth/auth.c | 365 +++++++++++++++++++++++++++++++------------- source3/auth/auth_builtin.c | 19 +-- source3/auth/auth_compat.c | 111 ++++++++++++++ source3/auth/auth_domain.c | 51 ++++--- source3/auth/auth_info.c | 313 ------------------------------------- source3/auth/auth_rhosts.c | 34 +++-- source3/auth/auth_sam.c | 58 +++---- source3/auth/auth_server.c | 22 +-- source3/auth/auth_unix.c | 10 +- source3/auth/auth_util.c | 63 ++++++-- source3/auth/auth_winbind.c | 21 ++- 11 files changed, 535 insertions(+), 532 deletions(-) create mode 100644 source3/auth/auth_compat.c delete mode 100644 source3/auth/auth_info.c (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index bfd15dff34..6b68fa631a 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -1,10 +1,8 @@ /* Unix SMB/Netbios implementation. - Version 1.9. + Version 3.0. Password and authentication handling - Copyright (C) Andrew Tridgell 1992-2000 - Copyright (C) Luke Kenneth Casson Leighton 1996-2000 - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001-2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -23,6 +21,95 @@ #include "includes.h" +/** List of various built-in authenticaion modules */ + +const struct auth_init_function builtin_auth_init_functions[] = { + { "guest", auth_init_guest }, + { "rhosts", auth_init_rhosts }, + { "hostsequiv", auth_init_hostsequiv }, + { "sam", auth_init_sam }, + { "samstrict", auth_init_samstrict }, + { "unix", auth_init_unix }, + { "smbserver", auth_init_smbserver }, + { "ntdomain", auth_init_ntdomain }, + { "winbind", auth_init_winbind }, +#ifdef DEVELOPER + { "name_to_ntstatus", auth_init_name_to_ntstatus }, +#endif + { NULL, NULL} +}; + +/**************************************************************************** + Try to get a challenge out of the various authenticaion modules. + Returns a const char of length 8 bytes. +****************************************************************************/ + +static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) +{ + DATA_BLOB challenge = data_blob(NULL, 0); + char *challenge_set_by = NULL; + auth_methods *auth_method; + TALLOC_CTX *mem_ctx; + + if (auth_context->challenge.length) { + DEBUG(5, ("get_ntlm_challange (auth subsystem): returning previous challenge (normal)\n")); + return auth_context->challenge.data; + } + + for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) + { + if (auth_method->get_chal == NULL) { + DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); + continue; + } + + DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); + if (challenge_set_by != NULL) { + DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", + challenge_set_by, auth_method->name)); + continue; + } + + mem_ctx = talloc_init_named("auth_get_challange for module %s", auth_method->name); + if (!mem_ctx) { + smb_panic("talloc_init_named() failed!"); + } + + challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); + if (!challenge.length) { + DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", + auth_method->name)); + } else { + DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); + auth_context->challenge = challenge; + challenge_set_by = auth_method->name; + auth_context->challenge_set_method = auth_method; + } + talloc_destroy(mem_ctx); + } + + if (!challenge_set_by) { + uchar chal[8]; + + generate_random_buffer(chal, sizeof(chal), False); + auth_context->challenge = data_blob_talloc(auth_context->mem_ctx, + chal, sizeof(chal)); + + challenge_set_by = "random"; + } + + DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); + DEBUG(5, ("challenge is: \n")); + dump_data(5, auth_context->challenge.data, auth_context->challenge.length); + + SMB_ASSERT(auth_context->challenge.length == 8); + + auth_context->challenge_set_by=challenge_set_by; + + return auth_context->challenge.data; +} + + /** * Check user is in correct domain (if required) * @@ -81,9 +168,9 @@ static BOOL check_domain_match(const char *user, const char *domain) * **/ -NTSTATUS check_password(const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) +static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -91,7 +178,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, auth_methods *auth_method; TALLOC_CTX *mem_ctx; - if (!user_info || !auth_info || !server_info) { + if (!user_info || !auth_context || !server_info) { return NT_STATUS_LOGON_FAILURE; } @@ -100,11 +187,11 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); - if (auth_info->challenge_set_by) { - DEBUG(10, ("auth_info challenge created by %s\n", auth_info->challenge_set_by)); + if (auth_context->challenge_set_by) { + DEBUG(10, ("auth_context challenge created by %s\n", auth_context->challenge_set_by)); } DEBUG(10, ("challenge is: \n")); - dump_data(5, (auth_info)->challenge.data, (auth_info)->challenge.length); + dump_data(5, auth_context->challenge.data, auth_context->challenge.length); #ifdef DEBUG_PASSWORD DEBUG(100, ("user_info has passwords of length %d and %d\n", @@ -120,12 +207,12 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, return NT_STATUS_LOGON_FAILURE; } - for (auth_method = auth_info->auth_method_list;auth_method; auth_method = auth_method->next) + for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); - nt_status = auth_method->auth(auth_method->private_data, mem_ctx, user_info, auth_info, server_info); + nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_password: %s authentication for user [%s] suceeded\n", auth_method->name, user_info->smb_name.str)); @@ -182,124 +269,188 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, ZERO_STRUCTP(server_info); } return nt_status; - } -/** - * Squash an NT_STATUS in line with security requirements. - * In an attempt to avoid giving the whole game away when users - * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and - * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations - * (session setups in particular). - * - * @param nt_status NTSTATUS input for squashing. - * @return the 'squashed' nt_status - **/ +/*************************************************************************** + Clear out a auth_context, and destroy the attached TALLOC_CTX +***************************************************************************/ -NTSTATUS nt_status_squash(NTSTATUS nt_status) +static void free_auth_context(struct auth_context **auth_context) { - if NT_STATUS_IS_OK(nt_status) { - return nt_status; - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - } else { - return nt_status; - } + if (*auth_context != NULL) { + talloc_destroy((*auth_context)->mem_ctx); + } + *auth_context = NULL; } +/*************************************************************************** + Make a auth_info struct +***************************************************************************/ +static NTSTATUS make_auth_context(struct auth_context **auth_context) +{ + TALLOC_CTX *mem_ctx; -/**************************************************************************** - COMPATABILITY INTERFACES: - ***************************************************************************/ + mem_ctx = talloc_init_named("authentication context"); + + *auth_context = talloc(mem_ctx, sizeof(**auth_context)); + if (!*auth_context) { + DEBUG(0,("make_auth_context: talloc failed!\n")); + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + ZERO_STRUCTP(*auth_context); -/**************************************************************************** -check if a username/password is OK assuming the password is a 24 byte -SMB hash -return True if the password is correct, False otherwise -****************************************************************************/ + (*auth_context)->mem_ctx = mem_ctx; + (*auth_context)->check_ntlm_password = check_ntlm_password; + (*auth_context)->get_ntlm_challenge = get_ntlm_challenge; + (*auth_context)->free = free_auth_context; + + return NT_STATUS_OK; +} -static NTSTATUS pass_check_smb(char *smb_name, - char *domain, - DATA_BLOB lm_pwd, - DATA_BLOB nt_pwd, - DATA_BLOB plaintext_password, - BOOL encrypted) +/*************************************************************************** + Make a auth_info struct for the auth subsystem +***************************************************************************/ +static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, char **text_list) { + auth_methods *list = NULL; + auth_methods *t = NULL; + auth_methods *tmp; + int i; NTSTATUS nt_status; - auth_usersupplied_info *user_info = NULL; - extern auth_authsupplied_info *negprot_global_auth_info; - auth_serversupplied_info *server_info = NULL; - if (encrypted) { - make_user_info_for_reply_enc(&user_info, smb_name, - domain, - lm_pwd, - nt_pwd, - plaintext_password); - nt_status = check_password(user_info, negprot_global_auth_info, &server_info); - } else { - auth_authsupplied_info *plaintext_auth_info = NULL; - DATA_BLOB chal; - if (!make_auth_info_subsystem(&plaintext_auth_info)) { - return NT_STATUS_NO_MEMORY; - } - - chal = auth_get_challenge(plaintext_auth_info); - if (!make_user_info_for_reply(&user_info, - smb_name, domain, chal.data, - plaintext_password)) { - return NT_STATUS_NO_MEMORY; + if (!text_list) { + DEBUG(2,("No auth method list!?\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) { + return nt_status; + } + + for (;*text_list; text_list++) + { + DEBUG(5,("Attempting to find an auth method to match %s\n", *text_list)); + for (i = 0; builtin_auth_init_functions[i].name; i++) + { + if (strequal(builtin_auth_init_functions[i].name, *text_list)) + { + DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); + if (builtin_auth_init_functions[i].init(*auth_context, &t)) { + DEBUG(5,("auth method %s has a valid init\n", *text_list)); + t->name = builtin_auth_init_functions[i].name; + DLIST_ADD_END(list, t, tmp); + } else { + DEBUG(0,("auth method %s did not correctly init\n", *text_list)); + } + break; + } } - - nt_status = check_password(user_info, plaintext_auth_info, &server_info); - - data_blob_free(&chal); - free_auth_info(&plaintext_auth_info); - } - free_user_info(&user_info); - free_server_info(&server_info); + } + + (*auth_context)->auth_method_list = list; + return nt_status; } -/**************************************************************************** -check if a username/password pair is OK either via the system password -database or the encrypted SMB password database -return True if the password is correct, False otherwise -****************************************************************************/ -BOOL password_ok(char *smb_name, DATA_BLOB password_blob) +/*************************************************************************** + Make a auth_context struct for the auth subsystem +***************************************************************************/ + +NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { + char **auth_method_list = NULL; + NTSTATUS nt_status; - DATA_BLOB null_password = data_blob(NULL, 0); - extern BOOL global_encrypted_passwords_negotiated; - BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24); - - if (encrypted) { - /* - * The password could be either NTLM or plain LM. Try NTLM first, - * but fall-through as required. - * NTLMv2 makes no sense here. - */ - if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { - return True; - } - - if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) { - return True; + if (lp_auth_methods() && !lp_list_copy(&auth_method_list, lp_auth_methods())) { + return NT_STATUS_NO_MEMORY; + } + + if (auth_method_list == NULL) { + switch (lp_security()) + { + case SEC_DOMAIN: + DEBUG(5,("Making default auth method list for security=domain\n")); + auth_method_list = lp_list_make("guest samstrict ntdomain"); + break; + case SEC_SERVER: + DEBUG(5,("Making default auth method list for security=server\n")); + auth_method_list = lp_list_make("guest samstrict smbserver"); + break; + case SEC_USER: + if (lp_encrypted_passwords()) { + DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); + auth_method_list = lp_list_make("guest sam"); + } else { + DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); + auth_method_list = lp_list_make("guest unix"); + } + break; + case SEC_SHARE: + if (lp_encrypted_passwords()) { + DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); + auth_method_list = lp_list_make("guest sam"); + } else { + DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); + auth_method_list = lp_list_make("guest unix"); + } + break; + case SEC_ADS: + DEBUG(5,("Making default auth method list for security=ADS\n")); + auth_method_list = lp_list_make("guest samstrict ads ntdomain"); + break; + default: + DEBUG(5,("Unknown auth method!\n")); + return NT_STATUS_UNSUCCESSFUL; } } else { - if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) { - return True; - } + DEBUG(5,("Using specified auth order\n")); + } + + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) { + lp_list_free(&auth_method_list); + return nt_status; + } + + lp_list_free(&auth_method_list); + return nt_status; +} + +/*************************************************************************** + Make a auth_info struct with a random challenge +***************************************************************************/ + +NTSTATUS make_auth_context_random(struct auth_context **auth_context) +{ + uchar chal[8]; + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) { + return nt_status; } + + generate_random_buffer(chal, sizeof(chal), False); + (*auth_context)->challenge = data_blob(chal, sizeof(chal)); + + (*auth_context)->challenge_set_by = "random"; + + return nt_status; +} + +/*************************************************************************** + Make a auth_info struct with a fixed challenge +***************************************************************************/ - return False; +NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[8]) +{ + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) { + return nt_status; + } + + (*auth_context)->challenge = data_blob(chal, 8); + return nt_status; } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index f76987f685..f1c89689fa 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -29,10 +29,10 @@ * and pass onto the next module. **/ -static NTSTATUS check_guest_security(void *my_private_data, +static NTSTATUS check_guest_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -50,9 +50,9 @@ static NTSTATUS check_guest_security(void *my_private_data, } /* Guest modules initialisation */ -BOOL auth_init_guest(auth_methods **auth_method) +BOOL auth_init_guest(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } @@ -73,10 +73,10 @@ BOOL auth_init_guest(auth_methods **auth_method) * @return An NTSTATUS value based on the username **/ -static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, +static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status; @@ -100,9 +100,9 @@ static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, } /** Module initailisation function */ -BOOL auth_init_name_to_ntstatus(auth_methods **auth_method) +BOOL auth_init_name_to_ntstatus(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } @@ -110,6 +110,3 @@ BOOL auth_init_name_to_ntstatus(auth_methods **auth_method) return True; } - - - diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c new file mode 100644 index 0000000000..4039f0cc1e --- /dev/null +++ b/source3/auth/auth_compat.c @@ -0,0 +1,111 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0. + Password and authentication handling + Copyright (C) Andrew Bartlett 2001-2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/**************************************************************************** + COMPATABILITY INTERFACES: + ***************************************************************************/ + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +static NTSTATUS pass_check_smb(char *smb_name, + char *domain, + DATA_BLOB lm_pwd, + DATA_BLOB nt_pwd, + DATA_BLOB plaintext_password, + BOOL encrypted) + +{ + NTSTATUS nt_status; + auth_usersupplied_info *user_info = NULL; + extern struct auth_context *negprot_global_auth_context; + auth_serversupplied_info *server_info = NULL; + if (encrypted) { + make_user_info_for_reply_enc(&user_info, smb_name, + domain, + lm_pwd, + nt_pwd); + nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context, + user_info, &server_info); + } else { + struct auth_context *plaintext_auth_context = NULL; + const uint8 *chal; + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) { + return nt_status; + } + + chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context); + + if (!make_user_info_for_reply(&user_info, + smb_name, domain, chal, + plaintext_password)) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, + user_info, &server_info); + + plaintext_auth_context->free(&plaintext_auth_context); + } + free_user_info(&user_info); + free_server_info(&server_info); + return nt_status; +} + +/**************************************************************************** +check if a username/password pair is ok via the auth subsystem. +return True if the password is correct, False otherwise +****************************************************************************/ +BOOL password_ok(char *smb_name, DATA_BLOB password_blob) +{ + + DATA_BLOB null_password = data_blob(NULL, 0); + extern BOOL global_encrypted_passwords_negotiated; + BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24); + + if (encrypted) { + /* + * The password could be either NTLM or plain LM. Try NTLM first, + * but fall-through as required. + * NTLMv2 makes no sense here. + */ + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { + return True; + } + + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) { + return True; + } + } else { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) { + return True; + } + } + + return False; +} + + diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6e3eb643d8..e836375406 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -125,8 +125,10 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); Utility function to attempt a connection to an IP address of a DC. ************************************************************************/ -static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip, - unsigned char *trust_passwd) +static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, + const char *domain, + struct in_addr *ip, + unsigned char *trust_passwd) { fstring dc_name; @@ -137,7 +139,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip if (is_zero_ip(*ip)) return NT_STATUS_UNSUCCESSFUL; - if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) + if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_UNSUCCESSFUL; return connect_to_domain_password_server(cli, dc_name, trust_passwd); @@ -145,11 +147,12 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip /*********************************************************************** We have been asked to dynamcially determine the IP addresses of - the PDC and BDC's for this DOMAIN, and query them in turn. + the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, - unsigned char *trust_passwd, - time_t last_change_time) + const char *domain, + unsigned char *trust_passwd, + time_t last_change_time) { struct in_addr *ip_list = NULL; int count = 0; @@ -169,7 +172,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if (time_now - last_change_time < 3600) use_pdc_only = True; - if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) return NT_STATUS_UNSUCCESSFUL; /* @@ -180,7 +183,9 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!is_local_net(ip_list[i])) continue; - if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ @@ -192,7 +197,9 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) + if (!NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) zero_ip(&ip_list[i]); /* Tried and failed. */ } @@ -206,7 +213,9 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) + if (NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; } } @@ -224,6 +233,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, + const char *domain, uchar chal[8], auth_serversupplied_info **server_info, char *server, unsigned char *trust_passwd, @@ -246,7 +256,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, domain, trust_passwd, last_change_time); } else { nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); } @@ -376,18 +386,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, Check for a valid username and password in security=domain mode. ****************************************************************************/ -static NTSTATUS check_ntdomain_security(void *my_private_data, +static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; unsigned char trust_passwd[16]; time_t last_change_time; + char *domain = lp_workgroup(); - if (!user_info || !server_info || !auth_info) { + if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -409,7 +420,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, * Get the machine account password for our primary domain */ - if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); unbecome_root(); @@ -433,18 +444,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(mem_ctx, user_info, (uchar *)auth_info->challenge.data,server_info, + nt_status = domain_client_validate(mem_ctx, user_info, domain, + (uchar *)auth_context->challenge.data, + server_info, p, trust_passwd, last_change_time); return nt_status; } -BOOL auth_init_ntdomain(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } (*auth_method)->auth = check_ntdomain_security; return True; } + diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c deleted file mode 100644 index 9d399a88eb..0000000000 --- a/source3/auth/auth_info.c +++ /dev/null @@ -1,313 +0,0 @@ -/* - Unix SMB/Netbios implementation. - Version 3.0. - Authentication utility functions - Copyright (C) Andrew Bartlett 2001 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/** List of various built-in authenticaion modules */ - -const struct auth_init_function builtin_auth_init_functions[] = { - { "guest", auth_init_guest }, - { "rhosts", auth_init_rhosts }, - { "hostsequiv", auth_init_hostsequiv }, - { "sam", auth_init_sam }, - { "samstrict", auth_init_samstrict }, - { "unix", auth_init_unix }, - { "smbserver", auth_init_smbserver }, - { "ntdomain", auth_init_ntdomain }, - { "winbind", auth_init_winbind }, -#ifdef DEVELOPER - { "name_to_ntstatus", auth_init_name_to_ntstatus }, -#endif - { NULL, NULL} -}; - -/*************************************************************************** - Free a linked list of auth methods -***************************************************************************/ - -static void free_auth_methods_list(auth_methods **list) -{ - if (list != NULL) { - while (*list) { - auth_methods *old_head = *list; - if ((*list)->free_private_data) { - (*list)->free_private_data(&((*list)->private_data)); - } - DLIST_REMOVE(*list, *list); - SAFE_FREE(old_head); - } - - } -} - -/*************************************************************************** - Make a auth_info struct -***************************************************************************/ - -static BOOL make_auth_info(auth_authsupplied_info **auth_info) -{ - *auth_info = malloc(sizeof(**auth_info)); - if (!*auth_info) { - DEBUG(0,("make_auth_info: malloc failed!\n")); - return False; - } - ZERO_STRUCTP(*auth_info); - - return True; -} - -/*************************************************************************** - Make a auth_info struct with a specified list. -***************************************************************************/ - -BOOL make_auth_info_list(auth_authsupplied_info **auth_info, auth_methods *list) -{ - if (!make_auth_info(auth_info)) { - return False; - } - - (*auth_info)->auth_method_list = list; - - return True; -} - -/*************************************************************************** - Make a auth_info struct for the auth subsystem -***************************************************************************/ - -static BOOL make_auth_info_text_list(auth_authsupplied_info **auth_info, char **text_list) -{ - auth_methods *list = NULL; - auth_methods *t = NULL; - auth_methods *tmp; - int i; - - if (!text_list) { - DEBUG(2,("No auth method list!?\n")); - return False; - } - - for (;*text_list; text_list++) - { - DEBUG(5,("Attempting to find an auth method to match %s\n", *text_list)); - for (i = 0; builtin_auth_init_functions[i].name; i++) - { - if (strequal(builtin_auth_init_functions[i].name, *text_list)) - { - DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); - if (builtin_auth_init_functions[i].init(&t)) { - DEBUG(5,("auth method %s has a valid init\n", *text_list)); - t->name = builtin_auth_init_functions[i].name; - DLIST_ADD_END(list, t, tmp); - } else { - DEBUG(5,("auth method %s DOES NOT have a valid init\n", *text_list)); - } - break; - } - } - } - - if (!make_auth_info_list(auth_info, list)) { - free_auth_methods_list(&list); - return False; - } - - return True; -} - -/*************************************************************************** - Make a auth_info struct for the auth subsystem -***************************************************************************/ - -BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info) -{ - char **auth_method_list = NULL; - - if (lp_auth_methods() && !lp_list_copy(&auth_method_list, lp_auth_methods())) { - return False; - } - - if (auth_method_list == NULL) { - switch (lp_security()) - { - case SEC_DOMAIN: - DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = lp_list_make("guest samstrict ntdomain"); - break; - case SEC_SERVER: - DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = lp_list_make("guest samstrict smbserver"); - break; - case SEC_USER: - if (lp_encrypted_passwords()) { - DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); - auth_method_list = lp_list_make("guest sam"); - } else { - DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = lp_list_make("guest unix"); - } - break; - case SEC_SHARE: - if (lp_encrypted_passwords()) { - DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = lp_list_make("guest sam"); - } else { - DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = lp_list_make("guest unix"); - } - break; - case SEC_ADS: - DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = lp_list_make("guest samstrict ads ntdomain"); - break; - default: - DEBUG(5,("Unknown auth method!\n")); - return False; - } - } else { - DEBUG(5,("Using specified auth order\n")); - } - - if (!make_auth_info_text_list(auth_info, auth_method_list)) { - lp_list_free(&auth_method_list); - return False; - } - - lp_list_free(&auth_method_list); - return True; -} - -/*************************************************************************** - Make a auth_info struct with a random challenge -***************************************************************************/ - -BOOL make_auth_info_random(auth_authsupplied_info **auth_info) -{ - uchar chal[8]; - if (!make_auth_info_subsystem(auth_info)) { - return False; - } - - generate_random_buffer(chal, sizeof(chal), False); - (*auth_info)->challenge = data_blob(chal, sizeof(chal)); - - (*auth_info)->challenge_set_by = "random"; - - return True; -} - -/*************************************************************************** - Make a auth_info struct with a fixed challenge -***************************************************************************/ - -BOOL make_auth_info_fixed(auth_authsupplied_info **auth_info, uchar chal[8]) -{ - if (!make_auth_info_subsystem(auth_info)) { - return False; - } - - (*auth_info)->challenge = data_blob(chal, 8); - return True; -} - -/*************************************************************************** - Clear out a auth_info struct that has been allocated -***************************************************************************/ - -void free_auth_info(auth_authsupplied_info **auth_info) -{ - if (*auth_info != NULL) { - free_auth_methods_list(&(*auth_info)->auth_method_list); - - data_blob_free(&(*auth_info)->challenge); - ZERO_STRUCT(**auth_info); - } - SAFE_FREE(*auth_info); -} - -/**************************************************************************** - Try to get a challenge out of the various authenticaion modules. - It is up to the caller to free it. -****************************************************************************/ - -DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) -{ - DATA_BLOB challenge = data_blob(NULL, 0); - char *challenge_set_by = NULL; - auth_methods *auth_method; - TALLOC_CTX *mem_ctx; - - if (auth_info->challenge.length) { - DEBUG(5, ("auth_get_challenge: returning previous challenge (normal)\n")); - return data_blob(auth_info->challenge.data, auth_info->challenge.length); - } - - for (auth_method = auth_info->auth_method_list; auth_method; auth_method = auth_method->next) - { - if (auth_method->get_chal) { - DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); - if (challenge_set_by) { - DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", - challenge_set_by, auth_method->name)); - } else { - mem_ctx = talloc_init_named("auth_get_challange for module %s", auth_method->name); - if (!mem_ctx) { - smb_panic("talloc_init_named() failed!"); - } - - challenge = auth_method->get_chal(&auth_method->private_data, mem_ctx, auth_info); - if (challenge.length) { - DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); - auth_info->challenge = challenge; - challenge_set_by = auth_method->name; - auth_info->challenge_set_method = auth_method; - } else { - DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", - auth_method->name)); - } - talloc_destroy(mem_ctx); - } - } else { - DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); - } - } - - if (!challenge_set_by) { - uchar chal[8]; - - generate_random_buffer(chal, sizeof(chal), False); - auth_info->challenge = data_blob(chal, sizeof(chal)); - - challenge_set_by = "random"; - } - - DEBUG(5, ("auth_info challenge created by %s\n", challenge_set_by)); - DEBUG(5, ("challenge is: \n")); - dump_data(5, auth_info->challenge.data, (auth_info)->challenge.length); - - SMB_ASSERT(auth_info->challenge.length == 8); - - auth_info->challenge_set_by=challenge_set_by; - - return data_blob(auth_info->challenge.data, auth_info->challenge.length); -} - - diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 1dd97872da..55ff7aa060 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -155,10 +155,10 @@ static BOOL check_hosts_equiv(struct passwd *pass) Check for a valid .rhosts/hosts.equiv entry for this user ****************************************************************************/ -static NTSTATUS check_hostsequiv_security(void *my_private_data, +static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -176,15 +176,26 @@ static NTSTATUS check_hostsequiv_security(void *my_private_data, return nt_status; } +/* module initialisation */ +BOOL auth_init_hostsequiv(struct auth_context *auth_context, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return False; + } + + (*auth_method)->auth = check_hostsequiv_security; + return True; +} + /**************************************************************************** Check for a valid .rhosts/hosts.equiv entry for this user ****************************************************************************/ -static NTSTATUS check_rhosts_security(void *my_private_data, +static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -209,22 +220,13 @@ static NTSTATUS check_rhosts_security(void *my_private_data, return nt_status; } -BOOL auth_init_hostsequiv(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_rhosts(struct auth_context *auth_context, auth_methods **auth_method) { - - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } - (*auth_method)->auth = check_hostsequiv_security; - return True; -} -BOOL auth_init_rhosts(auth_methods **auth_method) -{ - - if (!make_auth_methods(auth_method)) { - return False; - } (*auth_method)->auth = check_rhosts_security; return True; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index c8b5386f7a..f1bcae461e 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -27,9 +27,9 @@ core of smb password checking routine. ****************************************************************************/ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, - const uchar *part_passwd, - DATA_BLOB sec_blob, - uint8 user_sess_key[16]) + const uchar *part_passwd, + DATA_BLOB sec_blob, + uint8 user_sess_key[16]) { /* Finish the encryption of part_passwd. */ uchar p24[24]; @@ -75,10 +75,10 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, core of smb password checking routine. ****************************************************************************/ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, - const uchar *part_passwd, - const DATA_BLOB sec_blob, - const char *user, const char *domain, - uint8 user_sess_key[16]) + const uchar *part_passwd, + const DATA_BLOB sec_blob, + const char *user, const char *domain, + uint8 user_sess_key[16]) { /* Finish the encryption of part_passwd. */ uchar kr[16]; @@ -132,10 +132,10 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, +static NTSTATUS sam_password_ok(const struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, uint8 user_sess_key[16]) { uint16 acct_ctrl; @@ -175,7 +175,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, */ DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n")); if (smb_pwd_check_ntlmv2( user_info->nt_resp, - nt_pw, auth_info->challenge, + nt_pw, auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, user_sess_key)) @@ -192,7 +192,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, */ DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); if (smb_pwd_check_ntlmv1(user_info->nt_resp, - nt_pw, auth_info->challenge, + nt_pw, auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; @@ -225,7 +225,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, DEBUG(4,("sam_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(user_info->lm_resp, - lm_pw, auth_info->challenge, + lm_pw, auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; @@ -337,10 +337,10 @@ SMB hash supplied in the user_info structure return an NT_STATUS constant. ****************************************************************************/ -static NTSTATUS check_sam_security(void *my_private_data, +static NTSTATUS check_sam_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { SAM_ACCOUNT *sampass=NULL; @@ -349,8 +349,8 @@ static NTSTATUS check_sam_security(void *my_private_data, uint8 user_sess_key[16]; const uint8* lm_hash; - if (!user_info || !auth_info) { - return NT_STATUS_LOGON_FAILURE; + if (!user_info || !auth_context) { + return NT_STATUS_UNSUCCESSFUL; } if (!pdb_init_sam(&sampass)) { @@ -370,7 +370,7 @@ static NTSTATUS check_sam_security(void *my_private_data, return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(mem_ctx, sampass, user_info, auth_info, user_sess_key); + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); @@ -399,9 +399,10 @@ static NTSTATUS check_sam_security(void *my_private_data, return nt_status; } -BOOL auth_init_sam(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_sam(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } @@ -409,20 +410,19 @@ BOOL auth_init_sam(auth_methods **auth_method) return True; } + /**************************************************************************** -check if a username/password is OK assuming the password is a 24 byte -SMB hash supplied in the user_info structure -return an NT_STATUS constant. +Check SAM security (above) but with a few extra checks. ****************************************************************************/ -static NTSTATUS check_samstrict_security(void *my_private_data, +static NTSTATUS check_samstrict_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { - if (!user_info || !auth_info) { + if (!user_info || !auth_context) { return NT_STATUS_LOGON_FAILURE; } @@ -434,12 +434,13 @@ static NTSTATUS check_samstrict_security(void *my_private_data, return NT_STATUS_NO_SUCH_USER; } - return check_sam_security(my_private_data, mem_ctx, user_info, auth_info, server_info); + return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); } -BOOL auth_init_samstrict(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_samstrict(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } @@ -447,3 +448,4 @@ BOOL auth_init_samstrict(auth_methods **auth_method) return True; } + diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7178e3147c..c83230b716 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -134,9 +134,9 @@ static void send_server_keepalive(void **private_data_pointer) Get the challenge out of a password server. ****************************************************************************/ -static DATA_BLOB auth_get_challenge_server(void **my_private_data, - TALLOC_CTX *mem_ctx, - const struct authsupplied_info *auth_info) +static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context, + void **my_private_data, + TALLOC_CTX *mem_ctx) { struct cli_state *cli = server_cryptkey(mem_ctx); @@ -161,8 +161,10 @@ static DATA_BLOB auth_get_challenge_server(void **my_private_data, } *my_private_data = (void *)cli; - - return data_blob(cli->secblob.data,8); + + /* The return must be allocated on the caller's mem_ctx, as our own will be + destoyed just after the call. */ + return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8); } else { return data_blob(NULL, 0); } @@ -174,10 +176,10 @@ static DATA_BLOB auth_get_challenge_server(void **my_private_data, - Validate a password with the password server. ****************************************************************************/ -static NTSTATUS check_smbserver_security(void *my_private_data, +static NTSTATUS check_smbserver_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { struct cli_state *cli; @@ -218,7 +220,7 @@ static NTSTATUS check_smbserver_security(void *my_private_data, return NT_STATUS_LOGON_FAILURE; } } else { - if (memcmp(cli->secblob.data, auth_info->challenge.data, 8) != 0) { + if (memcmp(cli->secblob.data, auth_context->challenge.data, 8) != 0) { DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost)); return NT_STATUS_LOGON_FAILURE; } @@ -353,9 +355,9 @@ use this machine as the password server.\n")); return(nt_status); } -BOOL auth_init_smbserver(auth_methods **auth_method) +BOOL auth_init_smbserver(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } (*auth_method)->auth = check_smbserver_security; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index fa889af5f6..69c24b8213 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -83,10 +83,10 @@ static BOOL update_smbpassword_file(char *user, char *password) * unless the account has a null password. **/ -NTSTATUS check_unix_security(void *my_private_data, +static NTSTATUS check_unix_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status; @@ -120,11 +120,13 @@ NTSTATUS check_unix_security(void *my_private_data, return nt_status; } -BOOL auth_init_unix(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_unix(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } + (*auth_method)->auth = check_unix_security; return True; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d9f3098e7c..a479f52ab2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -276,13 +276,13 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, - uchar chal[8], - uchar lm_interactive_pwd[16], - uchar nt_interactive_pwd[16], - uchar *dc_sess_key) + const char *smb_name, + const char *client_domain, + const char *wksta_name, + const uchar chal[8], + const uchar lm_interactive_pwd[16], + const uchar nt_interactive_pwd[16], + const uchar *dc_sess_key) { char lm_pwd[16]; char nt_pwd[16]; @@ -360,7 +360,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - unsigned char chal[8], + const uint8 chal[8], DATA_BLOB plaintext_password) { @@ -383,7 +383,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, dump_data(100, plaintext_password.data, plaintext_password.length); #endif - SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); + SMBencrypt( (const uchar *)plaintext_password.data, (const uchar*)chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be @@ -415,8 +415,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp, - DATA_BLOB plaintext_password) + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 ntlmssp_flags = 0; @@ -572,9 +571,17 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) Make an auth_methods struct ***************************************************************************/ -BOOL make_auth_methods(auth_methods **auth_method) +BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) { - *auth_method = malloc(sizeof(**auth_method)); + if (!auth_context) { + smb_panic("no auth_context supplied to make_auth_methods()!\n"); + } + + if (!auth_method) { + smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); + } + + *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method)); if (!*auth_method) { DEBUG(0,("make_auth_method: malloc failed!\n")); return False; @@ -623,3 +630,33 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/** + * Squash an NT_STATUS in line with security requirements. + * In an attempt to avoid giving the whole game away when users + * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and + * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations + * (session setups in particular). + * + * @param nt_status NTSTATUS input for squashing. + * @return the 'squashed' nt_status + **/ + +NTSTATUS nt_status_squash(NTSTATUS nt_status) +{ + if NT_STATUS_IS_OK(nt_status) { + return nt_status; + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; + + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; + } else { + return nt_status; + } +} + + + diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 74654f8bba..175e14a9d6 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -33,10 +33,10 @@ NSS_STATUS winbindd_request(int req_type, /* Authenticate a user with a challenge/response */ -static NTSTATUS check_winbind_security(void *my_private_data, +static NTSTATUS check_winbind_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { struct winbindd_request request; @@ -46,13 +46,13 @@ static NTSTATUS check_winbind_security(void *my_private_data, NTSTATUS nt_status; if (!user_info) { - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_UNSUCCESSFUL; } - if (!auth_info) { + if (!auth_context) { DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", user_info->internal_username.str)); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_UNSUCCESSFUL; } /* Send off request */ @@ -63,7 +63,7 @@ static NTSTATUS check_winbind_security(void *my_private_data, snprintf(request.data.auth_crap.user, sizeof(request.data.auth_crap.user), "%s\\%s", user_info->domain.str, user_info->smb_name.str); - memcpy(request.data.auth_crap.chal, auth_info->challenge.data, sizeof(request.data.auth_crap.chal)); + memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length, sizeof(request.data.auth_crap.lm_resp)); @@ -97,16 +97,13 @@ static NTSTATUS check_winbind_security(void *my_private_data, return nt_status; } -BOOL auth_init_winbind(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_winbind(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } (*auth_method)->auth = check_winbind_security; return True; } - - - - -- cgit From f5bc0e92a66b418b2bd8f3669a9642b4d46bc8d1 Mon Sep 17 00:00:00 2001 From: Martin Pool Date: Wed, 9 Jan 2002 07:52:51 +0000 Subject: Better explanation message for dmalloc. Also more insertion of parenthesis to handle struct members called 'free'. You can now get useful dmalloc output, as long as it is compatible with your C library. On RH7.1 it looks like you have to rebuild dmalloc to allow free(0) by default, because something in libcrypt does that. (sigh) (This used to be commit 391cbb690196537c8b6292b42c2e27408cc7e249) --- source3/auth/auth_compat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 4039f0cc1e..28a9780d3f 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -68,7 +68,7 @@ static NTSTATUS pass_check_smb(char *smb_name, nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, user_info, &server_info); - plaintext_auth_context->free(&plaintext_auth_context); + (plaintext_auth_context->free)(&plaintext_auth_context); } free_user_info(&user_info); free_server_info(&server_info); -- cgit From 5047a66d39fdd56a5895037de8c519a828a03b19 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2002 05:29:09 +0000 Subject: Back out the crazy notion that the NTLMSSP flags actually mean anything... Replace this with some flags that *we* define. We can do a mapping later if we actually get some more reliable info about what passwords are actually valid. Andrew Bartlett (This used to be commit 7f7a42c3e4d5798ac87ea16a42e4976c3778a76b) --- source3/auth/auth_sam.c | 14 +++++++------- source3/auth/auth_util.c | 42 +++++++++++++++++++++--------------------- 2 files changed, 28 insertions(+), 28 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index f1bcae461e..107e33c600 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -140,7 +140,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { uint16 acct_ctrl; const uint8 *nt_pw, *lm_pw; - uint32 ntlmssp_flags; + uint32 auth_flags; acct_ctrl = pdb_get_acct_ctrl(sampass); if (acct_ctrl & ACB_PWNOTREQ) @@ -160,16 +160,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw = pdb_get_nt_passwd(sampass); lm_pw = pdb_get_lanman_passwd(sampass); - ntlmssp_flags = user_info->ntlmssp_flags; + auth_flags = user_info->auth_flags; if (nt_pw == NULL) { DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ - ntlmssp_flags &= (~(NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)); + auth_flags &= (~(AUTH_FLAG_NTLMv2_RESP | AUTH_FLAG_NTLM_RESP)); } - if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM2) { + if (auth_flags & AUTH_FLAG_NTLMv2_RESP) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -185,7 +185,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); return NT_STATUS_WRONG_PASSWORD; } - } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) { + } else if (auth_flags & AUTH_FLAG_NTLM_RESP) { if (lp_ntlm_auth()) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). @@ -208,10 +208,10 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, if (lm_pw == NULL) { DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); - ntlmssp_flags &= (~NTLMSSP_NEGOTIATE_OEM); + auth_flags &= (~AUTH_FLAG_LM_RESP); } - if (ntlmssp_flags & NTLMSSP_NEGOTIATE_OEM) { + if (auth_flags & AUTH_FLAG_LM_RESP) { if (user_info->lm_resp.length != 24) { DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a479f52ab2..a747cf8a35 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -111,7 +111,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, const char *wksta_name, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) + uint32 auth_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -173,7 +173,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); (*user_info)->encrypted = encrypted; - (*user_info)->ntlmssp_flags = ntlmssp_flags; + (*user_info)->auth_flags = auth_flags; DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); @@ -248,14 +248,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; if (lm_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; if (nt_pwd_len == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; } else if (nt_pwd_len != 0) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + auth_flags |= AUTH_FLAG_NTLMv2_RESP; } ret = make_user_info_map(user_info, @@ -263,7 +263,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, wksta_name, lm_blob, nt_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -334,9 +334,9 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB plaintext_blob = data_blob(NULL, 0); if (lm_interactive_pwd) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; if (nt_interactive_pwd) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; ret = make_user_info_map(user_info, smb_name, client_domain, @@ -344,7 +344,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, local_lm_blob, local_nt_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); @@ -367,7 +367,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; BOOL ret = False; - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; /* * Not encrypted - do so. @@ -390,7 +390,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, case insensitive */ local_nt_blob = data_blob(NULL, 0); - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; + auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP); } else { local_lm_blob = data_blob(NULL, 0); local_nt_blob = data_blob(NULL, 0); @@ -402,7 +402,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, local_lm_blob, local_nt_blob, plaintext_password, - ntlmssp_flags, False); + auth_flags, False); data_blob_free(&local_lm_blob); return ret; @@ -417,18 +417,18 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, char *client_domain, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); if (lm_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; } if (nt_resp.length == 0) { } else if (nt_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; } else { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + auth_flags |= AUTH_FLAG_NTLMv2_RESP; } return make_user_info_map(user_info, smb_name, @@ -437,7 +437,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, lm_resp, nt_resp, no_plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); } /**************************************************************************** @@ -449,7 +449,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) DATA_BLOB lm_blob = data_blob(NULL, 0); DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; return make_user_info(user_info, "","", @@ -457,7 +457,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) "", nt_blob, lm_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); } /*************************************************************************** -- cgit From 7f8ae6e35c2733c0560d73266dc5d7c589b9a143 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2002 06:22:42 +0000 Subject: The DC is meant to be sent the *unmapped* username... Andrew Bartlett (This used to be commit d7fca1806a304cb6eeecfe34d6c5c012c745114f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e836375406..a81af3b738 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -276,7 +276,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - user_info->internal_username.str, user_info->domain.str, + user_info->smb_name.str, user_info->domain.str, user_info->wksta_name.str, chal, user_info->lm_resp, user_info->nt_resp, &info3); -- cgit From 27655be3c1708d447b046a2b0d8b2013eeb21835 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 11 Jan 2002 13:14:28 +0000 Subject: fixed a crash bug in domain auth caused by an uninitialised nt_status (This used to be commit 0b0b937b58f4bf4e005fb622f0db19175fc46a47) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a81af3b738..eba61114d6 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -242,7 +242,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli; - NTSTATUS nt_status; + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct passwd *pass; /* -- cgit From e895b9004e57c62d7517198618f9fd788107629e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 12 Jan 2002 23:57:10 +0000 Subject: Many thanks to Alexander Bokovoy . This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43) --- source3/auth/auth_domain.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index eba61114d6..6dcf3119ea 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -352,6 +352,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, sid_copy(&ptok->user_sids[i], &domain_sid); sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); } + + become_root(); + uni_group_cache_store_netlogon(mem_ctx, &info3); + unbecome_root(); } #if 0 -- cgit From dd0f0f043f740a4099ed17a43fd7d5cbe1142540 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 14 Jan 2002 21:52:25 +0000 Subject: Fix a segfault in auth/auth_domain.c error cases. This occured when the attempt to contact the PDC failed. The connection code has already shut down the connection, and 'free'ed the cli or has never initialised it in the first place. Andrew Bartlett (This used to be commit 37ce7630434c1afae5164c64438f428dd8e1b731) --- source3/auth/auth_domain.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6dcf3119ea..2b5104bf92 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -241,7 +241,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, { fstring remote_machine; NET_USER_INFO_3 info3; - struct cli_state *cli; + struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct passwd *pass; @@ -264,7 +264,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(cli); return nt_status; } -- cgit From 90558370ab9019c425019083a6dcb129a808a5ed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jan 2002 01:14:58 +0000 Subject: Commit the auth associated changes I missed from the last commit. Also set the default value of all the allocated strings to "" to avoid changing the interface (becouse pdb_get...() would point to a null string, rather than a null pointer and parts of samba rely on that). Andrew Bartlett (This used to be commit 5b4079f748e25f21162e21b439063249baf8dca6) --- source3/auth/auth_sam.c | 6 ++++-- source3/auth/auth_util.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 107e33c600..01f41fce44 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -353,8 +353,10 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_init_sam(&sampass)) { - return NT_STATUS_NO_MEMORY; + /* Can't use the talloc version here, becouse the returned struct gets + kept on the server_info */ + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { + return nt_status; } /* get the account information */ diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a747cf8a35..d2748e30d4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -501,7 +501,7 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { SAM_ACCOUNT *sampass = NULL; - if (!pdb_init_sam_pw(&sampass, pwd)) { + if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) { return False; } return make_server_info_sam(server_info, sampass); -- cgit From c311d24ce32d2a8aa244f126bcec67ec03549727 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 17 Jan 2002 08:45:58 +0000 Subject: A nice *big* change to the fundemental way we do things. Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da) --- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 6 ++++-- source3/auth/pass_check.c | 24 +++++++++++++++++++++--- 3 files changed, 26 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 69c24b8213..73a4c51b4f 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -96,7 +96,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, pass = Get_Pwnam(user_info->internal_username.str); - /** This call assumes a ASCII password, no charset transformation is + /** @todo This call assumes a ASCII password, no charset transformation is done. We may need to revisit this **/ nt_status = pass_check(pass, pass ? pass->pw_name : user_info->internal_username.str, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d2748e30d4..643c2e1996 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -554,16 +554,18 @@ void free_server_info(auth_serversupplied_info **server_info) BOOL make_server_info_guest(auth_serversupplied_info **server_info) { - struct passwd *pass = sys_getpwnam(lp_guestaccount()); + struct passwd *pass = getpwnam_alloc(lp_guestaccount()); if (pass) { if (!make_server_info_pw(server_info, pass)) { + passwd_free(&pass); return False; } (*server_info)->guest = True; + passwd_free(&pass); return True; } - DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n")); return False; } diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 77839e4bb0..0101e0fe18 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -589,9 +589,10 @@ match is found and is used to update the encrypted password file return NT_STATUS_OK on correct match, appropriate error otherwise ****************************************************************************/ -NTSTATUS pass_check(struct passwd *pass, char *user, char *password, +NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, int pwlen, BOOL (*fn) (char *, char *), BOOL run_cracker) { + struct passwd *pass; pstring pass2; int level = lp_passwordlevel(); @@ -620,15 +621,17 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen)); -#else /* Not using PAM or Kerebos */ +#else /* Not using PAM */ DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen)); - if (!pass) { + if (!input_pass) { DEBUG(3, ("Couldn't find user %s\n", user)); return NT_STATUS_NO_SUCH_USER; } + pass = make_modifyable_passwd(input_pass); + #ifdef HAVE_GETSPNAM { struct spwd *spass; @@ -662,6 +665,15 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, } #endif +#ifdef HAVE_GETPWANAM + { + struct passwd_adjunct *pwret; + pwret = getpwanam(s); + if (pwret && pwret->pwa_passwd) + pstrcpy(pass->pw_passwd,pwret->pwa_passwd); + } +#endif + #ifdef OSF1_ENH_SEC { struct pr_passwd *mypasswd; @@ -698,22 +710,27 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, this_salt[2] = 0; #endif + /* Copy into global for the convenience of looping code */ fstrcpy(this_crypted, pass->pw_passwd); if (!*this_crypted) { if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", this_user)); + passwd_free(&pass); return NT_STATUS_LOGON_FAILURE; } if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", this_user)); + passwd_free(&pass); return NT_STATUS_OK; } } + passwd_free(&pass); + #endif /* defined(WITH_PAM) */ /* try it as it came to us */ @@ -736,6 +753,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, * need to proceed as we know it hasn't been case modified by the * client */ if (strhasupper(password) && strhaslower(password)) { + passwd_free(&pass); return nt_status; } -- cgit From aea134de2c4d3e67c17263bdc8545bd6f6167199 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 18 Jan 2002 08:12:10 +0000 Subject: Don't do tridge's crazy 'am I a trusted domain' lookup for guests. Andrew Bartlett (This used to be commit 9bfe54a3d484919fe830f9c6ae01f67663974af2) --- source3/auth/auth_util.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 643c2e1996..0839b19665 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -198,7 +198,6 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, map_username(internal_username); if (lp_allow_trusted_domains()) { - char *user; /* the client could have given us a workstation name or other crap for the workgroup - we really need a way of telling if this domain name is one of our @@ -209,15 +208,19 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, on winbind, but until we have a better method this will have to do */ - asprintf(&user, "%s%s%s", - client_domain, lp_winbind_separator(), - smb_name); - if (Get_Pwnam(user) != NULL) { - domain = client_domain; - } else { - domain = lp_workgroup(); + + domain = client_domain; + + if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ + char *user; + asprintf(&user, "%s%s%s", + client_domain, lp_winbind_separator(), + smb_name); + if (Get_Pwnam(user) == NULL) { + domain = lp_workgroup(); + } + free(user); } - free(user); } else { domain = lp_workgroup(); } -- cgit From 2d06adc3f02ba18b832886bf4cda95679b13a39b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 20 Jan 2002 08:58:21 +0000 Subject: Add a touch of 'const' to some auth components, and move the simple plaintext password check into its own helper funciton. (This will allow it to be called from other places). Andrew Bartlett (This used to be commit 9e96f438057da21254f40facdd9a31dd20652f35) --- source3/auth/auth_compat.c | 53 +++++++++++++++++++++++++++------------------- source3/auth/auth_util.c | 20 ++++++++--------- 2 files changed, 41 insertions(+), 32 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 28a9780d3f..8cf304a071 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -31,8 +31,34 @@ SMB hash return True if the password is correct, False otherwise ****************************************************************************/ -static NTSTATUS pass_check_smb(char *smb_name, - char *domain, +NTSTATUS check_plaintext_password(const char *smb_name, DATA_BLOB plaintext_password, auth_serversupplied_info **server_info) +{ + struct auth_context *plaintext_auth_context = NULL; + auth_usersupplied_info *user_info = NULL; + const uint8 *chal; + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) { + return nt_status; + } + + chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context); + + if (!make_user_info_for_reply(&user_info, + smb_name, lp_workgroup(), chal, + plaintext_password)) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, + user_info, server_info); + + (plaintext_auth_context->free)(&plaintext_auth_context); + free_user_info(&user_info); + return nt_status; +} + +static NTSTATUS pass_check_smb(const char *smb_name, + const char *domain, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext_password, @@ -40,37 +66,20 @@ static NTSTATUS pass_check_smb(char *smb_name, { NTSTATUS nt_status; - auth_usersupplied_info *user_info = NULL; extern struct auth_context *negprot_global_auth_context; auth_serversupplied_info *server_info = NULL; if (encrypted) { + auth_usersupplied_info *user_info = NULL; make_user_info_for_reply_enc(&user_info, smb_name, domain, lm_pwd, nt_pwd); nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context, user_info, &server_info); + free_user_info(&user_info); } else { - struct auth_context *plaintext_auth_context = NULL; - const uint8 *chal; - if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) { - return nt_status; - } - - chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context); - - if (!make_user_info_for_reply(&user_info, - smb_name, domain, chal, - plaintext_password)) { - return NT_STATUS_NO_MEMORY; - } - - nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, - user_info, &server_info); - - (plaintext_auth_context->free)(&plaintext_auth_context); + nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info); } - free_user_info(&user_info); free_server_info(&server_info); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0839b19665..5b252f42cd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -241,11 +241,11 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, - uchar *lm_network_pwd, int lm_pwd_len, - uchar *nt_network_pwd, int nt_pwd_len) + const char *smb_name, + const char *client_domain, + const char *wksta_name, + const uchar *lm_network_pwd, int lm_pwd_len, + const uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); @@ -361,8 +361,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, + const char *smb_name, + const char *client_domain, const uint8 chal[8], DATA_BLOB plaintext_password) { @@ -416,9 +416,9 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp) + const char *smb_name, + const char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 auth_flags = AUTH_FLAG_NONE; -- cgit From 1a74d8d1f0758d15c5c35d20e33d9868565812cf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 20 Jan 2002 14:30:58 +0000 Subject: This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b) --- source3/auth/auth_unix.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 73a4c51b4f..b2e202552c 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -60,9 +60,7 @@ static BOOL update_smbpassword_file(char *user, char *password) /* Now write it into the file. */ become_root(); - /* Here, the override flag is True, because we want to ignore the - XXXXXXX'd out password */ - ret = pdb_update_sam_account (sampass, True); + ret = pdb_update_sam_account (sampass); unbecome_root(); -- cgit From 1f670cfb275ee34e66f504cd35b1c790840999bf Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 20 Jan 2002 22:50:23 +0000 Subject: Spelling fixes. (This used to be commit e67c7c5852624bcdd5c565ea5f00b143aaf7fee4) --- source3/auth/auth.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 6b68fa631a..892102a5ef 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -52,7 +52,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) TALLOC_CTX *mem_ctx; if (auth_context->challenge.length) { - DEBUG(5, ("get_ntlm_challange (auth subsystem): returning previous challenge (normal)\n")); + DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge (normal)\n")); return auth_context->challenge.data; } @@ -70,7 +70,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) continue; } - mem_ctx = talloc_init_named("auth_get_challange for module %s", auth_method->name); + mem_ctx = talloc_init_named("auth_get_challenge for module %s", auth_method->name); if (!mem_ctx) { smb_panic("talloc_init_named() failed!"); } @@ -156,10 +156,10 @@ static BOOL check_domain_match(const char *user, const char *domain) * @param user_info Contains the user supplied components, including the passwords. * Must be created with make_user_info() or one of its wrappers. * - * @param auth_info Supplies the challanges and some other data. - * Must be created with make_auth_info(), and the challanges should be - * filled in, either at creation or by calling the challange geneation - * function auth_get_challange(). + * @param auth_info Supplies the challenges and some other data. + * Must be created with make_auth_info(), and the challenges should be + * filled in, either at creation or by calling the challenge geneation + * function auth_get_challenge(). * * @param server_info If successful, contains information about the authenticaion, * including a SAM_ACCOUNT struct describing the user. -- cgit From 5fb852d0477a40393c980c5a26e6d2ae8d0c1e9f Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Jan 2002 05:17:49 +0000 Subject: Remove check for passwordserver = "*" as we now initialise it. Added TODO about perhaps doing a SAMLOGON udp/138 request before a cli_full_connection in connect_to_domain_password_server() (This used to be commit b61e40a5be3b8bacc74399902169755dbc4c7fca) --- source3/auth/auth_domain.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2b5104bf92..e84d4e4724 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -78,6 +78,12 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_UNSUCCESSFUL; } + /* TODO: Send a SAMLOGON request to determine whether this is a valid + logonserver. We can avoid a 30-second timeout if the DC is down + if the SAMLOGON request fails as it is only over UDP. */ + + /* Attempt connection */ + result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); @@ -444,7 +450,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, */ pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; p = pserver; nt_status = domain_client_validate(mem_ctx, user_info, domain, -- cgit From 24dc27b4b97806f5e23326f34ff54f85d3074b45 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 25 Jan 2002 10:16:20 +0000 Subject: Bring auth_winbind into line with the protocol changes Andrew Bartlett (This used to be commit c796799afd69fe627b1c8e51fb47957d30da9fae) --- source3/auth/auth_winbind.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 175e14a9d6..2d8e5066a2 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -63,6 +63,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, snprintf(request.data.auth_crap.user, sizeof(request.data.auth_crap.user), "%s\\%s", user_info->domain.str, user_info->smb_name.str); + fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); + fstrcpy(request.data.auth_crap.domain, user_info->domain.str); + memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length, -- cgit From 714cdd47cb3e0e1f683c0a22396f9167a85e7df3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 26 Jan 2002 06:24:53 +0000 Subject: Fix up a security issue with the way we handle domain groups retuned on the info3. These are RIDs, and it only makes sense to combine them with the domain SID returned with them. This is important for trusted domains, where that sid might be other than the one we currently reterive from the secrets.tdb. Also remove the become_root()/unbecome_root() wrapper from around both remaining TDB users: Both are now initialised at smbd startup. Andrew Bartlett (This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca) --- source3/auth/auth_domain.c | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e84d4e4724..704f600c66 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -324,7 +324,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* Store the user group information in the server_info returned to the caller. */ if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { - DOM_SID domain_sid; int i; NT_USER_TOKEN *ptok; auth_serversupplied_info *pserver_info = *server_info; @@ -346,21 +345,12 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, goto done; } - if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { - DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - free_server_info(server_info); - goto done; - } - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &domain_sid); + sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid); sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); } - become_root(); uni_group_cache_store_netlogon(mem_ctx, &info3); - unbecome_root(); } #if 0 @@ -423,10 +413,9 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; } - become_root(); - /* * Get the machine account password for our primary domain + * No need to become_root() as secrets_init() is done at startup. */ if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) @@ -436,8 +425,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - unbecome_root(); - /* Test if machine password is expired and need to be changed */ if (time(NULL) > last_change_time + lp_machine_password_timeout()) { @@ -470,4 +457,3 @@ BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_m (*auth_method)->auth = check_ntdomain_security; return True; } - -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/auth/auth.c | 3 +-- source3/auth/auth_builtin.c | 3 +-- source3/auth/auth_compat.c | 3 +-- source3/auth/auth_domain.c | 3 +-- source3/auth/auth_rhosts.c | 3 +-- source3/auth/auth_sam.c | 3 +-- source3/auth/auth_server.c | 3 +-- source3/auth/auth_unix.c | 3 +-- source3/auth/auth_util.c | 3 +-- source3/auth/auth_winbind.c | 3 +-- source3/auth/pampass.c | 3 +-- source3/auth/pass_check.c | 3 +-- 12 files changed, 12 insertions(+), 24 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 892102a5ef..9b78cec95b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0. + Unix SMB/CIFS implementation. Password and authentication handling Copyright (C) Andrew Bartlett 2001-2002 diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index f1c89689fa..6e999b0d14 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0. + Unix SMB/CIFS implementation. Generic authenticaion types Copyright (C) Andrew Bartlett 2001 diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 8cf304a071..eadfb0392b 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0. + Unix SMB/CIFS implementation. Password and authentication handling Copyright (C) Andrew Bartlett 2001-2002 diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 704f600c66..9e5f32c9a3 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0. + Unix SMB/CIFS implementation. Authenticate against a remote domain Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 55ff7aa060..9586d1d65e 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Main SMB reply routines Copyright (C) Andrew Tridgell 1992-1998 diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 01f41fce44..8fe9dfbdc8 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Password and authentication handling Copyright (C) Andrew Tridgell 1992-2000 Copyright (C) Luke Kenneth Casson Leighton 1996-2000 diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index c83230b716..5190d45c20 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Authenticate to a remote server Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index b2e202552c..05646f554e 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 2.2 + Unix SMB/CIFS implementation. Password and authentication handling Copyright (C) Andrew Bartlett 2001 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b252f42cd..cd53b6b7c2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Authentication utility functions Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 2d8e5066a2..bc19b36b54 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 2.0 + Unix SMB/CIFS implementation. Winbind authentication mechnism diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 018eae3a07..5db844eb55 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 2.2. + Unix SMB/CIFS implementation. PAM Password checking Copyright (C) Andrew Tridgell 1992-2001 Copyright (C) John H Terpsta 1999-2001 diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 0101e0fe18..47c9664a74 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Password checking Copyright (C) Andrew Tridgell 1992-1998 -- cgit From ed389ee8dc9246b2d6c4e483cee16f7255b9a7f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 5 Feb 2002 09:40:36 +0000 Subject: Drastic impromvents to pam_winbind. This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280) --- source3/auth/pampass.c | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 5db844eb55..c21a5b5319 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -86,6 +86,8 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; + *nt_status = pam_to_nt_status(pam_error); + if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ @@ -507,35 +509,27 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) switch( pam_error ){ case PAM_AUTH_ERR: DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); - nt_status = NT_STATUS_WRONG_PASSWORD; break; case PAM_CRED_INSUFFICIENT: DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); - nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO; break; case PAM_AUTHINFO_UNAVAIL: DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_USER_UNKNOWN: DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user)); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_MAXTRIES: DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user)); - nt_status = NT_STATUS_REMOTE_SESSION_LIMIT; break; case PAM_ABORT: DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user)); - nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; } @@ -556,30 +550,23 @@ static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user)); - nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_ACCT_EXPIRED: DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user)); - nt_status = NT_STATUS_ACCOUNT_EXPIRED; break; case PAM_AUTH_ERR: DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user)); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_PERM_DENIED: DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user)); - nt_status = NT_STATUS_ACCOUNT_RESTRICTION; break; case PAM_USER_UNKNOWN: DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user)); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user)); - nt_status = NT_STATUS_OK; break; default: - nt_status = NT_STATUS_ACCOUNT_DISABLED; DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user)); break; } @@ -607,27 +594,21 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) switch( pam_error ) { case PAM_CRED_UNAVAIL: DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user )); - nt_status = NT_STATUS_NO_TOKEN; break; case PAM_CRED_EXPIRED: DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user )); - nt_status = NT_STATUS_PASSWORD_EXPIRED; break; case PAM_USER_UNKNOWN: DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user )); - nt_status = NT_STATUS_NO_SUCH_USER; break; case PAM_CRED_ERR: DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user )); - nt_status = NT_STATUS_LOGON_FAILURE; break; case PAM_SUCCESS: DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user)); - nt_status = NT_STATUS_OK; break; default: DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user)); - nt_status = NT_STATUS_NO_TOKEN; break; } -- cgit From 4f442bc0112a701fec9df7c5ae8132fc73c0f74c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 5 Feb 2002 23:45:29 +0000 Subject: Fix use of uninitialsed variable in PAM code (This used to be commit 6c08c233e6675056c0ee0bbc4ecdcbc205950f54) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index c21a5b5319..1428e929f1 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -83,11 +83,11 @@ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl, NTSTATUS *nt_status) { + *nt_status = pam_to_nt_status(pam_error); + if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl)) return True; - *nt_status = pam_to_nt_status(pam_error); - if (NT_STATUS_IS_OK(*nt_status)) { /* Complain LOUDLY */ DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \ -- cgit From c2729d59a631822c7e5545d13a2eff8ed237401b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 18 Feb 2002 11:07:57 +0000 Subject: serialise all domain auth requests this is needed because W2K will send a TCP reset to any open connections that have not done a negprot when a second connection is made. This meant that under heavy netlogon load a Samba domain member would fail authentications. Jeremy, you may wish to port this to 2.2.x (This used to be commit eb196070e62b45b113e5712f27198c50c5c95657) --- source3/auth/auth_domain.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9e5f32c9a3..947cd41a26 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -81,10 +81,19 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ + /* we use a mutex to prevent two connections at once - when a NT PDC gets + two connections where one hasn't completed a negprot yet it will send a + TCP reset to the first connection (tridge) */ + if (!message_named_mutex(server)) { + DEBUG(1,("domain mutex failed for %s\n", server)); + return NT_STATUS_UNSUCCESSFUL; + } + /* Attempt connection */ - result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + + message_named_mutex_release(server); if (!NT_STATUS_IS_OK(result)) { return result; -- cgit From 90d264fa76e3608027aa7e854c40804d3e99c84f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 27 Feb 2002 12:59:05 +0000 Subject: "user doesn't exist" isn't worthy of a level 1 debug. Make it level 3. (This used to be commit 339e3982bc1d2998022545e02456ec35c3b278a8) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 8fe9dfbdc8..6753951c89 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -366,7 +366,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (ret == False) { - DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); + DEBUG(3,("Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } -- cgit From df43f3d41009f170295f93f6d6df1b6e84077616 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 28 Feb 2002 01:05:15 +0000 Subject: Ensure that winbindd and smbd both use identical logic to find dc's. Fix bug where zeroip addresses were being checked. Jeremy. (This used to be commit 8ed49fe0df201833329c17b2afe1e3aa70646558) --- source3/auth/auth_domain.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 947cd41a26..c7bfea4f6a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -197,9 +197,8 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!is_local_net(ip_list[i])) continue; - if(NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ @@ -211,10 +210,11 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ + if (!is_zero_ip(ip_list[i])) { + if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) + zero_ip(&ip_list[i]); /* Tried and failed. */ + } } /* @@ -227,15 +227,16 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if (NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + if (is_zero_ip(ip_list[i])) + continue; + + if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; } } SAFE_FREE(ip_list); - return nt_status; } -- cgit From d79e11ad6d4be78a4140d0f33acea702cbd1d944 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 1 Mar 2002 01:24:30 +0000 Subject: Various comment fixes from Rafal Szczesniak (This used to be commit 3bf4b42771d115500941be374bfdd9b8c2fdba4a) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index cd53b6b7c2..a4dea39d2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -123,7 +123,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, ZERO_STRUCTP(*user_info); - DEBUG(5,("makeing strings for %s's user_info struct\n", internal_username)); + DEBUG(5,("making strings for %s's user_info struct\n", internal_username)); (*user_info)->smb_name.str = strdup(smb_name); if ((*user_info)->smb_name.str) { -- cgit From a07e040c8c8515d0ffc2a6cce31a4f0124e42023 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 1 Mar 2002 22:45:23 +0000 Subject: SECURITY FIXES: Remove a stray 'unbecome_root()' in the ntdomain an auth failure case. Only allow trust accounts to request a challange in srv_netlogon_nt.c. Currently any user can be the 'machine' for the domain logon. MERGE for 2.2. Andrew Bartlett (This used to be commit 0242d0e17827b05d8cd270f675d2595fa67fd5b9) --- source3/auth/auth_domain.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c7bfea4f6a..6c858e056c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -401,14 +401,14 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - char *p, *pserver; + char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; char *domain = lp_workgroup(); if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_INVALID_PARAMETER; } /* @@ -430,7 +430,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); - unbecome_root(); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -445,13 +444,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * PDC/BDC. Contact each in turn and try and authenticate. */ - pserver = lp_passwordserver(); - p = pserver; + password_server = lp_passwordserver(); nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - p, trust_passwd, last_change_time); + password_server, trust_passwd, last_change_time); return nt_status; } -- cgit From 81b2d66c970c0df94823ad96f50b992fff0c8b94 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Mar 2002 08:25:44 +0000 Subject: Allow Samba to trust NT4 Domains. This commit builds on the auth subsystem to give Samba support for trusting NT4 domains. It is off by default, but is enabled by adding 'trustdomain' to the 'auth methods' smb.conf paramater. Tested against NT4 only - there are still some issues with the join code for Win2k servers (spnego stuff). The main work TODO involves enumerating the trusted domains (including the RPC calls to match), and getting winbind to run on the PDC correctly. Similarly, work remains on getting NT4 to trust Samba domains. Andrew Bartlett (This used to be commit ac8c24a9a888a3f916e8b40238b936e6ad743ef7) --- source3/auth/auth.c | 1 + source3/auth/auth_domain.c | 137 +++++++++++++++++++++++++++++++++++++++------ 2 files changed, 122 insertions(+), 16 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 9b78cec95b..e3af9dada6 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -31,6 +31,7 @@ const struct auth_init_function builtin_auth_init_functions[] = { { "unix", auth_init_unix }, { "smbserver", auth_init_smbserver }, { "ntdomain", auth_init_ntdomain }, + { "trustdomain", auth_init_trustdomain }, { "winbind", auth_init_winbind }, #ifdef DEVELOPER { "name_to_ntstatus", auth_init_name_to_ntstatus }, diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6c858e056c..b57bd2bfcc 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -38,7 +38,10 @@ extern userdom_struct current_user_info; **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - char *server, unsigned char *trust_passwd) + const char *server, + const char *setup_creds_as, + uint16 sec_chan, + const unsigned char *trust_passwd) { struct in_addr dest_ip; fstring remote_machine; @@ -121,7 +124,13 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_UNSUCCESSFUL; } - result = new_cli_nt_setup_creds(*cli, trust_passwd); + snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); + + if (!(*cli)->mach_acct) { + return NT_STATUS_NO_MEMORY; + } + + result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ @@ -142,7 +151,9 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, const char *domain, struct in_addr *ip, - unsigned char *trust_passwd) + const char *setup_creds_as, + uint16 sec_chan, + const unsigned char *trust_passwd) { fstring dc_name; @@ -156,7 +167,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_UNSUCCESSFUL; - return connect_to_domain_password_server(cli, dc_name, trust_passwd); + return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); } /*********************************************************************** @@ -165,6 +176,8 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, const char *domain, + const char *setup_creds_as, + uint16 sec_chan, unsigned char *trust_passwd, time_t last_change_time) { @@ -197,8 +210,10 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!is_local_net(ip_list[i])) continue; - if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], setup_creds_as, + sec_chan, trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ @@ -211,9 +226,11 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, i = (sys_random() % count); if (!is_zero_ip(ip_list[i])) { - if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ + if (!NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], setup_creds_as, + sec_chan, trust_passwd))) + zero_ip(&ip_list[i]); /* Tried and failed. */ } } @@ -231,7 +248,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, continue; if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + &ip_list[i], setup_creds_as, sec_chan, trust_passwd))) break; } } @@ -251,7 +268,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - char *server, unsigned char *trust_passwd, + char *server, char *setup_creds_as, + uint16 sec_chan, + unsigned char *trust_passwd, time_t last_change_time) { fstring remote_machine; @@ -271,9 +290,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, domain, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { - nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); } } @@ -429,7 +448,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { - DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); + DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -449,8 +468,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, trust_passwd, last_change_time); - + password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time); return nt_status; } @@ -464,3 +482,90 @@ BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_m (*auth_method)->auth = check_ntdomain_security; return True; } + + +/**************************************************************************** + Check for a valid username and password in a trusted domain +****************************************************************************/ + +static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + unsigned char trust_md4_password[16]; + char *trust_password; + time_t last_change_time; + DOM_SID sid; + + if (!user_info || !server_info || !auth_context) { + DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(is_netbios_alias_or_name(user_info->domain.str)) { + DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Check that the requested domain is not our own domain, + * If it is, we should use our own local password file. + */ + + if(strequal(lp_workgroup(), (user_info->domain.str))) { + DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Get the machine account password for the trusted domain + * No need to become_root() as secrets_init() is done at startup. + */ + + if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time)) + { + DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + +#ifdef DEBUG_PASSWORD + DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); +#endif + E_md4hash((uchar *)trust_password, trust_md4_password); + SAFE_FREE(trust_password); + +#if 0 + /* Test if machine password is expired and need to be changed */ + if (time(NULL) > last_change_time + lp_machine_password_timeout()) + { + global_machine_password_needs_changing = True; + } +#endif + + nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, + (uchar *)auth_context->challenge.data, + server_info, "*" /* Do a lookup */, + lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + + return nt_status; +} + +/* module initialisation */ +BOOL auth_init_trustdomain(struct auth_context *auth_context, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return False; + } + + (*auth_method)->auth = check_trustdomain_security; + return True; +} -- cgit From 9802310b2aa919964f4f312cd99349d02cc12afc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 13 Mar 2002 01:51:01 +0000 Subject: Ensure we never use "" as a domain name (Win9X apparently does this for 'net use' duirng login). Picked up from a post to a TNG list by Volker. Andrew Bartlett (This used to be commit f81882fc9510aadd7d1db77753b307800ab50f9b) --- source3/auth/auth_util.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a4dea39d2d..587273d9b6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -196,12 +196,17 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, fstrcpy(internal_username, smb_name); map_username(internal_username); - if (lp_allow_trusted_domains()) { + if (lp_allow_trusted_domains() && *client_domain) { + /* the client could have given us a workstation name or other crap for the workgroup - we really need a way of telling if this domain name is one of our trusted domain names + Also don't allow "" as a domain, fixes a Win9X bug + where it doens't supply a domain for logon script + 'net use' commands. + The way I do it here is by checking if the fully qualified username exists. This is rather reliant on winbind, but until we have a better method this -- cgit From ab13654dc9ac23872e4d1384e1c54e336f113009 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 17 Mar 2002 04:36:35 +0000 Subject: Renamed get_nt_error_msg() to nt_errstr(). (This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302) --- source3/auth/auth.c | 6 +++--- source3/auth/auth_domain.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e3af9dada6..c7b9fcc1d8 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -218,7 +218,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, auth_method->name, user_info->smb_name.str)); } else { DEBUG(5, ("check_password: %s authentication for user [%s] FAILED with error %s\n", - auth_method->name, user_info->smb_name.str, get_nt_error_msg(nt_status))); + auth_method->name, user_info->smb_name.str, nt_errstr(nt_status))); } talloc_destroy(mem_ctx); @@ -248,7 +248,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, pdb_username)); } else { DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", - pdb_username, get_nt_error_msg(nt_status))); + pdb_username, nt_errstr(nt_status))); } } @@ -265,7 +265,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(2, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, - get_nt_error_msg(nt_status))); + nt_errstr(nt_status))); ZERO_STRUCTP(server_info); } return nt_status; diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b57bd2bfcc..5e3a4cd95b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -134,7 +134,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); +%s. Error was : %s.\n", remote_machine, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -319,7 +319,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, user_info->domain.str, cli->srv_name_slash, - get_nt_error_msg(nt_status))); + nt_errstr(nt_status))); } else { char *dom_user; -- cgit From bf281ae3e5d686efc49c57952b9ffde52d3d8abf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 23 Mar 2002 09:01:30 +0000 Subject: Extra parinoa and DEBUG()s for the make_user_info_map() code. (This used to be commit aa5f125bc0efeee99254e03f36426420db676527) --- source3/auth/auth_util.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 587273d9b6..a834227e1f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -195,6 +195,9 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); + + DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", + client_domain, smb_name, wksta_name)); if (lp_allow_trusted_domains() && *client_domain) { @@ -216,14 +219,25 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, domain = client_domain; if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ - char *user; - asprintf(&user, "%s%s%s", + char *user = NULL; + if (asprintf(&user, "%s%s%s", client_domain, lp_winbind_separator(), - smb_name); + smb_name) < 0) { + DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); + return False; + } + + DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); + if (Get_Pwnam(user) == NULL) { + DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); domain = lp_workgroup(); + DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", + client_domain, domain)); + } else { + DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); } - free(user); + SAFE_FREE(user); } } else { domain = lp_workgroup(); -- cgit From 1d582af3c0dcbfad9a158f3ed38219c95424b045 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 24 Mar 2002 23:25:05 +0000 Subject: Spelling fixes. (This used to be commit a5ac2ac4ada48ee3be061a32ba40bd8c4b3b3865) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a834227e1f..d80c927c19 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -343,7 +343,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); - /* Password info parinoia */ + /* Password info paranoia */ ZERO_STRUCT(lm_pwd); ZERO_STRUCT(nt_pwd); ZERO_STRUCT(key); -- cgit From 64d20453d97f08e412a2dc51d8d131d630f63999 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 26 Mar 2002 22:36:27 +0000 Subject: Don't hold the mutex for more than 20 seconds. Jeremy. (This used to be commit 1b9f1a368f2f37700cef357ab4bbc0389ec06378) --- source3/auth/auth_domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 5e3a4cd95b..38b48d85ad 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -87,11 +87,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* we use a mutex to prevent two connections at once - when a NT PDC gets two connections where one hasn't completed a negprot yet it will send a TCP reset to the first connection (tridge) */ - if (!message_named_mutex(server)) { - DEBUG(1,("domain mutex failed for %s\n", server)); + if (!message_named_mutex(server, 20)) { + DEBUG(1,("connect_to_domain_password_server: domain mutex failed for %s\n", server)); return NT_STATUS_UNSUCCESSFUL; } + DEBUG(10,("connect_to_domain_password_server: got mutex for %s\n", server)); + /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); -- cgit From 94c52a00525c55db83d48c0ef76c3eb12de0af2b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 27 Mar 2002 00:02:49 +0000 Subject: Moved debug messages for grabbing/releasing mutex. Jeremy. (This used to be commit e144c174eafc18f236c848b8f3a2c6382796f5a9) --- source3/auth/auth_domain.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 38b48d85ad..af353ef812 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -92,8 +92,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_UNSUCCESSFUL; } - DEBUG(10,("connect_to_domain_password_server: got mutex for %s\n", server)); - /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); -- cgit From b10b3be01c84dfcf63970b8d67be3a2170403d94 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 7 Apr 2002 23:41:55 +0000 Subject: Spelling. (This used to be commit 423985ed569ac9692f3cb5872a15c74f983121b6) --- source3/auth/auth_compat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index eadfb0392b..857cf2b7d9 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -21,7 +21,7 @@ #include "includes.h" /**************************************************************************** - COMPATABILITY INTERFACES: + COMPATIBILITY INTERFACES: ***************************************************************************/ /**************************************************************************** -- cgit From 07e6ff5fcfe337bb65a7c3a4493a92a7761cf2ed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 14 Apr 2002 09:44:16 +0000 Subject: Partly based on the work by mimir (Rafal Szczesniak ) this patch allows samba to correctly enumerate its trusted domains - by exaimining the keys in the secrets.tdb file. This patch has been tested with both NT4 and rpcclient/wbinfo, and adds some extra functionality to talloc and rpc_parse to allow it to deal with already unicode strings. Finally, this cleans up some const warnings that were in net_rpc.c by pushing another dash of const into the rpc client code. Andrew Bartlett (This used to be commit 0bdd94cb992b40942aaf2e5e0efd2868b4686296) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index af353ef812..a77bbeade3 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -527,7 +527,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* - * Get the machine account password for the trusted domain + * Get the trusted account password for the trusted domain * No need to become_root() as secrets_init() is done at startup. */ -- cgit From 4df4aca784db3aef5395a2aed311823ba5ffe97b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 22 Apr 2002 22:44:44 +0000 Subject: Ensure auth requests from the same machine are completely serialized. NT4.x DC's require this. Jeremy. (This used to be commit d162b6285d549370a24a926ab1c46cef7e7f630a) --- source3/auth/auth_domain.c | 45 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a77bbeade3..32949a575e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -26,6 +26,32 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; +static char *mutex_server_name; + +static BOOL grab_server_mutex(const char *name) +{ + mutex_server_name = strdup(name); + if (!mutex_server_name) { + DEBUG(0,("grab_server_mutex: malloc failed for %s\n", name)); + return False; + } + if (!message_named_mutex(name, 20)) { + DEBUG(10,("grab_server_mutex: failed for %s\n", name)); + SAFE_FREE(mutex_server_name); + return False; + } + + return True; +} + +static void release_server_mutex(void) +{ + if (mutex_server_name) { + message_named_mutex_release(mutex_server_name); + SAFE_FREE(mutex_server_name); + } +} + /** * Connect to a remote server for domain security authenticaion. * @@ -87,18 +113,21 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* we use a mutex to prevent two connections at once - when a NT PDC gets two connections where one hasn't completed a negprot yet it will send a TCP reset to the first connection (tridge) */ - if (!message_named_mutex(server, 20)) { - DEBUG(1,("connect_to_domain_password_server: domain mutex failed for %s\n", server)); + + /* + * With NT4.x DC's *all* authentication must be serialized to avoid + * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. + */ + + if (!grab_server_mutex(server)) return NT_STATUS_UNSUCCESSFUL; - } /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); - message_named_mutex_release(server); - if (!NT_STATUS_IS_OK(result)) { + release_server_mutex(); return result; } @@ -121,12 +150,14 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); + release_server_mutex(); return NT_STATUS_UNSUCCESSFUL; } snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); if (!(*cli)->mach_acct) { + release_server_mutex(); return NT_STATUS_NO_MEMORY; } @@ -138,9 +169,12 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); + release_server_mutex(); return result; } + /* We exit here with the mutex *locked*. JRA */ + return NT_STATUS_OK; } @@ -406,6 +440,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, cli_nt_session_close(cli); cli_ulogoff(cli); cli_shutdown(cli); + release_server_mutex(); return nt_status; } -- cgit From e00dbecb88de54086988624b7d4a12d95c788ddb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 21 May 2002 07:53:28 +0000 Subject: debug classized (This used to be commit ae5d24873ad0fb3df970cc9912e18e6a5067ae2d) --- source3/auth/auth.c | 3 +++ source3/auth/auth_builtin.c | 3 +++ source3/auth/auth_compat.c | 3 +++ source3/auth/auth_domain.c | 3 +++ source3/auth/auth_rhosts.c | 3 +++ source3/auth/auth_sam.c | 3 +++ source3/auth/auth_server.c | 3 +++ source3/auth/auth_unix.c | 3 +++ source3/auth/auth_util.c | 3 +++ source3/auth/auth_winbind.c | 3 +++ source3/auth/pampass.c | 3 +++ source3/auth/pass_check.c | 3 +++ 12 files changed, 36 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index c7b9fcc1d8..394b696cf6 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /** List of various built-in authenticaion modules */ const struct auth_init_function builtin_auth_init_functions[] = { diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 6e999b0d14..c7af07cc48 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /** * Return a guest logon for guest users (username = "") * diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 857cf2b7d9..c049b3867b 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /**************************************************************************** COMPATIBILITY INTERFACES: ***************************************************************************/ diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 32949a575e..92b2714cf0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -21,6 +21,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + BOOL global_machine_password_needs_changing = False; extern pstring global_myname; diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 9586d1d65e..b2c9bc7ba8 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /**************************************************************************** Read the a hosts.equiv or .rhosts file and check if it allows this user from this machine. diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 6753951c89..3e25af3c97 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -22,6 +22,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /**************************************************************************** core of smb password checking routine. ****************************************************************************/ diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 5190d45c20..5bbc5e1489 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -21,6 +21,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + extern pstring global_myname; extern userdom_struct current_user_info; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 05646f554e..409090a09c 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /** * update the encrypted smbpasswd file from the plaintext username and password * diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d80c927c19..d7c748982d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -22,6 +22,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + extern fstring remote_machine; extern pstring global_myname; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index bc19b36b54..565b2de063 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -23,6 +23,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /* Prototypes from common.h */ NSS_STATUS winbindd_request(int req_type, diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 1428e929f1..a2e7e4c4c3 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -29,6 +29,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + #ifdef WITH_PAM /******************************************************************* diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 47c9664a74..a98fe6b7c7 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -23,6 +23,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DGBC_AUTH + /* these are kept here to keep the string_combinations function simple */ static fstring this_user; #if !defined(WITH_PAM) -- cgit From 66f1182adc0d025cd023c7430b0b0764629c1092 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 21 May 2002 13:49:08 +0000 Subject: typo, sorry (This used to be commit d222bc8c4b620095a21ba327940d4750d5dee753) --- source3/auth/auth.c | 2 +- source3/auth/auth_compat.c | 2 +- source3/auth/auth_domain.c | 2 +- source3/auth/auth_rhosts.c | 2 +- source3/auth/auth_sam.c | 2 +- source3/auth/auth_server.c | 2 +- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 2 +- source3/auth/auth_winbind.c | 2 +- source3/auth/pampass.c | 2 +- source3/auth/pass_check.c | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 394b696cf6..148826fa6e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -21,7 +21,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /** List of various built-in authenticaion modules */ diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index c049b3867b..a70f1e98b7 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -21,7 +21,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /**************************************************************************** COMPATIBILITY INTERFACES: diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 92b2714cf0..d520dabbb2 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -22,7 +22,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH BOOL global_machine_password_needs_changing = False; diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index b2c9bc7ba8..7730f50a3c 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -21,7 +21,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /**************************************************************************** Read the a hosts.equiv or .rhosts file and check if it diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 3e25af3c97..7e0cd513da 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -23,7 +23,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /**************************************************************************** core of smb password checking routine. diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 5bbc5e1489..bcb7d5059b 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -22,7 +22,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH extern pstring global_myname; extern userdom_struct current_user_info; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 409090a09c..69504ebb41 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -21,7 +21,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /** * update the encrypted smbpasswd file from the plaintext username and password diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d7c748982d..7179252ce7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -23,7 +23,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH extern fstring remote_machine; extern pstring global_myname; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 565b2de063..1a72c2df0f 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -24,7 +24,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /* Prototypes from common.h */ diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index a2e7e4c4c3..3831d1b1e7 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -30,7 +30,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH #ifdef WITH_PAM diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index a98fe6b7c7..50ad20f113 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -24,7 +24,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /* these are kept here to keep the string_combinations function simple */ static fstring this_user; -- cgit From 195d578c8de4dfa8045f8f1495e7cd3df985d3f6 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 21 May 2002 15:04:05 +0000 Subject: typo day :-( (This used to be commit 5b3b65aafe38e767e9b7206ffe6d7c89edb267ba) --- source3/auth/auth_builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index c7af07cc48..0cca6b8e15 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -21,7 +21,7 @@ #include "includes.h" #undef DBGC_CLASS -#define DBGC_CLASS DGBC_AUTH +#define DBGC_CLASS DBGC_AUTH /** * Return a guest logon for guest users (username = "") -- cgit From daec6cbbeee8401ef1aa0a3424ee05a3148d7ec8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 May 2002 12:14:28 +0000 Subject: Cleanups! Make some code static, add some const to the PAM code, and make the plaintext password code actually function - particulary without the requirement to modify the 'struct passwd' (which it assumed was made up of fstrings) This kills some particularly ugly code in lib/util_pw.c Andrew Bartlett (This used to be commit 302dad4990ba5194f072e435465d9adaa089ae06) --- source3/auth/auth_unix.c | 4 +-- source3/auth/pampass.c | 8 +++--- source3/auth/pass_check.c | 62 +++++++++++++++++++---------------------------- 3 files changed, 30 insertions(+), 44 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 69504ebb41..d624cb1261 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -28,7 +28,7 @@ * * this ugly hack needs to die, but not quite yet, I think people still use it... **/ -static BOOL update_smbpassword_file(char *user, char *password) +static BOOL update_smbpassword_file(const char *user, const char *password) { SAM_ACCOUNT *sampass = NULL; BOOL ret; @@ -70,8 +70,6 @@ static BOOL update_smbpassword_file(char *user, char *password) DEBUG(3,("pdb_update_sam_account returned %d\n",ret)); } - memset(password, '\0', strlen(password)); - pdb_free_sam(&sampass); return ret; } diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 3831d1b1e7..211e8bce15 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -497,7 +497,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho /* * PAM Authentication Handler */ -static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) +static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user) { int pam_error; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -582,7 +582,7 @@ static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) * PAM Credential Setting */ -static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user) { int pam_error; NTSTATUS nt_status = NT_STATUS_NO_TOKEN; @@ -622,7 +622,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) /* * PAM Internal Session Handler */ -static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, BOOL flag) { int pam_error; @@ -788,7 +788,7 @@ NTSTATUS smb_pam_accountcheck(const char * user) * PAM Password Validation Suite */ -NTSTATUS smb_pam_passcheck(char * user, char * password) +NTSTATUS smb_pam_passcheck(const char * user, const char * password) { pam_handle_t *pamh = NULL; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 50ad20f113..63918796ef 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -436,7 +436,7 @@ try all combinations with N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static NTSTATUS string_combinations2(char *s, int offset, NTSTATUS (*fn) (char *), +static NTSTATUS string_combinations2(char *s, int offset, NTSTATUS (*fn) (const char *), int N) { int len = strlen(s); @@ -470,7 +470,7 @@ try all combinations with up to N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (char *), int N) +static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (const char *), int N) { int n; NTSTATUS nt_status; @@ -484,7 +484,7 @@ static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (char *), int N) /**************************************************************************** core of password checking routine ****************************************************************************/ -static NTSTATUS password_check(char *password) +static NTSTATUS password_check(const char *password) { #ifdef WITH_PAM return smb_pam_passcheck(this_user, password); @@ -591,16 +591,13 @@ match is found and is used to update the encrypted password file return NT_STATUS_OK on correct match, appropriate error otherwise ****************************************************************************/ -NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, - int pwlen, BOOL (*fn) (char *, char *), BOOL run_cracker) +NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, + int pwlen, BOOL (*fn) (const char *, const char *), BOOL run_cracker) { - struct passwd *pass; pstring pass2; int level = lp_passwordlevel(); NTSTATUS nt_status; - if (password) - password[pwlen] = 0; #if DEBUG_PASSWORD DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password)); @@ -627,12 +624,16 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen)); - if (!input_pass) { + if (!pass) { DEBUG(3, ("Couldn't find user %s\n", user)); return NT_STATUS_NO_SUCH_USER; } - pass = make_modifyable_passwd(input_pass); + + /* Copy into global for the convenience of looping code */ + /* Also the place to keep the 'password' no matter what + crazy struct it started in... */ + fstrcpy(this_crypted, pass->pw_passwd); #ifdef HAVE_GETSPNAM { @@ -645,7 +646,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, spass = getspnam(pass->pw_name); if (spass && spass->sp_pwdp) - pstrcpy(pass->pw_passwd, spass->sp_pwdp); + fstrcpy(this_crypted, spass->sp_pwdp); } #elif defined(IA_UINFO) { @@ -663,7 +664,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, { struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); if (pr_pw && pr_pw->ufld.fd_encrypt) - pstrcpy(pass->pw_passwd, pr_pw->ufld.fd_encrypt); + fstrcpy(this_crypted, pr_pw->ufld.fd_encrypt); } #endif @@ -672,7 +673,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, struct passwd_adjunct *pwret; pwret = getpwanam(s); if (pwret && pwret->pwa_passwd) - pstrcpy(pass->pw_passwd,pwret->pwa_passwd); + fstrcpy(this_crypted, pwret->pwa_passwd); } #endif @@ -683,8 +684,8 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, user)); mypasswd = getprpwnam(user); if (mypasswd) { - fstrcpy(pass->pw_name, mypasswd->ufld.fd_name); - fstrcpy(pass->pw_passwd, mypasswd->ufld.fd_encrypt); + fstrcpy(this_user, mypasswd->ufld.fd_name); + fstrcpy(this_crypted, mypasswd->ufld.fd_encrypt); } else { DEBUG(5, ("OSF1_ENH_SEC: No entry for user %s in protected database !\n", @@ -697,7 +698,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, { AUTHORIZATION *ap = getauthuid(pass->pw_uid); if (ap) { - fstrcpy(pass->pw_passwd, ap->a_password); + fstrcpy(this_crypted, ap->a_password); endauthent(); } } @@ -712,27 +713,20 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, this_salt[2] = 0; #endif - /* Copy into global for the convenience of looping code */ - fstrcpy(this_crypted, pass->pw_passwd); - if (!*this_crypted) { if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", this_user)); - passwd_free(&pass); return NT_STATUS_LOGON_FAILURE; } if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", this_user)); - passwd_free(&pass); return NT_STATUS_OK; } } - passwd_free(&pass); - #endif /* defined(WITH_PAM) */ /* try it as it came to us */ @@ -755,42 +749,36 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, * need to proceed as we know it hasn't been case modified by the * client */ if (strhasupper(password) && strhaslower(password)) { - passwd_free(&pass); return nt_status; } /* make a copy of it */ - StrnCpy(pass2, password, sizeof(pstring) - 1); + pstrcpy(pass2, password); /* try all lowercase if it's currently all uppercase */ - if (strhasupper(password)) { - strlower(password); - if NT_STATUS_IS_OK(nt_status = password_check(password)) { + if (strhasupper(pass2)) { + strlower(pass2); + if NT_STATUS_IS_OK(nt_status = password_check(pass2)) { if (fn) - fn(user, password); + fn(user, pass2); return (nt_status); } } /* give up? */ if (level < 1) { - /* restore it */ - fstrcpy(password, pass2); return NT_STATUS_WRONG_PASSWORD; } /* last chance - all combinations of up to level chars upper! */ - strlower(password); + strlower(pass2); - if NT_STATUS_IS_OK(nt_status = string_combinations(password, password_check, level)) { + if (NT_STATUS_IS_OK(nt_status = string_combinations(pass2, password_check, level))) { if (fn) - fn(user, password); + fn(user, pass2); return nt_status; } - /* restore it */ - fstrcpy(password, pass2); - return NT_STATUS_WRONG_PASSWORD; } -- cgit From 2e136b4438379c0dea33898c24bf2fbf670b8770 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 May 2002 12:56:32 +0000 Subject: Nobody uses this function, and there really doesn't seem much point to it, so we may as well reduce the complexity. Andrew Bartlett (This used to be commit 31e074cea50111a150db220603c3cfccaaf4339c) --- source3/auth/auth.c | 20 -------------------- 1 file changed, 20 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 148826fa6e..c40cef5519 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -421,26 +421,6 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) return nt_status; } -/*************************************************************************** - Make a auth_info struct with a random challenge -***************************************************************************/ - -NTSTATUS make_auth_context_random(struct auth_context **auth_context) -{ - uchar chal[8]; - NTSTATUS nt_status; - if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) { - return nt_status; - } - - generate_random_buffer(chal, sizeof(chal), False); - (*auth_context)->challenge = data_blob(chal, sizeof(chal)); - - (*auth_context)->challenge_set_by = "random"; - - return nt_status; -} - /*************************************************************************** Make a auth_info struct with a fixed challenge ***************************************************************************/ -- cgit From 40669777a5f74617fdd80dea3ff5a45a9e9a1aa4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 24 May 2002 03:43:52 +0000 Subject: Move the authenticaion subsystem over to the same 'module:options' syntax that the passdb code now uses. Similarly, move the 'pluggable' stuff over from passdb as well, allowing runtime loading of new authenticaion modules. (NOTE: The interfaces here can *and do* change - module writers are not assured source-level compatibilty, and certainly not binary compatibility). (This used to be commit 3897cf5e048f50be91ae434f636affc6d539d0d1) --- source3/auth/auth.c | 23 ++++++++++++++--- source3/auth/auth_builtin.c | 63 ++++++++++++++++++++++++++++++++++++++++----- source3/auth/auth_domain.c | 12 ++++----- source3/auth/auth_rhosts.c | 12 ++++----- source3/auth/auth_sam.c | 16 +++++++----- source3/auth/auth_server.c | 6 ++--- source3/auth/auth_unix.c | 6 ++--- source3/auth/auth_winbind.c | 6 ++--- 8 files changed, 106 insertions(+), 38 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index c40cef5519..55695fa9c2 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -25,7 +25,7 @@ /** List of various built-in authenticaion modules */ -const struct auth_init_function builtin_auth_init_functions[] = { +const struct auth_init_function_entry builtin_auth_init_functions[] = { { "guest", auth_init_guest }, { "rhosts", auth_init_rhosts }, { "hostsequiv", auth_init_hostsequiv }, @@ -340,14 +340,31 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, { if (strequal(builtin_auth_init_functions[i].name, *text_list)) { + + char *module_name = smb_xstrdup(*text_list); + char *module_params = NULL; + char *p; + + p = strchr(module_name, ':'); + + if (p) { + *p = 0; + + module_params = p+1; + + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); + DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); - if (builtin_auth_init_functions[i].init(*auth_context, &t)) { + if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) { DEBUG(5,("auth method %s has a valid init\n", *text_list)); - t->name = builtin_auth_init_functions[i].name; DLIST_ADD_END(list, t, tmp); } else { DEBUG(0,("auth method %s did not correctly init\n", *text_list)); } + SAFE_FREE(module_name); break; } } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 0cca6b8e15..d2c60ae64f 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -1,7 +1,8 @@ /* Unix SMB/CIFS implementation. Generic authenticaion types - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Jelmer Vernooij 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -52,14 +53,15 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, } /* Guest modules initialisation */ -BOOL auth_init_guest(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_guest_security; - return True; + (*auth_method)->name = "guest"; + return NT_STATUS_OK; } /** @@ -102,13 +104,60 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ } /** Module initailisation function */ -BOOL auth_init_name_to_ntstatus(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_name_to_ntstatus_security; - return True; + (*auth_method)->name = "name_to_ntstatus"; + return NT_STATUS_OK; } +/** + * Outsorce an auth module to an external loadable .so + * + * Only works on systems with dlopen() etc. + **/ + +/* Plugin modules initialisation */ +NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + void * dl_handle; + char *plugin_param, *plugin_name, *p; + auth_init_function plugin_init; + + if (param == NULL) { + DEBUG(0, ("The plugin module needs an argument!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_name = smb_xstrdup(param); + p = strchr(plugin_name, ':'); + if (p) { + *p = 0; + plugin_param = p+1; + trim_string(plugin_param, " ", " "); + } else plugin_param = NULL; + + trim_string(plugin_name, " ", " "); + + DEBUG(5, ("Trying to load auth plugin %s\n", plugin_name)); + dl_handle = sys_dlopen(plugin_name, RTLD_NOW | RTLD_GLOBAL ); + if (!dl_handle) { + DEBUG(0, ("Failed to load auth plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_init = sys_dlsym(dl_handle, "auth_init"); + if (!plugin_init){ + DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)")); + return plugin_init(auth_context, plugin_param, auth_method); +} + + diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d520dabbb2..91c111b557 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -511,14 +511,14 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_ntdomain_security; - return True; + return NT_STATUS_OK; } @@ -598,12 +598,12 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* module initialisation */ -BOOL auth_init_trustdomain(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_trustdomain_security; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 7730f50a3c..4ed0e6bbc4 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -179,14 +179,14 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex } /* module initialisation */ -BOOL auth_init_hostsequiv(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_hostsequiv_security; - return True; + return NT_STATUS_OK; } @@ -223,12 +223,12 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_rhosts(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_rhosts_security; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 7e0cd513da..76579150ce 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -404,14 +404,15 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_sam(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } - (*auth_method)->auth = check_sam_security; - return True; + (*auth_method)->auth = check_sam_security; + (*auth_method)->name = "sam"; + return NT_STATUS_OK; } @@ -442,14 +443,15 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context } /* module initialisation */ -BOOL auth_init_samstrict(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_samstrict_security; - return True; + (*auth_method)->name = "samstrict"; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index bcb7d5059b..0d366a4c0d 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -357,14 +357,14 @@ use this machine as the password server.\n")); return(nt_status); } -BOOL auth_init_smbserver(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_smbserver_security; (*auth_method)->get_chal = auth_get_challenge_server; (*auth_method)->send_keepalive = send_server_keepalive; (*auth_method)->free_private_data = free_server_private_data; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index d624cb1261..9f85bf11fe 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -119,12 +119,12 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_unix(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_unix_security; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 1a72c2df0f..2d214c7aca 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -103,12 +103,12 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_winbind(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_winbind_security; - return True; + return NT_STATUS_OK; } -- cgit From 9c3d5d6fd0dd9e2e62a33d0822a72d5209fe3ffb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 24 May 2002 05:14:16 +0000 Subject: Remove the password length paramater from cli_full_connection - it really didn't make any sense, and its was always just strlen(password) anyway. This fixes it to be strlen(password)+1 Andrew Bartlett (This used to be commit c205b18bd6b9b69200ff3db55f2c641631d4ab40) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 91c111b557..69d922db12 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -127,7 +127,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, - &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + &dest_ip, 0, "IPC$", "IPC", "", "", ""); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); -- cgit From 7ff439756685a8a0b69b25f58e866e03ba0e8699 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 24 May 2002 13:55:05 +0000 Subject: Name the authentication modules, and therfore fix up both the build farm and secuirty=server. I *love* automated testing... Andrew Bartlett (This used to be commit c92f4f4d72ffd307ca2d4d792b5e4154f1b85b91) --- source3/auth/auth_domain.c | 2 ++ source3/auth/auth_server.c | 1 + source3/auth/auth_unix.c | 2 ++ source3/auth/auth_winbind.c | 1 + 4 files changed, 6 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 69d922db12..b41848076d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -517,6 +517,7 @@ NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "ntdomain"; (*auth_method)->auth = check_ntdomain_security; return NT_STATUS_OK; } @@ -604,6 +605,7 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "trustdomain"; (*auth_method)->auth = check_trustdomain_security; return NT_STATUS_OK; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 0d366a4c0d..b31bf7d996 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -362,6 +362,7 @@ NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* para if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "smbserver"; (*auth_method)->auth = check_smbserver_security; (*auth_method)->get_chal = auth_get_challenge_server; (*auth_method)->send_keepalive = send_server_keepalive; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 9f85bf11fe..6f4b3f8b15 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -125,6 +125,8 @@ NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, au return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "unix"; (*auth_method)->auth = check_unix_security; return NT_STATUS_OK; } + diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 2d214c7aca..671e198bf5 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -109,6 +109,7 @@ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; return NT_STATUS_OK; } -- cgit From 20efe2fe6cbc4b5cf861a3296e29f5495637f79c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 25 May 2002 07:37:44 +0000 Subject: Clean up a few unused functions, add a bit of static etc. Importantly: The removal of the silly 'delete user script' behaviour when secuity=domain. I have left the name the same - as it still does the (previously documented, but not in smb.conf(5)) sane behaviour of deleting users on request. When we decide what to do with the 'add user' functionality, we might rename it. Andrew Bartlett (This used to be commit cdcfe3671eb7570e15649b77f708e6579055e7bc) --- source3/auth/auth_util.c | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7179252ce7..0d7a952c04 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -48,24 +48,6 @@ static int smb_create_user(const char *unix_user, const char *homedir) return ret; } -/**************************************************************************** - Delete a UNIX user on demand. -****************************************************************************/ - -int smb_delete_user(const char *unix_user) -{ - pstring del_script; - int ret; - - pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) - return -1; - all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); - ret = smbrun(del_script,NULL); - DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); - return ret; -} - /**************************************************************************** Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ @@ -88,16 +70,6 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli smb_create_user(user_info->internal_username.str, NULL); } } - } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - /* - * User failed to validate ok against Domain controller. - * If the failure was "user doesn't exist" and admin - * wants us to try and delete that UNIX user on the fly, - * do so. - */ - if (lp_deluser_script()) { - smb_delete_user(user_info->internal_username.str); - } } } -- cgit From 84a9a6a1be123ad31d21e743ef5b37f58122333a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 28 May 2002 23:22:05 +0000 Subject: Spelling fixes. (This used to be commit 3d0f4acad2f0c57d0a255e90e5f674ba582251e2) --- source3/auth/auth.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 55695fa9c2..1919a69df2 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -23,7 +23,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -/** List of various built-in authenticaion modules */ +/** List of various built-in authentication modules */ const struct auth_init_function_entry builtin_auth_init_functions[] = { { "guest", auth_init_guest }, @@ -43,7 +43,7 @@ const struct auth_init_function_entry builtin_auth_init_functions[] = { }; /**************************************************************************** - Try to get a challenge out of the various authenticaion modules. + Try to get a challenge out of the various authentication modules. Returns a const char of length 8 bytes. ****************************************************************************/ @@ -68,7 +68,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); if (challenge_set_by != NULL) { - DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", + DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n", challenge_set_by, auth_method->name)); continue; } @@ -80,7 +80,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); if (!challenge.length) { - DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", + DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", auth_method->name)); } else { DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); @@ -164,7 +164,7 @@ static BOOL check_domain_match(const char *user, const char *domain) * filled in, either at creation or by calling the challenge geneation * function auth_get_challenge(). * - * @param server_info If successful, contains information about the authenticaion, + * @param server_info If successful, contains information about the authentication, * including a SAM_ACCOUNT struct describing the user. * * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. @@ -257,7 +257,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { DEBUG((*server_info)->guest ? 5 : 2, - ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + ("check_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", (*server_info)->guest ? "guest " : "", user_info->smb_name.str, user_info->internal_username.str, @@ -266,7 +266,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(2, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", + DEBUG(2, ("check_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, nt_errstr(nt_status))); ZERO_STRUCTP(server_info); -- cgit From 654273856863d861c8be7b46c39e68a81ea3807a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 1 Jun 2002 00:10:08 +0000 Subject: More cleanup work preparing for SMB signing. Jeremy. (This used to be commit 3c05f7c06fc8c45307ea75128b160a5945fc5197) --- source3/auth/auth_server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index b31bf7d996..0e650aa6e3 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -91,7 +91,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } if (cli->protocol < PROTOCOL_LANMAN2 || - !(cli->sec_mode & 1)) { + !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { DEBUG(1,("%s isn't in user level security mode\n",desthost)); cli_shutdown(cli); return NULL; @@ -145,7 +145,7 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte if (cli) { DEBUG(3,("using password server validation\n")); - if ((cli->sec_mode & 2) == 0) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { /* We can't work with unencrypted password servers unless 'encrypt passwords = no' */ DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n")); @@ -216,7 +216,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context return NT_STATUS_LOGON_FAILURE; } - if ((cli->sec_mode & 2) == 0) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { if (user_info->encrypted) { DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost)); return NT_STATUS_LOGON_FAILURE; -- cgit From 58a3a5720def44d5bf053ece272ebd18f245d18f Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 12 Jun 2002 05:10:19 +0000 Subject: Spelling fixes. (This used to be commit de18c785ab9a253cc8bf8d7e4066de0133225c6c) --- source3/auth/auth_builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index d2c60ae64f..c1ce1de242 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -28,7 +28,7 @@ * Return a guest logon for guest users (username = "") * * Typically used as the first module in the auth chain, this allows - * guest logons to be delt with in one place. Non-gust logons 'fail' + * guest logons to be dealt with in one place. Non-guest logons 'fail' * and pass onto the next module. **/ -- cgit From ba590d3dc33da1bd16c518729c7b723c779a1569 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 12 Jun 2002 05:50:03 +0000 Subject: Spelling. (This used to be commit bfd8a33c68a3747cbad21667d7515aebd61ec537) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0d7a952c04..785815814d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -140,7 +140,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, return False; } - DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); + DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); -- cgit From e69fba09846f9bfd1564c4c684bb5d4fc059b02d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 14 Jun 2002 16:02:59 +0000 Subject: moved lp_list_* functions away from param/loadparm.c, put int lib/util_str.c and renamed to str_list_* as it is a better name. Elrond should be satisfied now :) (This used to be commit 4ae260adb9505384fcccfb4c9929cb60a45f2e84) --- source3/auth/auth.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 1919a69df2..3bd36da15b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -384,7 +384,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) char **auth_method_list = NULL; NTSTATUS nt_status; - if (lp_auth_methods() && !lp_list_copy(&auth_method_list, lp_auth_methods())) { + if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) { return NT_STATUS_NO_MEMORY; } @@ -393,33 +393,33 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = lp_list_make("guest samstrict ntdomain"); + auth_method_list = str_list_make("guest samstrict ntdomain"); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = lp_list_make("guest samstrict smbserver"); + auth_method_list = str_list_make("guest samstrict smbserver"); break; case SEC_USER: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); - auth_method_list = lp_list_make("guest sam"); + auth_method_list = str_list_make("guest sam"); } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = lp_list_make("guest unix"); + auth_method_list = str_list_make("guest unix"); } break; case SEC_SHARE: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = lp_list_make("guest sam"); + auth_method_list = str_list_make("guest sam"); } else { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = lp_list_make("guest unix"); + auth_method_list = str_list_make("guest unix"); } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = lp_list_make("guest samstrict ads ntdomain"); + auth_method_list = str_list_make("guest samstrict ads ntdomain"); break; default: DEBUG(5,("Unknown auth method!\n")); @@ -430,11 +430,11 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) } if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) { - lp_list_free(&auth_method_list); + str_list_free(&auth_method_list); return nt_status; } - lp_list_free(&auth_method_list); + str_list_free(&auth_method_list); return nt_status; } -- cgit From e2ed473f571aeb01472ca4c5b91f2e784a30c761 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 Jun 2002 11:07:25 +0000 Subject: It appears that to match NT we should not use the 'samstrict' behaviour, and that local accounts are perfectly fine. (This used to be commit 9fe8da6dd1b7fecfee0a2778fec0b7dd0fd40bfb) --- source3/auth/auth.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 3bd36da15b..4f7a5c24a0 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -38,7 +38,9 @@ const struct auth_init_function_entry builtin_auth_init_functions[] = { { "winbind", auth_init_winbind }, #ifdef DEVELOPER { "name_to_ntstatus", auth_init_name_to_ntstatus }, + { "fixed_challenge", auth_init_fixed_challenge }, #endif + { "plugin", auth_init_plugin }, { NULL, NULL} }; @@ -393,11 +395,11 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest samstrict ntdomain"); + auth_method_list = str_list_make("guest sam ntdomain"); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = str_list_make("guest samstrict smbserver"); + auth_method_list = str_list_make("guest sam smbserver"); break; case SEC_USER: if (lp_encrypted_passwords()) { @@ -419,7 +421,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest samstrict ads ntdomain"); + auth_method_list = str_list_make("guest sam ads ntdomain"); break; default: DEBUG(5,("Unknown auth method!\n")); -- cgit From 209fcbfb92dadbe82c7355a7104d4dbd3398096b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 Jun 2002 11:08:46 +0000 Subject: Add another 'trivial' built in authentication module - this one is a deveopers hack to always send a fixed challange, for the benifit of tutorials and packet sniffing etc. Enabling this module removes all security, so its a --enable-developer option. Andrew Bartlett (This used to be commit 622e6b64dfb0a2c53d2c9dbd7b8ff438492eaf02) --- source3/auth/auth_builtin.c | 50 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index c1ce1de242..5ce7075ab9 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -115,6 +115,56 @@ NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const cha return NT_STATUS_OK; } +/** + * Return a 'fixed' challenge instead of a varaible one. + * + * The idea of this function is to make packet snifs consistant + * with a fixed challenge, so as to aid debugging. + * + * This module is of no value to end-users. + * + * This module does not actually authenticate the user, but + * just pretenteds to need a specified challenge. + * This module removes *all* security from the challenge-response system + * + * @return NT_STATUS_UNSUCCESSFUL + **/ + +static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + return NT_STATUS_UNSUCCESSFUL; +} + +/**************************************************************************** + Get the challenge out of a password server. +****************************************************************************/ + +static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context, + void **my_private_data, + TALLOC_CTX *mem_ctx) +{ + const char *challenge = "I am a teapot"; + return data_blob(challenge, 8); +} + + +/** Module initailisation function */ +NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->auth = check_fixed_challenge_security; + (*auth_method)->get_chal = auth_get_fixed_challenge; + (*auth_method)->name = "fixed_challenge"; + return NT_STATUS_OK; +} + /** * Outsorce an auth module to an external loadable .so * -- cgit From b075458ee7f7632dfa57c1ad8e35d5818f1bcc12 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 Jun 2002 11:15:31 +0000 Subject: This patch does 2 things: It extends the 'server mutex' to conver security=server, becouse the connection race condition exists here too, and while people *should* use security=domain, some sites don't.... (This probably should be done in 2.2 as well). Also, start to actually extract and use the information that the remote server returns in the info3 struct. The server mutex code is now in a new file. Andrew Bartlett (This used to be commit 9b0dabdf4ec3bb45879caae76e03b57ccdad8b4b) --- source3/auth/auth_domain.c | 101 +++---------------------- source3/auth/auth_server.c | 39 +++++++++- source3/auth/auth_util.c | 181 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 225 insertions(+), 96 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b41848076d..8c6bb8908f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -29,32 +29,6 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; -static char *mutex_server_name; - -static BOOL grab_server_mutex(const char *name) -{ - mutex_server_name = strdup(name); - if (!mutex_server_name) { - DEBUG(0,("grab_server_mutex: malloc failed for %s\n", name)); - return False; - } - if (!message_named_mutex(name, 20)) { - DEBUG(10,("grab_server_mutex: failed for %s\n", name)); - SAFE_FREE(mutex_server_name); - return False; - } - - return True; -} - -static void release_server_mutex(void) -{ - if (mutex_server_name) { - message_named_mutex_release(mutex_server_name); - SAFE_FREE(mutex_server_name); - } -} - /** * Connect to a remote server for domain security authenticaion. * @@ -113,9 +87,10 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ - /* we use a mutex to prevent two connections at once - when a NT PDC gets - two connections where one hasn't completed a negprot yet it will send a - TCP reset to the first connection (tridge) */ + /* we use a mutex to prevent two connections at once - when a + Win2k PDC get two connections where one hasn't completed a + session setup yet it will send a TCP reset to the first + connection (tridge) */ /* * With NT4.x DC's *all* authentication must be serialized to avoid @@ -307,14 +282,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, char *server, char *setup_creds_as, uint16 sec_chan, - unsigned char *trust_passwd, + unsigned char trust_passwd[16], time_t last_change_time) { fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - struct passwd *pass; /* * At this point, smb_apasswd points to the lanman response to @@ -358,63 +332,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); } else { - char *dom_user; - - /* Check DOMAIN\username first to catch winbind users, then - just the username for local users. */ + nt_status = make_server_info_info3(mem_ctx, domain, server_info, &info3); +#if 0 + /* The stuff doesn't work right yet */ + SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key)); + memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */); + SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key)); +#endif - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str, - lp_winbind_separator(), - user_info->internal_username.str); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - nt_status = NT_STATUS_NO_MEMORY; - } else { - - if (!(pass = Get_Pwnam(dom_user))) - pass = Get_Pwnam(user_info->internal_username.str); - - if (pass) { - make_server_info_pw(server_info, pass); - if (!server_info) { - nt_status = NT_STATUS_NO_MEMORY; - } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } - } - - /* Store the user group information in the server_info returned to the caller. */ - - if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - goto done; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3.num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - goto done; - } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid); - sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); - } - uni_group_cache_store_netlogon(mem_ctx, &info3); } @@ -434,8 +359,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } #endif /* 0 */ - done: - /* Note - once the cli stream is shutdown the mem_ctx used to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 0e650aa6e3..919cc8d3d8 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -62,6 +62,15 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) continue; } + /* we use a mutex to prevent two connections at once - when a + Win2k PDC get two connections where one hasn't completed a + session setup yet it will send a TCP reset to the first + connection (tridge) */ + + if (!grab_server_mutex(desthost)) { + return NULL; + } + if (cli_connect(cli, desthost, &dest_ip)) { DEBUG(3,("connected to password server %s\n",desthost)); connected_ok = True; @@ -70,13 +79,19 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } if (!connected_ok) { + release_server_mutex(); DEBUG(0,("password server not available\n")); cli_shutdown(cli); return NULL; } - - if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) + + if (!attempt_netbios_session_request(cli, global_myname, + desthost, &dest_ip)) { + release_server_mutex(); + DEBUG(1,("password server fails session request\n")); + cli_shutdown(cli); return NULL; + } if (strequal(desthost,myhostname())) { exit_server("Password server loop!"); @@ -86,6 +101,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) if (!cli_negprot(cli)) { DEBUG(1,("%s rejected the negprot\n",desthost)); + release_server_mutex(); cli_shutdown(cli); return NULL; } @@ -93,12 +109,29 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) if (cli->protocol < PROTOCOL_LANMAN2 || !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { DEBUG(1,("%s isn't in user level security mode\n",desthost)); + release_server_mutex(); cli_shutdown(cli); return NULL; } - DEBUG(3,("password server OK\n")); + /* Get the first session setup done quickly, to avoid silly + Win2k bugs. (The next connection to the server will kill + this one... + */ + if (!cli_session_setup(cli, "", "", 0, "", 0, + "")) { + DEBUG(0,("%s rejected the initial session setup (%s)\n", + desthost, cli_errstr(cli))); + release_server_mutex(); + cli_shutdown(cli); + return NULL; + } + + release_server_mutex(); + + DEBUG(3,("password server OK\n")); + return cli; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 785815814d..a66cd6ffc7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -460,7 +460,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) Make a user_info struct ***************************************************************************/ -BOOL make_server_info(auth_serversupplied_info **server_info) +static BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { @@ -565,6 +565,179 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) return False; } +/*************************************************************************** + Make a server_info struct from the info3 returned by a domain logon +***************************************************************************/ + +NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *domain, + auth_serversupplied_info **server_info, + NET_USER_INFO_3 *info3) +{ + NTSTATUS nt_status = NT_STATUS_OK; + + char *nt_domain; + char *nt_username; + + SAM_ACCOUNT *sam_account = NULL; + DOM_SID user_sid; + DOM_SID group_sid; + + struct passwd *passwd; + + uid_t uid; + gid_t gid; + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + + sid_copy(&user_sid, &info3->dom_sid.sid); + if (!sid_append_rid(&user_sid, info3->user_rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + sid_copy(&group_sid, &info3->dom_sid.sid); + if (!sid_append_rid(&group_sid, info3->group_rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { + return NT_STATUS_NO_MEMORY; + } + + if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { + return NT_STATUS_NO_MEMORY; + } + + if (winbind_sid_to_uid(&uid, &user_sid) + && winbind_sid_to_gid(&gid, &group_sid) + && ((passwd = getpwuid_alloc(uid)))) { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + passwd_free(&passwd); + } else { + char *dom_user; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", + nt_domain, + lp_winbind_separator(), + nt_username); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + return NT_STATUS_NO_MEMORY; + } else { + + if (!(passwd = Get_Pwnam(dom_user)) + /* Only lookup local for the local + domain, we don't want this for + trusted domains */ + && strequal(nt_domain, lp_workgroup())) { + passwd = Get_Pwnam(nt_username); + } + + if (passwd) { + return NT_STATUS_NO_SUCH_USER; + } else { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + } + } + } + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); + return nt_status; + } + + if (!pdb_set_user_sid(sam_account, &user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_nt_username(sam_account, nt_username)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_domain(sam_account, nt_domain)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!make_server_info_sam(server_info, sam_account)) { + DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + /* Store the user group information in the server_info + returned to the caller. */ + + if (info3->num_groups2 != 0) { + int i; + NT_USER_TOKEN *ptok; + auth_serversupplied_info *pserver_info = *server_info; + + if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); + nt_status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + return nt_status; + } + + ptok = pserver_info->ptok; + ptok->num_sids = (size_t)info3->num_groups2; + + if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { + DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); + nt_status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + return nt_status; + } + + for (i = 0; i < ptok->num_sids; i++) { + sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); + if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + free_server_info(server_info); + return nt_status; + } + } + } + return NT_STATUS_OK; +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ @@ -596,9 +769,9 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me void delete_nt_token(NT_USER_TOKEN **pptoken) { if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); + NT_USER_TOKEN *ptoken = *pptoken; + SAFE_FREE( ptoken->user_sids ); + ZERO_STRUCTP(ptoken); } SAFE_FREE(*pptoken); } -- cgit From 4f7a02d5ded64e8c845f0c094a58be5bfb0171e8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Jun 2002 01:51:11 +0000 Subject: Try to get security=domain at least slightly working. The previous code both had basic logic flaws in it, and some subtle issues regarding the Win2k info3 response. I've tested this against Samba (it looks like that was missed last time due to the 'called name' corruption - which broke my testsuite) and accomidated what I've seen from a info3 printout jmcd gave me. I'll get this tested fully as soon as I get my VMware going again. Andrew Bartlett (This used to be commit 87eba4c811293d2428bfb9bc36de22e66dce7f8b) --- source3/auth/auth_domain.c | 3 ++- source3/auth/auth_util.c | 18 +++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8c6bb8908f..ee486d3f30 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -332,7 +332,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); } else { - nt_status = make_server_info_info3(mem_ctx, domain, server_info, &info3); + nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, + user_info->smb_name.str, domain, server_info, &info3); #if 0 /* The stuff doesn't work right yet */ SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key)); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a66cd6ffc7..3ade220c0f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -570,14 +570,16 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) ***************************************************************************/ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *internal_username, + const char *sent_nt_username, const char *domain, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { NTSTATUS nt_status = NT_STATUS_OK; - char *nt_domain; - char *nt_username; + const char *nt_domain; + const char *nt_username; SAM_ACCOUNT *sam_account = NULL; DOM_SID user_sid; @@ -605,11 +607,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { - return NT_STATUS_NO_MEMORY; + /* If the server didn't give us one, just use the one we sent them */ + nt_username = sent_nt_username; } if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { - return NT_STATUS_NO_MEMORY; + /* If the server didn't give us one, just use the one we sent them */ + domain = domain; } if (winbind_sid_to_uid(&uid, &user_sid) @@ -622,7 +626,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, dom_user = talloc_asprintf(mem_ctx, "%s%s%s", nt_domain, lp_winbind_separator(), - nt_username); + internal_username); if (!dom_user) { DEBUG(0, ("talloc_asprintf failed!\n")); @@ -634,10 +638,10 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain, we don't want this for trusted domains */ && strequal(nt_domain, lp_workgroup())) { - passwd = Get_Pwnam(nt_username); + passwd = Get_Pwnam(internal_username); } - if (passwd) { + if (!passwd) { return NT_STATUS_NO_SUCH_USER; } else { nt_status = pdb_init_sam_pw(&sam_account, passwd); -- cgit From 07465761137adf756d771fa1f8592c294488e779 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 Jun 2002 08:57:24 +0000 Subject: Update cli_full_connection() to take a 'flags' paramater, and try to get a few more places to use it. Andrew Bartlett (This used to be commit 23689b0746d5ab030d8693abf71dd2e80ec1d7c7) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index ee486d3f30..9997507757 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -102,7 +102,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, - &dest_ip, 0, "IPC$", "IPC", "", "", ""); + &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); -- cgit From 82176f4d85225c2aae15f9ce3e03730f019934f5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Jul 2002 06:34:27 +0000 Subject: Address the string_sub problem by changing len = 0 to mean "no expand". Went through and checked all string_subs I could to ensure they're being used correctly. Jeremy. (This used to be commit 17cae0d683be404be69554cd0e84117bdcc56c87) --- source3/auth/auth_domain.c | 2 +- source3/auth/auth_server.c | 2 +- source3/auth/pampass.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9997507757..f9f250c26a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -69,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, fstrcpy(remote_machine, server); } - standard_sub_basic(current_user_info.smb_name, remote_machine); + standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); strupper(remote_machine); if(!resolve_name( remote_machine, &dest_ip, 0x20)) { diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 919cc8d3d8..23faedc0ba 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -49,7 +49,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { - standard_sub_basic(current_user_info.smb_name, desthost); + standard_sub_basic(current_user_info.smb_name, desthost, sizeof(desthost)); strupper(desthost); if(!resolve_name( desthost, &dest_ip, 0x20)) { diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 211e8bce15..1a3e55dd44 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -186,7 +186,7 @@ static void special_char_sub(char *buf) static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass) { - pstring_sub(buf, "%u", username); + fstring_sub(buf, "%u", username); all_string_sub(buf, "%o", oldpass, sizeof(fstring)); all_string_sub(buf, "%n", newpass, sizeof(fstring)); } -- cgit From 71b04673bbf665d1ee558a08614fbaaf77095152 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 9 Jul 2002 13:12:27 +0000 Subject: Make it clear that the debug comment is the same as the command being tested for failure. Andrew Bartlett (This used to be commit 6e22f39df8c386781a4f51207a3ccd9c94d151f1) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f9f250c26a..3352c5f9c8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -410,7 +410,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { - DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); + DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/auth/auth.c | 82 +++++++++-------- source3/auth/auth_builtin.c | 118 ++++++++++++++++++++++-- source3/auth/auth_compat.c | 3 + source3/auth/auth_domain.c | 118 +++++++++--------------- source3/auth/auth_rhosts.c | 15 +-- source3/auth/auth_sam.c | 19 ++-- source3/auth/auth_server.c | 57 ++++++++++-- source3/auth/auth_unix.c | 15 +-- source3/auth/auth_util.c | 218 +++++++++++++++++++++++++++++++++++++------- source3/auth/auth_winbind.c | 10 +- source3/auth/pampass.c | 13 ++- source3/auth/pass_check.c | 65 ++++++------- 12 files changed, 501 insertions(+), 232 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index c7b9fcc1d8..4f7a5c24a0 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -20,9 +20,12 @@ #include "includes.h" -/** List of various built-in authenticaion modules */ +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH -const struct auth_init_function builtin_auth_init_functions[] = { +/** List of various built-in authentication modules */ + +const struct auth_init_function_entry builtin_auth_init_functions[] = { { "guest", auth_init_guest }, { "rhosts", auth_init_rhosts }, { "hostsequiv", auth_init_hostsequiv }, @@ -35,12 +38,14 @@ const struct auth_init_function builtin_auth_init_functions[] = { { "winbind", auth_init_winbind }, #ifdef DEVELOPER { "name_to_ntstatus", auth_init_name_to_ntstatus }, + { "fixed_challenge", auth_init_fixed_challenge }, #endif + { "plugin", auth_init_plugin }, { NULL, NULL} }; /**************************************************************************** - Try to get a challenge out of the various authenticaion modules. + Try to get a challenge out of the various authentication modules. Returns a const char of length 8 bytes. ****************************************************************************/ @@ -65,7 +70,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); if (challenge_set_by != NULL) { - DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", + DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n", challenge_set_by, auth_method->name)); continue; } @@ -77,7 +82,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); if (!challenge.length) { - DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", + DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", auth_method->name)); } else { DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); @@ -161,7 +166,7 @@ static BOOL check_domain_match(const char *user, const char *domain) * filled in, either at creation or by calling the challenge geneation * function auth_get_challenge(). * - * @param server_info If successful, contains information about the authenticaion, + * @param server_info If successful, contains information about the authentication, * including a SAM_ACCOUNT struct describing the user. * * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. @@ -254,7 +259,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { DEBUG((*server_info)->guest ? 5 : 2, - ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + ("check_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", (*server_info)->guest ? "guest " : "", user_info->smb_name.str, user_info->internal_username.str, @@ -263,7 +268,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(2, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", + DEBUG(2, ("check_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, nt_errstr(nt_status))); ZERO_STRUCTP(server_info); @@ -337,14 +342,31 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, { if (strequal(builtin_auth_init_functions[i].name, *text_list)) { + + char *module_name = smb_xstrdup(*text_list); + char *module_params = NULL; + char *p; + + p = strchr(module_name, ':'); + + if (p) { + *p = 0; + + module_params = p+1; + + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); + DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); - if (builtin_auth_init_functions[i].init(*auth_context, &t)) { + if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) { DEBUG(5,("auth method %s has a valid init\n", *text_list)); - t->name = builtin_auth_init_functions[i].name; DLIST_ADD_END(list, t, tmp); } else { DEBUG(0,("auth method %s did not correctly init\n", *text_list)); } + SAFE_FREE(module_name); break; } } @@ -364,7 +386,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) char **auth_method_list = NULL; NTSTATUS nt_status; - if (lp_auth_methods() && !lp_list_copy(&auth_method_list, lp_auth_methods())) { + if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) { return NT_STATUS_NO_MEMORY; } @@ -373,33 +395,33 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = lp_list_make("guest samstrict ntdomain"); + auth_method_list = str_list_make("guest sam ntdomain"); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = lp_list_make("guest samstrict smbserver"); + auth_method_list = str_list_make("guest sam smbserver"); break; case SEC_USER: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); - auth_method_list = lp_list_make("guest sam"); + auth_method_list = str_list_make("guest sam"); } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = lp_list_make("guest unix"); + auth_method_list = str_list_make("guest unix"); } break; case SEC_SHARE: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = lp_list_make("guest sam"); + auth_method_list = str_list_make("guest sam"); } else { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = lp_list_make("guest unix"); + auth_method_list = str_list_make("guest unix"); } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = lp_list_make("guest samstrict ads ntdomain"); + auth_method_list = str_list_make("guest sam ads ntdomain"); break; default: DEBUG(5,("Unknown auth method!\n")); @@ -410,31 +432,11 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) } if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) { - lp_list_free(&auth_method_list); + str_list_free(&auth_method_list); return nt_status; } - lp_list_free(&auth_method_list); - return nt_status; -} - -/*************************************************************************** - Make a auth_info struct with a random challenge -***************************************************************************/ - -NTSTATUS make_auth_context_random(struct auth_context **auth_context) -{ - uchar chal[8]; - NTSTATUS nt_status; - if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) { - return nt_status; - } - - generate_random_buffer(chal, sizeof(chal), False); - (*auth_context)->challenge = data_blob(chal, sizeof(chal)); - - (*auth_context)->challenge_set_by = "random"; - + str_list_free(&auth_method_list); return nt_status; } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 6e999b0d14..5ce7075ab9 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -1,7 +1,8 @@ /* Unix SMB/CIFS implementation. Generic authenticaion types - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Jelmer Vernooij 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -20,11 +21,14 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /** * Return a guest logon for guest users (username = "") * * Typically used as the first module in the auth chain, this allows - * guest logons to be delt with in one place. Non-gust logons 'fail' + * guest logons to be dealt with in one place. Non-guest logons 'fail' * and pass onto the next module. **/ @@ -49,14 +53,15 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, } /* Guest modules initialisation */ -BOOL auth_init_guest(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_guest_security; - return True; + (*auth_method)->name = "guest"; + return NT_STATUS_OK; } /** @@ -99,13 +104,110 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ } /** Module initailisation function */ -BOOL auth_init_name_to_ntstatus(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_name_to_ntstatus_security; - return True; + (*auth_method)->name = "name_to_ntstatus"; + return NT_STATUS_OK; +} + +/** + * Return a 'fixed' challenge instead of a varaible one. + * + * The idea of this function is to make packet snifs consistant + * with a fixed challenge, so as to aid debugging. + * + * This module is of no value to end-users. + * + * This module does not actually authenticate the user, but + * just pretenteds to need a specified challenge. + * This module removes *all* security from the challenge-response system + * + * @return NT_STATUS_UNSUCCESSFUL + **/ + +static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + return NT_STATUS_UNSUCCESSFUL; +} + +/**************************************************************************** + Get the challenge out of a password server. +****************************************************************************/ + +static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context, + void **my_private_data, + TALLOC_CTX *mem_ctx) +{ + const char *challenge = "I am a teapot"; + return data_blob(challenge, 8); +} + + +/** Module initailisation function */ +NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->auth = check_fixed_challenge_security; + (*auth_method)->get_chal = auth_get_fixed_challenge; + (*auth_method)->name = "fixed_challenge"; + return NT_STATUS_OK; +} + +/** + * Outsorce an auth module to an external loadable .so + * + * Only works on systems with dlopen() etc. + **/ + +/* Plugin modules initialisation */ +NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + void * dl_handle; + char *plugin_param, *plugin_name, *p; + auth_init_function plugin_init; + + if (param == NULL) { + DEBUG(0, ("The plugin module needs an argument!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_name = smb_xstrdup(param); + p = strchr(plugin_name, ':'); + if (p) { + *p = 0; + plugin_param = p+1; + trim_string(plugin_param, " ", " "); + } else plugin_param = NULL; + + trim_string(plugin_name, " ", " "); + + DEBUG(5, ("Trying to load auth plugin %s\n", plugin_name)); + dl_handle = sys_dlopen(plugin_name, RTLD_NOW | RTLD_GLOBAL ); + if (!dl_handle) { + DEBUG(0, ("Failed to load auth plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_init = sys_dlsym(dl_handle, "auth_init"); + if (!plugin_init){ + DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)")); + return plugin_init(auth_context, plugin_param, auth_method); } + diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 857cf2b7d9..a70f1e98b7 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /**************************************************************************** COMPATIBILITY INTERFACES: ***************************************************************************/ diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index af353ef812..3352c5f9c8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -21,6 +21,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + BOOL global_machine_password_needs_changing = False; extern pstring global_myname; @@ -66,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, fstrcpy(remote_machine, server); } - standard_sub_basic(current_user_info.smb_name, remote_machine); + standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); strupper(remote_machine); if(!resolve_name( remote_machine, &dest_ip, 0x20)) { @@ -84,21 +87,25 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ - /* we use a mutex to prevent two connections at once - when a NT PDC gets - two connections where one hasn't completed a negprot yet it will send a - TCP reset to the first connection (tridge) */ - if (!message_named_mutex(server, 20)) { - DEBUG(1,("connect_to_domain_password_server: domain mutex failed for %s\n", server)); + /* we use a mutex to prevent two connections at once - when a + Win2k PDC get two connections where one hasn't completed a + session setup yet it will send a TCP reset to the first + connection (tridge) */ + + /* + * With NT4.x DC's *all* authentication must be serialized to avoid + * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. + */ + + if (!grab_server_mutex(server)) return NT_STATUS_UNSUCCESSFUL; - } /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); - message_named_mutex_release(server); - if (!NT_STATUS_IS_OK(result)) { + release_server_mutex(); return result; } @@ -121,12 +128,14 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); + release_server_mutex(); return NT_STATUS_UNSUCCESSFUL; } snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); if (!(*cli)->mach_acct) { + release_server_mutex(); return NT_STATUS_NO_MEMORY; } @@ -138,9 +147,12 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); + release_server_mutex(); return result; } + /* We exit here with the mutex *locked*. JRA */ + return NT_STATUS_OK; } @@ -270,14 +282,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, char *server, char *setup_creds_as, uint16 sec_chan, - unsigned char *trust_passwd, + unsigned char trust_passwd[16], time_t last_change_time) { fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - struct passwd *pass; /* * At this point, smb_apasswd points to the lanman response to @@ -321,63 +332,15 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); } else { - char *dom_user; - - /* Check DOMAIN\username first to catch winbind users, then - just the username for local users. */ - - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str, - lp_winbind_separator(), - user_info->internal_username.str); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - nt_status = NT_STATUS_NO_MEMORY; - } else { - - if (!(pass = Get_Pwnam(dom_user))) - pass = Get_Pwnam(user_info->internal_username.str); - - if (pass) { - make_server_info_pw(server_info, pass); - if (!server_info) { - nt_status = NT_STATUS_NO_MEMORY; - } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } - } + nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, + user_info->smb_name.str, domain, server_info, &info3); +#if 0 + /* The stuff doesn't work right yet */ + SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key)); + memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */); + SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key)); +#endif - /* Store the user group information in the server_info returned to the caller. */ - - if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - goto done; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3.num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - goto done; - } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid); - sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); - } - uni_group_cache_store_netlogon(mem_ctx, &info3); } @@ -397,8 +360,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } #endif /* 0 */ - done: - /* Note - once the cli stream is shutdown the mem_ctx used to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ @@ -406,6 +367,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, cli_nt_session_close(cli); cli_ulogoff(cli); cli_shutdown(cli); + release_server_mutex(); return nt_status; } @@ -448,7 +410,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { - DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); + DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -473,14 +435,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "ntdomain"; (*auth_method)->auth = check_ntdomain_security; - return True; + return NT_STATUS_OK; } @@ -527,7 +490,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* - * Get the machine account password for the trusted domain + * Get the trusted account password for the trusted domain * No need to become_root() as secrets_init() is done at startup. */ @@ -560,12 +523,13 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* module initialisation */ -BOOL auth_init_trustdomain(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "trustdomain"; (*auth_method)->auth = check_trustdomain_security; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 9586d1d65e..4ed0e6bbc4 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -20,6 +20,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /**************************************************************************** Read the a hosts.equiv or .rhosts file and check if it allows this user from this machine. @@ -176,14 +179,14 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex } /* module initialisation */ -BOOL auth_init_hostsequiv(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_hostsequiv_security; - return True; + return NT_STATUS_OK; } @@ -220,12 +223,12 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_rhosts(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_rhosts_security; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 6753951c89..76579150ce 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -22,6 +22,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /**************************************************************************** core of smb password checking routine. ****************************************************************************/ @@ -401,14 +404,15 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_sam(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } - (*auth_method)->auth = check_sam_security; - return True; + (*auth_method)->auth = check_sam_security; + (*auth_method)->name = "sam"; + return NT_STATUS_OK; } @@ -439,14 +443,15 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context } /* module initialisation */ -BOOL auth_init_samstrict(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_samstrict_security; - return True; + (*auth_method)->name = "samstrict"; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 5190d45c20..23faedc0ba 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -21,6 +21,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + extern pstring global_myname; extern userdom_struct current_user_info; @@ -46,7 +49,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { - standard_sub_basic(current_user_info.smb_name, desthost); + standard_sub_basic(current_user_info.smb_name, desthost, sizeof(desthost)); strupper(desthost); if(!resolve_name( desthost, &dest_ip, 0x20)) { @@ -59,6 +62,15 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) continue; } + /* we use a mutex to prevent two connections at once - when a + Win2k PDC get two connections where one hasn't completed a + session setup yet it will send a TCP reset to the first + connection (tridge) */ + + if (!grab_server_mutex(desthost)) { + return NULL; + } + if (cli_connect(cli, desthost, &dest_ip)) { DEBUG(3,("connected to password server %s\n",desthost)); connected_ok = True; @@ -67,13 +79,19 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } if (!connected_ok) { + release_server_mutex(); DEBUG(0,("password server not available\n")); cli_shutdown(cli); return NULL; } - - if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) + + if (!attempt_netbios_session_request(cli, global_myname, + desthost, &dest_ip)) { + release_server_mutex(); + DEBUG(1,("password server fails session request\n")); + cli_shutdown(cli); return NULL; + } if (strequal(desthost,myhostname())) { exit_server("Password server loop!"); @@ -83,19 +101,37 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) if (!cli_negprot(cli)) { DEBUG(1,("%s rejected the negprot\n",desthost)); + release_server_mutex(); cli_shutdown(cli); return NULL; } if (cli->protocol < PROTOCOL_LANMAN2 || - !(cli->sec_mode & 1)) { + !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { DEBUG(1,("%s isn't in user level security mode\n",desthost)); + release_server_mutex(); cli_shutdown(cli); return NULL; } - DEBUG(3,("password server OK\n")); + /* Get the first session setup done quickly, to avoid silly + Win2k bugs. (The next connection to the server will kill + this one... + */ + if (!cli_session_setup(cli, "", "", 0, "", 0, + "")) { + DEBUG(0,("%s rejected the initial session setup (%s)\n", + desthost, cli_errstr(cli))); + release_server_mutex(); + cli_shutdown(cli); + return NULL; + } + + release_server_mutex(); + + DEBUG(3,("password server OK\n")); + return cli; } @@ -142,7 +178,7 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte if (cli) { DEBUG(3,("using password server validation\n")); - if ((cli->sec_mode & 2) == 0) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { /* We can't work with unencrypted password servers unless 'encrypt passwords = no' */ DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n")); @@ -213,7 +249,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context return NT_STATUS_LOGON_FAILURE; } - if ((cli->sec_mode & 2) == 0) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { if (user_info->encrypted) { DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost)); return NT_STATUS_LOGON_FAILURE; @@ -354,14 +390,15 @@ use this machine as the password server.\n")); return(nt_status); } -BOOL auth_init_smbserver(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "smbserver"; (*auth_method)->auth = check_smbserver_security; (*auth_method)->get_chal = auth_get_challenge_server; (*auth_method)->send_keepalive = send_server_keepalive; (*auth_method)->free_private_data = free_server_private_data; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 05646f554e..6f4b3f8b15 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -20,12 +20,15 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /** * update the encrypted smbpasswd file from the plaintext username and password * * this ugly hack needs to die, but not quite yet, I think people still use it... **/ -static BOOL update_smbpassword_file(char *user, char *password) +static BOOL update_smbpassword_file(const char *user, const char *password) { SAM_ACCOUNT *sampass = NULL; BOOL ret; @@ -67,8 +70,6 @@ static BOOL update_smbpassword_file(char *user, char *password) DEBUG(3,("pdb_update_sam_account returned %d\n",ret)); } - memset(password, '\0', strlen(password)); - pdb_free_sam(&sampass); return ret; } @@ -118,12 +119,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_unix(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "unix"; (*auth_method)->auth = check_unix_security; - return True; + return NT_STATUS_OK; } + diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d80c927c19..3ade220c0f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -22,6 +22,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + extern fstring remote_machine; extern pstring global_myname; @@ -45,24 +48,6 @@ static int smb_create_user(const char *unix_user, const char *homedir) return ret; } -/**************************************************************************** - Delete a UNIX user on demand. -****************************************************************************/ - -int smb_delete_user(const char *unix_user) -{ - pstring del_script; - int ret; - - pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) - return -1; - all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); - ret = smbrun(del_script,NULL); - DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); - return ret; -} - /**************************************************************************** Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ @@ -85,16 +70,6 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli smb_create_user(user_info->internal_username.str, NULL); } } - } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - /* - * User failed to validate ok against Domain controller. - * If the failure was "user doesn't exist" and admin - * wants us to try and delete that UNIX user on the fly, - * do so. - */ - if (lp_deluser_script()) { - smb_delete_user(user_info->internal_username.str); - } } } @@ -165,7 +140,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, return False; } - DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); + DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); @@ -485,7 +460,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) Make a user_info struct ***************************************************************************/ -BOOL make_server_info(auth_serversupplied_info **server_info) +static BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { @@ -590,6 +565,183 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) return False; } +/*************************************************************************** + Make a server_info struct from the info3 returned by a domain logon +***************************************************************************/ + +NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *internal_username, + const char *sent_nt_username, + const char *domain, + auth_serversupplied_info **server_info, + NET_USER_INFO_3 *info3) +{ + NTSTATUS nt_status = NT_STATUS_OK; + + const char *nt_domain; + const char *nt_username; + + SAM_ACCOUNT *sam_account = NULL; + DOM_SID user_sid; + DOM_SID group_sid; + + struct passwd *passwd; + + uid_t uid; + gid_t gid; + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + + sid_copy(&user_sid, &info3->dom_sid.sid); + if (!sid_append_rid(&user_sid, info3->user_rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + sid_copy(&group_sid, &info3->dom_sid.sid); + if (!sid_append_rid(&group_sid, info3->group_rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { + /* If the server didn't give us one, just use the one we sent them */ + nt_username = sent_nt_username; + } + + if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { + /* If the server didn't give us one, just use the one we sent them */ + domain = domain; + } + + if (winbind_sid_to_uid(&uid, &user_sid) + && winbind_sid_to_gid(&gid, &group_sid) + && ((passwd = getpwuid_alloc(uid)))) { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + passwd_free(&passwd); + } else { + char *dom_user; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", + nt_domain, + lp_winbind_separator(), + internal_username); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + return NT_STATUS_NO_MEMORY; + } else { + + if (!(passwd = Get_Pwnam(dom_user)) + /* Only lookup local for the local + domain, we don't want this for + trusted domains */ + && strequal(nt_domain, lp_workgroup())) { + passwd = Get_Pwnam(internal_username); + } + + if (!passwd) { + return NT_STATUS_NO_SUCH_USER; + } else { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + } + } + } + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); + return nt_status; + } + + if (!pdb_set_user_sid(sam_account, &user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_nt_username(sam_account, nt_username)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_domain(sam_account, nt_domain)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!make_server_info_sam(server_info, sam_account)) { + DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + /* Store the user group information in the server_info + returned to the caller. */ + + if (info3->num_groups2 != 0) { + int i; + NT_USER_TOKEN *ptok; + auth_serversupplied_info *pserver_info = *server_info; + + if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); + nt_status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + return nt_status; + } + + ptok = pserver_info->ptok; + ptok->num_sids = (size_t)info3->num_groups2; + + if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { + DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); + nt_status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + return nt_status; + } + + for (i = 0; i < ptok->num_sids; i++) { + sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); + if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + free_server_info(server_info); + return nt_status; + } + } + } + return NT_STATUS_OK; +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ @@ -621,9 +773,9 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me void delete_nt_token(NT_USER_TOKEN **pptoken) { if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); + NT_USER_TOKEN *ptoken = *pptoken; + SAFE_FREE( ptoken->user_sids ); + ZERO_STRUCTP(ptoken); } SAFE_FREE(*pptoken); } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index bc19b36b54..671e198bf5 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -23,6 +23,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /* Prototypes from common.h */ NSS_STATUS winbindd_request(int req_type, @@ -100,12 +103,13 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_winbind(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 1428e929f1..1a3e55dd44 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -29,6 +29,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + #ifdef WITH_PAM /******************************************************************* @@ -183,7 +186,7 @@ static void special_char_sub(char *buf) static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass) { - pstring_sub(buf, "%u", username); + fstring_sub(buf, "%u", username); all_string_sub(buf, "%o", oldpass, sizeof(fstring)); all_string_sub(buf, "%n", newpass, sizeof(fstring)); } @@ -494,7 +497,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho /* * PAM Authentication Handler */ -static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user) +static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user) { int pam_error; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -579,7 +582,7 @@ static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user) * PAM Credential Setting */ -static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) +static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user) { int pam_error; NTSTATUS nt_status = NT_STATUS_NO_TOKEN; @@ -619,7 +622,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user) /* * PAM Internal Session Handler */ -static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, BOOL flag) { int pam_error; @@ -785,7 +788,7 @@ NTSTATUS smb_pam_accountcheck(const char * user) * PAM Password Validation Suite */ -NTSTATUS smb_pam_passcheck(char * user, char * password) +NTSTATUS smb_pam_passcheck(const char * user, const char * password) { pam_handle_t *pamh = NULL; NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 47c9664a74..63918796ef 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -23,6 +23,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + /* these are kept here to keep the string_combinations function simple */ static fstring this_user; #if !defined(WITH_PAM) @@ -433,7 +436,7 @@ try all combinations with N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static NTSTATUS string_combinations2(char *s, int offset, NTSTATUS (*fn) (char *), +static NTSTATUS string_combinations2(char *s, int offset, NTSTATUS (*fn) (const char *), int N) { int len = strlen(s); @@ -467,7 +470,7 @@ try all combinations with up to N uppercase letters. offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ -static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (char *), int N) +static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (const char *), int N) { int n; NTSTATUS nt_status; @@ -481,7 +484,7 @@ static NTSTATUS string_combinations(char *s, NTSTATUS (*fn) (char *), int N) /**************************************************************************** core of password checking routine ****************************************************************************/ -static NTSTATUS password_check(char *password) +static NTSTATUS password_check(const char *password) { #ifdef WITH_PAM return smb_pam_passcheck(this_user, password); @@ -588,16 +591,13 @@ match is found and is used to update the encrypted password file return NT_STATUS_OK on correct match, appropriate error otherwise ****************************************************************************/ -NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, - int pwlen, BOOL (*fn) (char *, char *), BOOL run_cracker) +NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, + int pwlen, BOOL (*fn) (const char *, const char *), BOOL run_cracker) { - struct passwd *pass; pstring pass2; int level = lp_passwordlevel(); NTSTATUS nt_status; - if (password) - password[pwlen] = 0; #if DEBUG_PASSWORD DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password)); @@ -624,12 +624,16 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen)); - if (!input_pass) { + if (!pass) { DEBUG(3, ("Couldn't find user %s\n", user)); return NT_STATUS_NO_SUCH_USER; } - pass = make_modifyable_passwd(input_pass); + + /* Copy into global for the convenience of looping code */ + /* Also the place to keep the 'password' no matter what + crazy struct it started in... */ + fstrcpy(this_crypted, pass->pw_passwd); #ifdef HAVE_GETSPNAM { @@ -642,7 +646,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, spass = getspnam(pass->pw_name); if (spass && spass->sp_pwdp) - pstrcpy(pass->pw_passwd, spass->sp_pwdp); + fstrcpy(this_crypted, spass->sp_pwdp); } #elif defined(IA_UINFO) { @@ -660,7 +664,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, { struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); if (pr_pw && pr_pw->ufld.fd_encrypt) - pstrcpy(pass->pw_passwd, pr_pw->ufld.fd_encrypt); + fstrcpy(this_crypted, pr_pw->ufld.fd_encrypt); } #endif @@ -669,7 +673,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, struct passwd_adjunct *pwret; pwret = getpwanam(s); if (pwret && pwret->pwa_passwd) - pstrcpy(pass->pw_passwd,pwret->pwa_passwd); + fstrcpy(this_crypted, pwret->pwa_passwd); } #endif @@ -680,8 +684,8 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, user)); mypasswd = getprpwnam(user); if (mypasswd) { - fstrcpy(pass->pw_name, mypasswd->ufld.fd_name); - fstrcpy(pass->pw_passwd, mypasswd->ufld.fd_encrypt); + fstrcpy(this_user, mypasswd->ufld.fd_name); + fstrcpy(this_crypted, mypasswd->ufld.fd_encrypt); } else { DEBUG(5, ("OSF1_ENH_SEC: No entry for user %s in protected database !\n", @@ -694,7 +698,7 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, { AUTHORIZATION *ap = getauthuid(pass->pw_uid); if (ap) { - fstrcpy(pass->pw_passwd, ap->a_password); + fstrcpy(this_crypted, ap->a_password); endauthent(); } } @@ -709,27 +713,20 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, this_salt[2] = 0; #endif - /* Copy into global for the convenience of looping code */ - fstrcpy(this_crypted, pass->pw_passwd); - if (!*this_crypted) { if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", this_user)); - passwd_free(&pass); return NT_STATUS_LOGON_FAILURE; } if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", this_user)); - passwd_free(&pass); return NT_STATUS_OK; } } - passwd_free(&pass); - #endif /* defined(WITH_PAM) */ /* try it as it came to us */ @@ -752,42 +749,36 @@ NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password, * need to proceed as we know it hasn't been case modified by the * client */ if (strhasupper(password) && strhaslower(password)) { - passwd_free(&pass); return nt_status; } /* make a copy of it */ - StrnCpy(pass2, password, sizeof(pstring) - 1); + pstrcpy(pass2, password); /* try all lowercase if it's currently all uppercase */ - if (strhasupper(password)) { - strlower(password); - if NT_STATUS_IS_OK(nt_status = password_check(password)) { + if (strhasupper(pass2)) { + strlower(pass2); + if NT_STATUS_IS_OK(nt_status = password_check(pass2)) { if (fn) - fn(user, password); + fn(user, pass2); return (nt_status); } } /* give up? */ if (level < 1) { - /* restore it */ - fstrcpy(password, pass2); return NT_STATUS_WRONG_PASSWORD; } /* last chance - all combinations of up to level chars upper! */ - strlower(password); + strlower(pass2); - if NT_STATUS_IS_OK(nt_status = string_combinations(password, password_check, level)) { + if (NT_STATUS_IS_OK(nt_status = string_combinations(pass2, password_check, level))) { if (fn) - fn(user, password); + fn(user, pass2); return nt_status; } - /* restore it */ - fstrcpy(password, pass2); - return NT_STATUS_WRONG_PASSWORD; } -- cgit From 5e0cffda3e2de6112f1b3f4046daa948f8d95e91 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 20 Jul 2002 04:55:42 +0000 Subject: NT_STATUS_UNSUCCESSFUL just gets clients confused - move to NO_LOGON_SERVERS becouse thats what Win2k gives when the PDC is down. Some of these might better go to other errors, but the Win2k text message for 'unsuccessful' is not particularly useful. (A device attached to the system is not functioning...) Andrew Bartlett (This used to be commit 656f1d68e8579f1bd0a7118caf9e0373d5980a69) --- source3/auth/auth_domain.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 3352c5f9c8..bc03528985 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -57,13 +57,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, a password server anyways */ if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { DEBUG(0, ("connect_to_domain_password_server: Can't " "resolve name for IP %s\n", server)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } } else { fstrcpy(remote_machine, server); @@ -74,13 +74,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, if(!resolve_name( remote_machine, &dest_ip, 0x20)) { DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } /* TODO: Send a SAMLOGON request to determine whether this is a valid @@ -98,7 +98,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, */ if (!grab_server_mutex(server)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, @@ -129,7 +129,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_ulogoff(*cli); cli_shutdown(*cli); release_server_mutex(); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); @@ -174,10 +174,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, */ if (is_zero_ip(*ip)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; if (!lookup_dc_name(global_myname, domain, ip, dc_name)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); } @@ -196,7 +196,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, struct in_addr *ip_list = NULL; int count = 0; int i; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; time_t time_now = time(NULL); BOOL use_pdc_only = False; @@ -212,7 +212,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, use_pdc_only = True; if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; /* * Firstly try and contact a PDC/BDC who has the same @@ -288,7 +288,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; /* * At this point, smb_apasswd points to the lanman response to -- cgit From 129b3966c04f4f1be33d35ca720e5946fbe76051 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 20 Jul 2002 06:55:05 +0000 Subject: Add support for a weird behaviour apparently used by Win9X pass-through authentication - we can have an NT hash in the LM hash feild. (I need to double-check this fix with tpot, who discovered it). Also remove silly casts back and forth between uchar and char. Andrew Bartlett (This used to be commit 07e2b36311f91d7a20865a2ccc94716772e53fd7) --- source3/auth/auth_sam.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 76579150ce..155370546a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -107,7 +107,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, memcpy(client_response, ntv2_response.data, sizeof(client_response)); ntv2_owf_gen(part_passwd, user, domain, kr); - SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, (char *)value_from_encryption); + SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, value_from_encryption); if (user_sess_key != NULL) { SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); @@ -232,11 +232,26 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { return NT_STATUS_OK; } else { + if (lp_ntlm_auth()) { + /* Apparently NT accepts NT responses in the LM feild + - I think this is related to Win9X pass-though authenticaion + */ + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM feild\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + nt_pw, auth_context->challenge, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(3,("sam_password_ok: NT MD4 password in LM feild failed for user %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } + } DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } } - + /* Should not be reached, but if they send nothing... */ DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; -- cgit From ea9d3057e9cbd615176a7b98bcd935b6f9b434cb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 20 Jul 2002 11:58:06 +0000 Subject: Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had a distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bc03528985..ee3793a6c1 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -503,7 +503,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte #ifdef DEBUG_PASSWORD DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); #endif - E_md4hash((uchar *)trust_password, trust_md4_password); + E_md4hash(trust_password, trust_md4_password); SAFE_FREE(trust_password); #if 0 -- cgit From 035738863609b0762a18962f1c471bb385254f10 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 21 Jul 2002 00:49:16 +0000 Subject: Renamed all the new_cli_netlogon_* functions to cli_netlogon_* as they're no longer new! (This used to be commit 277f6bbb9a63541a473a80a7994e9bde5c6f22dc) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index ee3793a6c1..0f084dc1de 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -139,7 +139,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -- cgit From a4ec4acd61d58bca9c1f6d474ab16265e4113f7a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 28 Jul 2002 18:10:39 +0000 Subject: found nasty bug in intl/lang_tdb.c tdb structure was not tested to not be null before close this one fixes swat not working with browsers that set more then one language. along the way implemented language priority in web/neg_lang.c with bubble sort also changet str_list_make to be able to use a different separator string Simo. (This used to be commit 69765e4faa8aaae74c97afc917891fc72d80703d) --- source3/auth/auth.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4f7a5c24a0..dca9c6c3c4 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -395,33 +395,33 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam ntdomain"); + auth_method_list = str_list_make("guest sam ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = str_list_make("guest sam smbserver"); + auth_method_list = str_list_make("guest sam smbserver", NULL); break; case SEC_USER: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam"); + auth_method_list = str_list_make("guest sam", NULL); } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = str_list_make("guest unix"); + auth_method_list = str_list_make("guest unix", NULL); } break; case SEC_SHARE: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam"); + auth_method_list = str_list_make("guest sam", NULL); } else { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = str_list_make("guest unix"); + auth_method_list = str_list_make("guest unix", NULL); } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam ads ntdomain"); + auth_method_list = str_list_make("guest sam ads ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); -- cgit From 2b975fda870e33dc7fd28510fb0ea670e6c92ed6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Jul 2002 11:21:42 +0000 Subject: - if we are in ADS mode then avoid an expensive netbios lookup to find the servers netbios name when we don't need it. This also fixes ADS mode when the DC has netbios disabled. - if the password server is specified as an IP then actually use that IP, don't do a lookup for the servers name :) (This used to be commit 72042e94ef0f6841afcfa48eafb9809545860725) --- source3/auth/auth_domain.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0f084dc1de..9134a3fc63 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -60,22 +60,31 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_NO_LOGON_SERVERS; } - if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { + if (lp_security() == SEC_ADS) { + /* if in ADS mode then we know that port 445 + will work and *SMBSERVER will be recognised + anyway. This avoids an expensive netbios + lookup. */ + fstrcpy(remote_machine, "*SMBSERVER"); + } else if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { DEBUG(0, ("connect_to_domain_password_server: Can't " "resolve name for IP %s\n", server)); return NT_STATUS_NO_LOGON_SERVERS; } + + /* we know the IP - smb.conf specified it! */ + dest_ip = to_ip; } else { fstrcpy(remote_machine, server); + strupper(remote_machine); + if (!resolve_name(remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + remote_machine)); + return NT_STATUS_NO_LOGON_SERVERS; + } } standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", -- cgit From da44215ebb365adfdc82931b44cc43e2a663fb31 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Jul 2002 11:30:13 +0000 Subject: removed a gratuitous standard_sub_basic() on the 'password server' field. This has got to be pointless. (This used to be commit fd02adab54b66a19c1b81b8ae91e66713691b060) --- source3/auth/auth_domain.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9134a3fc63..50bad0bd30 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -84,8 +84,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, } } - standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); - if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); -- cgit From 0bd3a76f673de93dac4fa18a60612bc888c05df4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Jul 2002 12:42:41 +0000 Subject: 2nd try at a fix for netbiosless connections to a ADS DC. This also make the code a fair bit cleaner as it splits up the ADS and RPC cases, which really are very different. (This used to be commit 5a11c432afebe84b17820396476f48a6a6f6411b) --- source3/auth/auth_domain.c | 121 +++++++++++++++++++++++++++++++++------------ 1 file changed, 90 insertions(+), 31 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 50bad0bd30..d0b5b4db7f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -29,6 +29,87 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; + +/* + resolve the name of a DC in ways appropriate for an ADS domain mode + an ADS domain may not have Netbios enabled at all, so this is + quite different from the RPC case + Note that we ignore the 'server' parameter here. That has the effect of using + the 'ADS server' smb.conf parameter, which is what we really want anyway + */ +static NTSTATUS ads_resolve_dc(const char *server, + fstring remote_machine, + struct in_addr *dest_ip) +{ + ADS_STRUCT *ads; + ads = ads_init_simple(); + if (!ads) { + return NT_STATUS_NO_LOGON_SERVERS; + } + +#ifdef HAVE_ADS + /* a full ads_connect() is actually overkill, as we don't srictly need + to do the SASL auth in order to get the info we need, but libads + doesn't offer a better way right now */ + if (!ADS_ERR_OK(ads_connect(ads))) { + return NT_STATUS_NO_LOGON_SERVERS; + } +#endif + + fstrcpy(remote_machine, ads->ldap_server_name); + strupper(remote_machine); + *dest_ip = *interpret_addr2(ads->ldap_server); + ads_destroy(&ads); + + if (!*remote_machine) { + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("ads_resolve_dc: using server='%s' IP=%s\n", + remote_machine, inet_ntoa(*dest_ip))); + + return NT_STATUS_OK; +} + +/* + resolve the name of a DC in ways appropriate for RPC domain mode + this relies on the server supporting netbios and port 137 not being + firewalled + */ +static NTSTATUS rpc_resolve_dc(const char *server, + fstring remote_machine, + struct in_addr *dest_ip) +{ + if (is_ipaddress(server)) { + struct in_addr to_ip = *interpret_addr2(server); + + /* we need to know the machines netbios name - this is a lousy + way to find it, but until we have a RPC call that does this + it will have to do */ + if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { + DEBUG(2, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return NT_STATUS_NO_LOGON_SERVERS; + } + + *dest_ip = to_ip; + return NT_STATUS_OK; + } + + fstrcpy(remote_machine, server); + strupper(remote_machine); + if (!resolve_name(remote_machine, dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + remote_machine)); + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("rpc_resolve_dc: using server='%s' IP=%s\n", + remote_machine, inet_ntoa(*dest_ip))); + + return NT_STATUS_OK; +} + /** * Connect to a remote server for domain security authenticaion. * @@ -50,38 +131,16 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, fstring remote_machine; NTSTATUS result; - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - if (lp_security() == SEC_ADS) { - /* if in ADS mode then we know that port 445 - will work and *SMBSERVER will be recognised - anyway. This avoids an expensive netbios - lookup. */ - fstrcpy(remote_machine, "*SMBSERVER"); - } else if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - /* we know the IP - smb.conf specified it! */ - dest_ip = to_ip; + if (lp_security() == SEC_ADS) { + result = ads_resolve_dc(server, remote_machine, &dest_ip); } else { - fstrcpy(remote_machine, server); - strupper(remote_machine); - if (!resolve_name(remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } + result = rpc_resolve_dc(server, remote_machine, &dest_ip); + } + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", + nt_errstr(result))); + return result; } if (ismyip(dest_ip)) { -- cgit From 2edcc96c11c1f5c9294f1730973e7582b3a3acbd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Jul 2002 13:27:42 +0000 Subject: a couple more minor tweaks. This now allows us to operate in ADS mode without any 'realm =' or 'ads server =' options at all, as long as DNS is working right. (This used to be commit d3fecdd04241ed7b9248e52415693cd54a1faecf) --- source3/auth/auth_domain.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d0b5b4db7f..f74f1bb9e8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -37,8 +37,7 @@ extern userdom_struct current_user_info; Note that we ignore the 'server' parameter here. That has the effect of using the 'ADS server' smb.conf parameter, which is what we really want anyway */ -static NTSTATUS ads_resolve_dc(const char *server, - fstring remote_machine, +static NTSTATUS ads_resolve_dc(fstring remote_machine, struct in_addr *dest_ip) { ADS_STRUCT *ads; @@ -132,7 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, NTSTATUS result; if (lp_security() == SEC_ADS) { - result = ads_resolve_dc(server, remote_machine, &dest_ip); + result = ads_resolve_dc(remote_machine, &dest_ip); } else { result = rpc_resolve_dc(server, remote_machine, &dest_ip); } @@ -366,7 +365,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { + if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); -- cgit From 55c978d85ea9b2fbd3eeb597d4b383399c5106a7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 30 Jul 2002 15:34:10 +0000 Subject: net ads info now reports the IP of the LDAP server as well as its name - very useful in scripts (This used to be commit fc0d5479b575c1f495b9251413eed18ec1e37e02) --- source3/auth/auth_domain.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f74f1bb9e8..327d49144f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -46,6 +46,8 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, return NT_STATUS_NO_LOGON_SERVERS; } + DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->realm)); + #ifdef HAVE_ADS /* a full ads_connect() is actually overkill, as we don't srictly need to do the SASL auth in order to get the info we need, but libads @@ -57,10 +59,10 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, fstrcpy(remote_machine, ads->ldap_server_name); strupper(remote_machine); - *dest_ip = *interpret_addr2(ads->ldap_server); + *dest_ip = ads->ldap_ip; ads_destroy(&ads); - if (!*remote_machine) { + if (!*remote_machine || is_zero_ip(*dest_ip)) { return NT_STATUS_NO_LOGON_SERVERS; } @@ -166,8 +168,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname, server, - &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + result = cli_full_connection(cli, global_myname, remote_machine, + &dest_ip, 0, "IPC$", "IPC", "", "", ""); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); -- cgit From d0fe79b9ee16afae0bf7d306b7916d7aef0f59c8 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 30 Jul 2002 17:38:27 +0000 Subject: Fix the build for now.. Tridge, please look at this. Did you mean to take out the last parm? (This used to be commit f70886df942e8b37fecb503b2d87f39f19c9bdab) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 327d49144f..72c216581e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -169,7 +169,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ result = cli_full_connection(cli, global_myname, remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", ""); + &dest_ip, 0, "IPC$", "IPC", "", "", "",0); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); -- cgit From 81b69dc79cccd575d33b62ddf7941c5b3c44fdfe Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 31 Jul 2002 02:00:30 +0000 Subject: the ads_connect() here doesn't need to actually succeed, as its only needed to find the DC IP. Just don't check its return value! (This used to be commit ab144cd8af1622894d446ce48dde99babeb30bd6) --- source3/auth/auth_domain.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 72c216581e..b37ce2cc91 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -52,9 +52,7 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, /* a full ads_connect() is actually overkill, as we don't srictly need to do the SASL auth in order to get the info we need, but libads doesn't offer a better way right now */ - if (!ADS_ERR_OK(ads_connect(ads))) { - return NT_STATUS_NO_LOGON_SERVERS; - } + ads_connect(ads); #endif fstrcpy(remote_machine, ads->ldap_server_name); -- cgit From 2d67a683b735d50f411a4bee9ee5ec17e9a60015 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Jul 2002 12:05:30 +0000 Subject: Winbind updates! This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett (This used to be commit 167f122b670d4ef67d78e6f79a2bae3f6e8d67df) --- source3/auth/auth_winbind.c | 70 +++++++++++++++++++++++++++++++-------------- 1 file changed, 49 insertions(+), 21 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 671e198bf5..5bdccd39f3 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -32,6 +32,30 @@ NSS_STATUS winbindd_request(int req_type, struct winbindd_request *request, struct winbindd_response *response); +NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) +{ + uint8 *info3_ndr; + size_t len = response->length - sizeof(response); + prs_struct ps; + if (len > 0) { + info3_ndr = response->extra_data; + if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { + return NT_STATUS_NO_MEMORY; + } + prs_append_data(&ps, info3_ndr, len); + ps.data_offset = 0; + if (!net_io_user_info3("", info3, &ps, 1, 3)) { + DEBUG(2, ("get_info3_from_ndr: could not parse info3 struct!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + prs_mem_free(&ps); + + return NT_STATUS_OK; + } else { + DEBUG(2, ("get_info3_from_ndr: No info3 struct found!\n")); + return NT_STATUS_UNSUCCESSFUL; + } +} /* Authenticate a user with a challenge/response */ @@ -44,11 +68,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; - struct passwd *pw; NTSTATUS nt_status; + NET_USER_INFO_3 info3; if (!user_info) { - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_INVALID_PARAMETER; } if (!auth_context) { @@ -62,11 +86,14 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, ZERO_STRUCT(request); ZERO_STRUCT(response); - snprintf(request.data.auth_crap.user, sizeof(request.data.auth_crap.user), - "%s\\%s", user_info->domain.str, user_info->smb_name.str); + request.data.auth_crap.flags = WINBIND_PAM_INFO3_NDR; - fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); - fstrcpy(request.data.auth_crap.domain, user_info->domain.str); + push_utf8_fstring(request.data.auth_crap.user, + user_info->smb_name.str); + push_utf8_fstring(request.data.auth_crap.domain, + user_info->domain.str); + push_utf8_fstring(request.data.auth_crap.workstation, + user_info->wksta_name.str); memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); @@ -76,27 +103,28 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, sizeof(request.data.auth_crap.nt_resp)); memcpy(request.data.auth_crap.lm_resp, user_info->lm_resp.data, - sizeof(request.data.auth_crap.lm_resp_len)); - memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, request.data.auth_crap.lm_resp_len); + memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, + request.data.auth_crap.nt_resp_len); result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); - if (result == NSS_STATUS_SUCCESS) { - - pw = Get_Pwnam(user_info->internal_username.str); - - if (pw) { - if (make_server_info_pw(server_info, pw)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS(response.data.auth.nt_status); + + if (result == NSS_STATUS_SUCCESS && response.extra_data) { + if (NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { + nt_status = + make_server_info_info3(mem_ctx, + user_info->internal_username.str, + user_info->smb_name.str, + user_info->domain.str, + server_info, + &info3); } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; } - } else { - nt_status = NT_STATUS_LOGON_FAILURE; + } else if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_UNSUCCESSFUL; } return nt_status; -- cgit From 640e1dd4465c099aaafeb5fda8326788c19510f6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Jul 2002 12:17:32 +0000 Subject: Let everybody enjoy my new toy - make it the default! Authenticaions will now attempt to use winbind, and only fall back to 'ntdomain' (the old security=domain) code if that fails (for any reason, including wrong password). I'll fix up the authenticaion code to better handle the different types of failures in the near future. Andrew Bartlett (This used to be commit 78f0d4337bd263d26d7b349eaf8148e863c62f69) --- source3/auth/auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dca9c6c3c4..d43afc71e1 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -395,7 +395,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); @@ -421,7 +421,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam ads ntdomain", NULL); + auth_method_list = str_list_make("guest sam ads winbind ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); -- cgit From ab9ff0fa73f33c064a39859e39fa79af77cc088f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 5 Aug 2002 02:47:46 +0000 Subject: This fixes a number of ADS problems, particularly with netbiosless setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00) --- source3/auth/auth_domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b37ce2cc91..d48cec5b29 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -46,7 +46,9 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, return NT_STATUS_NO_LOGON_SERVERS; } - DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->realm)); + DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); + + ads->auth.no_bind = 1; #ifdef HAVE_ADS /* a full ads_connect() is actually overkill, as we don't srictly need @@ -55,7 +57,7 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, ads_connect(ads); #endif - fstrcpy(remote_machine, ads->ldap_server_name); + fstrcpy(remote_machine, ads->config.ldap_server_name); strupper(remote_machine); *dest_ip = ads->ldap_ip; ads_destroy(&ads); -- cgit From dd5615c04241ec09e6b877a0670a957fa7702902 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Aug 2002 02:30:35 +0000 Subject: Make 'remote_machine' private to lib/substitute.c, and fix all the user to use the new accessor functions. Andrew Bartlett (This used to be commit f393de2310e997d05674eb7f1268655373e03647) --- source3/auth/auth_util.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3ade220c0f..f914d91871 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -25,7 +25,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern fstring remote_machine; extern pstring global_myname; /**************************************************************************** @@ -394,7 +393,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - remote_machine, + get_remote_machine_name(), local_lm_blob, local_nt_blob, plaintext_password, @@ -429,7 +428,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, return make_user_info_map(user_info, smb_name, client_domain, - remote_machine, + get_remote_machine_name(), lm_resp, nt_resp, no_plaintext_blob, -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/auth/auth.c | 14 ++--- source3/auth/auth_domain.c | 139 ++++++++++++++++++++++++++++++++------------ source3/auth/auth_sam.c | 19 +++++- source3/auth/auth_util.c | 5 +- source3/auth/auth_winbind.c | 70 +++++++++++++++------- 5 files changed, 178 insertions(+), 69 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4f7a5c24a0..d43afc71e1 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -395,33 +395,33 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam ntdomain"); + auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = str_list_make("guest sam smbserver"); + auth_method_list = str_list_make("guest sam smbserver", NULL); break; case SEC_USER: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam"); + auth_method_list = str_list_make("guest sam", NULL); } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = str_list_make("guest unix"); + auth_method_list = str_list_make("guest unix", NULL); } break; case SEC_SHARE: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam"); + auth_method_list = str_list_make("guest sam", NULL); } else { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = str_list_make("guest unix"); + auth_method_list = str_list_make("guest unix", NULL); } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam ads ntdomain"); + auth_method_list = str_list_make("guest sam ads winbind ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 3352c5f9c8..d48cec5b29 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -29,6 +29,88 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; + +/* + resolve the name of a DC in ways appropriate for an ADS domain mode + an ADS domain may not have Netbios enabled at all, so this is + quite different from the RPC case + Note that we ignore the 'server' parameter here. That has the effect of using + the 'ADS server' smb.conf parameter, which is what we really want anyway + */ +static NTSTATUS ads_resolve_dc(fstring remote_machine, + struct in_addr *dest_ip) +{ + ADS_STRUCT *ads; + ads = ads_init_simple(); + if (!ads) { + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); + + ads->auth.no_bind = 1; + +#ifdef HAVE_ADS + /* a full ads_connect() is actually overkill, as we don't srictly need + to do the SASL auth in order to get the info we need, but libads + doesn't offer a better way right now */ + ads_connect(ads); +#endif + + fstrcpy(remote_machine, ads->config.ldap_server_name); + strupper(remote_machine); + *dest_ip = ads->ldap_ip; + ads_destroy(&ads); + + if (!*remote_machine || is_zero_ip(*dest_ip)) { + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("ads_resolve_dc: using server='%s' IP=%s\n", + remote_machine, inet_ntoa(*dest_ip))); + + return NT_STATUS_OK; +} + +/* + resolve the name of a DC in ways appropriate for RPC domain mode + this relies on the server supporting netbios and port 137 not being + firewalled + */ +static NTSTATUS rpc_resolve_dc(const char *server, + fstring remote_machine, + struct in_addr *dest_ip) +{ + if (is_ipaddress(server)) { + struct in_addr to_ip = *interpret_addr2(server); + + /* we need to know the machines netbios name - this is a lousy + way to find it, but until we have a RPC call that does this + it will have to do */ + if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { + DEBUG(2, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return NT_STATUS_NO_LOGON_SERVERS; + } + + *dest_ip = to_ip; + return NT_STATUS_OK; + } + + fstrcpy(remote_machine, server); + strupper(remote_machine); + if (!resolve_name(remote_machine, dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + remote_machine)); + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("rpc_resolve_dc: using server='%s' IP=%s\n", + remote_machine, inet_ntoa(*dest_ip))); + + return NT_STATUS_OK; +} + /** * Connect to a remote server for domain security authenticaion. * @@ -50,37 +132,22 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, fstring remote_machine; NTSTATUS result; - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return NT_STATUS_UNSUCCESSFUL; - } + if (lp_security() == SEC_ADS) { + result = ads_resolve_dc(remote_machine, &dest_ip); } else { - fstrcpy(remote_machine, server); + result = rpc_resolve_dc(server, remote_machine, &dest_ip); } - standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; + if (!NT_STATUS_IS_OK(result)) { + DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", + nt_errstr(result))); + return result; } - + if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } /* TODO: Send a SAMLOGON request to determine whether this is a valid @@ -98,11 +165,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, */ if (!grab_server_mutex(server)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname, server, - &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + result = cli_full_connection(cli, global_myname, remote_machine, + &dest_ip, 0, "IPC$", "IPC", "", "", "",0); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); @@ -129,7 +196,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_ulogoff(*cli); cli_shutdown(*cli); release_server_mutex(); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); @@ -139,7 +206,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ @@ -174,10 +241,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, */ if (is_zero_ip(*ip)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; if (!lookup_dc_name(global_myname, domain, ip, dc_name)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); } @@ -196,7 +263,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, struct in_addr *ip_list = NULL; int count = 0; int i; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; time_t time_now = time(NULL); BOOL use_pdc_only = False; @@ -212,7 +279,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, use_pdc_only = True; if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; /* * Firstly try and contact a PDC/BDC who has the same @@ -288,7 +355,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; /* * At this point, smb_apasswd points to the lanman response to @@ -300,7 +367,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { + if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); @@ -503,7 +570,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte #ifdef DEBUG_PASSWORD DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); #endif - E_md4hash((uchar *)trust_password, trust_md4_password); + E_md4hash(trust_password, trust_md4_password); SAFE_FREE(trust_password); #if 0 diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 76579150ce..155370546a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -107,7 +107,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, memcpy(client_response, ntv2_response.data, sizeof(client_response)); ntv2_owf_gen(part_passwd, user, domain, kr); - SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, (char *)value_from_encryption); + SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, value_from_encryption); if (user_sess_key != NULL) { SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); @@ -232,11 +232,26 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { return NT_STATUS_OK; } else { + if (lp_ntlm_auth()) { + /* Apparently NT accepts NT responses in the LM feild + - I think this is related to Win9X pass-though authenticaion + */ + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM feild\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + nt_pw, auth_context->challenge, + user_sess_key)) + { + return NT_STATUS_OK; + } else { + DEBUG(3,("sam_password_ok: NT MD4 password in LM feild failed for user %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } + } DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } } - + /* Should not be reached, but if they send nothing... */ DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3ade220c0f..f914d91871 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -25,7 +25,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern fstring remote_machine; extern pstring global_myname; /**************************************************************************** @@ -394,7 +393,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - remote_machine, + get_remote_machine_name(), local_lm_blob, local_nt_blob, plaintext_password, @@ -429,7 +428,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, return make_user_info_map(user_info, smb_name, client_domain, - remote_machine, + get_remote_machine_name(), lm_resp, nt_resp, no_plaintext_blob, diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 671e198bf5..5bdccd39f3 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -32,6 +32,30 @@ NSS_STATUS winbindd_request(int req_type, struct winbindd_request *request, struct winbindd_response *response); +NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) +{ + uint8 *info3_ndr; + size_t len = response->length - sizeof(response); + prs_struct ps; + if (len > 0) { + info3_ndr = response->extra_data; + if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { + return NT_STATUS_NO_MEMORY; + } + prs_append_data(&ps, info3_ndr, len); + ps.data_offset = 0; + if (!net_io_user_info3("", info3, &ps, 1, 3)) { + DEBUG(2, ("get_info3_from_ndr: could not parse info3 struct!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + prs_mem_free(&ps); + + return NT_STATUS_OK; + } else { + DEBUG(2, ("get_info3_from_ndr: No info3 struct found!\n")); + return NT_STATUS_UNSUCCESSFUL; + } +} /* Authenticate a user with a challenge/response */ @@ -44,11 +68,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; - struct passwd *pw; NTSTATUS nt_status; + NET_USER_INFO_3 info3; if (!user_info) { - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_INVALID_PARAMETER; } if (!auth_context) { @@ -62,11 +86,14 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, ZERO_STRUCT(request); ZERO_STRUCT(response); - snprintf(request.data.auth_crap.user, sizeof(request.data.auth_crap.user), - "%s\\%s", user_info->domain.str, user_info->smb_name.str); + request.data.auth_crap.flags = WINBIND_PAM_INFO3_NDR; - fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); - fstrcpy(request.data.auth_crap.domain, user_info->domain.str); + push_utf8_fstring(request.data.auth_crap.user, + user_info->smb_name.str); + push_utf8_fstring(request.data.auth_crap.domain, + user_info->domain.str); + push_utf8_fstring(request.data.auth_crap.workstation, + user_info->wksta_name.str); memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); @@ -76,27 +103,28 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, sizeof(request.data.auth_crap.nt_resp)); memcpy(request.data.auth_crap.lm_resp, user_info->lm_resp.data, - sizeof(request.data.auth_crap.lm_resp_len)); - memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, request.data.auth_crap.lm_resp_len); + memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, + request.data.auth_crap.nt_resp_len); result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); - if (result == NSS_STATUS_SUCCESS) { - - pw = Get_Pwnam(user_info->internal_username.str); - - if (pw) { - if (make_server_info_pw(server_info, pw)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS(response.data.auth.nt_status); + + if (result == NSS_STATUS_SUCCESS && response.extra_data) { + if (NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { + nt_status = + make_server_info_info3(mem_ctx, + user_info->internal_username.str, + user_info->smb_name.str, + user_info->domain.str, + server_info, + &info3); } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; } - } else { - nt_status = NT_STATUS_LOGON_FAILURE; + } else if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_UNSUCCESSFUL; } return nt_status; -- cgit From 64456bf3c037fb640d8a5f97cded2db5ca533bd3 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 19 Aug 2002 18:06:07 +0000 Subject: fix typo auth/auth_server.c remove unused 'max packet' and 'packet size' options (This used to be commit 6a787a695db65688916464a9b0e2a9024b131eee) --- source3/auth/auth_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 23faedc0ba..f227c9125c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -285,7 +285,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context * need to detect this as some versions of NT4.x are broken. JRA. */ - /* I sure as hell hope that there arn't servers out there that take + /* I sure as hell hope that there aren't servers out there that take * NTLMv2 and have this bug, as we don't test for that... * - abartlet@samba.org */ -- cgit From 8674440d81f703cb59979426c92ed54de8e5f2ed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 20 Aug 2002 01:54:28 +0000 Subject: Based orginally by work by Kai, this patch moves our NT_TOKEN generation into our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902) --- source3/auth/auth_builtin.c | 9 +- source3/auth/auth_sam.c | 6 +- source3/auth/auth_server.c | 4 +- source3/auth/auth_util.c | 494 +++++++++++++++++++++++++++++++++++--------- source3/auth/auth_winbind.c | 2 +- 5 files changed, 408 insertions(+), 107 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 5ce7075ab9..bba1ad98bd 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -41,13 +41,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; if (!(user_info->internal_username.str - && *user_info->internal_username.str)) { - if (make_server_info_guest(server_info)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } + && *user_info->internal_username.str)) + nt_status = make_server_info_guest(server_info); return nt_status; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 155370546a..50f1e5dac9 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -403,9 +403,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - if (!make_server_info_sam(server_info, sampass)) { - DEBUG(0,("failed to malloc memory for server_info\n")); - return NT_STATUS_NO_MEMORY; + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { + DEBUG(0,("failed to malloc memory for server_info ret: %s\n", nt_errstr(nt_status))); + return nt_status; } lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index f227c9125c..0ed905e79c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -375,9 +375,7 @@ use this machine as the password server.\n")); if NT_STATUS_IS_OK(nt_status) { struct passwd *pass = Get_Pwnam(user_info->internal_username.str); if (pass) { - if (!make_server_info_pw(server_info, pass)) { - nt_status = NT_STATUS_NO_MEMORY; - } + nt_status = make_server_info_pw(server_info, pass); } else { nt_status = NT_STATUS_NO_SUCH_USER; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f914d91871..51b8005634 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,6 +26,11 @@ #define DBGC_CLASS DBGC_AUTH extern pstring global_myname; +extern DOM_SID global_sid_World; +extern DOM_SID global_sid_Network; +extern DOM_SID global_sid_Builtin_Guests; +extern DOM_SID global_sid_Authenticated_Users; + /**************************************************************************** Create a UNIX user on demand. @@ -455,37 +460,298 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) auth_flags, True); } +/**************************************************************************** + prints a NT_USER_TOKEN to debug output. +****************************************************************************/ + +void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) +{ + fstring sid_str; + int i; + + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", + sid_to_string(sid_str, &token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); + for (i = 0; i < token->num_sids; i++) + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, + sid_to_string(sid_str, &token->user_sids[i]))); +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, + int n_groupSIDs, DOM_SID *groupSIDs, + BOOL is_guest, NT_USER_TOKEN **token) +{ + NTSTATUS nt_status = NT_STATUS_OK; + NT_USER_TOKEN *ptoken; + int i; + int sid_ndx; + + if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + ZERO_STRUCTP(ptoken); + + ptoken->num_sids = n_groupSIDs + 5; + + if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids); + + /* + * Note - user SID *MUST* be first in token ! + * se_access_check depends on this. + * + * Primary group SID is second in token. Convention. + */ + + sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid); + if (group_sid) + sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid); + + /* + * Finally add the "standard" SIDs. + * The only difference between guest and "anonymous" (which we + * don't really support) is the addition of Authenticated_Users. + */ + + sid_copy(&ptoken->user_sids[2], &global_sid_World); + sid_copy(&ptoken->user_sids[3], &global_sid_Network); + + if (is_guest) + sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests); + else + sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users); + + sid_ndx = 5; /* next available spot */ + + for (i = 0; i < n_groupSIDs; i++) { + int check_sid_idx; + for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { + if (sid_equal(&ptoken->user_sids[check_sid_idx], + &groupSIDs[i])) { + break; + } + } + + if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { + sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]); + } else { + ptoken->num_sids--; + } + } + + debug_nt_user_token(DBGC_AUTH, 10, ptoken); + + *token = ptoken; + + return nt_status; +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest) +{ + DOM_SID user_sid; + DOM_SID group_sid; + DOM_SID *group_sids; + NT_USER_TOKEN *token; + int i; + + if (!uid_to_sid(&user_sid, uid)) { + return NULL; + } + if (!gid_to_sid(&group_sid, gid)) { + return NULL; + } + + group_sids = malloc(sizeof(DOM_SID) * ngroups); + if (!group_sids) { + DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); + return NULL; + } + + for (i = 0; i < ngroups; i++) { + if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); + SAFE_FREE(group_sids); + return NULL; + } + } + + if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, + ngroups, group_sids, is_guest, &token))) { + SAFE_FREE(group_sids); + return NULL; + } + + SAFE_FREE(group_sids); + + return token; +} + +/****************************************************************************** + * this function returns the groups (SIDs) of the local SAM the user is in. + * If this samba server is a DC of the domain the user belongs to, it returns + * both domain groups and local / builtin groups. If the user is in a trusted + * domain, or samba is a member server of a domain, then this function returns + * local and builtin groups the user is a member of. + * + * currently this is a hack, as there is no sam implementation that is capable + * of groups. + ******************************************************************************/ + +static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, + int *n_groups, DOM_SID **groups, gid_t **unix_groups) +{ + uid_t uid; + enum SID_NAME_USE snu; + fstring str; + int n_unix_groups; + int i; + struct passwd *usr; + + *n_groups = 0; + *groups = NULL; + + if (!sid_to_uid(user_sid, &uid, &snu)) { + DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", sid_to_string(str, user_sid))); + return NT_STATUS_NO_SUCH_USER; + } + + usr = getpwuid_alloc(uid); + + n_unix_groups = groups_max(); + if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { + DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); + passwd_free(&usr); + return NT_STATUS_NO_MEMORY; + } + + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + *unix_groups = realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); + SAFE_FREE(unix_groups); + passwd_free(&usr); + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + } + } + + passwd_free(&usr); + + DEBUG(5,("get_user_groups_from_local_sam: user is in the unix following groups\n")); + for (i = 0; i < n_unix_groups; i++) + DEBUGADD(5,("supplementary group gid:%ld\n",(long int)(*unix_groups)[i])); + + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { + DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_MEMORY; + } + + *n_groups = n_unix_groups; + + for (i = 0; i < *n_groups; i++) { + if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); + SAFE_FREE(groups); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_SUCH_USER; + } + } + + return NT_STATUS_OK; +} + /*************************************************************************** Make a user_info struct ***************************************************************************/ -static BOOL make_server_info(auth_serversupplied_info **server_info) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - return True; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->sam_account = sampass; + + return NT_STATUS_OK; } /*************************************************************************** Make (and fill) a user_info struct from a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) { - if (!make_server_info(server_info)) { - return False; + NTSTATUS nt_status = NT_STATUS_OK; + const DOM_SID *user_sid = pdb_get_user_sid(sampass); + const DOM_SID *group_sid = pdb_get_group_sid(sampass); + int n_groupSIDs = 0; + DOM_SID *groupSIDs = NULL; + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + BOOL is_guest; + uint32 rid; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { + return nt_status; } + + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + &n_groupSIDs, &groupSIDs, &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + free_server_info(server_info); + return nt_status; + } + + is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST); - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; + if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid, + n_groupSIDs, groupSIDs, is_guest, + &token))) + { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(groupSIDs); + SAFE_FREE(unix_groups); + free_server_info(server_info); + return nt_status; + } + + SAFE_FREE(groupSIDs); + + (*server_info)->n_groups = n_groupSIDs; + (*server_info)->groups = unix_groups; + + (*server_info)->ptok = token; + + debug_nt_user_token(DBGC_AUTH, 5, token); DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); - return True; + + return nt_status; } /*************************************************************************** @@ -493,75 +759,42 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s to a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) +NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { + NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; - if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) { - return False; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { + return nt_status; } return make_server_info_sam(server_info, sampass); } /*************************************************************************** - Free a user_info struct + Make (and fill) a user_info struct for a guest login. ***************************************************************************/ -void free_user_info(auth_usersupplied_info **user_info) +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) { - DEBUG(5,("attempting to free (and zero) a user_info structure\n")); - if (*user_info != NULL) { - if ((*user_info)->smb_name.str) { - DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); - } - SAFE_FREE((*user_info)->smb_name.str); - SAFE_FREE((*user_info)->internal_username.str); - SAFE_FREE((*user_info)->client_domain.str); - SAFE_FREE((*user_info)->domain.str); - SAFE_FREE((*user_info)->wksta_name.str); - data_blob_free(&(*user_info)->lm_resp); - data_blob_free(&(*user_info)->nt_resp); - SAFE_FREE((*user_info)->interactive_password); - data_blob_clear_free(&(*user_info)->plaintext_password); - ZERO_STRUCT(**user_info); + NTSTATUS nt_status; + SAM_ACCOUNT *sampass = NULL; + DOM_SID guest_sid; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { + return nt_status; } - SAFE_FREE(*user_info); -} -/*************************************************************************** - Clear out a server_info struct that has been allocated -***************************************************************************/ + sid_copy(&guest_sid, get_global_sam_sid()); + sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); -void free_server_info(auth_serversupplied_info **server_info) -{ - if (*server_info != NULL) { - pdb_free_sam(&(*server_info)->sam_account); - - /* call pam_end here, unless we know we are keeping it */ - delete_nt_token( &(*server_info)->ptok ); - ZERO_STRUCT(**server_info); + if (!pdb_getsampwsid(sampass, &guest_sid)) { + return NT_STATUS_NO_SUCH_USER; } - SAFE_FREE(*server_info); -} -/*************************************************************************** - Make a server_info struct for a guest user -***************************************************************************/ + nt_status = make_server_info_sam(server_info, sampass); -BOOL make_server_info_guest(auth_serversupplied_info **server_info) -{ - struct passwd *pass = getpwnam_alloc(lp_guestaccount()); - - if (pass) { - if (!make_server_info_pw(server_info, pass)) { - passwd_free(&pass); - return False; - } - (*server_info)->guest = True; - passwd_free(&pass); - return True; - } - DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n")); - return False; + (*server_info)->guest = True; + + return nt_status; } /*************************************************************************** @@ -589,6 +822,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; + int n_lgroupSIDs; + DOM_SID *lgroupSIDs = NULL; + + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + + DOM_SID *all_group_SIDs; + int i; + /* Here is where we should check the list of trusted domains, and verify that the SID @@ -698,49 +940,115 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!make_server_info_sam(server_info, sam_account)) { - DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); - return NT_STATUS_NO_MEMORY; + return nt_status; } /* Store the user group information in the server_info returned to the caller. */ - if (info3->num_groups2 != 0) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - return nt_status; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3->num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(&user_sid, + &n_lgroupSIDs, + &lgroupSIDs, + &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + return nt_status; + } + + (*server_info)->groups = unix_groups; + (*server_info)->n_groups = n_lgroupSIDs; + + /* Create a 'combined' list of all SIDs we might want in the SD */ + all_group_SIDs = malloc(sizeof(DOM_SID) * (n_lgroupSIDs+info3->num_groups2)); + if (!all_group_SIDs) { + DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(lgroupSIDs); + return NT_STATUS_NO_MEMORY; + } + + /* Copy the 'local' sids */ + memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); + SAFE_FREE(lgroupSIDs); + + /* and create (by appending rids) the 'domain' sids */ + for (i = 0; i < info3->num_groups2; i++) { + sid_copy(&all_group_SIDs[i+n_lgroupSIDs+1], &(info3->dom_sid.sid)); + if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs+1], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + SAFE_FREE(lgroupSIDs); return nt_status; } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); - if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { - nt_status = NT_STATUS_INVALID_PARAMETER; - free_server_info(server_info); - return nt_status; - } - } } + + /* Where are the 'global' sids... */ + + /* can the user be guest? if yes, where is it stored? */ + if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(&user_sid, &group_sid, + n_lgroupSIDs+info3->num_groups2, all_group_SIDs, + False, &token))) { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(all_group_SIDs); + return nt_status; + } + + (*server_info)->ptok = token; + + SAFE_FREE(all_group_SIDs); + + debug_nt_user_token(DBGC_AUTH, 5, token); + return NT_STATUS_OK; } +/*************************************************************************** + Free a user_info struct +***************************************************************************/ + +void free_user_info(auth_usersupplied_info **user_info) +{ + DEBUG(5,("attempting to free (and zero) a user_info structure\n")); + if (*user_info != NULL) { + if ((*user_info)->smb_name.str) { + DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + } + SAFE_FREE((*user_info)->smb_name.str); + SAFE_FREE((*user_info)->internal_username.str); + SAFE_FREE((*user_info)->client_domain.str); + SAFE_FREE((*user_info)->domain.str); + SAFE_FREE((*user_info)->wksta_name.str); + data_blob_free(&(*user_info)->lm_resp); + data_blob_free(&(*user_info)->nt_resp); + SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->plaintext_password); + ZERO_STRUCT(**user_info); + } + SAFE_FREE(*user_info); +} + +/*************************************************************************** + Clear out a server_info struct that has been allocated +***************************************************************************/ + +void free_server_info(auth_serversupplied_info **server_info) +{ + DEBUG(5,("attempting to free (and zero) a server_info structure\n")); + if (*server_info != NULL) { + pdb_free_sam(&(*server_info)->sam_account); + + /* call pam_end here, unless we know we are keeping it */ + delete_nt_token( &(*server_info)->ptok ); + SAFE_FREE((*server_info)->groups); + ZERO_STRUCT(**server_info); + } + SAFE_FREE(*server_info); +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 5bdccd39f3..10788721fd 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -4,7 +4,7 @@ Winbind authentication mechnism Copyright (C) Tim Potter 2000 - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001 - 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit From 07dbe5af57414d20a370920d0467d36a69b2f03a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 21 Aug 2002 11:34:05 +0000 Subject: Cope with non-unix accounts - we just won't get the groups for those users. Andrew Bartlett (This used to be commit 7cad7814555645aa3bee95fb48fbd694e6a9e313) --- source3/auth/auth_util.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 51b8005634..210c4d09f9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -627,8 +627,10 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, *groups = NULL; if (!sid_to_uid(user_sid, &uid, &snu)) { - DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", sid_to_string(str, user_sid))); - return NT_STATUS_NO_SUCH_USER; + DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", + sid_to_string(str, user_sid))); + /* This might be a non-unix account */ + return NT_STATUS_OK; } usr = getpwuid_alloc(uid); -- cgit From 3276da43142bb4a0886747dabcfce6a436f11f25 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 22 Aug 2002 09:48:06 +0000 Subject: Spelling fixes. (This used to be commit 24fa84bda49a3a77fbc092652a0b6b132f06ff7c) --- source3/auth/auth_sam.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 50f1e5dac9..58def0567a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -233,17 +233,17 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, return NT_STATUS_OK; } else { if (lp_ntlm_auth()) { - /* Apparently NT accepts NT responses in the LM feild - - I think this is related to Win9X pass-though authenticaion + /* Apparently NT accepts NT responses in the LM field + - I think this is related to Win9X pass-though authentication */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM feild\n")); + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); if (smb_pwd_check_ntlmv1(user_info->lm_resp, nt_pw, auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; } else { - DEBUG(3,("sam_password_ok: NT MD4 password in LM feild failed for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: NT MD4 password in LM field failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } } -- cgit From 9c7742727a03daa486d77a4ae5f7c4314ced6ad4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Aug 2002 00:43:06 +0000 Subject: Try to support non-root-mode systems without getgrouplist(). Andrew Bartlett (This used to be commit 17096315a0f30f946ddecb79708604a111c37011) --- source3/auth/auth_sam.c | 2 +- source3/auth/auth_util.c | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 58def0567a..ca611c46b9 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -404,7 +404,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { - DEBUG(0,("failed to malloc memory for server_info ret: %s\n", nt_errstr(nt_status))); + DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 210c4d09f9..118126a275 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -643,7 +643,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { - *unix_groups = realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(unix_groups); @@ -657,12 +657,14 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, DEBUG(5,("get_user_groups_from_local_sam: user is in the unix following groups\n")); for (i = 0; i < n_unix_groups; i++) DEBUGADD(5,("supplementary group gid:%ld\n",(long int)(*unix_groups)[i])); - - *groups = malloc(sizeof(DOM_SID) * n_unix_groups); - if (!*groups) { - DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); - SAFE_FREE(unix_groups); - return NT_STATUS_NO_MEMORY; + + if (n_unix_groups > 0) { + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { + DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_MEMORY; + } } *n_groups = n_unix_groups; -- cgit From 2560c73026ced1917a04f0e670f51ebcc984bb86 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Aug 2002 03:08:37 +0000 Subject: Updates! - Don't print an uninitialised buffer in service.c - Change some charcnv.c functions to take smb_ucs2_t ** instead of void ** - Update NTLMv2 code to use dynamic buffers - Update experimental SMB signing code - still more work to do - Move sys_getgrouplist() to SAFE_FREE() and do a DEBUG() on initgroups() failure. Andrew Bartlett (This used to be commit de1964f7fa855022258a84556b266100b917444b) --- source3/auth/auth_sam.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index ca611c46b9..bc98f46dc2 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -106,7 +106,10 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); memcpy(client_response, ntv2_response.data, sizeof(client_response)); - ntv2_owf_gen(part_passwd, user, domain, kr); + if (!ntv2_owf_gen(part_passwd, user, domain, kr)) { + return False; + } + SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, value_from_encryption); if (user_sess_key != NULL) { -- cgit From bd11a63c5342a75c65117c596225555488cd2e2d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Aug 2002 17:36:44 +0000 Subject: We don't need the RTLD_GLOBAL. (This used to be commit 0d562b81bfd176111a1046560c39b03d986f90ec) --- source3/auth/auth_builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index bba1ad98bd..d54a8660b3 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -189,7 +189,7 @@ NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, trim_string(plugin_name, " ", " "); DEBUG(5, ("Trying to load auth plugin %s\n", plugin_name)); - dl_handle = sys_dlopen(plugin_name, RTLD_NOW | RTLD_GLOBAL ); + dl_handle = sys_dlopen(plugin_name, RTLD_NOW ); if (!dl_handle) { DEBUG(0, ("Failed to load auth plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); return NT_STATUS_UNSUCCESSFUL; -- cgit From cfb5e91178eb8befdb00780a819f9c5cd3eee8e4 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Fri, 30 Aug 2002 10:46:59 +0000 Subject: added cli_net_auth_3 client code. changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch. pass also the negociation flags all the way. all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient. in the future we will be able to call auth_2 or auth_3 as we want. J.F. (This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e) --- source3/auth/auth_domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d48cec5b29..f7a268de1f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -131,6 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; + uint32 neg_flags = 0x000001ff; if (lp_security() == SEC_ADS) { result = ads_resolve_dc(remote_machine, &dest_ip); @@ -206,7 +207,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -- cgit From 39e21d4ef21152724f2fff573f88ee25216aef0e Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 30 Aug 2002 18:56:46 +0000 Subject: off by one in writing to malloced array. this fixes smbd crash I saw at the CIFS conference - finally got purify working (This used to be commit cf9bb66aa9c3217cb8394058c65c84ffc6ae269a) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 118126a275..5ae942fac7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -980,8 +980,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* and create (by appending rids) the 'domain' sids */ for (i = 0; i < info3->num_groups2; i++) { - sid_copy(&all_group_SIDs[i+n_lgroupSIDs+1], &(info3->dom_sid.sid)); - if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs+1], info3->gids[i].g_rid)) { + sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); + if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { nt_status = NT_STATUS_INVALID_PARAMETER; DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); -- cgit From 789d51b42ceb2d99658c72bf55904083d451fcab Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 6 Sep 2002 13:37:11 +0000 Subject: This is the 'easy' parts of the trusted domains patch n+3 patch from Rafal Szczesniak It includes a conversion of make_user_info*() to NTSTATUS and some minor changes to other files. It also picks up on a nasty segfault that can occour in some security=domain cases. Andrew Bartlett (This used to be commit d1e1fc3e4bf72717b3593685f0ea5750d676952a) --- source3/auth/auth_domain.c | 2 +- source3/auth/auth_util.c | 122 +++++++++++++++++++++++++-------------------- 2 files changed, 70 insertions(+), 54 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f7a268de1f..e8f11bb3d5 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -251,7 +251,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, } /*********************************************************************** - We have been asked to dynamcially determine the IP addresses of + We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5ae942fac7..78dc0d4ee4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -4,6 +4,7 @@ Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 Copyright (C) Jeremy Allison 2000-2001 + Copyright (C) Rafal Szczesniak 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -56,7 +57,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) +void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) { struct passwd *pwd=NULL; @@ -81,15 +82,15 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli Create an auth_usersupplied_data structure ****************************************************************************/ -static BOOL make_user_info(auth_usersupplied_info **user_info, - const char *smb_name, - const char *internal_username, - const char *client_domain, - const char *domain, - const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 auth_flags, BOOL encrypted) +static NTSTATUS make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, + const char *internal_username, + const char *client_domain, + const char *domain, + const char *wksta_name, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 auth_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -97,7 +98,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*user_info); @@ -109,7 +110,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->smb_name.len = strlen(smb_name); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->internal_username.str = strdup(internal_username); @@ -117,7 +118,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->internal_username.len = strlen(internal_username); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->domain.str = strdup(domain); @@ -125,7 +126,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->domain.len = strlen(domain); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->client_domain.str = strdup(client_domain); @@ -133,7 +134,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->client_domain.len = strlen(client_domain); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->wksta_name.str = strdup(wksta_name); @@ -141,7 +142,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->wksta_name.len = strlen(wksta_name); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); @@ -155,26 +156,26 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); - return True; + return NT_STATUS_OK; } /**************************************************************************** Create an auth_usersupplied_data structure after appropriate mapping. ****************************************************************************/ -BOOL make_user_info_map(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) +NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + const char *wksta_name, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) { const char *domain; fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); - + DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); @@ -203,7 +204,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, client_domain, lp_winbind_separator(), smb_name) < 0) { DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); @@ -245,6 +246,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; + NTSTATUS nt_status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -258,12 +260,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, auth_flags |= AUTH_FLAG_NTLMv2_RESP; } - ret = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_blob, nt_blob, - plaintext_blob, - auth_flags, True); + nt_status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + lm_blob, nt_blob, + plaintext_blob, + auth_flags, True); + + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -329,6 +333,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, { BOOL ret; + NTSTATUS nt_status; DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -338,14 +343,15 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, if (nt_interactive_pwd) auth_flags |= AUTH_FLAG_NTLM_RESP; - ret = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - local_lm_blob, - local_nt_blob, - plaintext_blob, - auth_flags, True); + nt_status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + local_lm_blob, + local_nt_blob, + plaintext_blob, + auth_flags, True); + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); return ret; @@ -366,7 +372,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; - BOOL ret = False; + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; uint32 auth_flags = AUTH_FLAG_NONE; /* @@ -397,25 +403,25 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, } ret = make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - local_lm_blob, - local_nt_blob, - plaintext_password, - auth_flags, False); + client_domain, + get_remote_machine_name(), + local_lm_blob, + local_nt_blob, + plaintext_password, + auth_flags, False); data_blob_free(&local_lm_blob); - return ret; + return NT_STATUS_IS_OK(ret) ? True : False; } /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp) +NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 auth_flags = AUTH_FLAG_NONE; @@ -450,14 +456,17 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); uint32 auth_flags = AUTH_FLAG_NONE; + NTSTATUS nt_status; - return make_user_info(user_info, + nt_status = make_user_info(user_info, "","", "","", "", nt_blob, lm_blob, plaintext_blob, auth_flags, True); + + return NT_STATUS_IS_OK(nt_status) ? True : False; } /**************************************************************************** @@ -633,7 +642,14 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, return NT_STATUS_OK; } - usr = getpwuid_alloc(uid); + /* + * This is _essential_ to prevent occasional segfaults when + * winbind can't find uid -> username mapping + */ + if (!(usr = getpwuid_alloc(uid))) { + DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid)); + return NT_STATUS_NO_SUCH_USER; + }; n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { -- cgit From f3008f5463dbb7691ca32d48edaeb078e8846274 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 15 Sep 2002 23:40:55 +0000 Subject: Merge of 'other_sids' patch from appliance. (This used to be commit 7decd4b3a9e6900ab35f7bf5b266361f308aa58d) --- source3/auth/auth_util.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 78dc0d4ee4..ca90fc6f72 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -983,7 +983,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->n_groups = n_lgroupSIDs; /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * (n_lgroupSIDs+info3->num_groups2)); + all_group_SIDs = malloc(sizeof(DOM_SID) * + (n_lgroupSIDs + info3->num_groups2 + + info3->num_other_sids)); if (!all_group_SIDs) { DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); @@ -1006,12 +1008,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } } + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < info3->num_other_sids; i++) + sid_copy(&all_group_SIDs[ + n_lgroupSIDs + info3->num_groups2 + i], + &info3->other_sids[i].sid); + /* Where are the 'global' sids... */ /* can the user be guest? if yes, where is it stored? */ - if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(&user_sid, &group_sid, - n_lgroupSIDs+info3->num_groups2, all_group_SIDs, - False, &token))) { + if (!NT_STATUS_IS_OK( + nt_status = create_nt_user_token( + &user_sid, &group_sid, + n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids, + all_group_SIDs, False, &token))) { DEBUG(4,("create_nt_user_token failed\n")); SAFE_FREE(all_group_SIDs); return nt_status; -- cgit From 3cc83a87392ebc19c5934ad2a6d0e59583aa8326 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 15 Sep 2002 23:42:59 +0000 Subject: Don't display debugs of the nt user token twice. (This used to be commit 2011a38f3bd1e51aa1ca0219a9e46da12426cbc3) --- source3/auth/auth_util.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ca90fc6f72..c2d92a985f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -766,8 +766,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->ptok = token; - debug_nt_user_token(DBGC_AUTH, 5, token); - DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); @@ -1036,8 +1034,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, SAFE_FREE(all_group_SIDs); - debug_nt_user_token(DBGC_AUTH, 5, token); - return NT_STATUS_OK; } -- cgit From b33681fc0b8ef7b9fa91c154f7c3117afafa349e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 17 Sep 2002 12:12:50 +0000 Subject: Add clock skew handling to our kerberos code. This allows us to cope with the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e8f11bb3d5..2e51a85281 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -48,7 +48,7 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); - ads->auth.no_bind = 1; + ads->auth.flags |= ADS_AUTH_NO_BIND; #ifdef HAVE_ADS /* a full ads_connect() is actually overkill, as we don't srictly need -- cgit From 2bd2b243fcdd92979ad98baea55569005df21670 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 25 Sep 2002 09:34:43 +0000 Subject: Move to common user token debugging, and ensure we always print both the NT_TOKEN and the unix credentials - as we incresingly use the NT stuff we want to make it easy to check they don't get out of wack. Andrew Bartlett (This used to be commit a3882a19254811ace2f9545580c14ce3bd588095) --- source3/auth/auth_util.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c2d92a985f..ce5fd32337 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -478,12 +478,32 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) fstring sid_str; int i; + if (!token) { + DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); + return; + } + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", - sid_to_string(sid_str, &token->user_sids[0]) )); + sid_to_string(sid_str, &token->user_sids[0]) )); DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, - sid_to_string(sid_str, &token->user_sids[i]))); + sid_to_string(sid_str, &token->user_sids[i]))); +} + +/**************************************************************************** + prints a UNIX 'token' to debug output. +****************************************************************************/ + +void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups) +{ + int i; + DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid)); + + DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups)); + for (i = 0; i < n_groups; i++) + DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, + (long int)groups[i])); } /**************************************************************************** @@ -668,12 +688,10 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } } + debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups); + passwd_free(&usr); - DEBUG(5,("get_user_groups_from_local_sam: user is in the unix following groups\n")); - for (i = 0; i < n_unix_groups; i++) - DEBUGADD(5,("supplementary group gid:%ld\n",(long int)(*unix_groups)[i])); - if (n_unix_groups > 0) { *groups = malloc(sizeof(DOM_SID) * n_unix_groups); if (!*groups) { -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/auth/auth_builtin.c | 11 +- source3/auth/auth_domain.c | 7 +- source3/auth/auth_sam.c | 19 +- source3/auth/auth_server.c | 6 +- source3/auth/auth_util.c | 647 ++++++++++++++++++++++++++++++++++---------- source3/auth/auth_winbind.c | 2 +- 6 files changed, 523 insertions(+), 169 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 5ce7075ab9..d54a8660b3 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -41,13 +41,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; if (!(user_info->internal_username.str - && *user_info->internal_username.str)) { - if (make_server_info_guest(server_info)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } + && *user_info->internal_username.str)) + nt_status = make_server_info_guest(server_info); return nt_status; } @@ -194,7 +189,7 @@ NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, trim_string(plugin_name, " ", " "); DEBUG(5, ("Trying to load auth plugin %s\n", plugin_name)); - dl_handle = sys_dlopen(plugin_name, RTLD_NOW | RTLD_GLOBAL ); + dl_handle = sys_dlopen(plugin_name, RTLD_NOW ); if (!dl_handle) { DEBUG(0, ("Failed to load auth plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); return NT_STATUS_UNSUCCESSFUL; diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d48cec5b29..2e51a85281 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -48,7 +48,7 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); - ads->auth.no_bind = 1; + ads->auth.flags |= ADS_AUTH_NO_BIND; #ifdef HAVE_ADS /* a full ads_connect() is actually overkill, as we don't srictly need @@ -131,6 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; + uint32 neg_flags = 0x000001ff; if (lp_security() == SEC_ADS) { result = ads_resolve_dc(remote_machine, &dest_ip); @@ -206,7 +207,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ @@ -250,7 +251,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, } /*********************************************************************** - We have been asked to dynamcially determine the IP addresses of + We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 155370546a..bc98f46dc2 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -106,7 +106,10 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); memcpy(client_response, ntv2_response.data, sizeof(client_response)); - ntv2_owf_gen(part_passwd, user, domain, kr); + if (!ntv2_owf_gen(part_passwd, user, domain, kr)) { + return False; + } + SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, value_from_encryption); if (user_sess_key != NULL) { @@ -233,17 +236,17 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, return NT_STATUS_OK; } else { if (lp_ntlm_auth()) { - /* Apparently NT accepts NT responses in the LM feild - - I think this is related to Win9X pass-though authenticaion + /* Apparently NT accepts NT responses in the LM field + - I think this is related to Win9X pass-though authentication */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM feild\n")); + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); if (smb_pwd_check_ntlmv1(user_info->lm_resp, nt_pw, auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; } else { - DEBUG(3,("sam_password_ok: NT MD4 password in LM feild failed for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: NT MD4 password in LM field failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } } @@ -403,9 +406,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - if (!make_server_info_sam(server_info, sampass)) { - DEBUG(0,("failed to malloc memory for server_info\n")); - return NT_STATUS_NO_MEMORY; + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { + DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); + return nt_status; } lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 23faedc0ba..0ed905e79c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -285,7 +285,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context * need to detect this as some versions of NT4.x are broken. JRA. */ - /* I sure as hell hope that there arn't servers out there that take + /* I sure as hell hope that there aren't servers out there that take * NTLMv2 and have this bug, as we don't test for that... * - abartlet@samba.org */ @@ -375,9 +375,7 @@ use this machine as the password server.\n")); if NT_STATUS_IS_OK(nt_status) { struct passwd *pass = Get_Pwnam(user_info->internal_username.str); if (pass) { - if (!make_server_info_pw(server_info, pass)) { - nt_status = NT_STATUS_NO_MEMORY; - } + nt_status = make_server_info_pw(server_info, pass); } else { nt_status = NT_STATUS_NO_SUCH_USER; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f914d91871..ce5fd32337 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -4,6 +4,7 @@ Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 Copyright (C) Jeremy Allison 2000-2001 + Copyright (C) Rafal Szczesniak 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +27,11 @@ #define DBGC_CLASS DBGC_AUTH extern pstring global_myname; +extern DOM_SID global_sid_World; +extern DOM_SID global_sid_Network; +extern DOM_SID global_sid_Builtin_Guests; +extern DOM_SID global_sid_Authenticated_Users; + /**************************************************************************** Create a UNIX user on demand. @@ -51,7 +57,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) +void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) { struct passwd *pwd=NULL; @@ -76,15 +82,15 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli Create an auth_usersupplied_data structure ****************************************************************************/ -static BOOL make_user_info(auth_usersupplied_info **user_info, - const char *smb_name, - const char *internal_username, - const char *client_domain, - const char *domain, - const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 auth_flags, BOOL encrypted) +static NTSTATUS make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, + const char *internal_username, + const char *client_domain, + const char *domain, + const char *wksta_name, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 auth_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -92,7 +98,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*user_info); @@ -104,7 +110,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->smb_name.len = strlen(smb_name); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->internal_username.str = strdup(internal_username); @@ -112,7 +118,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->internal_username.len = strlen(internal_username); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->domain.str = strdup(domain); @@ -120,7 +126,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->domain.len = strlen(domain); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->client_domain.str = strdup(client_domain); @@ -128,7 +134,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->client_domain.len = strlen(client_domain); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->wksta_name.str = strdup(wksta_name); @@ -136,7 +142,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->wksta_name.len = strlen(wksta_name); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); @@ -150,26 +156,26 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); - return True; + return NT_STATUS_OK; } /**************************************************************************** Create an auth_usersupplied_data structure after appropriate mapping. ****************************************************************************/ -BOOL make_user_info_map(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) +NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + const char *wksta_name, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) { const char *domain; fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); - + DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); @@ -198,7 +204,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, client_domain, lp_winbind_separator(), smb_name) < 0) { DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); @@ -240,6 +246,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; + NTSTATUS nt_status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -253,12 +260,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, auth_flags |= AUTH_FLAG_NTLMv2_RESP; } - ret = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_blob, nt_blob, - plaintext_blob, - auth_flags, True); + nt_status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + lm_blob, nt_blob, + plaintext_blob, + auth_flags, True); + + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -324,6 +333,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, { BOOL ret; + NTSTATUS nt_status; DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -333,14 +343,15 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, if (nt_interactive_pwd) auth_flags |= AUTH_FLAG_NTLM_RESP; - ret = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - local_lm_blob, - local_nt_blob, - plaintext_blob, - auth_flags, True); + nt_status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + local_lm_blob, + local_nt_blob, + plaintext_blob, + auth_flags, True); + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); return ret; @@ -361,7 +372,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; - BOOL ret = False; + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; uint32 auth_flags = AUTH_FLAG_NONE; /* @@ -392,25 +403,25 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, } ret = make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - local_lm_blob, - local_nt_blob, - plaintext_password, - auth_flags, False); + client_domain, + get_remote_machine_name(), + local_lm_blob, + local_nt_blob, + plaintext_password, + auth_flags, False); data_blob_free(&local_lm_blob); - return ret; + return NT_STATUS_IS_OK(ret) ? True : False; } /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp) +NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 auth_flags = AUTH_FLAG_NONE; @@ -445,47 +456,338 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); uint32 auth_flags = AUTH_FLAG_NONE; + NTSTATUS nt_status; - return make_user_info(user_info, + nt_status = make_user_info(user_info, "","", "","", "", nt_blob, lm_blob, plaintext_blob, auth_flags, True); + + return NT_STATUS_IS_OK(nt_status) ? True : False; +} + +/**************************************************************************** + prints a NT_USER_TOKEN to debug output. +****************************************************************************/ + +void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) +{ + fstring sid_str; + int i; + + if (!token) { + DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); + return; + } + + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", + sid_to_string(sid_str, &token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); + for (i = 0; i < token->num_sids; i++) + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, + sid_to_string(sid_str, &token->user_sids[i]))); +} + +/**************************************************************************** + prints a UNIX 'token' to debug output. +****************************************************************************/ + +void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups) +{ + int i; + DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid)); + + DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups)); + for (i = 0; i < n_groups; i++) + DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, + (long int)groups[i])); +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, + int n_groupSIDs, DOM_SID *groupSIDs, + BOOL is_guest, NT_USER_TOKEN **token) +{ + NTSTATUS nt_status = NT_STATUS_OK; + NT_USER_TOKEN *ptoken; + int i; + int sid_ndx; + + if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + ZERO_STRUCTP(ptoken); + + ptoken->num_sids = n_groupSIDs + 5; + + if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids); + + /* + * Note - user SID *MUST* be first in token ! + * se_access_check depends on this. + * + * Primary group SID is second in token. Convention. + */ + + sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid); + if (group_sid) + sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid); + + /* + * Finally add the "standard" SIDs. + * The only difference between guest and "anonymous" (which we + * don't really support) is the addition of Authenticated_Users. + */ + + sid_copy(&ptoken->user_sids[2], &global_sid_World); + sid_copy(&ptoken->user_sids[3], &global_sid_Network); + + if (is_guest) + sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests); + else + sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users); + + sid_ndx = 5; /* next available spot */ + + for (i = 0; i < n_groupSIDs; i++) { + int check_sid_idx; + for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { + if (sid_equal(&ptoken->user_sids[check_sid_idx], + &groupSIDs[i])) { + break; + } + } + + if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { + sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]); + } else { + ptoken->num_sids--; + } + } + + debug_nt_user_token(DBGC_AUTH, 10, ptoken); + + *token = ptoken; + + return nt_status; +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest) +{ + DOM_SID user_sid; + DOM_SID group_sid; + DOM_SID *group_sids; + NT_USER_TOKEN *token; + int i; + + if (!uid_to_sid(&user_sid, uid)) { + return NULL; + } + if (!gid_to_sid(&group_sid, gid)) { + return NULL; + } + + group_sids = malloc(sizeof(DOM_SID) * ngroups); + if (!group_sids) { + DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); + return NULL; + } + + for (i = 0; i < ngroups; i++) { + if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); + SAFE_FREE(group_sids); + return NULL; + } + } + + if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, + ngroups, group_sids, is_guest, &token))) { + SAFE_FREE(group_sids); + return NULL; + } + + SAFE_FREE(group_sids); + + return token; +} + +/****************************************************************************** + * this function returns the groups (SIDs) of the local SAM the user is in. + * If this samba server is a DC of the domain the user belongs to, it returns + * both domain groups and local / builtin groups. If the user is in a trusted + * domain, or samba is a member server of a domain, then this function returns + * local and builtin groups the user is a member of. + * + * currently this is a hack, as there is no sam implementation that is capable + * of groups. + ******************************************************************************/ + +static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, + int *n_groups, DOM_SID **groups, gid_t **unix_groups) +{ + uid_t uid; + enum SID_NAME_USE snu; + fstring str; + int n_unix_groups; + int i; + struct passwd *usr; + + *n_groups = 0; + *groups = NULL; + + if (!sid_to_uid(user_sid, &uid, &snu)) { + DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", + sid_to_string(str, user_sid))); + /* This might be a non-unix account */ + return NT_STATUS_OK; + } + + /* + * This is _essential_ to prevent occasional segfaults when + * winbind can't find uid -> username mapping + */ + if (!(usr = getpwuid_alloc(uid))) { + DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid)); + return NT_STATUS_NO_SUCH_USER; + }; + + n_unix_groups = groups_max(); + if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { + DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); + passwd_free(&usr); + return NT_STATUS_NO_MEMORY; + } + + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); + SAFE_FREE(unix_groups); + passwd_free(&usr); + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + } + } + + debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups); + + passwd_free(&usr); + + if (n_unix_groups > 0) { + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { + DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_MEMORY; + } + } + + *n_groups = n_unix_groups; + + for (i = 0; i < *n_groups; i++) { + if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); + SAFE_FREE(groups); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_SUCH_USER; + } + } + + return NT_STATUS_OK; } /*************************************************************************** Make a user_info struct ***************************************************************************/ -static BOOL make_server_info(auth_serversupplied_info **server_info) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - return True; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->sam_account = sampass; + + return NT_STATUS_OK; } /*************************************************************************** Make (and fill) a user_info struct from a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) { - if (!make_server_info(server_info)) { - return False; + NTSTATUS nt_status = NT_STATUS_OK; + const DOM_SID *user_sid = pdb_get_user_sid(sampass); + const DOM_SID *group_sid = pdb_get_group_sid(sampass); + int n_groupSIDs = 0; + DOM_SID *groupSIDs = NULL; + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + BOOL is_guest; + uint32 rid; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { + return nt_status; } + + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + &n_groupSIDs, &groupSIDs, &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + free_server_info(server_info); + return nt_status; + } + + is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST); - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; + if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid, + n_groupSIDs, groupSIDs, is_guest, + &token))) + { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(groupSIDs); + SAFE_FREE(unix_groups); + free_server_info(server_info); + return nt_status; + } + + SAFE_FREE(groupSIDs); + (*server_info)->n_groups = n_groupSIDs; + (*server_info)->groups = unix_groups; + + (*server_info)->ptok = token; + DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); - return True; + + return nt_status; } /*************************************************************************** @@ -493,75 +795,42 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s to a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) +NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { + NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; - if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) { - return False; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { + return nt_status; } return make_server_info_sam(server_info, sampass); } /*************************************************************************** - Free a user_info struct + Make (and fill) a user_info struct for a guest login. ***************************************************************************/ -void free_user_info(auth_usersupplied_info **user_info) +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) { - DEBUG(5,("attempting to free (and zero) a user_info structure\n")); - if (*user_info != NULL) { - if ((*user_info)->smb_name.str) { - DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); - } - SAFE_FREE((*user_info)->smb_name.str); - SAFE_FREE((*user_info)->internal_username.str); - SAFE_FREE((*user_info)->client_domain.str); - SAFE_FREE((*user_info)->domain.str); - SAFE_FREE((*user_info)->wksta_name.str); - data_blob_free(&(*user_info)->lm_resp); - data_blob_free(&(*user_info)->nt_resp); - SAFE_FREE((*user_info)->interactive_password); - data_blob_clear_free(&(*user_info)->plaintext_password); - ZERO_STRUCT(**user_info); + NTSTATUS nt_status; + SAM_ACCOUNT *sampass = NULL; + DOM_SID guest_sid; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { + return nt_status; } - SAFE_FREE(*user_info); -} -/*************************************************************************** - Clear out a server_info struct that has been allocated -***************************************************************************/ + sid_copy(&guest_sid, get_global_sam_sid()); + sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); -void free_server_info(auth_serversupplied_info **server_info) -{ - if (*server_info != NULL) { - pdb_free_sam(&(*server_info)->sam_account); - - /* call pam_end here, unless we know we are keeping it */ - delete_nt_token( &(*server_info)->ptok ); - ZERO_STRUCT(**server_info); + if (!pdb_getsampwsid(sampass, &guest_sid)) { + return NT_STATUS_NO_SUCH_USER; } - SAFE_FREE(*server_info); -} -/*************************************************************************** - Make a server_info struct for a guest user -***************************************************************************/ + nt_status = make_server_info_sam(server_info, sampass); -BOOL make_server_info_guest(auth_serversupplied_info **server_info) -{ - struct passwd *pass = getpwnam_alloc(lp_guestaccount()); - - if (pass) { - if (!make_server_info_pw(server_info, pass)) { - passwd_free(&pass); - return False; - } - (*server_info)->guest = True; - passwd_free(&pass); - return True; - } - DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n")); - return False; + (*server_info)->guest = True; + + return nt_status; } /*************************************************************************** @@ -589,6 +858,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; + int n_lgroupSIDs; + DOM_SID *lgroupSIDs = NULL; + + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + + DOM_SID *all_group_SIDs; + int i; + /* Here is where we should check the list of trusted domains, and verify that the SID @@ -698,49 +976,128 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!make_server_info_sam(server_info, sam_account)) { - DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); - return NT_STATUS_NO_MEMORY; + return nt_status; } /* Store the user group information in the server_info returned to the caller. */ - if (info3->num_groups2 != 0) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - return nt_status; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3->num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(&user_sid, + &n_lgroupSIDs, + &lgroupSIDs, + &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + return nt_status; + } + + (*server_info)->groups = unix_groups; + (*server_info)->n_groups = n_lgroupSIDs; + + /* Create a 'combined' list of all SIDs we might want in the SD */ + all_group_SIDs = malloc(sizeof(DOM_SID) * + (n_lgroupSIDs + info3->num_groups2 + + info3->num_other_sids)); + if (!all_group_SIDs) { + DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(lgroupSIDs); + return NT_STATUS_NO_MEMORY; + } + + /* Copy the 'local' sids */ + memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); + SAFE_FREE(lgroupSIDs); + + /* and create (by appending rids) the 'domain' sids */ + for (i = 0; i < info3->num_groups2; i++) { + sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); + if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + SAFE_FREE(lgroupSIDs); return nt_status; } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); - if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { - nt_status = NT_STATUS_INVALID_PARAMETER; - free_server_info(server_info); - return nt_status; - } - } } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < info3->num_other_sids; i++) + sid_copy(&all_group_SIDs[ + n_lgroupSIDs + info3->num_groups2 + i], + &info3->other_sids[i].sid); + + /* Where are the 'global' sids... */ + + /* can the user be guest? if yes, where is it stored? */ + if (!NT_STATUS_IS_OK( + nt_status = create_nt_user_token( + &user_sid, &group_sid, + n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids, + all_group_SIDs, False, &token))) { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(all_group_SIDs); + return nt_status; + } + + (*server_info)->ptok = token; + + SAFE_FREE(all_group_SIDs); + return NT_STATUS_OK; } +/*************************************************************************** + Free a user_info struct +***************************************************************************/ + +void free_user_info(auth_usersupplied_info **user_info) +{ + DEBUG(5,("attempting to free (and zero) a user_info structure\n")); + if (*user_info != NULL) { + if ((*user_info)->smb_name.str) { + DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + } + SAFE_FREE((*user_info)->smb_name.str); + SAFE_FREE((*user_info)->internal_username.str); + SAFE_FREE((*user_info)->client_domain.str); + SAFE_FREE((*user_info)->domain.str); + SAFE_FREE((*user_info)->wksta_name.str); + data_blob_free(&(*user_info)->lm_resp); + data_blob_free(&(*user_info)->nt_resp); + SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->plaintext_password); + ZERO_STRUCT(**user_info); + } + SAFE_FREE(*user_info); +} + +/*************************************************************************** + Clear out a server_info struct that has been allocated +***************************************************************************/ + +void free_server_info(auth_serversupplied_info **server_info) +{ + DEBUG(5,("attempting to free (and zero) a server_info structure\n")); + if (*server_info != NULL) { + pdb_free_sam(&(*server_info)->sam_account); + + /* call pam_end here, unless we know we are keeping it */ + delete_nt_token( &(*server_info)->ptok ); + SAFE_FREE((*server_info)->groups); + ZERO_STRUCT(**server_info); + } + SAFE_FREE(*server_info); +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 5bdccd39f3..10788721fd 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -4,7 +4,7 @@ Winbind authentication mechnism Copyright (C) Tim Potter 2000 - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001 - 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit From 086dcdca76885c8cbd35499f0a3c801c9479eec7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 27 Sep 2002 16:20:09 +0000 Subject: Sorry to touch such an internal function. But I was quite surprised that 'security = user', 'encrypt passwords = no' did not work anymore. This is on quite a standard SuSE 7.3, ./configure.developer --with-tdbsam. I can provide a config.log / config.h on demand. Please re-check for consequences, I don't really oversee that file. Thanks, Volker (This used to be commit ba754b57ddb78dadedcb7b5877cbee5bab08181e) --- source3/auth/pass_check.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 63918796ef..d98ee96edd 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -609,6 +609,8 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas if (((!*password) || (!pwlen)) && !lp_null_passwords()) return NT_STATUS_LOGON_FAILURE; + this_salt[0] = 0; + #if defined(WITH_PAM) /* @@ -645,8 +647,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas perhaps for IPC password changing requests */ spass = getspnam(pass->pw_name); - if (spass && spass->sp_pwdp) + if (spass && spass->sp_pwdp) { fstrcpy(this_crypted, spass->sp_pwdp); + fstrcpy(this_salt, spass->sp_pwdp); + } } #elif defined(IA_UINFO) { @@ -705,7 +709,8 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas #endif /* extract relevant info */ - fstrcpy(this_salt, pass->pw_passwd); + if (this_salt[0] == 0) + fstrcpy(this_salt, pass->pw_passwd); #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) -- cgit From 465d93b1c6dbd8547091a7dc4b114f48d4a79d40 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 27 Sep 2002 23:56:20 +0000 Subject: Back our volker's patch as was breaking the build. Volker, I would like to understand what you are trying to do here... I'll trust that it's broken (this code is certainly not well tested) but I do want to keep a close eye on the fixes... Andrew Bartlett (This used to be commit 4b72f84cf9bc3f7583318d5dff97257f9dc5b87f) --- source3/auth/pass_check.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index d98ee96edd..63918796ef 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -609,8 +609,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas if (((!*password) || (!pwlen)) && !lp_null_passwords()) return NT_STATUS_LOGON_FAILURE; - this_salt[0] = 0; - #if defined(WITH_PAM) /* @@ -647,10 +645,8 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas perhaps for IPC password changing requests */ spass = getspnam(pass->pw_name); - if (spass && spass->sp_pwdp) { + if (spass && spass->sp_pwdp) fstrcpy(this_crypted, spass->sp_pwdp); - fstrcpy(this_salt, spass->sp_pwdp); - } } #elif defined(IA_UINFO) { @@ -709,8 +705,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas #endif /* extract relevant info */ - if (this_salt[0] == 0) - fstrcpy(this_salt, pass->pw_passwd); + fstrcpy(this_salt, pass->pw_passwd); #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) -- cgit From ac625a8235bcee8f56d26899c6f0ad7b13deae9a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 28 Sep 2002 13:29:51 +0000 Subject: Second stab at Volker's 'make shadow passwords work' patch. Basicly, the password and the salt must be taken from the same place in both passwd and shadow based systems. Taking salt from one, and password from the other just doesn't work. So pull them from passwd, then overwrite them if need be. When modifying this file, watch the #ifdef hell - as vl found out, some variables are globals - but only with #ifndef WITH_PAM, and the code jumps all over the place with the password cracker. Getting double-reviews of any change to this file highly advised, it is one of our most system-specifc areas of code. (So now I get to take the blame for this one... :-) Andrew Bartlett (This used to be commit f39f167900db3f06ec3c52c3ddf61e8bf3d57f56) --- source3/auth/pass_check.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 63918796ef..e1783bfd1e 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -634,6 +634,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas /* Also the place to keep the 'password' no matter what crazy struct it started in... */ fstrcpy(this_crypted, pass->pw_passwd); + fstrcpy(this_salt, pass->pw_passwd); #ifdef HAVE_GETSPNAM { @@ -645,8 +646,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas perhaps for IPC password changing requests */ spass = getspnam(pass->pw_name); - if (spass && spass->sp_pwdp) + if (spass && spass->sp_pwdp) { fstrcpy(this_crypted, spass->sp_pwdp); + fstrcpy(this_salt, spass->sp_pwdp); + } } #elif defined(IA_UINFO) { @@ -704,9 +707,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas } #endif - /* extract relevant info */ - fstrcpy(this_salt, pass->pw_passwd); - #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) won't work with more than 2 salt characters. */ -- cgit From ad8a22e570c8970247dc76defc9be2b768bd102d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Oct 2002 13:10:57 +0000 Subject: Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f) --- source3/auth/pass_check.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 63918796ef..e1783bfd1e 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -634,6 +634,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas /* Also the place to keep the 'password' no matter what crazy struct it started in... */ fstrcpy(this_crypted, pass->pw_passwd); + fstrcpy(this_salt, pass->pw_passwd); #ifdef HAVE_GETSPNAM { @@ -645,8 +646,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas perhaps for IPC password changing requests */ spass = getspnam(pass->pw_name); - if (spass && spass->sp_pwdp) + if (spass && spass->sp_pwdp) { fstrcpy(this_crypted, spass->sp_pwdp); + fstrcpy(this_salt, spass->sp_pwdp); + } } #elif defined(IA_UINFO) { @@ -704,9 +707,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas } #endif - /* extract relevant info */ - fstrcpy(this_salt, pass->pw_passwd); - #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) won't work with more than 2 salt characters. */ -- cgit From 83e58265b5595f5268bbcbda1a078a81d6fd5a40 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 4 Oct 2002 03:51:43 +0000 Subject: merge of new client side support the Win2k LSARPC UUID in rpcbind from APP_HEAD (This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2e51a85281..59b9233a2d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -190,7 +190,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); -- cgit From 36ef82a52953384acedbd51f54ded9357fa8ca3e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 4 Oct 2002 04:10:23 +0000 Subject: merge of new client side support the Win2k LSARPC UUID in rpcbind from APP_HEAD (This used to be commit 1cfd2ee433305e91e87804dd55d10e025d30a69e) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2e51a85281..59b9233a2d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -190,7 +190,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); -- cgit From 4ac9ccfde4d36e3b6065c65c92dd02dddb78b4f2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 12 Oct 2002 03:38:07 +0000 Subject: Nice *big* patch from metze. The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155) --- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 6f4b3f8b15..1251432b87 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -49,7 +49,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password) * Remove the account disabled flag - we are updating the * users password from a login. */ - if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED)) { + if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) { pdb_free_sam(&sampass); return False; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce5fd32337..b14344ef50 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -931,47 +931,47 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - if (!pdb_set_user_sid(sam_account, &user_sid)) { + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_group_sid(sam_account, &group_sid)) { + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_nt_username(sam_account, nt_username)) { + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_domain(sam_account, nt_domain)) { + if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) { + if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) { + if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) { + if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) { + if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) { + if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } -- cgit From c53eb2ed540e79d6deae5f41e17febc5bf5dbf57 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 17 Oct 2002 17:10:24 +0000 Subject: Added new error codes. Fix up connection code to retry in the same way that app-head does. Jeremy. (This used to be commit ec7953f20145799f6286a295472df4826bfdfb8f) --- source3/auth/auth_domain.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 59b9233a2d..129c486562 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -88,8 +88,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, way to find it, but until we have a RPC call that does this it will have to do */ if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(2, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); + DEBUG(2, ("rpc_resolve_dc: Can't resolve name for IP %s\n", server)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -100,7 +99,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, fstrcpy(remote_machine, server); strupper(remote_machine); if (!resolve_name(remote_machine, dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + DEBUG(1,("rpc_resolve_dc: Can't resolve address for %s\n", remote_machine)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -126,18 +125,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *server, const char *setup_creds_as, uint16 sec_chan, - const unsigned char *trust_passwd) + const unsigned char *trust_passwd, + BOOL *retry) { struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; uint32 neg_flags = 0x000001ff; - if (lp_security() == SEC_ADS) { + *retry = False; + + if (lp_security() == SEC_ADS) result = ads_resolve_dc(remote_machine, &dest_ip); - } else { + else result = rpc_resolve_dc(server, remote_machine, &dest_ip); - } if (!NT_STATUS_IS_OK(result)) { DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", @@ -165,12 +166,14 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ + *retry = True; + if (!grab_server_mutex(server)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ result = cli_full_connection(cli, global_myname, remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", "",0); + &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); @@ -235,7 +238,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, uint16 sec_chan, const unsigned char *trust_passwd) { + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + BOOL retry = True; fstring dc_name; + int i; /* * Ignore addresses we have already tried. @@ -247,7 +253,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_NO_LOGON_SERVERS; - return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); + for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) + ret = connect_to_domain_password_server(cli, dc_name, setup_creds_as, + sec_chan, trust_passwd, &retry); + return ret; } /*********************************************************************** @@ -371,7 +380,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { - nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); + int i; + BOOL retry = False; + for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) + nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, + sec_chan, trust_passwd, &retry); } } -- cgit From 389a16d9d5331ddc7ae61d3d4ef3a4ee48734d4b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 17 Oct 2002 17:10:29 +0000 Subject: Added new error codes. Fix up connection code to retry in the same way that app-head does. Jeremy. (This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049) --- source3/auth/auth_domain.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 59b9233a2d..129c486562 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -88,8 +88,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, way to find it, but until we have a RPC call that does this it will have to do */ if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(2, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); + DEBUG(2, ("rpc_resolve_dc: Can't resolve name for IP %s\n", server)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -100,7 +99,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, fstrcpy(remote_machine, server); strupper(remote_machine); if (!resolve_name(remote_machine, dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + DEBUG(1,("rpc_resolve_dc: Can't resolve address for %s\n", remote_machine)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -126,18 +125,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *server, const char *setup_creds_as, uint16 sec_chan, - const unsigned char *trust_passwd) + const unsigned char *trust_passwd, + BOOL *retry) { struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; uint32 neg_flags = 0x000001ff; - if (lp_security() == SEC_ADS) { + *retry = False; + + if (lp_security() == SEC_ADS) result = ads_resolve_dc(remote_machine, &dest_ip); - } else { + else result = rpc_resolve_dc(server, remote_machine, &dest_ip); - } if (!NT_STATUS_IS_OK(result)) { DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", @@ -165,12 +166,14 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ + *retry = True; + if (!grab_server_mutex(server)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ result = cli_full_connection(cli, global_myname, remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", "",0); + &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); @@ -235,7 +238,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, uint16 sec_chan, const unsigned char *trust_passwd) { + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + BOOL retry = True; fstring dc_name; + int i; /* * Ignore addresses we have already tried. @@ -247,7 +253,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_NO_LOGON_SERVERS; - return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); + for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) + ret = connect_to_domain_password_server(cli, dc_name, setup_creds_as, + sec_chan, trust_passwd, &retry); + return ret; } /*********************************************************************** @@ -371,7 +380,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { - nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); + int i; + BOOL retry = False; + for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) + nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, + sec_chan, trust_passwd, &retry); } } -- cgit From 6d7195d1d79c43f5ccc8dc4a9215c02177d5fa89 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Nov 2002 03:47:48 +0000 Subject: Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f) --- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 6f4b3f8b15..1251432b87 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -49,7 +49,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password) * Remove the account disabled flag - we are updating the * users password from a login. */ - if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED)) { + if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) { pdb_free_sam(&sampass); return False; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce5fd32337..b14344ef50 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -931,47 +931,47 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - if (!pdb_set_user_sid(sam_account, &user_sid)) { + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_group_sid(sam_account, &group_sid)) { + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_nt_username(sam_account, nt_username)) { + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_domain(sam_account, nt_domain)) { + if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) { + if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) { + if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) { + if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) { + if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) { + if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } -- cgit From 281284c819d0452c5d5db530ecdbd1267cd4e22c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 3 Nov 2002 13:33:00 +0000 Subject: make_server_info_guest() can need root for the ldapsam backend (This used to be commit 918099f09618136c371e199803f5895f9cb702be) --- source3/auth/auth_builtin.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index d54a8660b3..09b9a36cdf 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -41,8 +41,11 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; if (!(user_info->internal_username.str - && *user_info->internal_username.str)) + && *user_info->internal_username.str)) { + become_root(); nt_status = make_server_info_guest(server_info); + unbecome_root(); + } return nt_status; } -- cgit From 0ead4ef3c20d402546b8845f1c3cc9419c394072 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Nov 2002 12:36:37 +0000 Subject: Move to the use of the 'initialised' flag, rather than the fact the pointer is NULL. Andrew Bartlett (This used to be commit 2115335857acd2c4f5c89b95227b3762f4c052b0) --- source3/auth/auth_sam.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index bc98f46dc2..7252193c9a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -162,12 +162,9 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } - nt_pw = pdb_get_nt_passwd(sampass); - lm_pw = pdb_get_lanman_passwd(sampass); - auth_flags = user_info->auth_flags; - if (nt_pw == NULL) { + if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) { DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ @@ -175,6 +172,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } if (auth_flags & AUTH_FLAG_NTLMv2_RESP) { + nt_pw = pdb_get_nt_passwd(sampass); /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -191,7 +189,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, return NT_STATUS_WRONG_PASSWORD; } } else if (auth_flags & AUTH_FLAG_NTLM_RESP) { - if (lp_ntlm_auth()) { + if (lp_ntlm_auth()) { + nt_pw = pdb_get_nt_passwd(sampass); /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -211,13 +210,14 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } - if (lm_pw == NULL) { + if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); auth_flags &= (~AUTH_FLAG_LM_RESP); } if (auth_flags & AUTH_FLAG_LM_RESP) { - + lm_pw = pdb_get_lanman_passwd(sampass); + if (user_info->lm_resp.length != 24) { DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass))); @@ -235,7 +235,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { return NT_STATUS_OK; } else { - if (lp_ntlm_auth()) { + if (lp_ntlm_auth() && (!IS_SAM_DEFAULT(sampass, PDB_NTPASSWD))) { + nt_pw = pdb_get_nt_passwd(sampass); /* Apparently NT accepts NT responses in the LM field - I think this is related to Win9X pass-though authentication */ -- cgit From ea24bb2da8f643e043dc3af3ed3f16388878b57b Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 6 Nov 2002 01:29:07 +0000 Subject: Merge of get_dc_list() api change. This was slightly more intrusive than the version in APPLIANCE so watch out for boogs. (This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686) --- source3/auth/auth_domain.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 129c486562..e18d809efb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -288,8 +288,23 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if (time_now - last_change_time < 3600) use_pdc_only = True; - if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) - return NT_STATUS_NO_LOGON_SERVERS; + if (use_pdc_only) { + struct in_addr pdc_ip; + + if (!get_pdc_ip(domain, &pdc_ip)) + return NT_STATUS_NO_LOGON_SERVERS; + + if ((ip_list = (struct in_addr *) + malloc(sizeof(struct in_addr))) == NULL) + return NT_STATUS_NO_MEMORY; + + ip_list[0] = pdc_ip; + count = 1; + + } else { + if (!get_dc_list(domain, &ip_list, &count)) + return NT_STATUS_NO_LOGON_SERVERS; + } /* * Firstly try and contact a PDC/BDC who has the same -- cgit From ab1cf8d1cf447e85063b43b65fa05c8b4bfde2a9 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 6 Nov 2002 05:14:15 +0000 Subject: Merge of get_dc_list() api change from HEAD. (This used to be commit 6ba7847ce2756fde94e530fd0bf2a055f3e27373) --- source3/auth/auth_domain.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 129c486562..e18d809efb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -288,8 +288,23 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if (time_now - last_change_time < 3600) use_pdc_only = True; - if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) - return NT_STATUS_NO_LOGON_SERVERS; + if (use_pdc_only) { + struct in_addr pdc_ip; + + if (!get_pdc_ip(domain, &pdc_ip)) + return NT_STATUS_NO_LOGON_SERVERS; + + if ((ip_list = (struct in_addr *) + malloc(sizeof(struct in_addr))) == NULL) + return NT_STATUS_NO_MEMORY; + + ip_list[0] = pdc_ip; + count = 1; + + } else { + if (!get_dc_list(domain, &ip_list, &count)) + return NT_STATUS_NO_LOGON_SERVERS; + } /* * Firstly try and contact a PDC/BDC who has the same -- cgit From 5565aa9972bc47ae903a3186ac643b4651f49928 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 8 Nov 2002 01:34:58 +0000 Subject: Don't set global_machine_password_needs_changing if lp_machine_password_timeout() is set to zero. (This used to be commit 0fa87a68fea8b12242f644605aab7c2f81c1a4df) --- source3/auth/auth_domain.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e18d809efb..f58e8bac47 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -510,10 +510,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - /* Test if machine password is expired and need to be changed */ - if (time(NULL) > last_change_time + lp_machine_password_timeout()) - { - global_machine_password_needs_changing = True; + /* Test if machine password has expired and needs to be changed */ + if (lp_machine_password_timeout()) { + if (time(NULL) > (last_change_time + + lp_machine_password_timeout())) { + global_machine_password_needs_changing = True; + } } /* -- cgit From 66531104fed805080b53838eb720e81393675f98 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 8 Nov 2002 01:38:45 +0000 Subject: Don't set global_machine_password_needs_changing if lp_machine_password_timeout() is set to zero. (This used to be commit 3692919aee186498848715505047a1cde83758b7) --- source3/auth/auth_domain.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e18d809efb..f58e8bac47 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -510,10 +510,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - /* Test if machine password is expired and need to be changed */ - if (time(NULL) > last_change_time + lp_machine_password_timeout()) - { - global_machine_password_needs_changing = True; + /* Test if machine password has expired and needs to be changed */ + if (lp_machine_password_timeout()) { + if (time(NULL) > (last_change_time + + lp_machine_password_timeout())) { + global_machine_password_needs_changing = True; + } } /* -- cgit From c19598f2a6a3329e973e14e389e0577ebb914f3b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 8 Nov 2002 23:08:59 +0000 Subject: Merge from HEAD: - change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1) --- source3/auth/auth_sam.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index bc98f46dc2..7252193c9a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -162,12 +162,9 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } - nt_pw = pdb_get_nt_passwd(sampass); - lm_pw = pdb_get_lanman_passwd(sampass); - auth_flags = user_info->auth_flags; - if (nt_pw == NULL) { + if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) { DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ @@ -175,6 +172,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } if (auth_flags & AUTH_FLAG_NTLMv2_RESP) { + nt_pw = pdb_get_nt_passwd(sampass); /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -191,7 +189,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, return NT_STATUS_WRONG_PASSWORD; } } else if (auth_flags & AUTH_FLAG_NTLM_RESP) { - if (lp_ntlm_auth()) { + if (lp_ntlm_auth()) { + nt_pw = pdb_get_nt_passwd(sampass); /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -211,13 +210,14 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } - if (lm_pw == NULL) { + if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); auth_flags &= (~AUTH_FLAG_LM_RESP); } if (auth_flags & AUTH_FLAG_LM_RESP) { - + lm_pw = pdb_get_lanman_passwd(sampass); + if (user_info->lm_resp.length != 24) { DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass))); @@ -235,7 +235,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { return NT_STATUS_OK; } else { - if (lp_ntlm_auth()) { + if (lp_ntlm_auth() && (!IS_SAM_DEFAULT(sampass, PDB_NTPASSWD))) { + nt_pw = pdb_get_nt_passwd(sampass); /* Apparently NT accepts NT responses in the LM field - I think this is related to Win9X pass-though authentication */ -- cgit From d4c4b3f2605071e8515c09c8e9aeba57e4d0fe98 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Nov 2002 03:48:39 +0000 Subject: Fix bug found by tpot with given password server. Jeremy. (This used to be commit d46b4cb563850c77ee23b95df35a7f752a235d35) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f58e8bac47..9d4824fbc7 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -396,7 +396,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { int i; - BOOL retry = False; + BOOL retry = True; for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd, &retry); -- cgit From 5a21d8021a487da81b4b3389ee628763c651edae Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Nov 2002 03:57:28 +0000 Subject: Fix bug found by tpot with given password server. Jeremy. (This used to be commit 90ac8184a0ae1f702d39f947ef5267765f3d2f88) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f58e8bac47..9d4824fbc7 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -396,7 +396,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { int i; - BOOL retry = False; + BOOL retry = True; for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd, &retry); -- cgit From 250c9801197ea1c949bd94c1c891f81ab118b130 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:15:52 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a) --- source3/auth/auth.c | 2 +- source3/auth/auth_domain.c | 15 +++++++-------- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_server.c | 10 +++++----- source3/auth/auth_util.c | 1 - 5 files changed, 15 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d43afc71e1..232d401a24 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -137,7 +137,7 @@ static BOOL check_domain_match(const char *user, const char *domain) if (!lp_allow_trusted_domains() && !(strequal("", domain) || strequal(lp_workgroup(), domain) || - is_netbios_alias_or_name(domain))) { + is_myname(domain))) { DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); return False; } else { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9d4824fbc7..2a6614e28e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -26,7 +26,6 @@ BOOL global_machine_password_needs_changing = False; -extern pstring global_myname; extern userdom_struct current_user_info; @@ -172,7 +171,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname, remote_machine, + result = cli_full_connection(cli, global_myname(), remote_machine, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { @@ -250,7 +249,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (is_zero_ip(*ip)) return NT_STATUS_NO_LOGON_SERVERS; - if (!lookup_dc_name(global_myname, domain, ip, dc_name)) + if (!lookup_dc_name(global_myname(), domain, ip, dc_name)) return NT_STATUS_NO_LOGON_SERVERS; for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) @@ -372,7 +371,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - char *server, char *setup_creds_as, + const char *server, const char *setup_creds_as, uint16 sec_chan, unsigned char trust_passwd[16], time_t last_change_time) @@ -481,7 +480,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; - char *domain = lp_workgroup(); + const char *domain = lp_workgroup(); if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -494,7 +493,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -528,7 +527,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time); + password_server, global_myname(), SEC_CHAN_WKSTA, trust_passwd, last_change_time); return nt_status; } @@ -572,7 +571,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 7252193c9a..9fa33dccf6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -316,7 +316,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, if (*workstation_list) { BOOL invalid_ws = True; - char *s = workstation_list; + const char *s = workstation_list; fstring tok; @@ -454,7 +454,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context attempt to check the password locally, unless it is one of our aliases. */ - if (!is_netbios_alias_or_name(user_info->domain.str)) { + if (!is_myname(user_info->domain.str)) { return NT_STATUS_NO_SUCH_USER; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 0ed905e79c..5144852d3b 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -24,7 +24,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern pstring global_myname; extern userdom_struct current_user_info; /**************************************************************************** @@ -36,7 +35,8 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) struct cli_state *cli = NULL; fstring desthost; struct in_addr dest_ip; - char *p, *pserver; + const char *p; + char *pserver; BOOL connected_ok = False; if (!(cli = cli_initialise(cli))) @@ -85,7 +85,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return NULL; } - if (!attempt_netbios_session_request(cli, global_myname, + if (!attempt_netbios_session_request(cli, global_myname(), desthost, &dest_ip)) { release_server_mutex(); DEBUG(1,("password server fails session request\n")); @@ -231,7 +231,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -275,7 +275,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context if(baduser[0] == 0) { fstrcpy(baduser, INVALID_USER_PREFIX); - fstrcat(baduser, global_myname); + fstrcat(baduser, global_myname()); } /* diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b14344ef50..98b15f3fb6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,7 +26,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern pstring global_myname; extern DOM_SID global_sid_World; extern DOM_SID global_sid_Network; extern DOM_SID global_sid_Builtin_Guests; -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/auth/auth.c | 2 +- source3/auth/auth_domain.c | 15 +++++++-------- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_server.c | 10 +++++----- source3/auth/auth_util.c | 1 - 5 files changed, 15 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d43afc71e1..232d401a24 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -137,7 +137,7 @@ static BOOL check_domain_match(const char *user, const char *domain) if (!lp_allow_trusted_domains() && !(strequal("", domain) || strequal(lp_workgroup(), domain) || - is_netbios_alias_or_name(domain))) { + is_myname(domain))) { DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); return False; } else { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9d4824fbc7..2a6614e28e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -26,7 +26,6 @@ BOOL global_machine_password_needs_changing = False; -extern pstring global_myname; extern userdom_struct current_user_info; @@ -172,7 +171,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname, remote_machine, + result = cli_full_connection(cli, global_myname(), remote_machine, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { @@ -250,7 +249,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (is_zero_ip(*ip)) return NT_STATUS_NO_LOGON_SERVERS; - if (!lookup_dc_name(global_myname, domain, ip, dc_name)) + if (!lookup_dc_name(global_myname(), domain, ip, dc_name)) return NT_STATUS_NO_LOGON_SERVERS; for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) @@ -372,7 +371,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - char *server, char *setup_creds_as, + const char *server, const char *setup_creds_as, uint16 sec_chan, unsigned char trust_passwd[16], time_t last_change_time) @@ -481,7 +480,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; - char *domain = lp_workgroup(); + const char *domain = lp_workgroup(); if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -494,7 +493,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -528,7 +527,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time); + password_server, global_myname(), SEC_CHAN_WKSTA, trust_passwd, last_change_time); return nt_status; } @@ -572,7 +571,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 7252193c9a..9fa33dccf6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -316,7 +316,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, if (*workstation_list) { BOOL invalid_ws = True; - char *s = workstation_list; + const char *s = workstation_list; fstring tok; @@ -454,7 +454,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context attempt to check the password locally, unless it is one of our aliases. */ - if (!is_netbios_alias_or_name(user_info->domain.str)) { + if (!is_myname(user_info->domain.str)) { return NT_STATUS_NO_SUCH_USER; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 0ed905e79c..5144852d3b 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -24,7 +24,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern pstring global_myname; extern userdom_struct current_user_info; /**************************************************************************** @@ -36,7 +35,8 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) struct cli_state *cli = NULL; fstring desthost; struct in_addr dest_ip; - char *p, *pserver; + const char *p; + char *pserver; BOOL connected_ok = False; if (!(cli = cli_initialise(cli))) @@ -85,7 +85,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return NULL; } - if (!attempt_netbios_session_request(cli, global_myname, + if (!attempt_netbios_session_request(cli, global_myname(), desthost, &dest_ip)) { release_server_mutex(); DEBUG(1,("password server fails session request\n")); @@ -231,7 +231,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -275,7 +275,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context if(baduser[0] == 0) { fstrcpy(baduser, INVALID_USER_PREFIX); - fstrcat(baduser, global_myname); + fstrcat(baduser, global_myname()); } /* diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b14344ef50..98b15f3fb6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,7 +26,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern pstring global_myname; extern DOM_SID global_sid_World; extern DOM_SID global_sid_Network; extern DOM_SID global_sid_Builtin_Guests; -- cgit From ac29d6b310d612f52b6200b0bb5320d09fc66039 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 15 Nov 2002 21:23:55 +0000 Subject: Small auth updates: - add static remove unnneded prototype - move become_root() to just around pdb calls, so as to make it easier to remove when we kill off this silly idea - Change auth_sam to do 'account before password' rather than 'password before account'. This means that we match Win2k in giving 'account disabled' instead of 'wrong password' if the wrong password to a disabled account is used. Andrew Bartlett (This used to be commit e6d2debaf6064c3229f41c06545a1ccb83695a77) --- source3/auth/auth_builtin.c | 2 -- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_util.c | 3 +++ source3/auth/auth_winbind.c | 8 +------- 4 files changed, 6 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 09b9a36cdf..f55f662a40 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -42,9 +42,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, if (!(user_info->internal_username.str && *user_info->internal_username.str)) { - become_root(); nt_status = make_server_info_guest(server_info); - unbecome_root(); } return nt_status; diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 9fa33dccf6..02f8511d6a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -393,6 +393,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } + nt_status = sam_account_ok(mem_ctx, sampass, user_info); + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { @@ -400,8 +402,6 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - nt_status = sam_account_ok(mem_ctx, sampass, user_info); - if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98b15f3fb6..5696b8f2dc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -821,9 +821,12 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) sid_copy(&guest_sid, get_global_sam_sid()); sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); + become_root(); if (!pdb_getsampwsid(sampass, &guest_sid)) { + unbecome_root(); return NT_STATUS_NO_SUCH_USER; } + unbecome_root(); nt_status = make_server_info_sam(server_info, sampass); diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 10788721fd..c6a1727ebe 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -26,13 +26,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -/* Prototypes from common.h */ - -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); - -NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) +static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) { uint8 *info3_ndr; size_t len = response->length - sizeof(response); -- cgit From c64d762997c80bd9ad2d47d1799cf9ec870d455a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 15 Nov 2002 21:43:57 +0000 Subject: Updates from HEAD: - const for PACKS() in lanman.c - change auth to 'account before password' - add help to net rpc {vampire,samsync} - configure updates for sun workshop cc - become_root() around pdb_ calls in auth_util for guest login. Andrew Bartlett (This used to be commit 43e90eb6e331d478013a9c038292f245edc51bd0) --- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_util.c | 3 +++ source3/auth/auth_winbind.c | 8 +------- 3 files changed, 6 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 9fa33dccf6..02f8511d6a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -393,6 +393,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } + nt_status = sam_account_ok(mem_ctx, sampass, user_info); + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { @@ -400,8 +402,6 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - nt_status = sam_account_ok(mem_ctx, sampass, user_info); - if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98b15f3fb6..5696b8f2dc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -821,9 +821,12 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) sid_copy(&guest_sid, get_global_sam_sid()); sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); + become_root(); if (!pdb_getsampwsid(sampass, &guest_sid)) { + unbecome_root(); return NT_STATUS_NO_SUCH_USER; } + unbecome_root(); nt_status = make_server_info_sam(server_info, sampass); diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 10788721fd..c6a1727ebe 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -26,13 +26,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -/* Prototypes from common.h */ - -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); - -NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) +static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) { uint8 *info3_ndr; size_t len = response->length - sizeof(response); -- cgit From 191dff2d279dd8315f093e313d8c149e786eb19f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 23 Nov 2002 14:27:56 +0000 Subject: [merge from APP_HEAD] 90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2a6614e28e..eebe647ec0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -275,6 +275,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; time_t time_now = time(NULL); BOOL use_pdc_only = False; + BOOL list_ordered; /* * If the time the machine password has changed @@ -301,7 +302,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, count = 1; } else { - if (!get_dc_list(domain, &ip_list, &count)) + if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) return NT_STATUS_NO_LOGON_SERVERS; } @@ -310,7 +311,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * network address as any of our interfaces. */ for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) + if( !list_ordered && !is_local_net(ip_list[i]) ) continue; if(NT_STATUS_IS_OK(nt_status = -- cgit From 3ab6fcc5c6160d322bdfd2ca771dcf7954e92df7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 23 Nov 2002 14:52:34 +0000 Subject: [merge from APP_HEAD] 90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit 016ef8b36b30846311a5321803298f8e28719244) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2a6614e28e..eebe647ec0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -275,6 +275,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; time_t time_now = time(NULL); BOOL use_pdc_only = False; + BOOL list_ordered; /* * If the time the machine password has changed @@ -301,7 +302,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, count = 1; } else { - if (!get_dc_list(domain, &ip_list, &count)) + if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) return NT_STATUS_NO_LOGON_SERVERS; } @@ -310,7 +311,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * network address as any of our interfaces. */ for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) + if( !list_ordered && !is_local_net(ip_list[i]) ) continue; if(NT_STATUS_IS_OK(nt_status = -- cgit From f3e3a56ea9085b186af24b0b4e911863fd9ceacc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 29 Nov 2002 02:58:59 +0000 Subject: Merge a bunch of trivial changes from HEAD. The difference remaining should actual functional differences between HEAD and 3.0. - Mostly reformatting - Removal of unecessary #include "smb.h" - Merge of dyn_DRIVERFILE removal - Silly bug fix for python code (This used to be commit d3998307adc50ba50defe610cb656c73799ae3b9) --- source3/auth/auth_builtin.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index d54a8660b3..f55f662a40 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -41,8 +41,9 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; if (!(user_info->internal_username.str - && *user_info->internal_username.str)) + && *user_info->internal_username.str)) { nt_status = make_server_info_guest(server_info); + } return nt_status; } -- cgit From 969b569d84b0e9b147082ead68677f194d743e83 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 1 Dec 2002 03:11:53 +0000 Subject: Make it clear that we might not be talking to a PDC here. (This used to be commit 7d099e9a5b7164e8cdbdb93d8c4527f02c8bdefd) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index eebe647ec0..f3fd2284d2 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -212,7 +212,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ + DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ %s. Error was : %s.\n", remote_machine, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); -- cgit From 39c78bf516f4db59fd3c218f67d13dd658daf558 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 11 Dec 2002 23:54:40 +0000 Subject: Fixed auth module code. Added VALGRIND defines to reduce spurious warnings. Jeremy. (This used to be commit ec4ed45563f9d8e25fcfd88840944a90b3139c3e) --- source3/auth/auth.c | 99 ++++++++++++++++++++------------------------- source3/auth/auth_builtin.c | 27 +++++++------ 2 files changed, 58 insertions(+), 68 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 232d401a24..d730e39f44 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -61,8 +61,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) return auth_context->challenge.data; } - for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) - { + for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { if (auth_method->get_chal == NULL) { DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); continue; @@ -183,18 +182,18 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, auth_methods *auth_method; TALLOC_CTX *mem_ctx; - if (!user_info || !auth_context || !server_info) { + if (!user_info || !auth_context || !server_info) return NT_STATUS_LOGON_FAILURE; - } - DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); - DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); - if (auth_context->challenge_set_by) { - DEBUG(10, ("auth_context challenge created by %s\n", auth_context->challenge_set_by)); - } + if (auth_context->challenge_set_by) + DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n", + auth_context->challenge_set_by)); + DEBUG(10, ("challenge is: \n")); dump_data(5, auth_context->challenge.data, auth_context->challenge.length); @@ -208,37 +207,33 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, #endif /* This needs to be sorted: If it doesn't match, what should we do? */ - if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { + if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) return NT_STATUS_LOGON_FAILURE; - } - for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) - { + for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(3, ("check_password: %s authentication for user [%s] suceeded\n", + DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n", auth_method->name, user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: %s authentication for user [%s] FAILED with error %s\n", + DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n", auth_method->name, user_info->smb_name.str, nt_errstr(nt_status))); } talloc_destroy(mem_ctx); - if (NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(nt_status)) break; - } } /* This is one of the few places the *relies* (rather than just sets defaults on the value of lp_security(). This needs to change. A new paramater perhaps? */ - if (lp_security() >= SEC_SERVER) { + if (lp_security() >= SEC_SERVER) smb_user_control(user_info, *server_info, nt_status); - } if (NT_STATUS_IS_OK(nt_status)) { pdb_username = pdb_get_username((*server_info)->sam_account); @@ -249,17 +244,17 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", + DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] suceeded\n", pdb_username)); } else { - DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", + DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, nt_errstr(nt_status))); } } if (NT_STATUS_IS_OK(nt_status)) { DEBUG((*server_info)->guest ? 5 : 2, - ("check_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", + ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", (*server_info)->guest ? "guest " : "", user_info->smb_name.str, user_info->internal_username.str, @@ -268,7 +263,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(2, ("check_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, nt_errstr(nt_status))); ZERO_STRUCTP(server_info); @@ -282,9 +277,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, static void free_auth_context(struct auth_context **auth_context) { - if (*auth_context != NULL) { + if (*auth_context != NULL) talloc_destroy((*auth_context)->mem_ctx); - } *auth_context = NULL; } @@ -327,48 +321,43 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, NTSTATUS nt_status; if (!text_list) { - DEBUG(2,("No auth method list!?\n")); + DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); return NT_STATUS_UNSUCCESSFUL; } - if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) { + if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; - } - for (;*text_list; text_list++) - { - DEBUG(5,("Attempting to find an auth method to match %s\n", *text_list)); - for (i = 0; builtin_auth_init_functions[i].name; i++) - { - if (strequal(builtin_auth_init_functions[i].name, *text_list)) - { - - char *module_name = smb_xstrdup(*text_list); - char *module_params = NULL; - char *p; - - p = strchr(module_name, ':'); - - if (p) { - *p = 0; - - module_params = p+1; - - trim_string(module_params, " ", " "); - } - - trim_string(module_name, " ", " "); + for (;*text_list; text_list++) { + DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", + *text_list)); + for (i = 0; builtin_auth_init_functions[i].name; i++) { + char *module_name = smb_xstrdup(*text_list); + char *module_params = NULL; + char *p; + + p = strchr(module_name, ':'); + if (p) { + *p = 0; + module_params = p+1; + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); - DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); + if (strequal(builtin_auth_init_functions[i].name, module_name)) { + DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i)); if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) { - DEBUG(5,("auth method %s has a valid init\n", *text_list)); + DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", + *text_list)); DLIST_ADD_END(list, t, tmp); } else { - DEBUG(0,("auth method %s did not correctly init\n", *text_list)); + DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", + *text_list)); } - SAFE_FREE(module_name); break; } + SAFE_FREE(module_name); } } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index f55f662a40..32f39311dc 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -49,11 +49,11 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, } /* Guest modules initialisation */ + NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->auth = check_guest_security; (*auth_method)->name = "guest"; @@ -92,7 +92,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ strlower(user); error_num = strtoul(user, NULL, 16); - DEBUG(5,("Error for user %s was %lx\n", user, error_num)); + DEBUG(5,("check_name_to_ntstatus_security: Error for user %s was %lx\n", user, error_num)); nt_status = NT_STATUS(error_num); @@ -100,11 +100,11 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ } /** Module initailisation function */ + NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->auth = check_name_to_ntstatus_security; (*auth_method)->name = "name_to_ntstatus"; @@ -149,11 +149,11 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex /** Module initailisation function */ + NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->auth = check_fixed_challenge_security; (*auth_method)->get_chal = auth_get_fixed_challenge; @@ -168,6 +168,7 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char **/ /* Plugin modules initialisation */ + NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { void * dl_handle; @@ -175,7 +176,7 @@ NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_init_function plugin_init; if (param == NULL) { - DEBUG(0, ("The plugin module needs an argument!\n")); + DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n")); return NT_STATUS_UNSUCCESSFUL; } @@ -189,21 +190,21 @@ NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, trim_string(plugin_name, " ", " "); - DEBUG(5, ("Trying to load auth plugin %s\n", plugin_name)); + DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name)); dl_handle = sys_dlopen(plugin_name, RTLD_NOW ); if (!dl_handle) { - DEBUG(0, ("Failed to load auth plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); + DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n", + plugin_name, sys_dlerror())); return NT_STATUS_UNSUCCESSFUL; } plugin_init = sys_dlsym(dl_handle, "auth_init"); if (!plugin_init){ - DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n", + plugin_name, sys_dlerror())); return NT_STATUS_UNSUCCESSFUL; } DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)")); return plugin_init(auth_context, plugin_param, auth_method); } - - -- cgit From 7dd847ba9c10be196b5d02f9593c642666855470 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 11 Dec 2002 23:54:46 +0000 Subject: Fixed auth module code. Added VALGRIND defines to reduce spurious warnings. Jeremy. (This used to be commit ff3a8d37289216a2cb808406044a7abef1e564d0) --- source3/auth/auth.c | 99 ++++++++++++++++++++------------------------- source3/auth/auth_builtin.c | 27 +++++++------ 2 files changed, 58 insertions(+), 68 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 232d401a24..d730e39f44 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -61,8 +61,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) return auth_context->challenge.data; } - for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) - { + for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { if (auth_method->get_chal == NULL) { DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); continue; @@ -183,18 +182,18 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, auth_methods *auth_method; TALLOC_CTX *mem_ctx; - if (!user_info || !auth_context || !server_info) { + if (!user_info || !auth_context || !server_info) return NT_STATUS_LOGON_FAILURE; - } - DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); - DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); - if (auth_context->challenge_set_by) { - DEBUG(10, ("auth_context challenge created by %s\n", auth_context->challenge_set_by)); - } + if (auth_context->challenge_set_by) + DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n", + auth_context->challenge_set_by)); + DEBUG(10, ("challenge is: \n")); dump_data(5, auth_context->challenge.data, auth_context->challenge.length); @@ -208,37 +207,33 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, #endif /* This needs to be sorted: If it doesn't match, what should we do? */ - if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { + if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) return NT_STATUS_LOGON_FAILURE; - } - for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) - { + for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(3, ("check_password: %s authentication for user [%s] suceeded\n", + DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n", auth_method->name, user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: %s authentication for user [%s] FAILED with error %s\n", + DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n", auth_method->name, user_info->smb_name.str, nt_errstr(nt_status))); } talloc_destroy(mem_ctx); - if (NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(nt_status)) break; - } } /* This is one of the few places the *relies* (rather than just sets defaults on the value of lp_security(). This needs to change. A new paramater perhaps? */ - if (lp_security() >= SEC_SERVER) { + if (lp_security() >= SEC_SERVER) smb_user_control(user_info, *server_info, nt_status); - } if (NT_STATUS_IS_OK(nt_status)) { pdb_username = pdb_get_username((*server_info)->sam_account); @@ -249,17 +244,17 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", + DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] suceeded\n", pdb_username)); } else { - DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", + DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, nt_errstr(nt_status))); } } if (NT_STATUS_IS_OK(nt_status)) { DEBUG((*server_info)->guest ? 5 : 2, - ("check_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", + ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", (*server_info)->guest ? "guest " : "", user_info->smb_name.str, user_info->internal_username.str, @@ -268,7 +263,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(2, ("check_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, nt_errstr(nt_status))); ZERO_STRUCTP(server_info); @@ -282,9 +277,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, static void free_auth_context(struct auth_context **auth_context) { - if (*auth_context != NULL) { + if (*auth_context != NULL) talloc_destroy((*auth_context)->mem_ctx); - } *auth_context = NULL; } @@ -327,48 +321,43 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, NTSTATUS nt_status; if (!text_list) { - DEBUG(2,("No auth method list!?\n")); + DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); return NT_STATUS_UNSUCCESSFUL; } - if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) { + if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; - } - for (;*text_list; text_list++) - { - DEBUG(5,("Attempting to find an auth method to match %s\n", *text_list)); - for (i = 0; builtin_auth_init_functions[i].name; i++) - { - if (strequal(builtin_auth_init_functions[i].name, *text_list)) - { - - char *module_name = smb_xstrdup(*text_list); - char *module_params = NULL; - char *p; - - p = strchr(module_name, ':'); - - if (p) { - *p = 0; - - module_params = p+1; - - trim_string(module_params, " ", " "); - } - - trim_string(module_name, " ", " "); + for (;*text_list; text_list++) { + DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", + *text_list)); + for (i = 0; builtin_auth_init_functions[i].name; i++) { + char *module_name = smb_xstrdup(*text_list); + char *module_params = NULL; + char *p; + + p = strchr(module_name, ':'); + if (p) { + *p = 0; + module_params = p+1; + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); - DEBUG(5,("Found auth method %s (at pos %d)\n", *text_list, i)); + if (strequal(builtin_auth_init_functions[i].name, module_name)) { + DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i)); if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) { - DEBUG(5,("auth method %s has a valid init\n", *text_list)); + DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", + *text_list)); DLIST_ADD_END(list, t, tmp); } else { - DEBUG(0,("auth method %s did not correctly init\n", *text_list)); + DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", + *text_list)); } - SAFE_FREE(module_name); break; } + SAFE_FREE(module_name); } } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index f55f662a40..32f39311dc 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -49,11 +49,11 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, } /* Guest modules initialisation */ + NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->auth = check_guest_security; (*auth_method)->name = "guest"; @@ -92,7 +92,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ strlower(user); error_num = strtoul(user, NULL, 16); - DEBUG(5,("Error for user %s was %lx\n", user, error_num)); + DEBUG(5,("check_name_to_ntstatus_security: Error for user %s was %lx\n", user, error_num)); nt_status = NT_STATUS(error_num); @@ -100,11 +100,11 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ } /** Module initailisation function */ + NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->auth = check_name_to_ntstatus_security; (*auth_method)->name = "name_to_ntstatus"; @@ -149,11 +149,11 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex /** Module initailisation function */ + NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->auth = check_fixed_challenge_security; (*auth_method)->get_chal = auth_get_fixed_challenge; @@ -168,6 +168,7 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char **/ /* Plugin modules initialisation */ + NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { void * dl_handle; @@ -175,7 +176,7 @@ NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_init_function plugin_init; if (param == NULL) { - DEBUG(0, ("The plugin module needs an argument!\n")); + DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n")); return NT_STATUS_UNSUCCESSFUL; } @@ -189,21 +190,21 @@ NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, trim_string(plugin_name, " ", " "); - DEBUG(5, ("Trying to load auth plugin %s\n", plugin_name)); + DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name)); dl_handle = sys_dlopen(plugin_name, RTLD_NOW ); if (!dl_handle) { - DEBUG(0, ("Failed to load auth plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); + DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n", + plugin_name, sys_dlerror())); return NT_STATUS_UNSUCCESSFUL; } plugin_init = sys_dlsym(dl_handle, "auth_init"); if (!plugin_init){ - DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n", + plugin_name, sys_dlerror())); return NT_STATUS_UNSUCCESSFUL; } DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)")); return plugin_init(auth_context, plugin_param, auth_method); } - - -- cgit From f6c4f25e4319b47ac6c8dbf67a4b1c513148384c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 12 Dec 2002 23:35:55 +0000 Subject: merge of get_dc_name()-like code from APP_HEAD; better support password server = DC1 * (This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60) --- source3/auth/auth_domain.c | 100 +++++---------------------------------------- 1 file changed, 10 insertions(+), 90 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f3fd2284d2..79cf5b156d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -262,103 +262,23 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ -static NTSTATUS find_connect_pdc(struct cli_state **cli, +static NTSTATUS find_connect_dc(struct cli_state **cli, const char *domain, const char *setup_creds_as, uint16 sec_chan, unsigned char *trust_passwd, time_t last_change_time) { - struct in_addr *ip_list = NULL; - int count = 0; - int i; - NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - BOOL list_ordered; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (use_pdc_only) { - struct in_addr pdc_ip; - - if (!get_pdc_ip(domain, &pdc_ip)) - return NT_STATUS_NO_LOGON_SERVERS; - - if ((ip_list = (struct in_addr *) - malloc(sizeof(struct in_addr))) == NULL) - return NT_STATUS_NO_MEMORY; - - ip_list[0] = pdc_ip; - count = 1; - - } else { - if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) - return NT_STATUS_NO_LOGON_SERVERS; - } + struct in_addr dc_ip; + fstring srv_name; - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if( !list_ordered && !is_local_net(ip_list[i]) ) - continue; - - if(NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, - sec_chan, trust_passwd))) - break; - - zero_ip(&ip_list[i]); /* Tried and failed. */ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!NT_STATUS_IS_OK(nt_status)) { - i = (sys_random() % count); - - if (!is_zero_ip(ip_list[i])) { - if (!NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, - sec_chan, trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ - } - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!NT_STATUS_IS_OK(nt_status)) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if (is_zero_ip(ip_list[i])) - continue; - - if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, sec_chan, trust_passwd))) - break; - } + if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { + DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); + return NT_STATUS_NO_LOGON_SERVERS; } - - SAFE_FREE(ip_list); - return nt_status; + + return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, + sec_chan, trust_passwd ); } /*********************************************************************** @@ -393,7 +313,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); + nt_status = find_connect_dc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { int i; BOOL retry = True; -- cgit From 899b6e6d0facd1ef5865ce550fadd292514955d6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 13 Dec 2002 02:07:05 +0000 Subject: merge of get_dc_name()-like code from APP_HEAD; better support password server = DC1 * (This used to be commit f49de4c5176bf635ac080e082fda412066b466c8) --- source3/auth/auth_domain.c | 96 ++++------------------------------------------ 1 file changed, 8 insertions(+), 88 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index eebe647ec0..8c56b4484e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -262,103 +262,23 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ -static NTSTATUS find_connect_pdc(struct cli_state **cli, +static NTSTATUS find_connect_dc(struct cli_state **cli, const char *domain, const char *setup_creds_as, uint16 sec_chan, unsigned char *trust_passwd, time_t last_change_time) { - struct in_addr *ip_list = NULL; - int count = 0; - int i; - NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - BOOL list_ordered; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (use_pdc_only) { - struct in_addr pdc_ip; + struct in_addr dc_ip; + fstring srv_name; - if (!get_pdc_ip(domain, &pdc_ip)) - return NT_STATUS_NO_LOGON_SERVERS; - - if ((ip_list = (struct in_addr *) - malloc(sizeof(struct in_addr))) == NULL) - return NT_STATUS_NO_MEMORY; - - ip_list[0] = pdc_ip; - count = 1; - - } else { - if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) + if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { + DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if( !list_ordered && !is_local_net(ip_list[i]) ) - continue; - - if(NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, - sec_chan, trust_passwd))) - break; - - zero_ip(&ip_list[i]); /* Tried and failed. */ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!NT_STATUS_IS_OK(nt_status)) { - i = (sys_random() % count); - - if (!is_zero_ip(ip_list[i])) { - if (!NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, - sec_chan, trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ - } - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!NT_STATUS_IS_OK(nt_status)) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if (is_zero_ip(ip_list[i])) - continue; - - if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, sec_chan, trust_passwd))) - break; - } - } - - SAFE_FREE(ip_list); - return nt_status; + return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, + sec_chan, trust_passwd ); } /*********************************************************************** @@ -393,7 +313,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); + nt_status = find_connect_dc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { int i; BOOL retry = True; -- cgit From ef8bd7c4f7ae8192ea05db070962ecf0ff3615f3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 20 Dec 2002 20:21:31 +0000 Subject: Forward port the change to talloc_init() to make all talloc contexts named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84) --- source3/auth/auth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d730e39f44..dce14ed468 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -74,9 +74,9 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) continue; } - mem_ctx = talloc_init_named("auth_get_challenge for module %s", auth_method->name); + mem_ctx = talloc_init("auth_get_challenge for module %s", auth_method->name); if (!mem_ctx) { - smb_panic("talloc_init_named() failed!"); + smb_panic("talloc_init() failed!"); } challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); @@ -211,7 +211,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { - mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, + mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); @@ -290,7 +290,7 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) { TALLOC_CTX *mem_ctx; - mem_ctx = talloc_init_named("authentication context"); + mem_ctx = talloc_init("authentication context"); *auth_context = talloc(mem_ctx, sizeof(**auth_context)); if (!*auth_context) { -- cgit From 7f23546730e49569d41a5edd0c47bb559c4f812d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 20 Dec 2002 20:23:06 +0000 Subject: Forward port the change to talloc_init() to make all talloc contexts named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33) --- source3/auth/auth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d730e39f44..dce14ed468 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -74,9 +74,9 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) continue; } - mem_ctx = talloc_init_named("auth_get_challenge for module %s", auth_method->name); + mem_ctx = talloc_init("auth_get_challenge for module %s", auth_method->name); if (!mem_ctx) { - smb_panic("talloc_init_named() failed!"); + smb_panic("talloc_init() failed!"); } challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); @@ -211,7 +211,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { - mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, + mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); @@ -290,7 +290,7 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) { TALLOC_CTX *mem_ctx; - mem_ctx = talloc_init_named("authentication context"); + mem_ctx = talloc_init("authentication context"); *auth_context = talloc(mem_ctx, sizeof(**auth_context)); if (!*auth_context) { -- cgit From 0fdf60f0512f1a4443e315d764d59636c2075fe7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Dec 2002 23:53:56 +0000 Subject: Finish adding strings to all talloc_init() calls. Jeremy. (This used to be commit 784d15761c3271bfd602866f8f9f880dac77671c) --- source3/auth/auth_winbind.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index c6a1727ebe..e45e2c879f 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -127,9 +127,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* module initialisation */ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; -- cgit From 98ac4503aca8f5a5a4268d89791e9a4491ce8645 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Dec 2002 23:54:10 +0000 Subject: Finish adding strings to all talloc_init() calls. Jeremy. (This used to be commit aa8439a49ec4b9f433745fefa1e769e45398f4df) --- source3/auth/auth_winbind.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index c6a1727ebe..e45e2c879f 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -127,9 +127,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* module initialisation */ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; - } (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; -- cgit From 6d66fb308ab85bd9691d541764e683e6040cf724 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 2 Jan 2003 09:07:17 +0000 Subject: BIG patch... This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d) --- source3/auth/auth.c | 4 ++-- source3/auth/pampass.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dce14ed468..3c4448445a 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -25,7 +25,7 @@ /** List of various built-in authentication modules */ -const struct auth_init_function_entry builtin_auth_init_functions[] = { +static const struct auth_init_function_entry builtin_auth_init_functions[] = { { "guest", auth_init_guest }, { "rhosts", auth_init_rhosts }, { "hostsequiv", auth_init_hostsequiv }, @@ -52,7 +52,7 @@ const struct auth_init_function_entry builtin_auth_init_functions[] = { static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) { DATA_BLOB challenge = data_blob(NULL, 0); - char *challenge_set_by = NULL; + const char *challenge_set_by = NULL; auth_methods *auth_method; TALLOC_CTX *mem_ctx; diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 1a3e55dd44..045ceb7c72 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -65,7 +65,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp PAM error handler. *********************************************************************/ -static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { @@ -83,7 +83,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, *********************************************************************/ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, - char *msg, int dbglvl, + const char *msg, int dbglvl, NTSTATUS *nt_status) { *nt_status = pam_to_nt_status(pam_error); -- cgit From ff18825765440497a4eda97d6aaf7ff327db64bb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 2 Jan 2003 13:10:25 +0000 Subject: We already have one function to move unistr2 -> multibyte-static, so we don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5696b8f2dc..dd3f55539f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -953,27 +953,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)), PDB_CHANGED)) { + if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), PDB_CHANGED)) { + if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), PDB_CHANGED)) { + if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), PDB_CHANGED)) { + if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), PDB_CHANGED)) { + if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } -- cgit From 634c54310c92c48dd4eceec602e230a021bdcfc5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Jan 2003 08:28:12 +0000 Subject: Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c) --- source3/auth/auth.c | 4 ++-- source3/auth/pampass.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dce14ed468..3c4448445a 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -25,7 +25,7 @@ /** List of various built-in authentication modules */ -const struct auth_init_function_entry builtin_auth_init_functions[] = { +static const struct auth_init_function_entry builtin_auth_init_functions[] = { { "guest", auth_init_guest }, { "rhosts", auth_init_rhosts }, { "hostsequiv", auth_init_hostsequiv }, @@ -52,7 +52,7 @@ const struct auth_init_function_entry builtin_auth_init_functions[] = { static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) { DATA_BLOB challenge = data_blob(NULL, 0); - char *challenge_set_by = NULL; + const char *challenge_set_by = NULL; auth_methods *auth_method; TALLOC_CTX *mem_ctx; diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 1a3e55dd44..045ceb7c72 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -65,7 +65,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp PAM error handler. *********************************************************************/ -static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) +static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { @@ -83,7 +83,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, *********************************************************************/ static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, - char *msg, int dbglvl, + const char *msg, int dbglvl, NTSTATUS *nt_status) { *nt_status = pam_to_nt_status(pam_error); -- cgit From 302bffc08f4e0ff48dedd35c0580b143ab52671f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Jan 2003 08:57:51 +0000 Subject: Merge from HEAD - we already have one function for converting a unistr2 to a static 'unix' string, so we don't need a second pdb specific version. Andrew Bartlett (This used to be commit 91ca4771c6b834747b06fff21822a14e929de2c1) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5696b8f2dc..dd3f55539f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -953,27 +953,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)), PDB_CHANGED)) { + if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), PDB_CHANGED)) { + if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), PDB_CHANGED)) { + if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), PDB_CHANGED)) { + if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), PDB_CHANGED)) { + if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } -- cgit From db972ebb93d52624355191614a180b12a296a1c4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Jan 2003 08:59:34 +0000 Subject: Make it clear that the credentials are being setup on the NETLOGON channel, and may not be to our PDC (might be BDC, or trusted DC). Andrew Bartlett (This used to be commit 610be8d483f335226386f92b5e85ddeb07846d41) --- source3/auth/auth_domain.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8c56b4484e..79cf5b156d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -212,7 +212,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ + DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ %s. Error was : %s.\n", remote_machine, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); @@ -274,9 +274,9 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); - return NT_STATUS_NO_LOGON_SERVERS; + return NT_STATUS_NO_LOGON_SERVERS; } - + return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, sec_chan, trust_passwd ); } -- cgit From 9bc442abeb62c0a9985b43cf8475027ced7ec777 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 5 Jan 2003 07:32:08 +0000 Subject: Clear up the auth_sam password checking code (the core of our password checking routines). In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett (This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd) --- source3/auth/auth_sam.c | 91 +++++++++++++++++++++++++++++++------------------ 1 file changed, 58 insertions(+), 33 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 02f8511d6a..79fded870e 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -73,8 +73,11 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, return (memcmp(p24, nt_response.data, 24) == 0); } + /**************************************************************************** -core of smb password checking routine. +core of smb password checking routine. (NTLMv2, LMv2) + +Note: The same code works with both NTLMv2 and LMv2. ****************************************************************************/ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, const uchar *part_passwd, @@ -104,6 +107,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, } client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); + /* + todo: should we be checking this for anything? We can't for LMv2, + but for NTLMv2 it is meant to contain the current time etc. + */ + memcpy(client_response, ntv2_response.data, sizeof(client_response)); if (!ntv2_owf_gen(part_passwd, user, domain, kr)) { @@ -206,54 +214,71 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } else { DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - /* No return, we want to check the LM hash below in this case */ + /* no return, becouse we might pick up LMv2 in the LM feild */ } } - if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { - DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); - auth_flags &= (~AUTH_FLAG_LM_RESP); - } - if (auth_flags & AUTH_FLAG_LM_RESP) { - lm_pw = pdb_get_lanman_passwd(sampass); - if (user_info->lm_resp.length != 24) { DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass))); } if (!lp_lanman_auth()) { - DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_LOGON_FAILURE; + DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + } else if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { + DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); + } else { + lm_pw = pdb_get_lanman_passwd(sampass); + + DEBUG(4,("sam_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + lm_pw, auth_context->challenge, + user_sess_key)) + { + return NT_STATUS_OK; + } } + + if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) { + DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } - DEBUG(4,("sam_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp, - lm_pw, auth_context->challenge, - user_sess_key)) + nt_pw = pdb_get_nt_passwd(sampass); + + /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. + - related to Win9X, legacy NAS pass-though authentication + */ + DEBUG(4,("sam_password_ok: Checking LMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->lm_resp, + nt_pw, auth_context->challenge, + user_info->smb_name.str, + user_info->client_domain.str, + user_sess_key)) { return NT_STATUS_OK; - } else { - if (lp_ntlm_auth() && (!IS_SAM_DEFAULT(sampass, PDB_NTPASSWD))) { - nt_pw = pdb_get_nt_passwd(sampass); - /* Apparently NT accepts NT responses in the LM field - - I think this is related to Win9X pass-though authentication - */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp, - nt_pw, auth_context->challenge, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: NT MD4 password in LM field failed for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; - } + } + + /* Apparently NT accepts NT responses in the LM field + - I think this is related to Win9X pass-though authentication + */ + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); + if (lp_ntlm_auth()) + { + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + nt_pw, auth_context->challenge, + user_sess_key)) + { + return NT_STATUS_OK; } - DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; - } + } else { + DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } + } /* Should not be reached, but if they send nothing... */ -- cgit From 2d727ea5031df66ea3eaef531cd00617a226ae1e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 5 Jan 2003 08:09:16 +0000 Subject: Merge from HEAD - updates to correctly recognise LMv2, and NT# in LM feild. Andrew Bartlett (This used to be commit 32a1802a99a51b033eee034d3d2ce5cf409441dc) --- source3/auth/auth_sam.c | 91 +++++++++++++++++++++++++++++++------------------ 1 file changed, 58 insertions(+), 33 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 02f8511d6a..79fded870e 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -73,8 +73,11 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, return (memcmp(p24, nt_response.data, 24) == 0); } + /**************************************************************************** -core of smb password checking routine. +core of smb password checking routine. (NTLMv2, LMv2) + +Note: The same code works with both NTLMv2 and LMv2. ****************************************************************************/ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, const uchar *part_passwd, @@ -104,6 +107,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, } client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); + /* + todo: should we be checking this for anything? We can't for LMv2, + but for NTLMv2 it is meant to contain the current time etc. + */ + memcpy(client_response, ntv2_response.data, sizeof(client_response)); if (!ntv2_owf_gen(part_passwd, user, domain, kr)) { @@ -206,54 +214,71 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } else { DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - /* No return, we want to check the LM hash below in this case */ + /* no return, becouse we might pick up LMv2 in the LM feild */ } } - if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { - DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); - auth_flags &= (~AUTH_FLAG_LM_RESP); - } - if (auth_flags & AUTH_FLAG_LM_RESP) { - lm_pw = pdb_get_lanman_passwd(sampass); - if (user_info->lm_resp.length != 24) { DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass))); } if (!lp_lanman_auth()) { - DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_LOGON_FAILURE; + DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + } else if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { + DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); + } else { + lm_pw = pdb_get_lanman_passwd(sampass); + + DEBUG(4,("sam_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + lm_pw, auth_context->challenge, + user_sess_key)) + { + return NT_STATUS_OK; + } } + + if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) { + DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } - DEBUG(4,("sam_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp, - lm_pw, auth_context->challenge, - user_sess_key)) + nt_pw = pdb_get_nt_passwd(sampass); + + /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. + - related to Win9X, legacy NAS pass-though authentication + */ + DEBUG(4,("sam_password_ok: Checking LMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->lm_resp, + nt_pw, auth_context->challenge, + user_info->smb_name.str, + user_info->client_domain.str, + user_sess_key)) { return NT_STATUS_OK; - } else { - if (lp_ntlm_auth() && (!IS_SAM_DEFAULT(sampass, PDB_NTPASSWD))) { - nt_pw = pdb_get_nt_passwd(sampass); - /* Apparently NT accepts NT responses in the LM field - - I think this is related to Win9X pass-though authentication - */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp, - nt_pw, auth_context->challenge, - user_sess_key)) - { - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: NT MD4 password in LM field failed for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; - } + } + + /* Apparently NT accepts NT responses in the LM field + - I think this is related to Win9X pass-though authentication + */ + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); + if (lp_ntlm_auth()) + { + if (smb_pwd_check_ntlmv1(user_info->lm_resp, + nt_pw, auth_context->challenge, + user_sess_key)) + { + return NT_STATUS_OK; } - DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; - } + } else { + DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass))); + return NT_STATUS_WRONG_PASSWORD; + } + } /* Should not be reached, but if they send nothing... */ -- cgit From c9991fa1bfa16b3f272fcecd44922e0d4bba2d50 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 11 Jan 2003 12:24:19 +0000 Subject: Use size_t for the counter vars, to match the type they are assigned from (signed/unsigned mixup). Andrew Bartlett (This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dd3f55539f..744b4668aa 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -475,7 +475,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { fstring sid_str; - int i; + size_t i; if (!token) { DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); @@ -564,7 +564,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro sid_ndx = 5; /* next available spot */ for (i = 0; i < n_groupSIDs; i++) { - int check_sid_idx; + size_t check_sid_idx; for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { if (sid_equal(&ptoken->user_sids[check_sid_idx], &groupSIDs[i])) { @@ -867,7 +867,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *token; DOM_SID *all_group_SIDs; - int i; + size_t i; /* Here is where we should check the list of -- cgit From ac04f498a2b8ec6bc2eb06fb2f0db68c5aa2270b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Jan 2003 12:21:07 +0000 Subject: Fix to debian bug #171071 - we had the wrong dereference on the pointer to be Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld for the debug, stack and valgrind traces! Andrew Bartlett (This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 744b4668aa..ff0c392219 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -678,10 +678,10 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { - *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + *unix_groups = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); - SAFE_FREE(unix_groups); + SAFE_FREE(*unix_groups); passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } @@ -695,7 +695,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, *groups = malloc(sizeof(DOM_SID) * n_unix_groups); if (!*groups) { DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); - SAFE_FREE(unix_groups); + SAFE_FREE(*unix_groups); return NT_STATUS_NO_MEMORY; } } @@ -704,7 +704,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, for (i = 0; i < *n_groups; i++) { if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { - DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(groups); SAFE_FREE(unix_groups); return NT_STATUS_NO_SUCH_USER; -- cgit From e3293c7181525a069d2006c29792a1a805d93ee0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Jan 2003 12:48:37 +0000 Subject: Updates to our NTLMSSP code: This tries to extract our server-side code out of sessetup.c, and into a more general lib. I hope this is only a temporay resting place - I indend to refactor it again into an auth-subsystem independent lib, using callbacks. Move some of our our NTLMSSP #defines into a new file, and add two that I found in the COMsource docs - we seem to have a double-up, but I've verified from traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real. This code also copes with ASCII clients - not that we will ever see any here, but I hope to use this for HTTP, were we can get them. Win2k authenticates fine under forced ASCII, btw. Tested with Win2k, NTLMv2 and Samba's smbclient. Andrew Bartlett (This used to be commit b6641badcbb2fb3bfec9d00a6466318203ea33e1) --- source3/auth/auth.c | 10 +- source3/auth/auth_ntlmssp.c | 284 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 293 insertions(+), 1 deletion(-) create mode 100644 source3/auth/auth_ntlmssp.c (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 3c4448445a..5d56603b9f 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -57,7 +57,8 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) TALLOC_CTX *mem_ctx; if (auth_context->challenge.length) { - DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge (normal)\n")); + DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n", + auth_context->challenge_set_by)); return auth_context->challenge.data; } @@ -190,6 +191,12 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (auth_context->challenge.length != 8) { + DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n")); + return NT_STATUS_LOGON_FAILURE; + } + if (auth_context->challenge_set_by) DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n", auth_context->challenge_set_by)); @@ -441,6 +448,7 @@ NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[ } (*auth_context)->challenge = data_blob(chal, 8); + (*auth_context)->challenge_set_by = "fixed"; return nt_status; } diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c new file mode 100644 index 0000000000..f5e5c987ba --- /dev/null +++ b/source3/auth/auth_ntlmssp.c @@ -0,0 +1,284 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, server side + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001-2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state) +{ + NTSTATUS nt_status; + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_init("NTLMSSP context"); + + *ntlmssp_state = talloc_zero(mem_ctx, sizeof(**ntlmssp_state)); + if (!*ntlmssp_state) { + DEBUG(0,("ntlmssp_start: talloc failed!\n")); + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(*ntlmssp_state); + + (*ntlmssp_state)->mem_ctx = mem_ctx; + + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*ntlmssp_state)->auth_context))) { + return nt_status; + } + return NT_STATUS_OK; +} + +NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state) +{ + TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx; + if ((*ntlmssp_state)->auth_context) { + ((*ntlmssp_state)->auth_context->free)(&(*ntlmssp_state)->auth_context); + } + if ((*ntlmssp_state)->server_info) { + free_server_info(&(*ntlmssp_state)->server_info); + } + + talloc_destroy(mem_ctx); + return NT_STATUS_OK; +} + +NTSTATUS ntlmssp_server_update(NTLMSSP_STATE *ntlmssp_state, + DATA_BLOB request, DATA_BLOB *reply) +{ + uint32 ntlmssp_command; + + if (!msrpc_parse(&request, "Cd", + "NTLMSSP", + &ntlmssp_command)) { + return NT_STATUS_LOGON_FAILURE; + } + + if (ntlmssp_command == NTLMSSP_NEGOTIATE) { + return ntlmssp_negotiate(ntlmssp_state, request, reply); + } else if (ntlmssp_command == NTLMSSP_AUTH) { + return ntlmssp_auth(ntlmssp_state, request, reply); + } else { + return NT_STATUS_LOGON_FAILURE; + } +} + +static const char *ntlmssp_target_name(uint32 neg_flags, uint32 *chal_flags) +{ + if (neg_flags & NTLMSSP_REQUEST_TARGET) { + if (lp_server_role() == ROLE_STANDALONE) { + *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER; + return global_myname(); + } else { + *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN; + return lp_workgroup(); + }; + } else { + return ""; + } +} + +NTSTATUS ntlmssp_negotiate(NTLMSSP_STATE *ntlmssp_state, + DATA_BLOB request, DATA_BLOB *reply) +{ + DATA_BLOB struct_blob; + fstring dnsname, dnsdomname; + uint32 ntlmssp_command, neg_flags, chal_flags; + char *cliname=NULL, *domname=NULL; + const uint8 *cryptkey; + const char *target_name; + + /* parse the NTLMSSP packet */ +#if 0 + file_save("ntlmssp_negotiate.dat", request.data, request.length); +#endif + + if (!msrpc_parse(&request, "CddAA", + "NTLMSSP", + &ntlmssp_command, + &neg_flags, + &cliname, + &domname)) { + return NT_STATUS_LOGON_FAILURE; + } + + SAFE_FREE(cliname); + SAFE_FREE(domname); + + debug_ntlmssp_flags(neg_flags); + + cryptkey = ntlmssp_state->auth_context->get_ntlm_challenge(ntlmssp_state->auth_context); + + /* Give them the challenge. For now, ignore neg_flags and just + return the flags we want. Obviously this is not correct */ + + chal_flags = + NTLMSSP_NEGOTIATE_128 | + NTLMSSP_NEGOTIATE_NTLM | + NTLMSSP_CHAL_TARGET_INFO; + + if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) { + chal_flags |= NTLMSSP_NEGOTIATE_UNICODE; + ntlmssp_state->unicode = True; + } else { + chal_flags |= NTLMSSP_NEGOTIATE_OEM; + } + + target_name = ntlmssp_target_name(neg_flags, &chal_flags); + + dnsdomname[0] = '\0'; + get_mydomname(dnsdomname); + strlower(dnsdomname); + + dnsname[0] = '\0'; + get_myfullname(dnsname); + strlower(dnsname); + + /* the numbers here are the string type flags */ + msrpc_gen(&struct_blob, "aaaaa", + ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN, lp_workgroup(), + ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER, global_myname(), + ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsname, + ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER_DNS, dnsdomname, + ntlmssp_state->unicode, 0, ""); + + { + const char *gen_string; + if (ntlmssp_state->unicode) { + gen_string = "CdUdbddB"; + } else { + gen_string = "CdAdbddB"; + } + + msrpc_gen(reply, gen_string, + "NTLMSSP", + NTLMSSP_CHALLENGE, + target_name, + chal_flags, + cryptkey, 8, + 0, 0, + struct_blob.data, struct_blob.length); + } + + data_blob_free(&struct_blob); + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +NTSTATUS ntlmssp_auth(NTLMSSP_STATE *ntlmssp_state, + DATA_BLOB request, DATA_BLOB *reply) +{ + char *workgroup = NULL, *user = NULL, *machine = NULL; + DATA_BLOB lmhash, nthash, sess_key; + DATA_BLOB plaintext_password = data_blob(NULL, 0); + uint32 ntlmssp_command, neg_flags; + NTSTATUS nt_status; + uint32 auth_flags = AUTH_FLAG_NONE; + auth_usersupplied_info *user_info = NULL; + + const char *parse_string; + + /* parse the NTLMSSP packet */ +#if 0 + file_save("ntlmssp_auth.dat", request.data, request.length); +#endif + + if (ntlmssp_state->unicode) { + parse_string = "CdBBUUUBd"; + } else { + parse_string = "CdBBAAABd"; + } + + /* now the NTLMSSP encoded auth hashes */ + if (!msrpc_parse(&request, parse_string, + "NTLMSSP", + &ntlmssp_command, + &lmhash, + &nthash, + &workgroup, + &user, + &machine, + &sess_key, + &neg_flags)) { + return NT_STATUS_LOGON_FAILURE; + } + + data_blob_free(&sess_key); + + DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n", + user, workgroup, machine, lmhash.length, nthash.length)); + + /* the client has given us its machine name (which we otherwise would not get on port 445). + we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ + + set_remote_machine_name(machine); + + /* setup the string used by %U */ + sub_set_smb_name(user); + + reload_services(True); + +#if 0 + file_save("nthash1.dat", nthash.data, nthash.length); + file_save("lmhash1.dat", lmhash.data, lmhash.length); +#endif + + if (lmhash.length) { + auth_flags |= AUTH_FLAG_LM_RESP; + } + + if (nthash.length == 24) { + auth_flags |= AUTH_FLAG_NTLM_RESP; + } else if (nthash.length > 24) { + auth_flags |= AUTH_FLAG_NTLMv2_RESP; + }; + + + + nt_status = make_user_info_map(&user_info, user, workgroup, machine, + lmhash, nthash, plaintext_password, + auth_flags, True); + + ntlmssp_state->orig_user = talloc_strdup(ntlmssp_state->mem_ctx, user); + ntlmssp_state->orig_domain = talloc_strdup(ntlmssp_state->mem_ctx, workgroup); + + SAFE_FREE(user); + SAFE_FREE(workgroup); + SAFE_FREE(machine); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + nt_status = ntlmssp_state->auth_context->check_ntlm_password(ntlmssp_state->auth_context, user_info, &ntlmssp_state->server_info); + + (ntlmssp_state->auth_context->free)(&ntlmssp_state->auth_context); + + free_user_info(&user_info); + + data_blob_free(&lmhash); + + data_blob_free(&nthash); + + *reply = data_blob(NULL, 0); + + return nt_status; +} -- cgit From 8a78a0a27ae5fdf43f137ea3c9fcd6dc4862a70f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Jan 2003 13:11:36 +0000 Subject: Patch from metze to add what he feels is the correct semantics for a Domain Controller. As we have had a number of attempts at this over the last little while, I need to get my test rig going, and give this whole area a poke... Meanwhile, if you want to use this, just adjust your 'auth methods' line to use samstrict_dc... Andrew Bartlett (This used to be commit 18e598ec24493026008fcfe486057555b8832108) --- source3/auth/auth.c | 1 + source3/auth/auth_sam.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 5d56603b9f..2abdec3a39 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -31,6 +31,7 @@ static const struct auth_init_function_entry builtin_auth_init_functions[] = { { "hostsequiv", auth_init_hostsequiv }, { "sam", auth_init_sam }, { "samstrict", auth_init_samstrict }, + { "samstrict_dc", auth_init_samstrict_dc }, { "unix", auth_init_unix }, { "smbserver", auth_init_smbserver }, { "ntdomain", auth_init_ntdomain }, diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 79fded870e..9650dc0940 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context unless it is one of our aliases. */ if (!is_myname(user_info->domain.str)) { + DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); return NT_STATUS_NO_SUCH_USER; } @@ -498,4 +500,45 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } +/**************************************************************************** +Check SAM security (above) but with a few extra checks if we're a DC. +****************************************************************************/ + +static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + if (!user_info || !auth_context) { + return NT_STATUS_LOGON_FAILURE; + } + + /* If we are a domain member, we must not + attempt to check the password locally, + unless it is one of our aliases, empty + or our domain if we are a logon server.*/ + + + if ((!is_myworkgroup(user_info->domain.str))&& + (!is_myname(user_info->domain.str))) { + DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); + return NT_STATUS_NO_SUCH_USER; + } + + return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); +} + +/* module initialisation */ +NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->auth = check_samstrict_dc_security; + (*auth_method)->name = "samstrict_dc"; + return NT_STATUS_OK; +} -- cgit From 1276959d7c32b98f0115b008765772bf33c72eab Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Jan 2003 21:49:49 +0000 Subject: Always initialise this variable - and don't set the 'must change now' if it was last changed at '0'. We need to actually change this password sometime... Andrew Bartlett (This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b) --- source3/auth/auth_domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 79cf5b156d..b3f50072bc 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -432,7 +432,8 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* Test if machine password has expired and needs to be changed */ if (lp_machine_password_timeout()) { - if (time(NULL) > (last_change_time + + if (last_change_time > 0 && + time(NULL) > (last_change_time + lp_machine_password_timeout())) { global_machine_password_needs_changing = True; } -- cgit From 2467a2f0ce1a99f933773f295c8146c5cd3e66c0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 13 Jan 2003 23:07:26 +0000 Subject: Merge of indirection fixes from HEAD. Jeremy (This used to be commit 67a0b30f50aa323185cbcf3a9d39804239222480) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dd3f55539f..0a27e6176d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -681,7 +681,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); - SAFE_FREE(unix_groups); + SAFE_FREE(*unix_groups); passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } @@ -695,7 +695,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, *groups = malloc(sizeof(DOM_SID) * n_unix_groups); if (!*groups) { DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); - SAFE_FREE(unix_groups); + SAFE_FREE(*unix_groups); return NT_STATUS_NO_MEMORY; } } @@ -704,9 +704,9 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, for (i = 0; i < *n_groups; i++) { if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { - DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); - SAFE_FREE(groups); - SAFE_FREE(unix_groups); + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); + SAFE_FREE(*groups); + SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; } } -- cgit From 2ad16e942d46b0ee33612e3e7f7e228af9ed7138 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 13 Jan 2003 23:07:28 +0000 Subject: Missing indirect in final free. Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ff0c392219..5fdfd0694a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -705,8 +705,8 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, for (i = 0; i < *n_groups; i++) { if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); - SAFE_FREE(groups); - SAFE_FREE(unix_groups); + SAFE_FREE(*groups); + SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; } } -- cgit From 212077afa275b7111e2a28798affa9689dede2ba Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 14 Jan 2003 07:26:12 +0000 Subject: Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD. Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f) --- source3/auth/auth_domain.c | 3 ++- source3/auth/auth_util.c | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 79cf5b156d..b3f50072bc 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -432,7 +432,8 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* Test if machine password has expired and needs to be changed */ if (lp_machine_password_timeout()) { - if (time(NULL) > (last_change_time + + if (last_change_time > 0 && + time(NULL) > (last_change_time + lp_machine_password_timeout())) { global_machine_password_needs_changing = True; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0a27e6176d..5fdfd0694a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -475,7 +475,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { fstring sid_str; - int i; + size_t i; if (!token) { DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); @@ -564,7 +564,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro sid_ndx = 5; /* next available spot */ for (i = 0; i < n_groupSIDs; i++) { - int check_sid_idx; + size_t check_sid_idx; for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { if (sid_equal(&ptoken->user_sids[check_sid_idx], &groupSIDs[i])) { @@ -678,7 +678,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { - *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + *unix_groups = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); @@ -867,7 +867,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *token; DOM_SID *all_group_SIDs; - int i; + size_t i; /* Here is where we should check the list of -- cgit From 10abfb3f87cdbae204a5b49160ef8cbd9e56c090 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 15 Jan 2003 05:55:22 +0000 Subject: Crash fixes: - fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett (This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d) --- source3/auth/auth_ntlmssp.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index f5e5c987ba..f165322f7a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -58,6 +58,7 @@ NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state) } talloc_destroy(mem_ctx); + *ntlmssp_state = NULL; return NT_STATUS_OK; } -- cgit From d456bec06ef5f59e3b20907679a4f5783a3da45e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 15 Jan 2003 20:39:33 +0000 Subject: Missed auth_ntlmssp.c in last night's checkin. Also keep track of the current challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85) --- source3/auth/auth_ntlmssp.c | 303 ++++++++++++-------------------------------- 1 file changed, 78 insertions(+), 225 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index f165322f7a..ab594c19e3 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -23,263 +23,116 @@ #include "includes.h" -NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state) +static const uint8 *auth_ntlmssp_get_challenge(void *cookie) { - NTSTATUS nt_status; - TALLOC_CTX *mem_ctx; - - mem_ctx = talloc_init("NTLMSSP context"); - - *ntlmssp_state = talloc_zero(mem_ctx, sizeof(**ntlmssp_state)); - if (!*ntlmssp_state) { - DEBUG(0,("ntlmssp_start: talloc failed!\n")); - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - ZERO_STRUCTP(*ntlmssp_state); - - (*ntlmssp_state)->mem_ctx = mem_ctx; - - if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*ntlmssp_state)->auth_context))) { - return nt_status; - } - return NT_STATUS_OK; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = cookie; + return auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context); } -NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state) +static NTSTATUS auth_ntlmssp_check_password(void *cookie) { - TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx; - if ((*ntlmssp_state)->auth_context) { - ((*ntlmssp_state)->auth_context->free)(&(*ntlmssp_state)->auth_context); - } - if ((*ntlmssp_state)->server_info) { - free_server_info(&(*ntlmssp_state)->server_info); - } - - talloc_destroy(mem_ctx); - *ntlmssp_state = NULL; - return NT_STATUS_OK; -} - -NTSTATUS ntlmssp_server_update(NTLMSSP_STATE *ntlmssp_state, - DATA_BLOB request, DATA_BLOB *reply) -{ - uint32 ntlmssp_command; - - if (!msrpc_parse(&request, "Cd", - "NTLMSSP", - &ntlmssp_command)) { - return NT_STATUS_LOGON_FAILURE; - } + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = cookie; + uint32 auth_flags = AUTH_FLAG_NONE; + auth_usersupplied_info *user_info = NULL; + DATA_BLOB plaintext_password = data_blob(NULL, 0); + NTSTATUS nt_status; - if (ntlmssp_command == NTLMSSP_NEGOTIATE) { - return ntlmssp_negotiate(ntlmssp_state, request, reply); - } else if (ntlmssp_command == NTLMSSP_AUTH) { - return ntlmssp_auth(ntlmssp_state, request, reply); - } else { - return NT_STATUS_LOGON_FAILURE; + if (auth_ntlmssp_state->ntlmssp_state->lm_resp.length) { + auth_flags |= AUTH_FLAG_LM_RESP; } -} -static const char *ntlmssp_target_name(uint32 neg_flags, uint32 *chal_flags) -{ - if (neg_flags & NTLMSSP_REQUEST_TARGET) { - if (lp_server_role() == ROLE_STANDALONE) { - *chal_flags |= NTLMSSP_TARGET_TYPE_SERVER; - return global_myname(); - } else { - *chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN; - return lp_workgroup(); - }; - } else { - return ""; - } -} + if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length == 24) { + auth_flags |= AUTH_FLAG_NTLM_RESP; + } else if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length > 24) { + auth_flags |= AUTH_FLAG_NTLMv2_RESP; + }; -NTSTATUS ntlmssp_negotiate(NTLMSSP_STATE *ntlmssp_state, - DATA_BLOB request, DATA_BLOB *reply) -{ - DATA_BLOB struct_blob; - fstring dnsname, dnsdomname; - uint32 ntlmssp_command, neg_flags, chal_flags; - char *cliname=NULL, *domname=NULL; - const uint8 *cryptkey; - const char *target_name; + /* the client has given us its machine name (which we otherwise would not get on port 445). + we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ - /* parse the NTLMSSP packet */ -#if 0 - file_save("ntlmssp_negotiate.dat", request.data, request.length); -#endif + set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation); - if (!msrpc_parse(&request, "CddAA", - "NTLMSSP", - &ntlmssp_command, - &neg_flags, - &cliname, - &domname)) { - return NT_STATUS_LOGON_FAILURE; - } + /* setup the string used by %U */ + /* sub_set_smb_name checks for weird internally */ + sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user); - SAFE_FREE(cliname); - SAFE_FREE(domname); - - debug_ntlmssp_flags(neg_flags); + reload_services(True); - cryptkey = ntlmssp_state->auth_context->get_ntlm_challenge(ntlmssp_state->auth_context); + nt_status = make_user_info_map(&user_info, + auth_ntlmssp_state->ntlmssp_state->user, + auth_ntlmssp_state->ntlmssp_state->domain, + auth_ntlmssp_state->ntlmssp_state->workstation, + auth_ntlmssp_state->ntlmssp_state->lm_resp, + auth_ntlmssp_state->ntlmssp_state->nt_resp, + plaintext_password, + auth_flags, True); - /* Give them the challenge. For now, ignore neg_flags and just - return the flags we want. Obviously this is not correct */ - - chal_flags = - NTLMSSP_NEGOTIATE_128 | - NTLMSSP_NEGOTIATE_NTLM | - NTLMSSP_CHAL_TARGET_INFO; - - if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) { - chal_flags |= NTLMSSP_NEGOTIATE_UNICODE; - ntlmssp_state->unicode = True; - } else { - chal_flags |= NTLMSSP_NEGOTIATE_OEM; + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } - target_name = ntlmssp_target_name(neg_flags, &chal_flags); - - dnsdomname[0] = '\0'; - get_mydomname(dnsdomname); - strlower(dnsdomname); - - dnsname[0] = '\0'; - get_myfullname(dnsname); - strlower(dnsname); - - /* the numbers here are the string type flags */ - msrpc_gen(&struct_blob, "aaaaa", - ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN, lp_workgroup(), - ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER, global_myname(), - ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsname, - ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER_DNS, dnsdomname, - ntlmssp_state->unicode, 0, ""); - - { - const char *gen_string; - if (ntlmssp_state->unicode) { - gen_string = "CdUdbddB"; - } else { - gen_string = "CdAdbddB"; - } - - msrpc_gen(reply, gen_string, - "NTLMSSP", - NTLMSSP_CHALLENGE, - target_name, - chal_flags, - cryptkey, 8, - 0, 0, - struct_blob.data, struct_blob.length); - } - - data_blob_free(&struct_blob); + nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, user_info, &auth_ntlmssp_state->server_info); + + free_user_info(&user_info); - return NT_STATUS_MORE_PROCESSING_REQUIRED; + return nt_status; } -NTSTATUS ntlmssp_auth(NTLMSSP_STATE *ntlmssp_state, - DATA_BLOB request, DATA_BLOB *reply) +NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) { - char *workgroup = NULL, *user = NULL, *machine = NULL; - DATA_BLOB lmhash, nthash, sess_key; - DATA_BLOB plaintext_password = data_blob(NULL, 0); - uint32 ntlmssp_command, neg_flags; NTSTATUS nt_status; - uint32 auth_flags = AUTH_FLAG_NONE; - auth_usersupplied_info *user_info = NULL; - - const char *parse_string; - - /* parse the NTLMSSP packet */ -#if 0 - file_save("ntlmssp_auth.dat", request.data, request.length); -#endif - - if (ntlmssp_state->unicode) { - parse_string = "CdBBUUUBd"; - } else { - parse_string = "CdBBAAABd"; - } - - /* now the NTLMSSP encoded auth hashes */ - if (!msrpc_parse(&request, parse_string, - "NTLMSSP", - &ntlmssp_command, - &lmhash, - &nthash, - &workgroup, - &user, - &machine, - &sess_key, - &neg_flags)) { - return NT_STATUS_LOGON_FAILURE; - } + TALLOC_CTX *mem_ctx; - data_blob_free(&sess_key); + mem_ctx = talloc_init("AUTH NTLMSSP context"); - DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n", - user, workgroup, machine, lmhash.length, nthash.length)); - - /* the client has given us its machine name (which we otherwise would not get on port 445). - we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ - - set_remote_machine_name(machine); - - /* setup the string used by %U */ - sub_set_smb_name(user); + *auth_ntlmssp_state = talloc_zero(mem_ctx, sizeof(**auth_ntlmssp_state)); + if (!*auth_ntlmssp_state) { + DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; + } - reload_services(True); + ZERO_STRUCTP(*auth_ntlmssp_state); -#if 0 - file_save("nthash1.dat", nthash.data, nthash.length); - file_save("lmhash1.dat", lmhash.data, lmhash.length); -#endif + (*auth_ntlmssp_state)->mem_ctx = mem_ctx; - if (lmhash.length) { - auth_flags |= AUTH_FLAG_LM_RESP; + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_start(&(*auth_ntlmssp_state)->ntlmssp_state))) { + return nt_status; } - if (nthash.length == 24) { - auth_flags |= AUTH_FLAG_NTLM_RESP; - } else if (nthash.length > 24) { - auth_flags |= AUTH_FLAG_NTLMv2_RESP; - }; - - + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) { + return nt_status; + } - nt_status = make_user_info_map(&user_info, user, workgroup, machine, - lmhash, nthash, plaintext_password, - auth_flags, True); + (*auth_ntlmssp_state)->ntlmssp_state->auth_context = (*auth_ntlmssp_state); + (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge; + (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password; - ntlmssp_state->orig_user = talloc_strdup(ntlmssp_state->mem_ctx, user); - ntlmssp_state->orig_domain = talloc_strdup(ntlmssp_state->mem_ctx, workgroup); + return NT_STATUS_OK; +} - SAFE_FREE(user); - SAFE_FREE(workgroup); - SAFE_FREE(machine); +NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) +{ + TALLOC_CTX *mem_ctx = (*auth_ntlmssp_state)->mem_ctx; - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; + if ((*auth_ntlmssp_state)->ntlmssp_state) { + ntlmssp_server_end(&(*auth_ntlmssp_state)->ntlmssp_state); + } + if ((*auth_ntlmssp_state)->auth_context) { + ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context); + } + if ((*auth_ntlmssp_state)->server_info) { + free_server_info(&(*auth_ntlmssp_state)->server_info); } - nt_status = ntlmssp_state->auth_context->check_ntlm_password(ntlmssp_state->auth_context, user_info, &ntlmssp_state->server_info); - - (ntlmssp_state->auth_context->free)(&ntlmssp_state->auth_context); - - free_user_info(&user_info); - - data_blob_free(&lmhash); - - data_blob_free(&nthash); - - *reply = data_blob(NULL, 0); + talloc_destroy(mem_ctx); + *auth_ntlmssp_state = NULL; + return NT_STATUS_OK; +} - return nt_status; +NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, + DATA_BLOB request, DATA_BLOB *reply) +{ + return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply); } + -- cgit From d92b21280edba86b69d3da38bc87d0390c0a3e7f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 16 Jan 2003 03:29:54 +0000 Subject: Updates to the NTLMSSP code again - moving the base64 decode fuctionality out of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99) --- source3/auth/auth_ntlmssp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index ab594c19e3..3e650a7a2a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -23,15 +23,15 @@ #include "includes.h" -static const uint8 *auth_ntlmssp_get_challenge(void *cookie) +static const uint8 *auth_ntlmssp_get_challenge(struct ntlmssp_state *ntlmssp_state) { - AUTH_NTLMSSP_STATE *auth_ntlmssp_state = cookie; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; return auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context); } -static NTSTATUS auth_ntlmssp_check_password(void *cookie) +static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state) { - AUTH_NTLMSSP_STATE *auth_ntlmssp_state = cookie; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; uint32 auth_flags = AUTH_FLAG_NONE; auth_usersupplied_info *user_info = NULL; DATA_BLOB plaintext_password = data_blob(NULL, 0); @@ -107,6 +107,7 @@ NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) (*auth_ntlmssp_state)->ntlmssp_state->auth_context = (*auth_ntlmssp_state); (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge; (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password; + (*auth_ntlmssp_state)->ntlmssp_state->server_role = lp_server_role(); return NT_STATUS_OK; } -- cgit From 1cba0a757970ffd8b81d61c88965010968ab3eff Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 28 Jan 2003 12:07:02 +0000 Subject: Merge from HEAD: - NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e) --- source3/auth/auth.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 3c4448445a..5d56603b9f 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -57,7 +57,8 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) TALLOC_CTX *mem_ctx; if (auth_context->challenge.length) { - DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge (normal)\n")); + DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n", + auth_context->challenge_set_by)); return auth_context->challenge.data; } @@ -190,6 +191,12 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n", user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (auth_context->challenge.length != 8) { + DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n")); + return NT_STATUS_LOGON_FAILURE; + } + if (auth_context->challenge_set_by) DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n", auth_context->challenge_set_by)); @@ -441,6 +448,7 @@ NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[ } (*auth_context)->challenge = data_blob(chal, 8); + (*auth_context)->challenge_set_by = "fixed"; return nt_status; } -- cgit From b694d0ff5321e622b79d69fc6827ef7c96ebdb9e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 4 Feb 2003 10:08:45 +0000 Subject: Merge HEAD: check both the account and password... Andrew Bartlett (This used to be commit 830de56bf2f47412acfebf6c6353ab4b98c8517e) --- source3/auth/auth_sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 79fded870e..e2208e1455 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -420,13 +420,13 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, nt_status = sam_account_ok(mem_ctx, sampass, user_info); - nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); - if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; } + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); + if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; -- cgit From 8a20407442efa0f9fe43e1b1c61140a0771c6ff8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 10 Feb 2003 11:47:21 +0000 Subject: Cleanups: (merge from HEAD) - use safe_strcpy() instead of pstrcpy() for malloc()ed strings - CUPS: a failure in an attempt to automaticly add a printer is not level 0 stuff. - Fix up a possible Realloc() failure segfault Andrew Bartlett (This used to be commit c1cfc296c2efdb2b5972202146e80f0e3b6a3da4) --- source3/auth/auth_ntlmssp.c | 1 - source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 12 ++++++++++-- source3/auth/pass_check.c | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 3e650a7a2a..43542b2474 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -125,7 +125,6 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) if ((*auth_ntlmssp_state)->server_info) { free_server_info(&(*auth_ntlmssp_state)->server_info); } - talloc_destroy(mem_ctx); *auth_ntlmssp_state = NULL; return NT_STATUS_OK; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 1251432b87..4f44767a81 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -106,7 +106,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, unbecome_root(); - if NT_STATUS_IS_OK(nt_status) { + if (NT_STATUS_IS_OK(nt_status)) { if (pass) { make_server_info_pw(server_info, pass); } else { diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5fdfd0694a..bbe0c7cf43 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -671,14 +671,22 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, }; n_unix_groups = groups_max(); - if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { + if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); passwd_free(&usr); return NT_STATUS_NO_MEMORY; } if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { - *unix_groups = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); + gid_t *groups_tmp; + groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); + if (!groups_tmp) { + SAFE_FREE(*unix_groups); + passwd_free(&usr); + return NT_STATUS_NO_MEMORY; + } + *unix_groups = groups_tmp; + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index e1783bfd1e..88b82e3474 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -579,7 +579,7 @@ static NTSTATUS password_check(const char *password) } #endif /* HAVE_CRYPT */ #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ -#endif /* WITH_PAM || KRB4_AUTH || KRB5_AUTH */ +#endif /* WITH_PAM */ } -- cgit From 8fc1f1aead6db996a6d96efdc5f81779afc9c8d2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 14 Feb 2003 22:55:46 +0000 Subject: Ensure that only parse_prs.c access internal members of the prs_struct. Needed to move to disk based i/o later. Jeremy. (This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5) --- source3/auth/auth_winbind.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index e45e2c879f..5e1567d3c1 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -36,8 +36,8 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { return NT_STATUS_NO_MEMORY; } - prs_append_data(&ps, info3_ndr, len); - ps.data_offset = 0; + prs_copy_data_in(&ps, info3_ndr, len); + prs_set_offset(&ps,0); if (!net_io_user_info3("", info3, &ps, 1, 3)) { DEBUG(2, ("get_info3_from_ndr: could not parse info3 struct!\n")); return NT_STATUS_UNSUCCESSFUL; -- cgit From 7f204e07ae56d2727702b5e375ffd7d2f7f65ca9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 16 Feb 2003 22:23:33 +0000 Subject: Merge from HEAD - allow "" as a domain in the NLTMv2 hash calculations. Fixes interop with clients not in our domain. Andrew Bartlett (This used to be commit 6aa3aba3db604d481dc96c3befe066938cb1b0f3) --- source3/auth/auth_sam.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index e2208e1455..b309833440 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -184,7 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ - DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n")); + DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str)); if (smb_pwd_check_ntlmv2( user_info->nt_resp, nt_pw, auth_context->challenge, user_info->smb_name.str, @@ -192,6 +192,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, user_sess_key)) { return NT_STATUS_OK; + } + + DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp, + nt_pw, auth_context->challenge, + user_info->smb_name.str, + "", + user_sess_key)) + { + return NT_STATUS_OK; } else { DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); return NT_STATUS_WRONG_PASSWORD; @@ -250,7 +260,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. - related to Win9X, legacy NAS pass-though authentication */ - DEBUG(4,("sam_password_ok: Checking LMv2 password\n")); + DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str)); if (smb_pwd_check_ntlmv2( user_info->lm_resp, nt_pw, auth_context->challenge, user_info->smb_name.str, @@ -260,6 +270,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, return NT_STATUS_OK; } + DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n")); + if (smb_pwd_check_ntlmv2( user_info->lm_resp, + nt_pw, auth_context->challenge, + user_info->smb_name.str, + "", + user_sess_key)) + { + return NT_STATUS_OK; + } + /* Apparently NT accepts NT responses in the LM field - I think this is related to Win9X pass-though authentication */ -- cgit From e72ecdc862804339912325fe848401e8ec57cde7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Feb 2003 02:35:54 +0000 Subject: Merge of server-side authentication changes to 3.0: - user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060) --- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_rhosts.c | 68 +++++++++++++++++++++++------------------ source3/auth/auth_util.c | 73 +++++++++++++++++++++++++++++---------------- 3 files changed, 87 insertions(+), 56 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 43542b2474..d32d248296 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) } NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, - DATA_BLOB request, DATA_BLOB *reply) + const DATA_BLOB request, DATA_BLOB *reply) { return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply); } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 4ed0e6bbc4..5451f7d930 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -129,23 +129,19 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e return False; } - /**************************************************************************** check for a possible hosts equiv or rhosts entry for the user ****************************************************************************/ -static BOOL check_hosts_equiv(struct passwd *pass) +static BOOL check_hosts_equiv(SAM_ACCOUNT *account) { char *fname = NULL; - if (!pass) - return(False); - fname = lp_hosts_equiv(); /* note: don't allow hosts.equiv on root */ - if (fname && *fname && (pass->pw_uid != 0)) { - if (check_user_equiv(pass->pw_name,client_name(),fname)) + if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) { + if (check_user_equiv(pdb_get_username(account),client_name(),fname)) return(True); } @@ -164,15 +160,18 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - struct passwd *pass = Get_Pwnam(user_info->internal_username.str); - - if (pass) { - if (check_hosts_equiv(pass)) { - nt_status = NT_STATUS_OK; - make_server_info_pw(server_info, pass); - } + SAM_ACCOUNT *account = NULL; + if (!NT_STATUS_IS_OK(nt_status = + auth_get_sam_account(user_info->internal_username.str, + &account))) { + return nt_status; + } + + if (check_hosts_equiv(account)) { + nt_status = make_server_info_sam(server_info, account); } else { - nt_status = NT_STATUS_NO_SUCH_USER; + pdb_free_sam(&account); + nt_status = NT_STATUS_LOGON_FAILURE; } return nt_status; @@ -186,6 +185,7 @@ NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* par } (*auth_method)->auth = check_hostsequiv_security; + (*auth_method)->name = "hostsequiv"; return NT_STATUS_OK; } @@ -201,24 +201,33 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - struct passwd *pass = Get_Pwnam(user_info->internal_username.str); + SAM_ACCOUNT *account = NULL; pstring rhostsfile; + const char *home; - if (pass) { - char *home = pass->pw_dir; - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - become_root(); - if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) { - nt_status = NT_STATUS_OK; - make_server_info_pw(server_info, pass); - } - unbecome_root(); - } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(nt_status = + auth_get_sam_account(user_info->internal_username.str, + &account))) { + return nt_status; } + home = pdb_get_unix_homedir(account); + + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + become_root(); + if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { + nt_status = make_server_info_sam(server_info, account); + } else { + pdb_free_sam(&account); + nt_status = NT_STATUS_LOGON_FAILURE; + } + unbecome_root(); + } else { + pdb_free_sam(&account); + nt_status = NT_STATUS_LOGON_FAILURE; + } + return nt_status; } @@ -230,5 +239,6 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, } (*auth_method)->auth = check_rhosts_security; + (*auth_method)->name = "rhosts"; return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bbe0c7cf43..7d85153bd0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -77,6 +77,36 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli } } +/**************************************************************************** + Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from + unix info. +****************************************************************************/ + +NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) +{ + BOOL pdb_ret; + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { + return nt_status; + } + + become_root(); + pdb_ret = pdb_getsampwnam(*account, user); + unbecome_root(); + + if (!pdb_ret) { + + struct passwd *pass = Get_Pwnam(user); + if (!pass) + return NT_STATUS_NO_SUCH_USER; + + if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { + return nt_status; + } + } + return NT_STATUS_OK; +} + /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ @@ -641,34 +671,25 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, +static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, int *n_groups, DOM_SID **groups, gid_t **unix_groups) { uid_t uid; - enum SID_NAME_USE snu; - fstring str; + gid_t gid; int n_unix_groups; int i; struct passwd *usr; - + *n_groups = 0; *groups = NULL; - - if (!sid_to_uid(user_sid, &uid, &snu)) { - DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", - sid_to_string(str, user_sid))); - /* This might be a non-unix account */ - return NT_STATUS_OK; - } - /* - * This is _essential_ to prevent occasional segfaults when - * winbind can't find uid -> username mapping - */ - if (!(usr = getpwuid_alloc(uid))) { - DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid)); + if (!IS_SAM_UNIX_USER(sampass)) { + DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); return NT_STATUS_NO_SUCH_USER; - }; + } + + uid = pdb_get_uid(sampass); + gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { @@ -677,7 +698,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, return NT_STATUS_NO_MEMORY; } - if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { gid_t *groups_tmp; groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { @@ -687,7 +708,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } *unix_groups = groups_tmp; - if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); passwd_free(&usr); @@ -695,9 +716,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } } - debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups); - - passwd_free(&usr); + debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); if (n_unix_groups > 0) { *groups = malloc(sizeof(DOM_SID) * n_unix_groups); @@ -763,7 +782,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + = get_user_groups_from_local_sam(sampass, &n_groupSIDs, &groupSIDs, &unix_groups))) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); @@ -838,7 +857,9 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) nt_status = make_server_info_sam(server_info, sampass); - (*server_info)->guest = True; + if (NT_STATUS_IS_OK(nt_status)) { + (*server_info)->guest = True; + } return nt_status; } @@ -996,7 +1017,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(&user_sid, + = get_user_groups_from_local_sam(sam_account, &n_lgroupSIDs, &lgroupSIDs, &unix_groups))) -- cgit From 45d3e78547cb2024d9cf7bf1fc838dd33ad8126b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 17 Mar 2003 22:42:56 +0000 Subject: Mege from HEAD - doxygen. (This used to be commit 04a5cbc8964386774acdca759b4cfaded068c8f2) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b3f50072bc..0d90a184a4 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -115,7 +115,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, * @param cli the cli to return containing the active connection * @param server either a machine name or text IP address to * connect to. - * @param trust_password the trust password to establish the + * @param trust_passwd the trust password to establish the * credentials with. * **/ -- cgit From 395b8937ac3ad49faf65f4938212f7fa283c9da6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 17 Mar 2003 22:43:57 +0000 Subject: Merge from HEAD - doxygen (This used to be commit 7a2566f2e922191e691b6dafb1a09e22913cccd6) --- source3/auth/auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 5d56603b9f..126a712fbd 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -161,8 +161,8 @@ static BOOL check_domain_match(const char *user, const char *domain) * @param user_info Contains the user supplied components, including the passwords. * Must be created with make_user_info() or one of its wrappers. * - * @param auth_info Supplies the challenges and some other data. - * Must be created with make_auth_info(), and the challenges should be + * @param auth_context Supplies the challenges and some other data. + * Must be created with make_auth_context(), and the challenges should be * filled in, either at creation or by calling the challenge geneation * function auth_get_challenge(). * -- cgit From cdc6fc8acb24645ccd0f2862741c9ea9e1c02829 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 18 Mar 2003 09:52:55 +0000 Subject: Add an extra parameter to our 'set_remote_machine_name' and 'set_local_machine_name' so that the client can't change it from under us. (.NET RC2 and WinXP install calls the machine 'machinename' during NTLMSSP on the domain join). Andrew Bartlett (This used to be commit 4c7163e7c2cc09bd95faa05156ee480957a7a4d8) --- source3/auth/auth_ntlmssp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index d32d248296..a381219d74 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -50,7 +50,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state) /* the client has given us its machine name (which we otherwise would not get on port 445). we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ - set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation); + set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation, True); /* setup the string used by %U */ /* sub_set_smb_name checks for weird internally */ -- cgit From 702e76dd3ed8bc64e8869ce435cf4ed154266551 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 19 Mar 2003 15:24:17 +0000 Subject: Fix some comment typos (This used to be commit 051b33e98f94ad09b4d8816a88e78715e7dc2a5e) --- source3/auth/auth_builtin.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 32f39311dc..3b0b84b525 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -99,7 +99,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ return nt_status; } -/** Module initailisation function */ +/** Module initialisation function */ NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { @@ -112,7 +112,7 @@ NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const cha } /** - * Return a 'fixed' challenge instead of a varaible one. + * Return a 'fixed' challenge instead of a variable one. * * The idea of this function is to make packet snifs consistant * with a fixed challenge, so as to aid debugging. -- cgit From 53beee9e5675a59c67d9ecfbaec50dca4ac01750 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Mar 2003 09:54:13 +0000 Subject: (merge from HEAD) NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664) --- source3/auth/auth_domain.c | 7 ------- source3/auth/auth_util.c | 3 +++ 2 files changed, 3 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0d90a184a4..534af2257d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -350,13 +350,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); -#if 0 - /* The stuff doesn't work right yet */ - SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key)); - memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */); - SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key)); -#endif - uni_group_cache_store_netlogon(mem_ctx, &info3); } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d85153bd0..d0f1fc1e34 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1083,6 +1083,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, SAFE_FREE(all_group_SIDs); + memcpy((*server_info)->session_key, info3->user_sess_key, sizeof((*server_info)->session_key)/* 16 */); + memcpy((*server_info)->first_8_lm_hash, info3->padding, 8); + return NT_STATUS_OK; } -- cgit From 11fb38cfb8fd25783f54cba882e3e9968bd62a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 14 Apr 2003 21:19:18 +0000 Subject: Fix typo (This used to be commit 738a2b055a0757002e8cdcbf744c8663e0e26bc2) --- source3/auth/auth_builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 3b0b84b525..a19c532fc9 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -1,6 +1,6 @@ /* Unix SMB/CIFS implementation. - Generic authenticaion types + Generic authentication types Copyright (C) Andrew Bartlett 2001-2002 Copyright (C) Jelmer Vernooij 2002 -- cgit From a8c95d79f83b4097ee20d5f3f1005c38ccf00186 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 16 Apr 2003 12:13:07 +0000 Subject: Add support for the new modules system to auth/ (merge from HEAD) (This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9) --- source3/auth/auth.c | 100 ++++++++++++++++++++++++++++---------------- source3/auth/auth_builtin.c | 52 ++++------------------- source3/auth/auth_domain.c | 9 +++- source3/auth/auth_rhosts.c | 7 ++++ source3/auth/auth_sam.c | 7 +++- source3/auth/auth_server.c | 5 +++ source3/auth/auth_unix.c | 4 ++ source3/auth/auth_winbind.c | 5 +++ 8 files changed, 105 insertions(+), 84 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 126a712fbd..71e9ab0428 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -23,26 +23,45 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -/** List of various built-in authentication modules */ - -static const struct auth_init_function_entry builtin_auth_init_functions[] = { - { "guest", auth_init_guest }, - { "rhosts", auth_init_rhosts }, - { "hostsequiv", auth_init_hostsequiv }, - { "sam", auth_init_sam }, - { "samstrict", auth_init_samstrict }, - { "unix", auth_init_unix }, - { "smbserver", auth_init_smbserver }, - { "ntdomain", auth_init_ntdomain }, - { "trustdomain", auth_init_trustdomain }, - { "winbind", auth_init_winbind }, -#ifdef DEVELOPER - { "name_to_ntstatus", auth_init_name_to_ntstatus }, - { "fixed_challenge", auth_init_fixed_challenge }, -#endif - { "plugin", auth_init_plugin }, - { NULL, NULL} -}; +static struct auth_init_function_entry *backends = NULL; + +BOOL smb_register_auth(const char *name, auth_init_function init, int version) +{ + struct auth_init_function_entry *entry = backends; + + if(version != AUTH_INTERFACE_VERSION) + return False; + + DEBUG(5,("Attempting to register auth backend %s\n", name)); + + while(entry) { + if (strequal(name, entry->name)) { + DEBUG(0,("There already is an auth backend registered with the name %s!\n", name)); + return False; + } + entry = entry->next; + } + + entry = smb_xmalloc(sizeof(struct auth_init_function_entry)); + entry->name = smb_xstrdup(name); + entry->init = init; + + DLIST_ADD(backends, entry); + DEBUG(5,("Successfully added auth backend '%s'\n", name)); + return True; +} + +static struct auth_init_function_entry *auth_find_backend_entry(const char *name) +{ + struct auth_init_function_entry *entry = backends; + + while(entry) { + if (strequal(entry->name, name)) return entry; + entry = entry->next; + } + + return NULL; +} /**************************************************************************** Try to get a challenge out of the various authentication modules. @@ -324,8 +343,8 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, auth_methods *list = NULL; auth_methods *t = NULL; auth_methods *tmp; - int i; NTSTATUS nt_status; + static BOOL initialised_static_modules = False; if (!text_list) { DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); @@ -334,15 +353,22 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; + + /* Initialise static modules if not done so yet */ + if(!initialised_static_modules) { + static_init_auth; + initialised_static_modules = True; + } for (;*text_list; text_list++) { - DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", - *text_list)); - for (i = 0; builtin_auth_init_functions[i].name; i++) { + struct auth_init_function_entry *entry; char *module_name = smb_xstrdup(*text_list); char *module_params = NULL; char *p; + DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", + *text_list)); + p = strchr(module_name, ':'); if (p) { *p = 0; @@ -352,20 +378,20 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, trim_string(module_name, " ", " "); - if (strequal(builtin_auth_init_functions[i].name, module_name)) { - DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i)); - if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) { - DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", - *text_list)); - DLIST_ADD_END(list, t, tmp); - } else { - DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", - *text_list)); - } - break; + entry = auth_find_backend_entry(module_name); + + if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && + !(entry = auth_find_backend_entry(module_name))) { + DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name)); + } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) { + DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", + *text_list)); + } else { + DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", + *text_list)); + DLIST_ADD_END(list, t, tmp); } SAFE_FREE(module_name); - } } (*auth_context)->auth_method_list = list; @@ -417,7 +443,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam ads winbind ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index a19c532fc9..509a4afba9 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -161,50 +161,12 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char return NT_STATUS_OK; } -/** - * Outsorce an auth module to an external loadable .so - * - * Only works on systems with dlopen() etc. - **/ - -/* Plugin modules initialisation */ - -NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +int auth_builtin_init(void) { - void * dl_handle; - char *plugin_param, *plugin_name, *p; - auth_init_function plugin_init; - - if (param == NULL) { - DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - plugin_name = smb_xstrdup(param); - p = strchr(plugin_name, ':'); - if (p) { - *p = 0; - plugin_param = p+1; - trim_string(plugin_param, " ", " "); - } else plugin_param = NULL; - - trim_string(plugin_name, " ", " "); - - DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name)); - dl_handle = sys_dlopen(plugin_name, RTLD_NOW ); - if (!dl_handle) { - DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n", - plugin_name, sys_dlerror())); - return NT_STATUS_UNSUCCESSFUL; - } - - plugin_init = sys_dlsym(dl_handle, "auth_init"); - if (!plugin_init){ - DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n", - plugin_name, sys_dlerror())); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)")); - return plugin_init(auth_context, plugin_param, auth_method); + smb_register_auth("guest", auth_init_guest, AUTH_INTERFACE_VERSION); +#ifdef DEVELOPER + smb_register_auth("fixed_challenge", auth_init_fixed_challenge, AUTH_INTERFACE_VERSION); + smb_register_auth("name_to_ntstatus", auth_init_name_to_ntstatus, AUTH_INTERFACE_VERSION); +#endif + return True; } diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 534af2257d..24a5bb562c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -24,7 +24,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -BOOL global_machine_password_needs_changing = False; +extern BOOL global_machine_password_needs_changing; extern userdom_struct current_user_info; @@ -545,3 +545,10 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa (*auth_method)->auth = check_trustdomain_security; return NT_STATUS_OK; } + +int auth_domain_init(void) +{ + smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION); + smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION); + return True; +} diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 5451f7d930..db37193579 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -242,3 +242,10 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, (*auth_method)->name = "rhosts"; return NT_STATUS_OK; } + +int auth_rhosts_init(void) +{ + smb_register_auth("rhosts", auth_init_rhosts, AUTH_INTERFACE_VERSION); + smb_register_auth("hostsequiv", auth_init_hostsequiv, AUTH_INTERFACE_VERSION); + return True; +} diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index b309833440..1fc8aa51bb 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -518,4 +518,9 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } - +int auth_sam_init(void) +{ + smb_register_auth("samstrict", auth_init_samstrict, AUTH_INTERFACE_VERSION); + smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION); + return True; +} diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 5144852d3b..a311f01dc3 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -400,3 +400,8 @@ NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* para (*auth_method)->free_private_data = free_server_private_data; return NT_STATUS_OK; } + +int auth_server_init(void) +{ + return smb_register_auth("smbserver", auth_init_smbserver, AUTH_INTERFACE_VERSION); +} diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 4f44767a81..efab2046c3 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -130,3 +130,7 @@ NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, au return NT_STATUS_OK; } +int auth_unix_init(void) +{ + return smb_register_auth("unix", auth_init_unix, AUTH_INTERFACE_VERSION); +} diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 5e1567d3c1..e2a292dd01 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -134,3 +134,8 @@ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, (*auth_method)->auth = check_winbind_security; return NT_STATUS_OK; } + +int auth_winbind_init(void) +{ + return smb_register_auth("winbind", auth_init_winbind, AUTH_INTERFACE_VERSION); +} -- cgit From f071020f5e49837154581c97c5af5f84d0e2de89 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 21 Apr 2003 14:09:03 +0000 Subject: Merge from HEAD - save the type of channel used to contact the DC. This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a) --- source3/auth/auth_domain.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 24a5bb562c..e49a41763b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -347,6 +347,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, "Error was %s.\n", user_info->smb_name.str, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); + + /* map to something more useful */ + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) { + nt_status = NT_STATUS_NO_LOGON_SERVERS; + } } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); @@ -395,6 +400,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, unsigned char trust_passwd[16]; time_t last_change_time; const char *domain = lp_workgroup(); + uint32 sec_channel_type = 0; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -417,7 +423,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) + if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time, &sec_channel_type)) { DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; @@ -442,7 +448,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, global_myname(), SEC_CHAN_WKSTA, trust_passwd, last_change_time); + password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time); return nt_status; } -- cgit From 59e0836b7f4221fd002abab083f71f04dffe7648 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 24 Apr 2003 11:56:09 +0000 Subject: Merge auth changes from HEAD: - better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150) --- source3/auth/auth.c | 91 +++++++++++++++++++++++++-------------------- source3/auth/auth_builtin.c | 8 ++-- source3/auth/auth_domain.c | 7 +++- source3/auth/auth_util.c | 31 ++++----------- source3/auth/auth_winbind.c | 16 +++++++- 5 files changed, 83 insertions(+), 70 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 71e9ab0428..09e8f5e722 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -334,6 +334,52 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) return NT_STATUS_OK; } +BOOL load_auth_module(struct auth_context *auth_context, + const char *module, auth_methods **ret) +{ + static BOOL initialised_static_modules = False; + + struct auth_init_function_entry *entry; + char *module_name = smb_xstrdup(module); + char *module_params = NULL; + char *p; + BOOL good = False; + + /* Initialise static modules if not done so yet */ + if(!initialised_static_modules) { + static_init_auth; + initialised_static_modules = True; + } + + DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n", + module)); + + p = strchr(module_name, ':'); + if (p) { + *p = 0; + module_params = p+1; + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); + + entry = auth_find_backend_entry(module_name); + + if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && + !(entry = auth_find_backend_entry(module_name))) { + DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name)); + } else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) { + DEBUG(0,("load_auth_module: auth method %s did not correctly init\n", + module)); + } else { + DEBUG(5,("load_auth_module: auth method %s has a valid init\n", + module)); + good = True; + } + SAFE_FREE(module_name); + return good; +} + /*************************************************************************** Make a auth_info struct for the auth subsystem ***************************************************************************/ @@ -344,7 +390,6 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, auth_methods *t = NULL; auth_methods *tmp; NTSTATUS nt_status; - static BOOL initialised_static_modules = False; if (!text_list) { DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); @@ -354,44 +399,10 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; - /* Initialise static modules if not done so yet */ - if(!initialised_static_modules) { - static_init_auth; - initialised_static_modules = True; - } - for (;*text_list; text_list++) { - struct auth_init_function_entry *entry; - char *module_name = smb_xstrdup(*text_list); - char *module_params = NULL; - char *p; - - DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", - *text_list)); - - p = strchr(module_name, ':'); - if (p) { - *p = 0; - module_params = p+1; - trim_string(module_params, " ", " "); - } - - trim_string(module_name, " ", " "); - - entry = auth_find_backend_entry(module_name); - - if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && - !(entry = auth_find_backend_entry(module_name))) { - DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name)); - } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) { - DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", - *text_list)); - } else { - DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", - *text_list)); - DLIST_ADD_END(list, t, tmp); - } - SAFE_FREE(module_name); + if (load_auth_module(*auth_context, *text_list, &t)) { + DLIST_ADD_END(list, t, tmp); + } } (*auth_context)->auth_method_list = list; @@ -417,7 +428,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); @@ -443,7 +454,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 509a4afba9..5d72898006 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -50,7 +50,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, /* Guest modules initialisation */ -NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) +static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -60,6 +60,7 @@ NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, return NT_STATUS_OK; } +#ifdef DEVELOPER /** * Return an error based on username * @@ -101,7 +102,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ /** Module initialisation function */ -NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -150,7 +151,7 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex /** Module initailisation function */ -NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -160,6 +161,7 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char (*auth_method)->name = "fixed_challenge"; return NT_STATUS_OK; } +#endif /* DEVELOPER */ int auth_builtin_init(void) { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e49a41763b..db5f7d82b0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -175,6 +175,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { + /* map to something more useful */ + if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { + result = NT_STATUS_NO_LOGON_SERVERS; + } + release_server_mutex(); return result; } @@ -272,7 +277,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { + if (!rpc_find_dc(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d0f1fc1e34..a3ca0b226f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -219,35 +219,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, where it doens't supply a domain for logon script 'net use' commands. - The way I do it here is by checking if the fully - qualified username exists. This is rather reliant - on winbind, but until we have a better method this - will have to do + Finally, we do this by looking up a cache of trusted domains! */ domain = client_domain; - if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ - char *user = NULL; - if (asprintf(&user, "%s%s%s", - client_domain, lp_winbind_separator(), - smb_name) < 0) { - DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return NT_STATUS_NO_MEMORY; - } - - DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); - - if (Get_Pwnam(user) == NULL) { - DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); - domain = lp_workgroup(); - DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", - client_domain, domain)); - } else { - DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); - } - SAFE_FREE(user); + if (is_trusted_domain(domain)) { + return make_user_info(user_info, smb_name, internal_username, + client_domain, domain, wksta_name, + lm_pwd, nt_pwd, plaintext, ntlmssp_flags, + encrypted); } + } else { domain = lp_workgroup(); } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index e2a292dd01..df08b6440a 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -103,6 +103,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + if (result == NSS_STATUS_UNAVAIL) { + struct auth_methods *auth_method = my_private_data; + return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + } + nt_status = NT_STATUS(response.data.auth.nt_status); if (result == NSS_STATUS_SUCCESS && response.extra_data) { @@ -127,11 +132,18 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* module initialisation */ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) - return NT_STATUS_NO_MEMORY; (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; + + if (param && *param) { + /* we load the 'fallback' module - if winbind isn't here, call this + module */ + if (!load_auth_module(auth_context, param, &(*auth_method)->private_data)) { + return NT_STATUS_UNSUCCESSFUL; + } + + } return NT_STATUS_OK; } -- cgit From c07d7de3895c13c175d61639171808acd824907b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Apr 2003 14:23:44 +0000 Subject: Add cast for compiler (This used to be commit 456eb5d05a442ee380cfa756be54619b1d68fa48) --- source3/auth/auth_winbind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index df08b6440a..840898415b 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -139,7 +139,7 @@ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, if (param && *param) { /* we load the 'fallback' module - if winbind isn't here, call this module */ - if (!load_auth_module(auth_context, param, &(*auth_method)->private_data)) { + if (!load_auth_module(auth_context, param, (auth_methods **)&(*auth_method)->private_data)) { return NT_STATUS_UNSUCCESSFUL; } -- cgit From 17a3acafa89bfc6090b0767d05a00a7505003fcc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 28 Apr 2003 17:48:48 +0000 Subject: Use NTSTATUS as return value for smb_register_*() functions and init_module() function. Patch by metze with some minor modifications. (This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d) --- source3/auth/auth.c | 31 +++++++++++++++++++------------ source3/auth/auth_builtin.c | 10 +++++----- source3/auth/auth_domain.c | 8 ++++---- source3/auth/auth_rhosts.c | 8 ++++---- source3/auth/auth_sam.c | 8 ++++---- source3/auth/auth_server.c | 4 ++-- source3/auth/auth_unix.c | 4 ++-- source3/auth/auth_winbind.c | 4 ++-- 8 files changed, 42 insertions(+), 35 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 09e8f5e722..8f718e3d4d 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -25,21 +25,28 @@ static struct auth_init_function_entry *backends = NULL; -BOOL smb_register_auth(const char *name, auth_init_function init, int version) +static struct auth_init_function_entry *auth_find_backend_entry(const char *name); + +NTSTATUS smb_register_auth(uint16 version, const char *name, auth_init_function init) { struct auth_init_function_entry *entry = backends; - if(version != AUTH_INTERFACE_VERSION) - return False; + if (version != AUTH_INTERFACE_VERSION) { + DEBUG(0,("Can't register auth_method!\n" + "You tried to register an auth module with AUTH_INTERFACE_VERSION %d, while this version of samba uses %d\n", + version,AUTH_INTERFACE_VERSION)); + return NT_STATUS_OBJECT_TYPE_MISMATCH; + } + + if (!name || !init) { + return NT_STATUS_INVALID_PARAMETER; + } DEBUG(5,("Attempting to register auth backend %s\n", name)); - while(entry) { - if (strequal(name, entry->name)) { - DEBUG(0,("There already is an auth backend registered with the name %s!\n", name)); - return False; - } - entry = entry->next; + if (auth_find_backend_entry(name)) { + DEBUG(0,("There already is an auth method registered with the name %s!\n", name)); + return NT_STATUS_OBJECT_NAME_COLLISION; } entry = smb_xmalloc(sizeof(struct auth_init_function_entry)); @@ -47,8 +54,8 @@ BOOL smb_register_auth(const char *name, auth_init_function init, int version) entry->init = init; DLIST_ADD(backends, entry); - DEBUG(5,("Successfully added auth backend '%s'\n", name)); - return True; + DEBUG(5,("Successfully added auth method '%s'\n", name)); + return NT_STATUS_OK; } static struct auth_init_function_entry *auth_find_backend_entry(const char *name) @@ -365,7 +372,7 @@ BOOL load_auth_module(struct auth_context *auth_context, entry = auth_find_backend_entry(module_name); - if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && + if(!(entry = auth_find_backend_entry(module_name)) && NT_STATUS_IS_ERR(smb_probe_module("auth", module_name)) && !(entry = auth_find_backend_entry(module_name))) { DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name)); } else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) { diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 5d72898006..5a9b5534ab 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -163,12 +163,12 @@ static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, con } #endif /* DEVELOPER */ -int auth_builtin_init(void) +NTSTATUS auth_builtin_init(void) { - smb_register_auth("guest", auth_init_guest, AUTH_INTERFACE_VERSION); + smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest); #ifdef DEVELOPER - smb_register_auth("fixed_challenge", auth_init_fixed_challenge, AUTH_INTERFACE_VERSION); - smb_register_auth("name_to_ntstatus", auth_init_name_to_ntstatus, AUTH_INTERFACE_VERSION); + smb_register_auth(AUTH_INTERFACE_VERSION, "fixed_challenge", auth_init_fixed_challenge); + smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus); #endif - return True; + return NT_STATUS_OK; } diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index db5f7d82b0..bc03fecf74 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -557,9 +557,9 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa return NT_STATUS_OK; } -int auth_domain_init(void) +NTSTATUS auth_domain_init(void) { - smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION); - smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION); - return True; + smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain); + smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain); + return NT_STATUS_OK; } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index db37193579..0875c48280 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -243,9 +243,9 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, return NT_STATUS_OK; } -int auth_rhosts_init(void) +NTSTATUS auth_rhosts_init(void) { - smb_register_auth("rhosts", auth_init_rhosts, AUTH_INTERFACE_VERSION); - smb_register_auth("hostsequiv", auth_init_hostsequiv, AUTH_INTERFACE_VERSION); - return True; + smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts); + smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv); + return NT_STATUS_OK; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 1fc8aa51bb..9a619f81f6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -518,9 +518,9 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } -int auth_sam_init(void) +NTSTATUS auth_sam_init(void) { - smb_register_auth("samstrict", auth_init_samstrict, AUTH_INTERFACE_VERSION); - smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION); - return True; + smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict); + smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam); + return NT_STATUS_OK; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index a311f01dc3..73af290af2 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -401,7 +401,7 @@ NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* para return NT_STATUS_OK; } -int auth_server_init(void) +NTSTATUS auth_server_init(void) { - return smb_register_auth("smbserver", auth_init_smbserver, AUTH_INTERFACE_VERSION); + return smb_register_auth(AUTH_INTERFACE_VERSION, "smbserver", auth_init_smbserver); } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index efab2046c3..392178f77c 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -130,7 +130,7 @@ NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, au return NT_STATUS_OK; } -int auth_unix_init(void) +NTSTATUS auth_unix_init(void) { - return smb_register_auth("unix", auth_init_unix, AUTH_INTERFACE_VERSION); + return smb_register_auth(AUTH_INTERFACE_VERSION, "unix", auth_init_unix); } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 840898415b..76b5c34183 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -147,7 +147,7 @@ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, return NT_STATUS_OK; } -int auth_winbind_init(void) +NTSTATUS auth_winbind_init(void) { - return smb_register_auth("winbind", auth_init_winbind, AUTH_INTERFACE_VERSION); + return smb_register_auth(AUTH_INTERFACE_VERSION, "winbind", auth_init_winbind); } -- cgit From d2373e7dce03a933be465cfd006c20d2bcc6e758 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 30 Apr 2003 23:06:44 +0000 Subject: Make the version numbers ints (patch from metze) (This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 8f718e3d4d..cec15da1f6 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -27,7 +27,7 @@ static struct auth_init_function_entry *backends = NULL; static struct auth_init_function_entry *auth_find_backend_entry(const char *name); -NTSTATUS smb_register_auth(uint16 version, const char *name, auth_init_function init) +NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init) { struct auth_init_function_entry *entry = backends; -- cgit From d1da999e0a84939e372ebe590861376e2c0075b3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 8 May 2003 08:02:52 +0000 Subject: This puts real netlogon connection caching to winbind. This becomes important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bc03fecf74..827b4029d2 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -130,7 +130,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; - uint32 neg_flags = 0x000001ff; *retry = False; @@ -214,7 +213,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); + result = cli_nt_establish_netlogon(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ @@ -341,6 +340,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, + NULL, user_info->smb_name.str, user_info->domain.str, user_info->wksta_name.str, chal, user_info->lm_resp, user_info->nt_resp, -- cgit From 5f5c4aaffd14cc15df4b367bc6d60641d7fdf7c6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 9 May 2003 09:41:08 +0000 Subject: Make sure we always have some client data, not just the hash. An NTLMv2 or LMv2 response less than 24 bytes is just silly. Andrew Bartlett (This used to be commit b4ecdb2e582376d2713f81e8e32a668014905d70) --- source3/auth/auth_sam.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 9a619f81f6..cb88014e98 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -98,9 +98,10 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, return False; } - if (ntv2_response.length < 16) { + if (ntv2_response.length < 24) { /* We MUST have more than 16 bytes, or the stuff below will go - crazy... */ + crazy. No known implementation sends less than the 24 bytes + for LMv2, let alone NTLMv2. */ DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%d)\n", ntv2_response.length)); return False; -- cgit From 4f52bd500bf9bf128b0bf8b653146b8325a99c4f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 9 May 2003 15:02:11 +0000 Subject: Cleanups. My NTLMv2 changes also changed the preference from using an implicit structure-memcpy for DATA_BLOB parameters to using a pointer to that DATA_BLOB. auth_sam calls some of these functions, so I've cleaned it all up to use this format now. Also clean up some debug statements to make them easier to read. Andrew Bartlett (This used to be commit 0c355c274a6ac084e4bf15a15613dfc007d6c5fc) --- source3/auth/auth_sam.c | 84 ++++++++++++++++++++++++------------------------- 1 file changed, 42 insertions(+), 42 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index cb88014e98..0c2ffaae88 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -28,9 +28,9 @@ /**************************************************************************** core of smb password checking routine. ****************************************************************************/ -static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, +static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, const uchar *part_passwd, - DATA_BLOB sec_blob, + const DATA_BLOB *sec_blob, uint8 user_sess_key[16]) { /* Finish the encryption of part_passwd. */ @@ -42,17 +42,17 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, return False; } - if (sec_blob.length != 8) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%d)\n", sec_blob.length)); + if (sec_blob->length != 8) { + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%d)\n", sec_blob->length)); return False; } - if (nt_response.length != 24) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%d)\n", nt_response.length)); + if (nt_response->length != 24) { + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%d)\n", nt_response->length)); return False; } - SMBOWFencrypt(part_passwd, sec_blob.data, p24); + SMBOWFencrypt(part_passwd, sec_blob->data, p24); if (user_sess_key != NULL) { SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); @@ -61,16 +61,16 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response, #if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |")); + DEBUG(100,("Part password (P16) was |\n")); dump_data(100, part_passwd, 16); - DEBUG(100,("Password from client was |")); - dump_data(100, nt_response.data, nt_response.length); - DEBUG(100,("Given challenge was |")); - dump_data(100, sec_blob.data, sec_blob.length); - DEBUG(100,("Value from encryption was |")); + DEBUGADD(100,("Password from client was |\n")); + dump_data(100, nt_response->data, nt_response->length); + DEBUGADD(100,("Given challenge was |\n")); + dump_data(100, sec_blob->data, sec_blob->length); + DEBUGADD(100,("Value from encryption was |\n")); dump_data(100, p24, 24); #endif - return (memcmp(p24, nt_response.data, 24) == 0); + return (memcmp(p24, nt_response->data, 24) == 0); } @@ -79,9 +79,9 @@ core of smb password checking routine. (NTLMv2, LMv2) Note: The same code works with both NTLMv2 and LMv2. ****************************************************************************/ -static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, +static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, const uchar *part_passwd, - const DATA_BLOB sec_blob, + const DATA_BLOB *sec_blob, const char *user, const char *domain, uint8 user_sess_key[16]) { @@ -98,43 +98,43 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, return False; } - if (ntv2_response.length < 24) { + if (ntv2_response->length < 24) { /* We MUST have more than 16 bytes, or the stuff below will go crazy. No known implementation sends less than the 24 bytes for LMv2, let alone NTLMv2. */ DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%d)\n", - ntv2_response.length)); + ntv2_response->length)); return False; } - client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16); + client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16); /* todo: should we be checking this for anything? We can't for LMv2, but for NTLMv2 it is meant to contain the current time etc. */ - memcpy(client_response, ntv2_response.data, sizeof(client_response)); + memcpy(client_response, ntv2_response->data, sizeof(client_response)); if (!ntv2_owf_gen(part_passwd, user, domain, kr)) { return False; } - SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, value_from_encryption); + SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); if (user_sess_key != NULL) { SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); } #if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |")); + DEBUG(100,("Part password (P16) was |\n")); dump_data(100, part_passwd, 16); - DEBUG(100,("Password from client was |")); - dump_data(100, ntv2_response.data, ntv2_response.length); - DEBUG(100,("Variable data from client was |")); + DEBUGADD(100,("Password from client was |\n")); + dump_data(100, ntv2_response->data, ntv2_response->length); + DEBUGADD(100,("Variable data from client was |\n")); dump_data(100, client_key_data.data, client_key_data.length); - DEBUG(100,("Given challenge was |")); - dump_data(100, sec_blob.data, sec_blob.length); - DEBUG(100,("Value from encryption was |")); + DEBUGADD(100,("Given challenge was |\n")); + dump_data(100, sec_blob->data, sec_blob->length); + DEBUGADD(100,("Value from encryption was |\n")); dump_data(100, value_from_encryption, 16); #endif data_blob_clear_free(&client_key_data); @@ -186,8 +186,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str)); - if (smb_pwd_check_ntlmv2( user_info->nt_resp, - nt_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv2( &user_info->nt_resp, + nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, user_sess_key)) @@ -196,8 +196,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n")); - if (smb_pwd_check_ntlmv2( user_info->nt_resp, - nt_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv2( &user_info->nt_resp, + nt_pw, &auth_context->challenge, user_info->smb_name.str, "", user_sess_key)) @@ -214,8 +214,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(user_info->nt_resp, - nt_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv1(&user_info->nt_resp, + nt_pw, &auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; @@ -243,8 +243,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, lm_pw = pdb_get_lanman_passwd(sampass); DEBUG(4,("sam_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(user_info->lm_resp, - lm_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv1(&user_info->lm_resp, + lm_pw, &auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; @@ -262,8 +262,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, - related to Win9X, legacy NAS pass-though authentication */ DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str)); - if (smb_pwd_check_ntlmv2( user_info->lm_resp, - nt_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv2( &user_info->lm_resp, + nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, user_sess_key)) @@ -272,8 +272,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n")); - if (smb_pwd_check_ntlmv2( user_info->lm_resp, - nt_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv2( &user_info->lm_resp, + nt_pw, &auth_context->challenge, user_info->smb_name.str, "", user_sess_key)) @@ -287,8 +287,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); if (lp_ntlm_auth()) { - if (smb_pwd_check_ntlmv1(user_info->lm_resp, - nt_pw, auth_context->challenge, + if (smb_pwd_check_ntlmv1(&user_info->lm_resp, + nt_pw, &auth_context->challenge, user_sess_key)) { return NT_STATUS_OK; -- cgit From fda311d5273ab7994bd372826e9615f415e9ea68 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 May 2003 13:20:27 +0000 Subject: When we have a NT4SP0 PDC trust us, we first have to check the password. On NT4, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT means the password was correct. So the PDC believed that he had his trust account correctly added. Later the auth2 naturally failed. BTW, setting up an interdom trust account is not what I would call well documented and easy to handle... Working on that now :-) Volker (This used to be commit e4e44cf3b18231ec5d7326fb42edec741caa147b) --- source3/auth/auth_sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 0c2ffaae88..634afc633d 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -439,14 +439,14 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_account_ok(mem_ctx, sampass, user_info); + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; } - nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); + nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); -- cgit From c823b191ab476fc2583d6d6aaa1e2edb09cbb88e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 12 May 2003 18:12:31 +0000 Subject: And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d) --- source3/auth/auth_rhosts.c | 19 +++++++++++-------- source3/auth/auth_util.c | 43 ++++++++++++++++++++++--------------------- 2 files changed, 33 insertions(+), 29 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 0875c48280..3411083116 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -135,17 +135,20 @@ check for a possible hosts equiv or rhosts entry for the user static BOOL check_hosts_equiv(SAM_ACCOUNT *account) { - char *fname = NULL; + uid_t uid; + char *fname = NULL; - fname = lp_hosts_equiv(); + fname = lp_hosts_equiv(); + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(account), &uid))) + return False; - /* note: don't allow hosts.equiv on root */ - if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) { - if (check_user_equiv(pdb_get_username(account),client_name(),fname)) - return(True); - } + /* note: don't allow hosts.equiv on root */ + if (fname && *fname && uid != 0) { + if (check_user_equiv(pdb_get_username(account),client_name(),fname)) + return True; + } - return(False); + return False; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a3ca0b226f..e8f2af41f3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -611,21 +611,21 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token; int i; - if (!uid_to_sid(&user_sid, uid)) { + if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) { return NULL; } - if (!gid_to_sid(&group_sid, gid)) { + if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) { return NULL; } - group_sids = malloc(sizeof(DOM_SID) * ngroups); + group_sids = malloc(sizeof(DOM_SID) * ngroups); if (!group_sids) { DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); return NULL; } for (i = 0; i < ngroups; i++) { - if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); SAFE_FREE(group_sids); return NULL; @@ -648,7 +648,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * If this samba server is a DC of the domain the user belongs to, it returns * both domain groups and local / builtin groups. If the user is in a trusted * domain, or samba is a member server of a domain, then this function returns - * local and builtin groups the user is a member of. + * local and builtin groups the user is a member of. * * currently this is a hack, as there is no sam implementation that is capable * of groups. @@ -661,23 +661,18 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, gid_t gid; int n_unix_groups; int i; - struct passwd *usr; *n_groups = 0; *groups = NULL; - if (!IS_SAM_UNIX_USER(sampass)) { - DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); - return NT_STATUS_NO_SUCH_USER; + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { + DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); + return NT_STATUS_UNSUCCESSFUL; } - - uid = pdb_get_uid(sampass); - gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); - passwd_free(&usr); return NT_STATUS_NO_MEMORY; } @@ -686,7 +681,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { SAFE_FREE(*unix_groups); - passwd_free(&usr); return NT_STATUS_NO_MEMORY; } *unix_groups = groups_tmp; @@ -694,7 +688,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); - passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } } @@ -713,7 +706,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, *n_groups = n_unix_groups; for (i = 0; i < *n_groups; i++) { - if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); @@ -730,6 +723,8 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { + NTSTATUS ret; + *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); @@ -739,6 +734,10 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->sam_account = sampass; + if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) + return ret; + if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + return ret; return NT_STATUS_OK; } @@ -869,8 +868,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; - uid_t uid; - gid_t gid; + unid_t u_id, g_id; + int u_type, g_type; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; @@ -907,9 +906,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - if (winbind_sid_to_uid(&uid, &user_sid) - && winbind_sid_to_gid(&gid, &group_sid) - && ((passwd = getpwuid_alloc(uid)))) { + u_type = ID_USERID; + g_type = ID_GROUPID; + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) + && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) + && ((passwd = getpwuid_alloc(u_id.uid)))) { nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { -- cgit From 402fbc518a5489b33f1c5eafb8e6acb9ee5addbd Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 May 2003 00:46:43 +0000 Subject: spelling (This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9) --- source3/auth/auth_sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 634afc633d..d46d362a92 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -225,7 +225,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } else { DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - /* no return, becouse we might pick up LMv2 in the LM feild */ + /* no return, because we might pick up LMv2 in the LM feild */ } } @@ -420,7 +420,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_UNSUCCESSFUL; } - /* Can't use the talloc version here, becouse the returned struct gets + /* Can't use the talloc version here, because the returned struct gets kept on the server_info */ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { return nt_status; -- cgit From 6203409d2ef442fd7d620ddaa8ea85cc7b6695fd Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 15 May 2003 08:47:28 +0000 Subject: Patch from Luke Howard that fixes some weird handling of modules in auth/ (This used to be commit 4b6785a6c0fe0aebb1cc69bfc9937d19bc692642) --- source3/auth/auth.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index cec15da1f6..0c4fe76830 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -372,17 +372,25 @@ BOOL load_auth_module(struct auth_context *auth_context, entry = auth_find_backend_entry(module_name); - if(!(entry = auth_find_backend_entry(module_name)) && NT_STATUS_IS_ERR(smb_probe_module("auth", module_name)) && - !(entry = auth_find_backend_entry(module_name))) { - DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name)); - } else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) { - DEBUG(0,("load_auth_module: auth method %s did not correctly init\n", - module)); + if (entry == NULL) { + if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) { + entry = auth_find_backend_entry(module_name); + } + } + + if (entry != NULL) { + if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) { + DEBUG(0,("load_auth_module: auth method %s did not correctly init\n", + module_name)); + } else { + DEBUG(5,("load_auth_module: auth method %s has a valid init\n", + module_name)); + good = True; + } } else { - DEBUG(5,("load_auth_module: auth method %s has a valid init\n", - module)); - good = True; + DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name)); } + SAFE_FREE(module_name); return good; } -- cgit From 9e9849c0ee5cfc79dc51e29c8015d9c53fa4bfcc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 16 May 2003 06:20:57 +0000 Subject: add metze's patch for smb_register functions (This used to be commit 1480c7e8c7a84c34181118c449c50ca99fdcbc6b) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 0c4fe76830..dea97a7190 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,7 +63,7 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name struct auth_init_function_entry *entry = backends; while(entry) { - if (strequal(entry->name, name)) return entry; + if (strcmp(entry->name, name)==0) return entry; entry = entry->next; } -- cgit From 6ace723c44f61c1166b90666ca6f5b2546ced46b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 25 May 2003 23:56:41 +0000 Subject: Get 'add user script' working again for Samba 3.0. I'm still not convinced that sharing the option name with the administrative code is the best idea, but anyway... Tested by vl, bug #41. Andrew Bartlett (This used to be commit 9d78f064c5e4e6b340f994204977aaac6513320b) --- source3/auth/auth.c | 6 ---- source3/auth/auth_server.c | 11 +++++-- source3/auth/auth_util.c | 82 ++++++++++++++++++++++++---------------------- 3 files changed, 52 insertions(+), 47 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dea97a7190..02c7eb6d84 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -262,12 +262,6 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, break; } - /* This is one of the few places the *relies* (rather than just sets defaults - on the value of lp_security(). This needs to change. A new paramater - perhaps? */ - if (lp_security() >= SEC_SERVER) - smb_user_control(user_info, *server_info, nt_status); - if (NT_STATUS_IS_OK(nt_status)) { pdb_username = pdb_get_username((*server_info)->sam_account); if (!(*server_info)->guest) { diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 73af290af2..18c5216137 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -372,12 +372,19 @@ use this machine as the password server.\n")); cli_ulogoff(cli); - if NT_STATUS_IS_OK(nt_status) { + if (NT_STATUS_IS_OK(nt_status)) { struct passwd *pass = Get_Pwnam(user_info->internal_username.str); if (pass) { nt_status = make_server_info_pw(server_info, pass); } else { - nt_status = NT_STATUS_NO_SUCH_USER; + auth_add_user_script(user_info->domain.str, user_info->internal_username.str); + pass = Get_Pwnam(user_info->internal_username.str); + + if (pass) { + nt_status = make_server_info_pw(server_info, pass); + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } } } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e8f2af41f3..d57619942c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -36,7 +36,7 @@ extern DOM_SID global_sid_Authenticated_Users; Create a UNIX user on demand. ****************************************************************************/ -static int smb_create_user(const char *unix_user, const char *homedir) +static int smb_create_user(const char *domain, const char *unix_username, const char *homedir) { pstring add_script; int ret; @@ -44,7 +44,9 @@ static int smb_create_user(const char *unix_user, const char *homedir) pstrcpy(add_script, lp_adduser_script()); if (! *add_script) return -1; - all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); + all_string_sub(add_script, "%u", unix_username, sizeof(pstring)); + if (domain) + all_string_sub(add_script, "%D", domain, sizeof(pstring)); if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); ret = smbrun(add_script,NULL); @@ -56,24 +58,18 @@ static int smb_create_user(const char *unix_user, const char *homedir) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) +void auth_add_user_script(const char *domain, const char *username) { struct passwd *pwd=NULL; - if (NT_STATUS_IS_OK(nt_status)) { - - if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) { - - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - - if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) { - smb_create_user(user_info->internal_username.str, NULL); - } - } + /* + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. + */ + + if(lp_adduser_script() && !(pwd = Get_Pwnam(username))) { + smb_create_user(domain, username, NULL); } } @@ -914,30 +910,38 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { - char *dom_user; - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", - nt_domain, - lp_winbind_separator(), - internal_username); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - return NT_STATUS_NO_MEMORY; - } else { - - if (!(passwd = Get_Pwnam(dom_user)) - /* Only lookup local for the local - domain, we don't want this for - trusted domains */ - && strequal(nt_domain, lp_workgroup())) { - passwd = Get_Pwnam(internal_username); + int try = 0; + while (try < 2) { + char *dom_user; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", + nt_domain, + lp_winbind_separator(), + internal_username); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + nt_status = NT_STATUS_NO_MEMORY; + } else { + + if (!(passwd = Get_Pwnam(dom_user)) + /* Only lookup local for the local + domain, we don't want this for + trusted domains */ + && strequal(nt_domain, lp_workgroup())) { + passwd = Get_Pwnam(internal_username); + } + + if (!passwd) { + nt_status = NT_STATUS_NO_SUCH_USER; + } else { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + break; + } } - - if (!passwd) { - return NT_STATUS_NO_SUCH_USER; - } else { - nt_status = pdb_init_sam_pw(&sam_account, passwd); + if (try == 0) { + auth_add_user_script(nt_domain, internal_username); } + try++; } } -- cgit From 54e2ac64b7291d9c88d1525e7498e7750adbfbe0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 May 2003 02:04:23 +0000 Subject: Add samstrict_dc from metze (been sitting in HEAD for way to long waiting for me to review it). This patch works well for a DC running with trusted domains, becouse it lets you check the local SAM first, but only for this domain's users. Andrew Bartlett (This used to be commit e0bd4d2844e6073a83b72925bca1aec007a8dd0b) --- source3/auth/auth_sam.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index d46d362a92..13612db86e 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -501,6 +501,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context unless it is one of our aliases. */ if (!is_myname(user_info->domain.str)) { + DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); return NT_STATUS_NO_SUCH_USER; } @@ -519,8 +521,52 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } +/**************************************************************************** +Check SAM security (above) but with a few extra checks if we're a DC. +****************************************************************************/ + +static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + + if (!user_info || !auth_context) { + return NT_STATUS_LOGON_FAILURE; + } + + /* If we are a PDC we must not check the password here + unless it is one of our aliases, empty + or equal to our domain name. Other names may be + Trusted domains. + */ + + if ((!is_myworkgroup(user_info->domain.str))&& + (!is_myname(user_info->domain.str))) { + DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); + return NT_STATUS_NO_SUCH_USER; + } + + return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); +} + +/* module initialisation */ +NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->auth = check_samstrict_dc_security; + (*auth_method)->name = "samstrict_dc"; + return NT_STATUS_OK; +} + NTSTATUS auth_sam_init(void) { + smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc); smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict); smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam); return NT_STATUS_OK; -- cgit From ac33cc9ca328d42e75817aff34ab570339f732fe Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 May 2003 06:53:25 +0000 Subject: Spelling. (This used to be commit eda897306896b729129582fdf4fdd26af555f014) --- source3/auth/auth_sam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 13612db86e..d01be84f19 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -201,6 +201,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, user_info->smb_name.str, "", user_sess_key)) + { return NT_STATUS_OK; } else { @@ -225,7 +226,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } else { DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - /* no return, because we might pick up LMv2 in the LM feild */ + /* no return, becouse we might pick up LMv2 in the LM field */ } } -- cgit From f527ca3d52e76122651f133780654fc057678b25 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 26 May 2003 16:38:35 +0000 Subject: Correctly initialize winbind auth method. (This used to be commit b9e7ce9d85c4203779d6b9bfb2e65a4ed5fe33ff) --- source3/auth/auth_winbind.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 76b5c34183..79395a99c9 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -132,6 +132,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* module initialisation */ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; -- cgit From 3a6d0a23cd226214778959d021a4a6d3eabc0c4b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 27 May 2003 16:46:51 +0000 Subject: volker's fix for crash when my_private_data == NULL (This used to be commit 40127404e3a664539de516723cf1239f47adc442) --- source3/auth/auth_winbind.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 79395a99c9..b8276b0866 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -103,9 +103,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); - if (result == NSS_STATUS_UNAVAIL) { + if ( result == NSS_STATUS_UNAVAIL ) { struct auth_methods *auth_method = my_private_data; - return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + + if ( auth_method ) + return auth_method->auth(auth_context, auth_method->private_data, + mem_ctx, user_info, server_info); + else + /* log an error since this should not happen */ + DEBUG(0,("check_winbind_security: ERROR! my_private_data == NULL!\n")); } nt_status = NT_STATUS(response.data.auth.nt_status); -- cgit From cad20ab63b55462836da007de39fc84ffa38eda8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 4 Jun 2003 16:40:50 +0000 Subject: Add some static. Patch by Stefan Metzmacher (This used to be commit e1a8e9b7f3e69c7271d2b715703b2d5b2412bd42) --- source3/auth/auth_domain.c | 4 ++-- source3/auth/auth_rhosts.c | 4 ++-- source3/auth/auth_sam.c | 6 +++--- source3/auth/auth_server.c | 2 +- source3/auth/auth_unix.c | 2 +- source3/auth/auth_winbind.c | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 827b4029d2..2991684280 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -458,7 +458,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } /* module initialisation */ -NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; @@ -546,7 +546,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* module initialisation */ -NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 3411083116..2f0de6b81e 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -181,7 +181,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex } /* module initialisation */ -NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; @@ -235,7 +235,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, } /* module initialisation */ -NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index d01be84f19..161376616b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -470,7 +470,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } /* module initialisation */ -NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; @@ -511,7 +511,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context } /* module initialisation */ -NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; @@ -554,7 +554,7 @@ static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_cont } /* module initialisation */ -NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 18c5216137..2a1e4a48d9 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -395,7 +395,7 @@ use this machine as the password server.\n")); return(nt_status); } -NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 392178f77c..b9de6f7acb 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -119,7 +119,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, } /* module initialisation */ -NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index b8276b0866..0b19746597 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -136,7 +136,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } /* module initialisation */ -NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; -- cgit From a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 11 Jun 2003 16:36:04 +0000 Subject: Fix 'security = domain' without winbind. This stores the sid we got from the PDC as a mapping to the uid we got from getpwnam in the local idmap. This should not be worse than the current state, so I decided to commit it. It is different from abartlet's preliminary patch, but I believe this is the better solution. Feel free to comment and/or revert it. Volker (This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59) --- source3/auth/auth_util.c | 92 +++++++++++++++++++++++++++++++----------------- 1 file changed, 60 insertions(+), 32 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d57619942c..ed3ebdbabc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -842,6 +842,52 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return nt_status; } +static NTSTATUS fill_sam_account(const char *domain, + const char *username, + const DOM_SID *user_sid, + const DOM_SID *group_sid, + SAM_ACCOUNT **sam_account) +{ + fstring dom_user; + struct passwd *passwd; + NTSTATUS result; + unid_t id; + + fstr_sprintf(dom_user, "%s%s%s", + domain, lp_winbind_separator(), username); + + passwd = Get_Pwnam(dom_user); + + if ( (passwd == NULL) && is_myworkgroup(domain) ) { + /* For our own domain also try unqualified */ + passwd = Get_Pwnam(username); + } + + if (passwd == NULL) + return NT_STATUS_NO_SUCH_USER; + + result = pdb_init_sam_pw(sam_account, passwd); + + if (!NT_STATUS_IS_OK(result)) + return result; + + id.uid = passwd->pw_uid; + result = idmap_set_mapping(user_sid, id, ID_USERID); + if (!NT_STATUS_IS_OK(result)) + return result; + + /* This is currently broken. We have two different sources of + information for the primary group: The info3 and + /etc/passwd. To make this work at all, the info3 sid is + mapped to the user's primary group from /etc/passwd. + This is broken, but it basically works. */ + + id.gid = passwd->pw_gid; + result = idmap_set_mapping(group_sid, id, ID_GROUPID); + + return result; +} + /*************************************************************************** Make a server_info struct from the info3 returned by a domain logon ***************************************************************************/ @@ -910,38 +956,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { - int try = 0; - while (try < 2) { - char *dom_user; - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", - nt_domain, - lp_winbind_separator(), - internal_username); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - nt_status = NT_STATUS_NO_MEMORY; - } else { - - if (!(passwd = Get_Pwnam(dom_user)) - /* Only lookup local for the local - domain, we don't want this for - trusted domains */ - && strequal(nt_domain, lp_workgroup())) { - passwd = Get_Pwnam(internal_username); - } - - if (!passwd) { - nt_status = NT_STATUS_NO_SUCH_USER; - } else { - nt_status = pdb_init_sam_pw(&sam_account, passwd); - break; - } - } - if (try == 0) { - auth_add_user_script(nt_domain, internal_username); - } - try++; + + nt_status = fill_sam_account(nt_domain, + internal_username, + &user_sid, &group_sid, + &sam_account); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { + DEBUG(3,("User %s does not exist, trying to add it\n", + internal_username)); + auth_add_user_script(nt_domain, internal_username); + nt_status = fill_sam_account(nt_domain, + internal_username, + &user_sid, &group_sid, + &sam_account); } } -- cgit From 0d8307fac322601a867cebeeb36428aadda59a07 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 12 Jun 2003 07:21:26 +0000 Subject: Andrew is right, this is probably the wrong approach. Take away the automatic mapping of users and groups again. Volker (This used to be commit 74510369d48545e813ac07e52814840803dd6ba2) --- source3/auth/auth_util.c | 31 +++++-------------------------- 1 file changed, 5 insertions(+), 26 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ed3ebdbabc..8e5fc44291 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -842,16 +842,16 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return nt_status; } +/*************************************************************************** + Purely internal function for make_server_info_info3 + Fill the sam account from getpwnam +***************************************************************************/ static NTSTATUS fill_sam_account(const char *domain, const char *username, - const DOM_SID *user_sid, - const DOM_SID *group_sid, SAM_ACCOUNT **sam_account) { fstring dom_user; struct passwd *passwd; - NTSTATUS result; - unid_t id; fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), username); @@ -866,26 +866,7 @@ static NTSTATUS fill_sam_account(const char *domain, if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; - result = pdb_init_sam_pw(sam_account, passwd); - - if (!NT_STATUS_IS_OK(result)) - return result; - - id.uid = passwd->pw_uid; - result = idmap_set_mapping(user_sid, id, ID_USERID); - if (!NT_STATUS_IS_OK(result)) - return result; - - /* This is currently broken. We have two different sources of - information for the primary group: The info3 and - /etc/passwd. To make this work at all, the info3 sid is - mapped to the user's primary group from /etc/passwd. - This is broken, but it basically works. */ - - id.gid = passwd->pw_gid; - result = idmap_set_mapping(group_sid, id, ID_GROUPID); - - return result; + return pdb_init_sam_pw(sam_account, passwd); } /*************************************************************************** @@ -959,7 +940,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = fill_sam_account(nt_domain, internal_username, - &user_sid, &group_sid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { @@ -968,7 +948,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_add_user_script(nt_domain, internal_username); nt_status = fill_sam_account(nt_domain, internal_username, - &user_sid, &group_sid, &sam_account); } } -- cgit From 2cd38cd8e8f0a6f2b81adbd5c4b9146335781377 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 12 Jun 2003 08:22:55 +0000 Subject: Fix some misleading debug messages. (This used to be commit 9c003ae4ff21040b55264f8b4c34bd5956c97dc6) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 8e5fc44291..789193c610 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1029,7 +1029,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids)); if (!all_group_SIDs) { - DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); + DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); return NT_STATUS_NO_MEMORY; } @@ -1043,7 +1043,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { nt_status = NT_STATUS_INVALID_PARAMETER; - DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", + DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); return nt_status; -- cgit From 511789b8555213d2f3d1b96c5434d2d0ebfd666f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 12 Jun 2003 14:24:15 +0000 Subject: Andrew's change to make 'security = domain' work again. Leave the user and group that has been authenticated unmapped. We need to make sure that every caller of idmap handles failure gracefully. Volker (This used to be commit 902d607b668b2e997778a0ca676ea689943c2817) --- source3/auth/auth_util.c | 126 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 88 insertions(+), 38 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 789193c610..f7b46465f7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -650,29 +650,22 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, +static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid, int *n_groups, DOM_SID **groups, gid_t **unix_groups) { - uid_t uid; - gid_t gid; int n_unix_groups; int i; *n_groups = 0; *groups = NULL; - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { - DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); return NT_STATUS_NO_MEMORY; } - if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { gid_t *groups_tmp; groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { @@ -681,7 +674,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, } *unix_groups = groups_tmp; - if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ @@ -717,35 +710,26 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, Make a user_info struct ***************************************************************************/ -static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info) { - NTSTATUS ret; - *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; - if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) - return ret; - if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) - return ret; - return NT_STATUS_OK; } /*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT +Fill a server_info struct from a SAM_ACCOUNT with their groups ***************************************************************************/ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) +static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass, + uid_t uid, gid_t gid) { - NTSTATUS nt_status = NT_STATUS_OK; + NTSTATUS nt_status; const DOM_SID *user_sid = pdb_get_user_sid(sampass); const DOM_SID *group_sid = pdb_get_group_sid(sampass); int n_groupSIDs = 0; @@ -755,14 +739,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { - return nt_status; - } - - if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(sampass, - &n_groupSIDs, &groupSIDs, &unix_groups))) - { + nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass), + uid, gid, + &n_groupSIDs, &groupSIDs, + &unix_groups); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); free_server_info(server_info); return nt_status; @@ -785,9 +766,36 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->n_groups = n_groupSIDs; (*server_info)->groups = unix_groups; - (*server_info)->ptok = token; - + + return nt_status; +} + +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) +{ + NTSTATUS nt_status; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) + return nt_status; + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, + (*server_info)->uid, (*server_info)->gid))) + return nt_status; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); @@ -806,7 +814,20 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { return nt_status; } - return make_server_info_sam(server_info, sampass); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + return nt_status; + } + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) { + return nt_status; + } + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = pwd->pw_uid; + (*server_info)->gid = pwd->pw_gid; + return nt_status; } /*************************************************************************** @@ -848,6 +869,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) ***************************************************************************/ static NTSTATUS fill_sam_account(const char *domain, const char *username, + uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { fstring dom_user; @@ -866,6 +888,9 @@ static NTSTATUS fill_sam_account(const char *domain, if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; + *uid = passwd->pw_uid; + *gid = passwd->pw_gid; + return pdb_init_sam_pw(sam_account, passwd); } @@ -892,6 +917,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; unid_t u_id, g_id; + uid_t uid; + gid_t gid; int u_type, g_type; int n_lgroupSIDs; @@ -931,15 +958,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, u_type = ID_USERID; g_type = ID_GROUPID; + + /* we are trying to check that idmap isn't stuffing us over - does this + user actually exist? */ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) && ((passwd = getpwuid_alloc(u_id.uid)))) { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + + uid = passwd->pw_uid; + gid = passwd->pw_gid; + + /* we should check this is the same name */ + passwd_free(&passwd); } else { + /* User not from winbind - try and find them by getpwnam() */ nt_status = fill_sam_account(nt_domain, internal_username, + &uid, &gid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { @@ -948,6 +987,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_add_user_script(nt_domain, internal_username); nt_status = fill_sam_account(nt_domain, internal_username, + &uid, &gid, &sam_account); } } @@ -1002,17 +1042,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + /* now that we have a SAM_ACCOUNT that looks real, make a server_info + to wrap it in, and use pass it on down */ + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); return nt_status; } + /* Fill in the unix info we found on the way */ + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = uid; + (*server_info)->gid = gid; + /* Store the user group information in the server_info returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(sam_account, + = get_user_groups_from_local_sam(pdb_get_username(sam_account), + uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups))) -- cgit From 292a51eda152f5e1885f38f3a811e956560f33f0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 13 Jun 2003 21:03:15 +0000 Subject: Forward port the app-head changes for dc name cache into 3.0. Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2991684280..f1575e43b0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -276,7 +276,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if (!rpc_find_dc(domain, srv_name, &dc_ip)) { + if (!get_dc_name(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From 93bcb9963bef53b91a0b16c6389cefdb7bea2b0e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 21 Jun 2003 04:05:01 +0000 Subject: merge of the netsamlogon caching code from APPLIANCE_HEAD This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f1575e43b0..66684cc940 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -360,7 +360,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); - uni_group_cache_store_netlogon(mem_ctx, &info3); + netsamlogon_cache_store( mem_ctx, &info3 ); } #if 0 -- cgit From f5974dfaae680d98b78d600cd1f1aaece332a085 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 22 Jun 2003 10:09:52 +0000 Subject: Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687) --- source3/auth/auth_rhosts.c | 2 +- source3/auth/auth_util.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 2f0de6b81e..8fec760e21 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -139,7 +139,7 @@ static BOOL check_hosts_equiv(SAM_ACCOUNT *account) char *fname = NULL; fname = lp_hosts_equiv(); - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(account), &uid))) + if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid))) return False; /* note: don't allow hosts.equiv on root */ diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f7b46465f7..7d0f44f1d1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -607,10 +607,10 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token; int i; - if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) { + if (!NT_STATUS_IS_OK(uid_to_sid(&user_sid, uid))) { return NULL; } - if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) { + if (!NT_STATUS_IS_OK(gid_to_sid(&group_sid, gid))) { return NULL; } @@ -621,7 +621,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, } for (i = 0; i < ngroups; i++) { - if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) { + if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); SAFE_FREE(group_sids); return NULL; @@ -695,7 +695,7 @@ static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, *n_groups = n_unix_groups; for (i = 0; i < *n_groups; i++) { - if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { + if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); -- cgit From 7356d558ffc9c45fd5f42f29b3fffb1b8d9aee68 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 23 Jun 2003 18:27:59 +0000 Subject: fix typo (bug #170) (This used to be commit d376b67de9ff7a43c9c03c8640d9fe1671d223cb) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 02c7eb6d84..891f47486b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -249,7 +249,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n", + DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", auth_method->name, user_info->smb_name.str)); } else { DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n", -- cgit From f36c96d59c79a51610bb5a1fc42ac62bd8d08401 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 23 Jun 2003 19:05:23 +0000 Subject: * s/get_dc_name/rpc_dc_name/g (revert a previous change) * move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 66684cc940..5b2e287f6b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -276,7 +276,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if (!get_dc_name(domain, srv_name, &dc_ip)) { + if (!rpc_dc_name(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From f51d769dd303027a3dbf46fc89a482933988e866 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Jun 2003 17:41:05 +0000 Subject: large change: *) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 5b2e287f6b..df19a274fb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -253,7 +253,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (is_zero_ip(*ip)) return NT_STATUS_NO_LOGON_SERVERS; - if (!lookup_dc_name(global_myname(), domain, ip, dc_name)) + if ( !name_status_find( domain, 0x1b, 0x20, *ip, dc_name) ) return NT_STATUS_NO_LOGON_SERVERS; for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) -- cgit From 8a6fc79ad8d9f1b6c4f604b173426bf821f98208 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 28 Jun 2003 08:29:42 +0000 Subject: add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06) --- source3/auth/auth.c | 14 +++++++++++++- source3/auth/auth_domain.c | 41 +++++++++++++++++++++++++++-------------- source3/auth/auth_util.c | 31 ++++++++++--------------------- 3 files changed, 50 insertions(+), 36 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 891f47486b..25b856cd57 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -244,10 +244,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { + NTSTATUS result; + mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); - nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + + /* check if the module did anything */ + if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { + DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); + talloc_destroy(mem_ctx); + continue; + } + + nt_status = result; + if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", auth_method->name, user_info->smb_name.str)); diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index df19a274fb..84453ac3b5 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -401,11 +401,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; const char *domain = lp_workgroup(); uint32 sec_channel_type = 0; + fstring dc_name; + struct in_addr dc_ip; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -443,17 +444,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } } - /* - * Treat each name in the 'password server =' line as a potential - * PDC/BDC. Contact each in turn and try and authenticate. - */ - - password_server = lp_passwordserver(); - + if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + user_info->domain.str)); + return NT_STATUS_NO_LOGON_SERVERS; + } + nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, - server_info, - password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time); + server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time); return nt_status; } @@ -485,6 +484,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte char *trust_password; time_t last_change_time; DOM_SID sid; + fstring dc_name; + struct in_addr dc_ip; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); @@ -509,9 +510,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte if(strequal(lp_workgroup(), (user_info->domain.str))) { DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_NOT_IMPLEMENTED; } + /* no point is bothering if this is not a trusted domain */ + /* this return makes "map to guest = bad user" work again */ + + if ( !is_trusted_domain( user_info->domain.str ) ) + return NT_STATUS_NO_SUCH_USER; + /* * Get the trusted account password for the trusted domain * No need to become_root() as secrets_init() is done at startup. @@ -537,11 +544,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } #endif + if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + user_info->domain.str)); + return NT_STATUS_NO_LOGON_SERVERS; + } + nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, (uchar *)auth_context->challenge.data, - server_info, "*" /* Do a lookup */, - lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); - + server_info, dc_name, lp_workgroup(), + SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d0f44f1d1..fe4900f9f4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -204,32 +204,22 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); - if (lp_allow_trusted_domains() && *client_domain) { - - /* the client could have given us a workstation name - or other crap for the workgroup - we really need a - way of telling if this domain name is one of our - trusted domain names - - Also don't allow "" as a domain, fixes a Win9X bug + /* don't allow "" as a domain, fixes a Win9X bug where it doens't supply a domain for logon script - 'net use' commands. - - Finally, we do this by looking up a cache of trusted domains! - */ + 'net use' commands.*/ + if ( *client_domain ) domain = client_domain; + else + domain = lp_workgroup(); - if (is_trusted_domain(domain)) { - return make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, - lm_pwd, nt_pwd, plaintext, ntlmssp_flags, - encrypted); - } + /* do what win2k does. Always map unknown domains to our own + and let the "passdb backend" handle unknown users */ - } else { + if ( !is_trusted_domain(domain) ) domain = lp_workgroup(); - } + + /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ return make_user_info(user_info, smb_name, internal_username, @@ -238,7 +228,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, lm_pwd, nt_pwd, plaintext, ntlmssp_flags, encrypted); - } /**************************************************************************** -- cgit From b8723aaa65a2bd760d6d2d9c9409f7c39867484c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 29 Jun 2003 03:39:50 +0000 Subject: Here's the code to make winbindd work on a Samba DC to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b) --- source3/auth/auth.c | 12 +++++++++--- source3/auth/auth_domain.c | 3 ++- source3/auth/auth_util.c | 8 +++++--- 3 files changed, 16 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 25b856cd57..c50fc1a9b7 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -269,9 +269,15 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } talloc_destroy(mem_ctx); - - if (NT_STATUS_IS_OK(nt_status)) - break; + + /* this sucks. Somehow we have to know if an authentication module is + authoritative for a user. Fixme!!! --jerry */ + + if ( NT_STATUS_IS_OK(nt_status) || + NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_WRONG_PASSWORD) ) + { + break; + } } if (NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 84453ac3b5..39ec864f75 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -346,6 +346,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->lm_resp, user_info->nt_resp, &info3); + release_server_mutex(); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " @@ -386,7 +388,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, cli_nt_session_close(cli); cli_ulogoff(cli); cli_shutdown(cli); - release_server_mutex(); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fe4900f9f4..71fdb0050b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1031,15 +1031,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - /* now that we have a SAM_ACCOUNT that looks real, make a server_info - to wrap it in, and use pass it on down */ - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); return nt_status; } + /* save this here to _net_sam_logon() doesn't fail (it assumes a + valid SAM_ACCOUNT) */ + + (*server_info)->sam_account = sam_account; + /* Fill in the unix info we found on the way */ (*server_info)->sam_fill_level = SAM_FILL_ALL; -- cgit From f2659351017a8b2ec12548a3967cdf2767738e08 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 30 Jun 2003 17:24:59 +0000 Subject: * rename samstrict auth method to sam * rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60) --- source3/auth/auth_sam.c | 85 +++++++++++++++++------------------------------- source3/auth/auth_util.c | 4 +-- 2 files changed, 31 insertions(+), 58 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 161376616b..1690e4d5e1 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -4,6 +4,7 @@ Copyright (C) Andrew Tridgell 1992-2000 Copyright (C) Luke Kenneth Casson Leighton 1996-2000 Copyright (C) Andrew Bartlett 2001 + Copyright (C) Gerald Carter 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -470,14 +471,14 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } /* module initialisation */ -static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_sam_security; - (*auth_method)->name = "sam"; + (*auth_method)->name = "sam_ignoredomain"; return NT_STATUS_OK; } @@ -492,83 +493,55 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { + BOOL is_local_name, is_my_domain; if (!user_info || !auth_context) { return NT_STATUS_LOGON_FAILURE; } - /* If we are a domain member, we must not - attempt to check the password locally, - unless it is one of our aliases. */ + is_local_name = is_myname(user_info->domain.str); + is_my_domain = strequal(user_info->domain.str, lp_workgroup()); + + /* check whether or not we service this domain/workgroup name */ - if (!is_myname(user_info->domain.str)) { - DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); - return NT_STATUS_NO_SUCH_USER; + switch ( lp_server_role() ) { + case ROLE_STANDALONE: + case ROLE_DOMAIN_MEMBER: + if ( !is_local_name ) { + DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n", + user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER + ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") )); + return NT_STATUS_NOT_IMPLEMENTED; + } + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: + if ( !is_local_name && !is_my_domain ) { + DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n", + user_info->domain.str)); + return NT_STATUS_NOT_IMPLEMENTED; + } + default: /* name is ok */ + break; } return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); } /* module initialisation */ -static NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_samstrict_security; - (*auth_method)->name = "samstrict"; - return NT_STATUS_OK; -} - -/**************************************************************************** -Check SAM security (above) but with a few extra checks if we're a DC. -****************************************************************************/ - -static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - - if (!user_info || !auth_context) { - return NT_STATUS_LOGON_FAILURE; - } - - /* If we are a PDC we must not check the password here - unless it is one of our aliases, empty - or equal to our domain name. Other names may be - Trusted domains. - */ - - if ((!is_myworkgroup(user_info->domain.str))&& - (!is_myname(user_info->domain.str))) { - DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); - return NT_STATUS_NO_SUCH_USER; - } - - return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); -} - -/* module initialisation */ -static NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_samstrict_dc_security; - (*auth_method)->name = "samstrict_dc"; + (*auth_method)->name = "sam"; return NT_STATUS_OK; } NTSTATUS auth_sam_init(void) { - smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc); - smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict); smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam); + smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain); return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 71fdb0050b..1538fc50a1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ - if ( !is_trusted_domain(domain) ) - domain = lp_workgroup(); + if ( !is_trusted_domain(domain) ) + domain = get_global_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ -- cgit From a32ae05744e8e065bc4be56e93875c29182bb760 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Jun 2003 20:41:40 +0000 Subject: Valgrind found a bug (subtracting a pointer from a length rather than the length of what the pointer points to). Jeremy. (This used to be commit 492a96e9922c1ef96b967f2965f8bba1f5bc8f23) --- source3/auth/auth_winbind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 0b19746597..6ae8685b11 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -29,7 +29,7 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) { uint8 *info3_ndr; - size_t len = response->length - sizeof(response); + size_t len = response->length - sizeof(struct winbindd_response); prs_struct ps; if (len > 0) { info3_ndr = response->extra_data; -- cgit From e359dbcedb53b03df79140c30ecfdfdbcb904595 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 30 Jun 2003 20:45:14 +0000 Subject: * cleanup more DC name resolution issues in check_*domain_security() * is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e) --- source3/auth/auth_domain.c | 260 +++++++++------------------------------------ source3/auth/auth_util.c | 11 +- 2 files changed, 59 insertions(+), 212 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 39ec864f75..80320d8266 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -29,86 +29,6 @@ extern BOOL global_machine_password_needs_changing; extern userdom_struct current_user_info; -/* - resolve the name of a DC in ways appropriate for an ADS domain mode - an ADS domain may not have Netbios enabled at all, so this is - quite different from the RPC case - Note that we ignore the 'server' parameter here. That has the effect of using - the 'ADS server' smb.conf parameter, which is what we really want anyway - */ -static NTSTATUS ads_resolve_dc(fstring remote_machine, - struct in_addr *dest_ip) -{ - ADS_STRUCT *ads; - ads = ads_init_simple(); - if (!ads) { - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); - - ads->auth.flags |= ADS_AUTH_NO_BIND; - -#ifdef HAVE_ADS - /* a full ads_connect() is actually overkill, as we don't srictly need - to do the SASL auth in order to get the info we need, but libads - doesn't offer a better way right now */ - ads_connect(ads); -#endif - - fstrcpy(remote_machine, ads->config.ldap_server_name); - strupper(remote_machine); - *dest_ip = ads->ldap_ip; - ads_destroy(&ads); - - if (!*remote_machine || is_zero_ip(*dest_ip)) { - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("ads_resolve_dc: using server='%s' IP=%s\n", - remote_machine, inet_ntoa(*dest_ip))); - - return NT_STATUS_OK; -} - -/* - resolve the name of a DC in ways appropriate for RPC domain mode - this relies on the server supporting netbios and port 137 not being - firewalled - */ -static NTSTATUS rpc_resolve_dc(const char *server, - fstring remote_machine, - struct in_addr *dest_ip) -{ - if (is_ipaddress(server)) { - struct in_addr to_ip = *interpret_addr2(server); - - /* we need to know the machines netbios name - this is a lousy - way to find it, but until we have a RPC call that does this - it will have to do */ - if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(2, ("rpc_resolve_dc: Can't resolve name for IP %s\n", server)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - *dest_ip = to_ip; - return NT_STATUS_OK; - } - - fstrcpy(remote_machine, server); - strupper(remote_machine); - if (!resolve_name(remote_machine, dest_ip, 0x20)) { - DEBUG(1,("rpc_resolve_dc: Can't resolve address for %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("rpc_resolve_dc: using server='%s' IP=%s\n", - remote_machine, inet_ntoa(*dest_ip))); - - return NT_STATUS_OK; -} - /** * Connect to a remote server for domain security authenticaion. * @@ -121,35 +41,14 @@ static NTSTATUS rpc_resolve_dc(const char *server, **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *server, + const char *dc_name, struct in_addr dc_ip, const char *setup_creds_as, uint16 sec_chan, const unsigned char *trust_passwd, BOOL *retry) { - struct in_addr dest_ip; - fstring remote_machine; NTSTATUS result; - *retry = False; - - if (lp_security() == SEC_ADS) - result = ads_resolve_dc(remote_machine, &dest_ip); - else - result = rpc_resolve_dc(server, remote_machine, &dest_ip); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", - nt_errstr(result))); - return result; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } - /* TODO: Send a SAMLOGON request to determine whether this is a valid logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ @@ -164,14 +63,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - *retry = True; - - if (!grab_server_mutex(server)) + if (!grab_server_mutex(dc_name)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname(), remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); + *retry = True; + result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, + "IPC$", "IPC", "", "", "", 0, retry); if (!NT_STATUS_IS_OK(result)) { /* map to something more useful */ @@ -198,7 +96,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); +machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -217,7 +115,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ -%s. Error was : %s.\n", remote_machine, nt_errstr(result))); +%s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -230,61 +128,6 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_OK; } -/*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, - const char *domain, - struct in_addr *ip, - const char *setup_creds_as, - uint16 sec_chan, - const unsigned char *trust_passwd) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - BOOL retry = True; - fstring dc_name; - int i; - - /* - * Ignore addresses we have already tried. - */ - - if (is_zero_ip(*ip)) - return NT_STATUS_NO_LOGON_SERVERS; - - if ( !name_status_find( domain, 0x1b, 0x20, *ip, dc_name) ) - return NT_STATUS_NO_LOGON_SERVERS; - - for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) - ret = connect_to_domain_password_server(cli, dc_name, setup_creds_as, - sec_chan, trust_passwd, &retry); - return ret; -} - -/*********************************************************************** - We have been asked to dynamically determine the IP addresses of - the PDC and BDC's for DOMAIN, and query them in turn. -************************************************************************/ -static NTSTATUS find_connect_dc(struct cli_state **cli, - const char *domain, - const char *setup_creds_as, - uint16 sec_chan, - unsigned char *trust_passwd, - time_t last_change_time) -{ - struct in_addr dc_ip; - fstring srv_name; - - if (!rpc_dc_name(domain, srv_name, &dc_ip)) { - DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); - return NT_STATUS_NO_LOGON_SERVERS; - } - - return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, - sec_chan, trust_passwd ); -} - /*********************************************************************** Do the same as security=server, but using NT Domain calls and a session key from the machine password. If the server parameter is specified @@ -296,15 +139,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - const char *server, const char *setup_creds_as, + const char *dc_name, struct in_addr dc_ip, + const char *setup_creds_as, uint16 sec_chan, unsigned char trust_passwd[16], time_t last_change_time) { - fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; + int i; + BOOL retry = True; /* * At this point, smb_apasswd points to the lanman response to @@ -314,20 +159,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, * see if they were valid. */ - while (!NT_STATUS_IS_OK(nt_status) && - next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { - nt_status = find_connect_dc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); - } else { - int i; - BOOL retry = True; - for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) - nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, - sec_chan, trust_passwd, &retry); - } + /* rety loop for robustness */ + + for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { + nt_status = connect_to_domain_password_server(&cli, dc_name, dc_ip, setup_creds_as, + sec_chan, trust_passwd, &retry); } - if (!NT_STATUS_IS_OK(nt_status)) { + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); return nt_status; } @@ -340,12 +179,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - NULL, - user_info->smb_name.str, user_info->domain.str, - user_info->wksta_name.str, chal, - user_info->lm_resp, user_info->nt_resp, - &info3); + NULL, user_info->smb_name.str, user_info->domain.str, + user_info->wksta_name.str, chal, user_info->lm_resp, + user_info->nt_resp, &info3); + /* let go as soon as possible so we avoid any potential deadlocks + with winbind lookup up users or groups */ + release_server_mutex(); if (!NT_STATUS_IS_OK(nt_status)) { @@ -375,7 +215,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(status)) { if(cli_nt_logoff(&cli, &ctr) == False) { DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); +%s to Domain controller %s. Error was %s.\n", user, domain, dc_name, cli_errstr(&cli))); nt_status = NT_STATUS_LOGON_FAILURE; } } @@ -409,6 +249,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, fstring dc_name; struct in_addr dc_ip; + if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) { + DEBUG(0,("check_ntdomain_security: Configuration error! Cannot use " + "ntdomain auth method when not a member of a domain.\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); return NT_STATUS_INVALID_PARAMETER; @@ -422,7 +268,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if(is_myname(user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_NOT_IMPLEMENTED; } /* @@ -445,15 +291,18 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } } - if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + /* we need our DC to send the net_sam_logon() request to */ + + if ( !get_dc_name(domain, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, domain, - (uchar *)auth_context->challenge.data, - server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time); + (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, + global_myname(), sec_channel_type,trust_passwd, last_change_time); + return nt_status; } @@ -494,28 +343,19 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(is_myname(user_info->domain.str)) { - DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; - } - - /* - * Check that the requested domain is not our own domain, - * If it is, we should use our own local password file. + * Check that the requested domain is not our own machine name or domain name. */ - if(strequal(lp_workgroup(), (user_info->domain.str))) { - DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); + if( is_myname(user_info->domain.str) || strequal(lp_workgroup(), user_info->domain.str) ) { + DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", + user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; } - /* no point is bothering if this is not a trusted domain */ - /* this return makes "map to guest = bad user" work again */ + /* No point is bothering if this is not a trusted domain. + This return makes "map to guest = bad user" work again. + The logic is that if we know nothing about the domain, that + user is known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) return NT_STATUS_NO_SUCH_USER; @@ -545,16 +385,18 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } #endif - if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + /* use get_dc_name() for consistency even through we know that it will be + a netbios name */ + + if ( !get_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, - (uchar *)auth_context->challenge.data, - server_info, dc_name, lp_workgroup(), - SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, + lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1538fc50a1..30510c1bfa 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,6 +216,9 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ + /* FIXME!!!! grr...this is a broken check currently since is_trusted_domain() + is useless without winbindd --jerry */ + if ( !is_trusted_domain(domain) ) domain = get_global_sam_name(); @@ -869,10 +872,12 @@ static NTSTATUS fill_sam_account(const char *domain, passwd = Get_Pwnam(dom_user); - if ( (passwd == NULL) && is_myworkgroup(domain) ) { - /* For our own domain also try unqualified */ + /* if the lookup for DOMAIN\username failed, try again + with just 'username'. This is need for accessing the server + as a trust user that actually maps to a local account */ + + if ( !passwd ) passwd = Get_Pwnam(username); - } if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; -- cgit From db6ce132e360a42ea6843c81429be194662fce39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 03:49:41 +0000 Subject: * fix the trustdom_cache to work when winbindd is not running. smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a) --- source3/auth/auth_util.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 30510c1bfa..5185f876c6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,9 +216,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ - /* FIXME!!!! grr...this is a broken check currently since is_trusted_domain() - is useless without winbindd --jerry */ - if ( !is_trusted_domain(domain) ) domain = get_global_sam_name(); -- cgit From 0362868fa73bc339d40625ec0adade05fb80a9a7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 04:11:42 +0000 Subject: * revert change to get_global_sam_name() * add get_default_sam_name() to be used by make_user_info_map() * add comments describing get_*_sam_name() (This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1) --- source3/auth/auth_util.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5185f876c6..ab08a28ff6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -214,20 +214,16 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, domain = lp_workgroup(); /* do what win2k does. Always map unknown domains to our own - and let the "passdb backend" handle unknown users */ + and let the "passdb backend" handle unknown users. */ if ( !is_trusted_domain(domain) ) - domain = get_global_sam_name(); + domain = get_default_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ - return make_user_info(user_info, - smb_name, internal_username, - client_domain, domain, - wksta_name, - lm_pwd, nt_pwd, - plaintext, - ntlmssp_flags, encrypted); + return make_user_info(user_info, smb_name, internal_username, + client_domain, domain, wksta_name, lm_pwd, nt_pwd, + plaintext, ntlmssp_flags, encrypted); } /**************************************************************************** -- cgit From fb5a006c0971694ff4da3601c04f304234d27ae7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 05:45:16 +0000 Subject: fix typos in log messages and comments. (This used to be commit fd24183ec30688f3699e466bd4d908b24918e328) --- source3/auth/auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index c50fc1a9b7..d99b00d4a7 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -289,7 +289,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] suceeded\n", + DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n", pdb_username)); } else { DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n", @@ -299,7 +299,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { DEBUG((*server_info)->guest ? 5 : 2, - ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n", + ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", (*server_info)->guest ? "guest " : "", user_info->smb_name.str, user_info->internal_username.str, -- cgit From 814968d41b04fd6a3e889039d227ed6abb429ae2 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 17:51:52 +0000 Subject: * fixed volker's wbinfo -a lockup again. This one was my fault. It was caused by the winbind_ping() call in is_trusted_domain() o if we are a DC then we check our own direct trust relationships we have to rely on winbindd to update the truatdom_cache o if we are a domain member, then we can update the trustdom_cache ourselves if winbindd is not there (This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc) --- source3/auth/auth_util.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ab08a28ff6..4e25d7fd34 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. Authentication utility functions Copyright (C) Andrew Tridgell 1992-1998 @@ -1258,4 +1258,47 @@ NTSTATUS nt_status_squash(NTSTATUS nt_status) } +/** + * Verify whether or not given domain is trusted. + * + * @param domain_name name of the domain to be verified + * @return true if domain is one of the trusted once or + * false if otherwise + **/ + +BOOL is_trusted_domain(const char* dom_name) +{ + DOM_SID trustdom_sid; + char *pass = NULL; + time_t lct; + BOOL ret; + + /* if we are a DC, then check for a direct trust relationships */ + + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { + become_root(); + ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); + unbecome_root(); + SAFE_FREE(pass); + if (ret) + return True; + } + else { + /* if winbindd is not up and we are a domain member) then we need to update the + trustdom_cache ourselves */ + + if ( !winbind_ping() ) + update_trustdom_cache(); + } + + /* now the trustdom cache should be available a DC could still + * have a transitive trust so fall back to the cache of trusted + * domains (like a domain member would use */ + + if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) { + return True; + } + + return False; +} -- cgit From 61116049cabc292c2f2d570af4d68ddc537b91f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 3 Jul 2003 14:36:42 +0000 Subject: This patch takes the work the jerry did for beta2, and generalises it: - The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec) --- source3/auth/auth.c | 21 ++++++------ source3/auth/auth_builtin.c | 5 +-- source3/auth/auth_domain.c | 6 ++-- source3/auth/auth_rhosts.c | 7 ++-- source3/auth/auth_server.c | 4 +-- source3/auth/auth_util.c | 79 ++++++++++++++++++++++++++++++++++----------- source3/auth/auth_winbind.c | 14 ++++++-- 7 files changed, 92 insertions(+), 44 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index d99b00d4a7..9f109dc66e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -203,8 +203,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info) { - - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + /* if all the modules say 'not for me' this is reasonable */ + NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; const char *pdb_username; auth_methods *auth_method; TALLOC_CTX *mem_ctx; @@ -269,12 +269,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } talloc_destroy(mem_ctx); - - /* this sucks. Somehow we have to know if an authentication module is - authoritative for a user. Fixme!!! --jerry */ - - if ( NT_STATUS_IS_OK(nt_status) || - NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_WRONG_PASSWORD) ) + + if ( NT_STATUS_IS_OK(nt_status)) { break; } @@ -463,8 +459,13 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_USER: if (lp_encrypted_passwords()) { - DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam", NULL); + if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { + DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n")); + auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL); + } else { + DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n")); + auth_method_list = str_list_make("guest sam", NULL); + } } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); auth_method_list = str_list_make("guest unix", NULL); diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 5a9b5534ab..0358836793 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -38,7 +38,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + /* mark this as 'not for me' */ + NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; if (!(user_info->internal_username.str && *user_info->internal_username.str)) { @@ -133,7 +134,7 @@ static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_c const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NOT_IMPLEMENTED; } /**************************************************************************** diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 80320d8266..56bd6b9aca 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -266,7 +266,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(is_myname(user_info->domain.str)) { + if(strequal(get_global_sam_name(), user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_NOT_IMPLEMENTED; } @@ -346,7 +346,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * Check that the requested domain is not our own machine name or domain name. */ - if( is_myname(user_info->domain.str) || strequal(lp_workgroup(), user_info->domain.str) ) { + if( strequal(get_global_sam_name(), user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; @@ -358,7 +358,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte user is known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) - return NT_STATUS_NO_SUCH_USER; + return NT_STATUS_NOT_IMPLEMENTED; /* * Get the trusted account password for the trusted domain diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 8fec760e21..e2c6f0b06a 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -162,7 +162,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; SAM_ACCOUNT *account = NULL; if (!NT_STATUS_IS_OK(nt_status = auth_get_sam_account(user_info->internal_username.str, @@ -174,7 +174,6 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex nt_status = make_server_info_sam(server_info, account); } else { pdb_free_sam(&account); - nt_status = NT_STATUS_LOGON_FAILURE; } return nt_status; @@ -203,7 +202,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; SAM_ACCOUNT *account = NULL; pstring rhostsfile; const char *home; @@ -223,12 +222,10 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, nt_status = make_server_info_sam(server_info, account); } else { pdb_free_sam(&account); - nt_status = NT_STATUS_LOGON_FAILURE; } unbecome_root(); } else { pdb_free_sam(&account); - nt_status = NT_STATUS_LOGON_FAILURE; } return nt_status; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 2a1e4a48d9..af0848e12a 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -222,7 +222,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context static fstring baduser; static BOOL tested_password_server = False; static BOOL bad_password_server = False; - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; BOOL locally_made_cli = False; /* @@ -233,7 +233,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context if(is_myname(user_info->domain.str)) { DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; + return nt_status; } cli = my_private_data; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4e25d7fd34..ea46d27e9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -764,6 +764,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { NTSTATUS nt_status; + struct passwd *pwd; if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) return nt_status; @@ -773,16 +774,35 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) return nt_status; - if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { + fstring sid; + DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", + pdb_get_username(sampass), + sid_to_string(sid, pdb_get_user_sid(sampass)), + (unsigned)(*server_info)->uid)); + free_server_info(server_info); + return NT_STATUS_NO_SUCH_USER; + } + (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + passwd_free(&pwd); + + if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), + &((*server_info)->gid)))) { + free_server_info(server_info); return nt_status; + } if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, - (*server_info)->uid, (*server_info)->gid))) + (*server_info)->uid, + (*server_info)->gid))) { + free_server_info(server_info); return nt_status; + } (*server_info)->sam_fill_level = SAM_FILL_ALL; - DEBUG(5,("make_server_info_sam: made server info for user %s\n", - pdb_get_username((*server_info)->sam_account))); + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", + pdb_get_username(sampass), + (*server_info)->unix_name)); return nt_status; } @@ -809,6 +829,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc return nt_status; } + (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->uid = pwd->pw_uid; (*server_info)->gid = pwd->pw_gid; @@ -852,8 +874,10 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) Purely internal function for make_server_info_info3 Fill the sam account from getpwnam ***************************************************************************/ -static NTSTATUS fill_sam_account(const char *domain, +static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, + const char *domain, const char *username, + char **found_username, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { @@ -878,6 +902,8 @@ static NTSTATUS fill_sam_account(const char *domain, *uid = passwd->pw_uid; *gid = passwd->pw_gid; + *found_username = talloc_strdup(mem_ctx, passwd->pw_name); + return pdb_init_sam_pw(sam_account, passwd); } @@ -893,7 +919,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *info3) { NTSTATUS nt_status = NT_STATUS_OK; - + char *found_username; const char *nt_domain; const char *nt_username; @@ -958,13 +984,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, gid = passwd->pw_gid; /* we should check this is the same name */ - + found_username = talloc_strdup(mem_ctx, passwd->pw_name); + passwd_free(&passwd); } else { /* User not from winbind - try and find them by getpwnam() */ - nt_status = fill_sam_account(nt_domain, + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); @@ -972,8 +1000,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(nt_domain, + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); } @@ -984,17 +1013,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_MEMORY; } - if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { + if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } @@ -1004,7 +1028,18 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } @@ -1040,6 +1075,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->sam_account = sam_account; + (*server_info)->unix_name = smb_xstrdup(found_username); + /* Fill in the unix info we found on the way */ (*server_info)->sam_fill_level = SAM_FILL_ALL; @@ -1050,7 +1087,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(pdb_get_username(sam_account), + = get_user_groups_from_local_sam((*server_info)->unix_name, uid, gid, &n_lgroupSIDs, &lgroupSIDs, @@ -1070,6 +1107,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); + free_server_info(server_info); return NT_STATUS_NO_MEMORY; } @@ -1085,6 +1123,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); + free_server_info(server_info); return nt_status; } } @@ -1110,6 +1149,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, all_group_SIDs, False, &token))) { DEBUG(4,("create_nt_user_token failed\n")); SAFE_FREE(all_group_SIDs); + free_server_info(server_info); return nt_status; } @@ -1161,6 +1201,7 @@ void free_server_info(auth_serversupplied_info **server_info) /* call pam_end here, unless we know we are keeping it */ delete_nt_token( &(*server_info)->ptok ); SAFE_FREE((*server_info)->groups); + SAFE_FREE((*server_info)->unix_name); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 6ae8685b11..856b8f5a82 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -72,9 +72,14 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (!auth_context) { DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", user_info->internal_username.str)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_INVALID_PARAMETER; } + if (strequal(user_info->domain.str, get_global_sam_name())) { + DEBUG(3,("check_winbind_security: Not using winbind, requested domain was for this SAM.\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + /* Send off request */ ZERO_STRUCT(request); @@ -100,8 +105,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, request.data.auth_crap.lm_resp_len); memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, request.data.auth_crap.nt_resp_len); - + + /* we are contacting the privileged pipe */ + become_root(); result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { struct auth_methods *auth_method = my_private_data; @@ -129,7 +137,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } } } else if (NT_STATUS_IS_OK(nt_status)) { - nt_status = NT_STATUS_UNSUCCESSFUL; + nt_status = NT_STATUS_NO_LOGON_SERVERS; } return nt_status; -- cgit From ce72beb2b558d86fb49063c6b1fa00e07952ce56 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Jul 2003 19:11:31 +0000 Subject: Removed strupper/strlower macros that automatically map to strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959) --- source3/auth/auth_builtin.c | 4 ++-- source3/auth/auth_server.c | 2 +- source3/auth/pass_check.c | 5 ++--- 3 files changed, 5 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 0358836793..f7cdfe3fd2 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -87,11 +87,11 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ fstrcpy(user, user_info->smb_name.str); if (strncasecmp("NT_STATUS", user, strlen("NT_STATUS")) == 0) { - strupper(user); + strupper_m(user); return nt_status_string_to_code(user); } - strlower(user); + strlower_m(user); error_num = strtoul(user, NULL, 16); DEBUG(5,("check_name_to_ntstatus_security: Error for user %s was %lx\n", user, error_num)); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index af0848e12a..30e0e13a56 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -50,7 +50,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { standard_sub_basic(current_user_info.smb_name, desthost, sizeof(desthost)); - strupper(desthost); + strupper_m(desthost); if(!resolve_name( desthost, &dest_ip, 0x20)) { DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 88b82e3474..1ac8c1815a 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -757,7 +757,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas /* try all lowercase if it's currently all uppercase */ if (strhasupper(pass2)) { - strlower(pass2); + strlower_m(pass2); if NT_STATUS_IS_OK(nt_status = password_check(pass2)) { if (fn) fn(user, pass2); @@ -771,8 +771,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas } /* last chance - all combinations of up to level chars upper! */ - strlower(pass2); - + strlower_m(pass2); if (NT_STATUS_IS_OK(nt_status = string_combinations(pass2, password_check, level))) { if (fn) -- cgit From 9bcbaeee329cf190a793085a945acb8b20635bb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Jul 2003 18:50:21 +0000 Subject: Fixed strlower changes I missed. Pointed out by metze. Jeremy (This used to be commit da5ee2b765fc321b14e92eb27bde8ec8930b61d4) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 045ceb7c72..d666e439b0 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -229,7 +229,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(prompt); fstrcpy(t->prompt, prompt); - strlower(t->prompt); + strlower_m(t->prompt); trim_string(t->prompt, " ", " "); if (!next_token(&p, reply, NULL, sizeof(fstring))) @@ -240,7 +240,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(reply); fstrcpy(t->reply, reply); - strlower(t->reply); + strlower_m(t->reply); trim_string(t->reply, " ", " "); } -- cgit From d809ad1d1999b097ff30952b9d14cf5aaa72562e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 5 Jul 2003 08:05:06 +0000 Subject: PAM should operate on the Unix username, not the NT username (which might not have the domain\ qualification). Andrew Bartlett (This used to be commit 7cfa1e7c4abee10fe8c75e36aee68ee9f557656e) --- source3/auth/auth.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 9f109dc66e..a2486acbd1 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -205,7 +205,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, { /* if all the modules say 'not for me' this is reasonable */ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; - const char *pdb_username; + const char *unix_username; auth_methods *auth_method; TALLOC_CTX *mem_ctx; @@ -277,19 +277,19 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } if (NT_STATUS_IS_OK(nt_status)) { - pdb_username = pdb_get_username((*server_info)->sam_account); + unix_username = (*server_info)->unix_name; if (!(*server_info)->guest) { /* We might not be root if we are an RPC call */ become_root(); - nt_status = smb_pam_accountcheck(pdb_username); + nt_status = smb_pam_accountcheck(unix_username); unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n", - pdb_username)); + unix_username)); } else { DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n", - pdb_username, nt_errstr(nt_status))); + unix_username, nt_errstr(nt_status))); } } @@ -299,7 +299,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, (*server_info)->guest ? "guest " : "", user_info->smb_name.str, user_info->internal_username.str, - pdb_username)); + unix_username)); } } -- cgit From 85921dbd6fa417aa451ab9b6e88ecb7900333549 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 5 Jul 2003 10:39:41 +0000 Subject: Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e) --- source3/auth/auth_rhosts.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index e2c6f0b06a..fab2d551f2 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -162,11 +162,13 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + NTSTATUS nt_status; SAM_ACCOUNT *account = NULL; if (!NT_STATUS_IS_OK(nt_status = auth_get_sam_account(user_info->internal_username.str, &account))) { + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) + nt_status = NT_STATUS_NOT_IMPLEMENTED; return nt_status; } @@ -174,6 +176,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex nt_status = make_server_info_sam(server_info, account); } else { pdb_free_sam(&account); + nt_status = NT_STATUS_NOT_IMPLEMENTED; } return nt_status; @@ -202,7 +205,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + NTSTATUS nt_status; SAM_ACCOUNT *account = NULL; pstring rhostsfile; const char *home; @@ -210,6 +213,8 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, if (!NT_STATUS_IS_OK(nt_status = auth_get_sam_account(user_info->internal_username.str, &account))) { + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) + nt_status = NT_STATUS_NOT_IMPLEMENTED; return nt_status; } @@ -226,6 +231,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, unbecome_root(); } else { pdb_free_sam(&account); + nt_status = NT_STATUS_NOT_IMPLEMENTED; } return nt_status; -- cgit From b475d0b88924a0af4a8519a2e7bc183945de0f9c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 6 Jul 2003 05:51:20 +0000 Subject: This changes our Unix primary GID behaviour back to what most people expect: Samba will now use the user's UNIX primary group, as the primary group when dealing with the filesystem. The NT primary group is ignored in unix. For the NT_TOKEN, the primary group is the NT priamry group, and the unix primary group is added to the NT_TOKEN as a supplementary group. This should fix bug #109, but will need to be revisited when we get a full NT group database. Also in this commit: - Fix debug statements in service.c - Make idmap_ldap show if it's adding, or modifying an existing DN - Make idmap_ldap show both the error message and error string (This used to be commit 32e455a714b2090fcfd1f6d73daccf600c15d51b) --- source3/auth/auth_util.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ea46d27e9e..f77ee350b4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -784,13 +784,9 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_NO_SUCH_USER; } (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); - passwd_free(&pwd); + (*server_info)->gid = pwd->pw_gid; - if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), - &((*server_info)->gid)))) { - free_server_info(server_info); - return nt_status; - } + passwd_free(&pwd); if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, (*server_info)->uid, -- cgit From 0b18acb841f6a372b3aa285d4734875e5e35fe3b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 Jul 2003 05:11:10 +0000 Subject: and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8) --- source3/auth/auth_util.c | 65 ++++++++++++--------------------------------- source3/auth/auth_winbind.c | 2 +- 2 files changed, 18 insertions(+), 49 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f77ee350b4..399a1e9006 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -923,12 +923,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DOM_SID user_sid; DOM_SID group_sid; - struct passwd *passwd; - - unid_t u_id, g_id; uid_t uid; gid_t gid; - int u_type, g_type; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; @@ -964,44 +960,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* If the server didn't give us one, just use the one we sent them */ domain = domain; } - - u_type = ID_USERID; - g_type = ID_GROUPID; - - /* we are trying to check that idmap isn't stuffing us over - does this - user actually exist? */ - if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) - && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) - && ((passwd = getpwuid_alloc(u_id.uid)))) { - - nt_status = pdb_init_sam_pw(&sam_account, passwd); - - uid = passwd->pw_uid; - gid = passwd->pw_gid; - - /* we should check this is the same name */ - found_username = talloc_strdup(mem_ctx, passwd->pw_name); - - passwd_free(&passwd); - } else { - - /* User not from winbind - try and find them by getpwnam() */ - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, - &found_username, - &uid, &gid, - &sam_account); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, - &found_username, - &uid, &gid, - &sam_account); - } + + /* try to fill the same account.. If getpwnam() fails, then try the + add user script (2.2.x behavior) */ + + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { + DEBUG(3,("User %s does not exist, trying to add it\n", + internal_username)); + auth_add_user_script(nt_domain, internal_username); + nt_status = fill_sam_account(mem_ctx, nt_domain, + internal_username, &found_username, + &uid, &gid, &sam_account); } if (!NT_STATUS_IS_OK(nt_status)) { @@ -1082,12 +1054,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Store the user group information in the server_info returned to the caller. */ - if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam((*server_info)->unix_name, - uid, gid, - &n_lgroupSIDs, - &lgroupSIDs, - &unix_groups))) + nt_status = get_user_groups_from_local_sam((*server_info)->unix_name, + uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups); + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); return nt_status; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 856b8f5a82..aa8f345a5b 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -85,7 +85,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, ZERO_STRUCT(request); ZERO_STRUCT(response); - request.data.auth_crap.flags = WINBIND_PAM_INFO3_NDR; + request.flags = WBFLAG_PAM_INFO3_NDR; push_utf8_fstring(request.data.auth_crap.user, user_info->smb_name.str); -- cgit From 5365869b683e696863eb27545dc4608edff3408a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 Jul 2003 05:28:51 +0000 Subject: temporarily disable a sanity check to prevent winbindd from deadlocking on a Samba PDC. Will be re-enabled after winbind_passdb is done. (This used to be commit c4762aa3bc0d5d2dc5161b543b22808a369e0698) --- source3/auth/auth_util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 399a1e9006..ae1be761da 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -771,9 +771,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->sam_account = sampass; +#if 0 /* JERRY */ + /* disabled until winbindd_passdb is completed to prevent winbindd deadlock on a Samba PDC */ if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) return nt_status; - +#endif if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { fstring sid; DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", -- cgit From e25785fbdc72357142e8229e2925bd9695f9ae3e Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 8 Jul 2003 01:04:06 +0000 Subject: Spelling. (This used to be commit a9a3339b2d99dcb64b675b27255d4aa5959a1caf) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 1690e4d5e1..012696f46a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -333,7 +333,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, kickoff_time = pdb_get_kickoff_time(sampass); if (kickoff_time != 0 && time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expried.\n", pdb_get_username(sampass))); + DEBUG(1,("Account for user '%s' has expired.\n", pdb_get_username(sampass))); DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } -- cgit From 0c3d46f17f79a4e1d0330de4c7b4145a4334c804 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 8 Jul 2003 02:19:16 +0000 Subject: fix temporary bug so people can test 3.0 again; make sure to initialize the uid for the server_info struct (This used to be commit 6a84297da53e8658f4bcfa4951ceed011b69201f) --- source3/auth/auth_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ae1be761da..408b26f514 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -787,7 +787,8 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); (*server_info)->gid = pwd->pw_gid; - + (*server_info)->uid = pwd->pw_uid; + passwd_free(&pwd); if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, -- cgit From 0d0f89461edf95bc584423cca4de1915afe4ba90 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 8 Jul 2003 05:37:13 +0000 Subject: Initialise the uid and gid values to a safe default in make_server_info() (This used to be commit 3a1f4f5ea5379b0deb6dc6b8ed81dedc3a08f70e) --- source3/auth/auth_util.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 408b26f514..7d6a5ff8c9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -703,6 +703,14 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info) return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); + + /* Initialise the uid and gid values to something non-zero + which may save us from giving away root access if there + is a bug in allocating these fields. */ + + (*server_info)->uid = -1; + (*server_info)->gid = -1; + return NT_STATUS_OK; } -- cgit From 499b3e33153527420b3945b5eeb699e6b02d3420 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 8 Jul 2003 17:04:11 +0000 Subject: fix bone head mistake when setting the uid in the server_info struct. (This used to be commit 43f21078ec0f885d4d1a0b90476b55f8f92de9e7) --- source3/auth/auth_util.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d6a5ff8c9..d1c3b107e7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -779,17 +779,9 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->sam_account = sampass; -#if 0 /* JERRY */ - /* disabled until winbindd_passdb is completed to prevent winbindd deadlock on a Samba PDC */ - if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) - return nt_status; -#endif - if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { - fstring sid; - DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", - pdb_get_username(sampass), - sid_to_string(sid, pdb_get_user_sid(sampass)), - (unsigned)(*server_info)->uid)); + if ( !(pwd = getpwnam_alloc(pdb_get_username(sampass))) ) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); free_server_info(server_info); return NT_STATUS_NO_SUCH_USER; } -- cgit From f637448150ef248726363ae0df0b0f7e096c256e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 8 Jul 2003 17:19:37 +0000 Subject: standlone servers don't have any trusted domains (This used to be commit 4acdfc5c944aa8830d6cec7bd1225200448e45c5) --- source3/auth/auth_util.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d1c3b107e7..6fc1d772ec 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1282,6 +1282,11 @@ BOOL is_trusted_domain(const char* dom_name) time_t lct; BOOL ret; + /* no trusted domains for a standalone server */ + + if ( lp_server_role() == ROLE_STANDALONE ) + return False; + /* if we are a DC, then check for a direct trust relationships */ if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { -- cgit From 16ff7b26f6b9d288cbd1d39e075b637e24da13a6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 9 Jul 2003 16:44:47 +0000 Subject: Large set of changes to add UNIX account/group management to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6) --- source3/auth/auth_util.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6fc1d772ec..51cd1994f9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -60,16 +60,23 @@ static int smb_create_user(const char *domain, const char *unix_username, const void auth_add_user_script(const char *domain, const char *username) { - struct passwd *pwd=NULL; - /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX * user on the fly, do so. */ - if(lp_adduser_script() && !(pwd = Get_Pwnam(username))) { + if ( lp_adduser_script() ) smb_create_user(domain, username, NULL); + else { + DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n")); + + /* should never get here is we a re a domain member running winbindd + However, a host set for 'security = server' might run winbindd for + account allocation */ + + if ( !winbind_create_user(username) ) + DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); } } -- cgit From 03d5867d529f126da368ebda70bf2d997aa602e0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 11 Jul 2003 05:33:40 +0000 Subject: moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d) --- source3/auth/auth_util.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 51cd1994f9..3f9c120cfb 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -56,10 +56,12 @@ static int smb_create_user(const char *domain, const char *unix_username, const /**************************************************************************** Add and Delete UNIX users on demand, based on NTSTATUS codes. + We don't care about RID's here so ignore. ****************************************************************************/ void auth_add_user_script(const char *domain, const char *username) { + uint32 rid; /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX @@ -75,8 +77,10 @@ void auth_add_user_script(const char *domain, const char *username) However, a host set for 'security = server' might run winbindd for account allocation */ - if ( !winbind_create_user(username) ) + if ( !winbind_create_user(username, NULL) ) { DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); + rid = 0; + } } } -- cgit From 9b9f1697ee2b24f28ce31c6a860c9b6c8a0c5e99 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 11 Jul 2003 17:50:59 +0000 Subject: Fix a small typo in a comment and pretty it up a bit. (This used to be commit 3b5ddd8e1f021f6a38434c0d9a47317ab6ff2614) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f9c120cfb..8e1b420b47 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -975,7 +975,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - /* try to fill the same account.. If getpwnam() fails, then try the + /* try to fill the SAM account.. If getpwnam() fails, then try the add user script (2.2.x behavior) */ nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, -- cgit From f4d4b079e986bfa79ff0748597582d46c6ee7297 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 18 Jul 2003 11:36:16 +0000 Subject: Fix memleak (This used to be commit 228fe54f0d65b895bef9e095ad996a48edf964df) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index a2486acbd1..8316c4b617 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -512,7 +512,7 @@ NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[ return nt_status; } - (*auth_context)->challenge = data_blob(chal, 8); + (*auth_context)->challenge = data_blob_talloc((*auth_context)->mem_ctx, chal, 8); (*auth_context)->challenge_set_by = "fixed"; return nt_status; } -- cgit From 3a5dc7c2ecacecf7dd0cfd71ff1bb298d70b391b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Jul 2003 12:33:59 +0000 Subject: convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 56bd6b9aca..e2fc273479 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -104,7 +104,7 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); return NT_STATUS_NO_LOGON_SERVERS; } - snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); + fstr_sprintf((*cli)->mach_acct, "%s$", setup_creds_as); if (!(*cli)->mach_acct) { release_server_mutex(); -- cgit From 79e2d7c24ebc06a485d8a26c1e58c684237ef533 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 24 Jul 2003 04:25:37 +0000 Subject: Server side NTLM signing works - until the first async packet. Working on this next.... Jeremy. (This used to be commit eff74a1fcc597497a4c70589a44c1b70e93ab549) --- source3/auth/auth_ntlmssp.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index a381219d74..3af0cbaada 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -135,4 +135,3 @@ NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, { return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply); } - -- cgit From 77373f1f8e3b2f61e9bbcd9fadfb83257d390cf2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 24 Jul 2003 23:46:27 +0000 Subject: More printf fixes - size_t is long on some architectures. (This used to be commit ba4d334b822248d8ab929c9568533431603d967e) --- source3/auth/auth_sam.c | 8 ++++---- source3/auth/auth_util.c | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 012696f46a..4c120de9ae 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -44,12 +44,12 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, } if (sec_blob->length != 8) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%d)\n", sec_blob->length)); + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%l)\n", sec_blob->length)); return False; } if (nt_response->length != 24) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%d)\n", nt_response->length)); + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%l)\n", nt_response->length)); return False; } @@ -103,7 +103,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, /* We MUST have more than 16 bytes, or the stuff below will go crazy. No known implementation sends less than the 24 bytes for LMv2, let alone NTLMv2. */ - DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%d)\n", + DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%l)\n", ntv2_response->length)); return False; } @@ -233,7 +233,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, if (auth_flags & AUTH_FLAG_LM_RESP) { if (user_info->lm_resp.length != 24) { - DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", + DEBUG(2,("sam_password_ok: invalid LanMan password length (%l) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass))); } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 8e1b420b47..d4d08e2273 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -133,7 +133,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { - DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); + DEBUG(0,("malloc failed for user_info (size %l)\n", sizeof(*user_info))); return NT_STATUS_NO_MEMORY; } @@ -489,9 +489,9 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", sid_to_string(sid_str, &token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); + DEBUGADDC(dbg_class, dbg_lev, ("contains %l SIDs\n", token->num_sids)); for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3l]: %s\n", i, sid_to_string(sid_str, &token->user_sids[i]))); } -- cgit From 7d833de662b83f026b54a236588da27dd8899630 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Jul 2003 04:24:40 +0000 Subject: More printf portability fixes. Got caught out by some gcc'isms last time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0) --- source3/auth/auth_sam.c | 12 ++++++------ source3/auth/auth_util.c | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 4c120de9ae..fb66d53cd4 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -44,12 +44,12 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, } if (sec_blob->length != 8) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%l)\n", sec_blob->length)); + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", (unsigned long)sec_blob->length)); return False; } if (nt_response->length != 24) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%l)\n", nt_response->length)); + DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", (unsigned long)nt_response->length)); return False; } @@ -103,8 +103,8 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, /* We MUST have more than 16 bytes, or the stuff below will go crazy. No known implementation sends less than the 24 bytes for LMv2, let alone NTLMv2. */ - DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%l)\n", - ntv2_response->length)); + DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", + (unsigned long)ntv2_response->length)); return False; } @@ -233,8 +233,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, if (auth_flags & AUTH_FLAG_LM_RESP) { if (user_info->lm_resp.length != 24) { - DEBUG(2,("sam_password_ok: invalid LanMan password length (%l) for user %s\n", - user_info->nt_resp.length, pdb_get_username(sampass))); + DEBUG(2,("sam_password_ok: invalid LanMan password length (%lu) for user %s\n", + (unsigned long)user_info->nt_resp.length, pdb_get_username(sampass))); } if (!lp_lanman_auth()) { diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d4d08e2273..3a95ae591d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -133,7 +133,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { - DEBUG(0,("malloc failed for user_info (size %l)\n", sizeof(*user_info))); + DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info))); return NT_STATUS_NO_MEMORY; } @@ -489,9 +489,9 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", sid_to_string(sid_str, &token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %l SIDs\n", token->num_sids)); + DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3l]: %s\n", i, + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); } -- cgit From 0c4358889e53187a6b839c8a66a5333df5580769 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 26 Jul 2003 01:21:06 +0000 Subject: Correctly detect an "add user script" - check that *lp_adduser_script() != '\0', not lp_adduser_script() != NULL. Jeremy. (This used to be commit 2eac65ebe7147b36a34e0ca1c3f455f559ab0361) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3a95ae591d..5403ee8c39 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -68,7 +68,7 @@ void auth_add_user_script(const char *domain, const char *username) * user on the fly, do so. */ - if ( lp_adduser_script() ) + if ( *lp_adduser_script() ) smb_create_user(domain, username, NULL); else { DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n")); -- cgit From 29ca70cd34d3ba927ea1a9915ebd247f64965bd5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 30 Jul 2003 23:49:29 +0000 Subject: Add a command line option (-S on|off|required) to enable signing on client connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e2fc273479..aacea261fe 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -69,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ *retry = True; result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, - "IPC$", "IPC", "", "", "", 0, retry); + "IPC$", "IPC", "", "", "", 0, Undefined, retry); if (!NT_STATUS_IS_OK(result)) { /* map to something more useful */ -- cgit From 56bb027696d5d0c8b72fe9d37d09b00f60b62ca1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Aug 2003 05:11:11 +0000 Subject: need to be able to connect to a domain member as a local account; don't always map to the domain name (This used to be commit 20b6e64da2669e5dfc7265cae331ec9c89aa02dc) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5403ee8c39..061cc7345b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, client_domain, smb_name, wksta_name)); /* don't allow "" as a domain, fixes a Win9X bug - where it doens't supply a domain for logon script - 'net use' commands.*/ + where it doens't supply a domain for logon script + 'net use' commands. */ if ( *client_domain ) domain = client_domain; @@ -227,7 +227,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users. */ - if ( !is_trusted_domain(domain) ) + if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) ) domain = get_default_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ -- cgit From c1bc3a7841890d8af470863e018721c035754999 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 9 Aug 2003 23:12:35 +0000 Subject: fix for BUG #267 (problem with supplementary groups). Use winbindd to get the group list if possible since we already know it from netsamlogon_cache.tdb. More effecient than letting libc call getgrent() to get seconary groups. Tested by Ken Cross. (This used to be commit 3c537c906f29a08e75895c8c8e3ed5c5abaaa940) --- source3/auth/auth_util.c | 118 ++++++++++++++++++++++++++++++----------------- 1 file changed, 76 insertions(+), 42 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 061cc7345b..d07681ee7d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -646,43 +646,66 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid, - int *n_groups, DOM_SID **groups, gid_t **unix_groups) +static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, + int *n_groups, DOM_SID **groups, gid_t **unix_groups) { - int n_unix_groups; - int i; + int n_unix_groups; + int i; *n_groups = 0; *groups = NULL; + + /* Try winbind first */ - n_unix_groups = groups_max(); - if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { - DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); - return NT_STATUS_NO_MEMORY; + if ( strchr(username, *lp_winbind_separator()) ) { + n_unix_groups = winbind_getgroups( username, unix_groups ); + + DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", username, + n_unix_groups == -1 ? "FAIL" : "SUCCESS")); + + if ( n_unix_groups == -1 ) + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } - - if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - gid_t *groups_tmp; - groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); - if (!groups_tmp) { - SAFE_FREE(*unix_groups); + else { + /* fallback to getgrouplist() */ + + n_unix_groups = groups_max(); + + if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { + DEBUG(0, ("get_user_groups: Out of memory allocating unix group list\n")); return NT_STATUS_NO_MEMORY; } - *unix_groups = groups_tmp; - + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + + gid_t *groups_tmp; + + groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); + + if (!groups_tmp) { + SAFE_FREE(*unix_groups); + return NT_STATUS_NO_MEMORY; + } + *unix_groups = groups_tmp; + + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { + DEBUG(0, ("get_user_groups: failed to get the unix group list\n")); + SAFE_FREE(*unix_groups); + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + } } } debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); + /* now setup the space for storing the SIDS */ + if (n_unix_groups > 0) { + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { - DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n")); SAFE_FREE(*unix_groups); return NT_STATUS_NO_MEMORY; } @@ -692,7 +715,8 @@ static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, for (i = 0; i < *n_groups; i++) { if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { - DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); + DEBUG(1, ("get_user_groups: failed to convert gid %ld to a sid!\n", + (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; @@ -743,10 +767,9 @@ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass), - uid, gid, - &n_groupSIDs, &groupSIDs, - &unix_groups); + nt_status = get_user_groups(pdb_get_username(sampass), uid, gid, + &n_groupSIDs, &groupSIDs, &unix_groups); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); free_server_info(server_info); @@ -1068,11 +1091,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Store the user group information in the server_info returned to the caller. */ - nt_status = get_user_groups_from_local_sam((*server_info)->unix_name, + nt_status = get_user_groups((*server_info)->unix_name, uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups); - if ( !NT_STATUS_IS_OK(nt_status) ) - { - DEBUG(4,("get_user_groups_from_local_sam failed\n")); + + if ( !NT_STATUS_IS_OK(nt_status) ) { + DEBUG(4,("get_user_groups failed\n")); return nt_status; } @@ -1080,9 +1103,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->n_groups = n_lgroupSIDs; /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * - (n_lgroupSIDs + info3->num_groups2 + - info3->num_other_sids)); + + all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 +info3->num_other_sids)); + if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); @@ -1090,20 +1113,30 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } +#if 0 /* JERRY -- no such thing as local groups in current code */ /* Copy the 'local' sids */ memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); SAFE_FREE(lgroupSIDs); +#endif /* and create (by appending rids) the 'domain' sids */ + for (i = 0; i < info3->num_groups2; i++) { - sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); - if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { + + sid_copy(&all_group_SIDs[i], &(info3->dom_sid.sid)); + + if (!sid_append_rid(&all_group_SIDs[i], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); + SAFE_FREE(lgroupSIDs); free_server_info(server_info); + return nt_status; + } } @@ -1113,19 +1146,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp */ - for (i = 0; i < info3->num_other_sids; i++) - sid_copy(&all_group_SIDs[ - n_lgroupSIDs + info3->num_groups2 + i], + for (i = 0; i < info3->num_other_sids; i++) { + sid_copy(&all_group_SIDs[info3->num_groups2 + i], &info3->other_sids[i].sid); + } /* Where are the 'global' sids... */ /* can the user be guest? if yes, where is it stored? */ - if (!NT_STATUS_IS_OK( - nt_status = create_nt_user_token( - &user_sid, &group_sid, - n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids, - all_group_SIDs, False, &token))) { + + nt_status = create_nt_user_token(&user_sid, &group_sid, + info3->num_groups2 + info3->num_other_sids, + all_group_SIDs, False, &token); + + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(4,("create_nt_user_token failed\n")); SAFE_FREE(all_group_SIDs); free_server_info(server_info); -- cgit From aa39cc37dab9c4f8c3295d872bb8cc143890b378 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 15 Aug 2003 04:42:05 +0000 Subject: get rid of more compiler warnings (This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669) --- source3/auth/auth.c | 4 ++-- source3/auth/auth_util.c | 2 +- source3/auth/auth_winbind.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 8316c4b617..668bba0d64 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -131,7 +131,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); DEBUG(5, ("challenge is: \n")); - dump_data(5, auth_context->challenge.data, auth_context->challenge.length); + dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length); SMB_ASSERT(auth_context->challenge.length == 8); @@ -228,7 +228,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, auth_context->challenge_set_by)); DEBUG(10, ("challenge is: \n")); - dump_data(5, auth_context->challenge.data, auth_context->challenge.length); + dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length); #ifdef DEBUG_PASSWORD DEBUG(100, ("user_info has passwords of length %d and %d\n", diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d07681ee7d..952aa8ba59 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -393,7 +393,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, dump_data(100, plaintext_password.data, plaintext_password.length); #endif - SMBencrypt( (const uchar *)plaintext_password.data, (const uchar*)chal, local_lm_response); + SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index aa8f345a5b..cae7aadd0c 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -36,7 +36,7 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { return NT_STATUS_NO_MEMORY; } - prs_copy_data_in(&ps, info3_ndr, len); + prs_copy_data_in(&ps, (char *)info3_ndr, len); prs_set_offset(&ps,0); if (!net_io_user_info3("", info3, &ps, 1, 3)) { DEBUG(2, ("get_info3_from_ndr: could not parse info3 struct!\n")); -- cgit From fcdebdae6fb69575bbe6e622b112d2e61f972898 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 28 Aug 2003 23:57:34 +0000 Subject: Fix bug found by tridge in 2.2.x. Ensure that %U substitution is restored on next valid packet if a logon fails. This has relevence if people are using su.exe within logon scripts ! Jeremy. (This used to be commit d405a93a9d3f9a1d93bb3289b00683fba3160bbe) --- source3/auth/auth_domain.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index aacea261fe..43e7597cd9 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -26,9 +26,6 @@ extern BOOL global_machine_password_needs_changing; -extern userdom_struct current_user_info; - - /** * Connect to a remote server for domain security authenticaion. * -- cgit From 94f59f54921174fc156fade575ca114d331b1bd8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 5 Sep 2003 19:59:55 +0000 Subject: More tuning from cachegrind. Change most trim_string() calls to trim_char(0, as that's what they do. Fix string_replace() to fast-path ascii. Jeremy. (This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db) --- source3/auth/auth.c | 4 ++-- source3/auth/auth_rhosts.c | 2 +- source3/auth/pampass.c | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 668bba0d64..553d9a686e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -373,10 +373,10 @@ BOOL load_auth_module(struct auth_context *auth_context, if (p) { *p = 0; module_params = p+1; - trim_string(module_params, " ", " "); + trim_char(module_params, ' ', ' '); } - trim_string(module_name, " ", " "); + trim_char(module_name, ' ', ' '); entry = auth_find_backend_entry(module_name); diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index fab2d551f2..b295df9328 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -40,7 +40,7 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e if (! lines) return False; for (i=0; lines[i]; i++) { char *buf = lines[i]; - trim_string(buf," "," "); + trim_char(buf,' ',' '); if (buf[0] != '#' && buf[0] != '\n') { diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index d666e439b0..3239686a20 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -230,7 +230,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(prompt); fstrcpy(t->prompt, prompt); strlower_m(t->prompt); - trim_string(t->prompt, " ", " "); + trim_char(t->prompt, ' ', ' '); if (!next_token(&p, reply, NULL, sizeof(fstring))) break; @@ -241,7 +241,7 @@ static struct chat_struct *make_pw_chat(char *p) special_char_sub(reply); fstrcpy(t->reply, reply); strlower_m(t->reply); - trim_string(t->reply, " ", " "); + trim_char(t->reply, ' ', ' '); } return list; @@ -304,7 +304,7 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_ON: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - trim_string(current_prompt, " ", " "); + trim_char(current_prompt, ' ', ' '); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", @@ -335,7 +335,7 @@ static int smb_pam_passchange_conv(int num_msg, case PAM_PROMPT_ECHO_OFF: DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg)); fstrcpy(current_prompt, msg[replies]->msg); - trim_string(current_prompt, " ", " "); + trim_char(current_prompt, ' ', ' '); for (t=pw_chat; t; t=t->next) { DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", -- cgit From 07c90e499e5e02db94d4ca3f3d303b2b1952ace9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 8 Sep 2003 20:42:33 +0000 Subject: Tidy up some formatting. Get ready for allowing bad password lockout. (based on a patch posted from Richard Renard . Jeremy. (This used to be commit abf54b58e95a949cb883d4485853dc560489c03f) --- source3/auth/auth_sam.c | 87 +++++++++++++++++++++---------------------------- 1 file changed, 38 insertions(+), 49 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index fb66d53cd4..ce97bd7df2 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -27,8 +27,9 @@ #define DBGC_CLASS DBGC_AUTH /**************************************************************************** -core of smb password checking routine. + Core of smb password checking routine. ****************************************************************************/ + static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, const uchar *part_passwd, const DATA_BLOB *sec_blob, @@ -54,8 +55,7 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, } SMBOWFencrypt(part_passwd, sec_blob->data, p24); - if (user_sess_key != NULL) - { + if (user_sess_key != NULL) { SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); } @@ -74,12 +74,11 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, return (memcmp(p24, nt_response->data, 24) == 0); } - /**************************************************************************** -core of smb password checking routine. (NTLMv2, LMv2) - -Note: The same code works with both NTLMv2 and LMv2. + Core of smb password checking routine. (NTLMv2, LMv2) + Note: The same code works with both NTLMv2 and LMv2. ****************************************************************************/ + static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, const uchar *part_passwd, const DATA_BLOB *sec_blob, @@ -92,8 +91,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, uchar client_response[16]; DATA_BLOB client_key_data; - if (part_passwd == NULL) - { + if (part_passwd == NULL) { DEBUG(10,("No password set - DISALLOWING access\n")); /* No password set - always False */ return False; @@ -121,8 +119,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, } SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); - if (user_sess_key != NULL) - { + if (user_sess_key != NULL) { SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); } @@ -142,11 +139,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, return (memcmp(value_from_encryption, client_response, 16) == 0); } - /**************************************************************************** Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ + static NTSTATUS sam_password_ok(const struct auth_context *auth_context, TALLOC_CTX *mem_ctx, SAM_ACCOUNT *sampass, @@ -158,15 +155,11 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, uint32 auth_flags; acct_ctrl = pdb_get_acct_ctrl(sampass); - if (acct_ctrl & ACB_PWNOTREQ) - { - if (lp_null_passwords()) - { + if (acct_ctrl & ACB_PWNOTREQ) { + if (lp_null_passwords()) { DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", pdb_get_username(sampass))); return(NT_STATUS_OK); - } - else - { + } else { DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", pdb_get_username(sampass))); return(NT_STATUS_LOGON_FAILURE); } @@ -191,8 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } @@ -201,9 +193,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, "", - user_sess_key)) - - { + user_sess_key)) { return NT_STATUS_OK; } else { DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); @@ -218,8 +208,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); if (smb_pwd_check_ntlmv1(&user_info->nt_resp, nt_pw, &auth_context->challenge, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } else { DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); @@ -247,8 +236,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(4,("sam_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(&user_info->lm_resp, lm_pw, &auth_context->challenge, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } } @@ -268,8 +256,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } @@ -278,8 +265,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, "", - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } @@ -287,12 +273,10 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, - I think this is related to Win9X pass-though authentication */ DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); - if (lp_ntlm_auth()) - { + if (lp_ntlm_auth()) { if (smb_pwd_check_ntlmv1(&user_info->lm_resp, nt_pw, &auth_context->challenge, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass))); @@ -313,6 +297,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, Do a specific test for a SAM_ACCOUNT being vaild for this connection (ie not disabled, expired and the like). ****************************************************************************/ + static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) @@ -325,16 +310,22 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, /* Quit if the account was disabled. */ if (acct_ctrl & ACB_DISABLED) { - DEBUG(1,("Account for user '%s' was disabled.\n", pdb_get_username(sampass))); + DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass))); return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl & ACB_AUTOLOCK) { + DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); if (kickoff_time != 0 && time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expired.\n", pdb_get_username(sampass))); - DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); + DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass))); + DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } @@ -344,14 +335,14 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, /* check for immediate expiry "must change at next logon" */ if (must_change_time == 0 && last_set_time != 0) { - DEBUG(1,("Account for user '%s' password must change!.\n", pdb_get_username(sampass))); + DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass))); return NT_STATUS_PASSWORD_MUST_CHANGE; } /* check for expired password */ if (must_change_time < time(NULL) && must_change_time != 0) { - DEBUG(1,("Account for user '%s' password expired!.\n", pdb_get_username(sampass))); - DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); + DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", pdb_get_username(sampass))); + DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; } } @@ -359,8 +350,8 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, /* Test workstation. Workstation list is comma separated. */ workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass)); - - if (!workstation_list) return NT_STATUS_NO_MEMORY; + if (!workstation_list) + return NT_STATUS_NO_MEMORY; if (*workstation_list) { BOOL invalid_ws = True; @@ -369,7 +360,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, fstring tok; while (next_token(&s, tok, ",", sizeof(tok))) { - DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", + DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n", tok, user_info->wksta_name.str, user_info->wksta_name.len)); if(strequal(tok, user_info->wksta_name.str)) { invalid_ws = False; @@ -399,7 +390,6 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } - /**************************************************************************** check if a username/password is OK assuming the password is a 24 byte SMB hash supplied in the user_info structure @@ -434,9 +424,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, ret = pdb_getsampwnam(sampass, user_info->internal_username.str); unbecome_root(); - if (ret == False) - { - DEBUG(3,("Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); + if (ret == False) { + DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } -- cgit From e7f41de758a39e6ad242ecbd8162cbf5117ad5a7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 7 Oct 2003 16:34:23 +0000 Subject: make sure to call get_user_groups() with the full winbindd name for a user if he;she has one; bug 406 (This used to be commit 1737b36e9193e30285c598ad75d90f610bab47fe) --- source3/auth/auth_util.c | 17 ++++++++++++++--- source3/auth/auth_winbind.c | 16 ++++++++-------- 2 files changed, 22 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 952aa8ba59..3803741466 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -644,6 +644,9 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * * currently this is a hack, as there is no sam implementation that is capable * of groups. + * + * NOTE!! This function will fail if you pass in a winbind user without + * the domain --jerry ******************************************************************************/ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, @@ -926,8 +929,10 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, with just 'username'. This is need for accessing the server as a trust user that actually maps to a local account */ - if ( !passwd ) - passwd = Get_Pwnam(username); + if ( !passwd ) { + fstrcpy( dom_user, username ); + passwd = Get_Pwnam( dom_user ); + } if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; @@ -935,7 +940,13 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *uid = passwd->pw_uid; *gid = passwd->pw_gid; - *found_username = talloc_strdup(mem_ctx, passwd->pw_name); + /* This is pointless -- there is no suport for differeing + unix and windows names. Make sure to always store the + one we actuall looked up and succeeded. Have I mentioned + why I hate the 'winbind use default domain' parameter? + --jerry */ + + *found_username = talloc_strdup(mem_ctx, dom_user); return pdb_init_sam_pw(sam_account, passwd); } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index cae7aadd0c..d09987ba37 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -126,15 +126,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (result == NSS_STATUS_SUCCESS && response.extra_data) { if (NT_STATUS_IS_OK(nt_status)) { - if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { - nt_status = - make_server_info_info3(mem_ctx, - user_info->internal_username.str, - user_info->smb_name.str, - user_info->domain.str, - server_info, - &info3); + + if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) + { + nt_status = make_server_info_info3(mem_ctx, + user_info->internal_username.str, + user_info->smb_name.str, user_info->domain.str, + server_info, &info3); } + } } else if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_NO_LOGON_SERVERS; -- cgit From 3fb80f1926e1770f650bca1485c21cf5ee6b9c4f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Oct 2003 16:49:45 +0000 Subject: more 2.2.x compatibility fixes - allow user looksup in the kerb5 sesssetup to fall back to 'user' instaed of failing is REA.LM\user doesn't exist. also fix include line in smb_acls.h as requested by metze (This used to be commit 62ed2598b3441b3c198872df8eb55e594332807b) --- source3/auth/auth_util.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3803741466..71634f08ed 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -942,7 +942,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, /* This is pointless -- there is no suport for differeing unix and windows names. Make sure to always store the - one we actuall looked up and succeeded. Have I mentioned + one we actually looked up and succeeded. Have I mentioned why I hate the 'winbind use default domain' parameter? --jerry */ @@ -951,6 +951,30 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, return pdb_init_sam_pw(sam_account, passwd); } +/**************************************************************************** + Wrapper to allow the getpwnam() call to styrip the domain name and + try again in case a local UNIX user is already there. + ****************************************************************************/ + +struct passwd *smb_getpwnam( char *domuser ) +{ + struct passwd *pw; + char *p; + + pw = Get_Pwnam( domuser ); + if ( pw ) + return pw; + + /* fallback to looking up just the username */ + + p = strchr( domuser, *lp_winbind_separator() ); + + if ( p ) + return Get_Pwnam(p+1); + + return NULL; +} + /*************************************************************************** Make a server_info struct from the info3 returned by a domain logon ***************************************************************************/ -- cgit From bb0598faf58679a7ad26a1caab8eadb154a07ae2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 22 Oct 2003 23:38:20 +0000 Subject: Put strcasecmp/strncasecmp on the banned list (except for needed calls in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace) --- source3/auth/auth_builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index f7cdfe3fd2..96c2221652 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -86,7 +86,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ long error_num; fstrcpy(user, user_info->smb_name.str); - if (strncasecmp("NT_STATUS", user, strlen("NT_STATUS")) == 0) { + if (strnequal("NT_STATUS", user, strlen("NT_STATUS"))) { strupper_m(user); return nt_status_string_to_code(user); } -- cgit From ab8f9387b73ff99db1a3255f9c55258ffa5df8f7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 24 Oct 2003 01:18:56 +0000 Subject: Andrew Bartlett patch to cope with Exchange 5.5 cleartext pop password auth. Jeremy. (This used to be commit 46e66ee950eee035ad008c189cd2378f734af605) --- source3/auth/auth_sam.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index ce97bd7df2..2a00b6fb80 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -172,6 +172,22 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ auth_flags &= (~(AUTH_FLAG_NTLMv2_RESP | AUTH_FLAG_NTLM_RESP)); + } else { + /* Check for cleartext netlogon. Used by Exchange 5.5. */ + unsigned char zeros[8]; + + memset(zeros,'\0',sizeof(zeros)); + if (auth_context->challenge.length == sizeof(zeros) && + (memcmp(auth_context->challenge.data, zeros, auth_context->challenge.length) == 0 ) && + user_info->nt_resp.length) { + if ((nt_pw = pdb_get_nt_passwd(sampass)) != NULL) { + unsigned char pwhash[16]; + mdfour(pwhash, user_info->nt_resp.data, user_info->nt_resp.length); + if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) { + return NT_STATUS_OK; + } + } + } } if (auth_flags & AUTH_FLAG_NTLMv2_RESP) { -- cgit From b922425cacd85d32b1471836636ab3675ebb17be Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Nov 2003 17:28:44 +0000 Subject: run krb5 logins through the username map if the winbindd lookup fails; bug 698 (This used to be commit efe257bce2020e94d00946a27e2e586c82a1480f) --- source3/auth/auth_util.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 71634f08ed..dd0c0b02dd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -952,14 +952,16 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, } /**************************************************************************** - Wrapper to allow the getpwnam() call to styrip the domain name and - try again in case a local UNIX user is already there. + Wrapper to allow the getpwnam() call to strip the domain name and + try again in case a local UNIX user is already there. Also run through + the username if we fallback to the username only. ****************************************************************************/ struct passwd *smb_getpwnam( char *domuser ) { struct passwd *pw; char *p; + fstring mapped_username; pw = Get_Pwnam( domuser ); if ( pw ) @@ -969,8 +971,11 @@ struct passwd *smb_getpwnam( char *domuser ) p = strchr( domuser, *lp_winbind_separator() ); - if ( p ) - return Get_Pwnam(p+1); + if ( p ) { + fstrcpy( mapped_username, p ); + map_username( mapped_username ); + return Get_Pwnam(mapped_username); + } return NULL; } -- cgit From 39ccc0f5157ba4f2c574d73b8e484211a24b677b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 9 Nov 2003 17:23:57 +0000 Subject: Skip over the winbind separator when looking up a user. Volker (This used to be commit 6b457d0c5c1a18b6e09c2c4cc489ce791aac3c6b) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dd0c0b02dd..d7d7f53e2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -972,6 +972,7 @@ struct passwd *smb_getpwnam( char *domuser ) p = strchr( domuser, *lp_winbind_separator() ); if ( p ) { + p += 1; fstrcpy( mapped_username, p ); map_username( mapped_username ); return Get_Pwnam(mapped_username); -- cgit From 33e6af5b3d8db3e0c4a7eabacf3be1c849805c84 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 10 Nov 2003 19:33:42 +0000 Subject: Patch from Andrew Bartlett for security=server core dump if server goes away. Jeremy. (This used to be commit e61324cc6a222ca714530827068104f7a74c0911) --- source3/auth/auth_server.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 30e0e13a56..b57293943c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -153,14 +153,16 @@ static void free_server_private_data(void **private_data_pointer) static void send_server_keepalive(void **private_data_pointer) { - struct cli_state **cli = (struct cli_state **)private_data_pointer; - /* also send a keepalive to the password server if its still connected */ - if (cli && *cli && (*cli)->initialised) { - if (!send_keepalive((*cli)->fd)) { - DEBUG( 2, ( "password server keepalive failed.\n")); - cli_shutdown(*cli); + if (private_data_pointer) { + struct cli_state *cli = (struct cli_state *)(*private_data_pointer); + if (cli && cli->initialised) { + if (!send_keepalive(cli->fd)) { + DEBUG( 2, ( "send_server_keepalive: password server keepalive failed.\n")); + cli_shutdown(cli); + *private_data_pointer = NULL; + } } } } -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/auth/auth.c | 3 ++ source3/auth/auth_ntlmssp.c | 81 ++++++++++++++++++++++++++++++++++++++++----- source3/auth/auth_sam.c | 64 ++++++++++++++++++++++++----------- source3/auth/auth_util.c | 24 ++++++++++++-- 4 files changed, 142 insertions(+), 30 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 553d9a686e..20dccc6592 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -88,6 +88,8 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) return auth_context->challenge.data; } + auth_context->challenge_may_be_modified = False; + for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { if (auth_method->get_chal == NULL) { DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); @@ -127,6 +129,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) chal, sizeof(chal)); challenge_set_by = "random"; + auth_context->challenge_may_be_modified = True; } DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 3af0cbaada..a5ce101e5e 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -23,13 +23,59 @@ #include "includes.h" -static const uint8 *auth_ntlmssp_get_challenge(struct ntlmssp_state *ntlmssp_state) +/** + * Return the challenge as determined by the authentication subsystem + * @return an 8 byte random challenge + */ + +static const uint8 *auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state) { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; return auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context); } -static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state) +/** + * Some authentication methods 'fix' the challenge, so we may not be able to set it + * + * @return If the effective challenge used by the auth subsystem may be modified + */ +static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) +{ + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; + struct auth_context *auth_context = auth_ntlmssp_state->auth_context; + + return auth_context->challenge_may_be_modified; +} + +/** + * NTLM2 authentication modifies the effective challange, + * @param challenge The new challenge value + */ +static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) +{ + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; + struct auth_context *auth_context = auth_ntlmssp_state->auth_context; + + SMB_ASSERT(challenge->length == 8); + + auth_context->challenge = data_blob_talloc(auth_context->mem_ctx, + challenge->data, challenge->length); + + auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)"; + + DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by)); + DEBUG(5, ("challenge is: \n")); + dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length); + return NT_STATUS_OK; +} + +/** + * Check the password on an NTLMSSP login. + * + * Return the session keys used on the connection. + */ + +static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key) { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; uint32 auth_flags = AUTH_FLAG_NONE; @@ -45,7 +91,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state) auth_flags |= AUTH_FLAG_NTLM_RESP; } else if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length > 24) { auth_flags |= AUTH_FLAG_NTLMv2_RESP; - }; + } /* the client has given us its machine name (which we otherwise would not get on port 445). we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ @@ -71,10 +117,26 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state) return nt_status; } - nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, user_info, &auth_ntlmssp_state->server_info); - + nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, + user_info, &auth_ntlmssp_state->server_info); + free_user_info(&user_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + if (auth_ntlmssp_state->server_info->nt_session_key.length) { + DEBUG(10, ("Got NT session key of length %u\n", auth_ntlmssp_state->server_info->nt_session_key.length)); + *nt_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx, + auth_ntlmssp_state->server_info->nt_session_key.data, + auth_ntlmssp_state->server_info->nt_session_key.length); + } + if (auth_ntlmssp_state->server_info->lm_session_key.length) { + DEBUG(10, ("Got LM session key of length %u\n", auth_ntlmssp_state->server_info->lm_session_key.length)); + *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx, + auth_ntlmssp_state->server_info->lm_session_key.data, + auth_ntlmssp_state->server_info->lm_session_key.length); + } return nt_status; } @@ -106,18 +168,20 @@ NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) (*auth_ntlmssp_state)->ntlmssp_state->auth_context = (*auth_ntlmssp_state); (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge; + (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; + (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password; (*auth_ntlmssp_state)->ntlmssp_state->server_role = lp_server_role(); return NT_STATUS_OK; } -NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) +void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) { TALLOC_CTX *mem_ctx = (*auth_ntlmssp_state)->mem_ctx; if ((*auth_ntlmssp_state)->ntlmssp_state) { - ntlmssp_server_end(&(*auth_ntlmssp_state)->ntlmssp_state); + ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state); } if ((*auth_ntlmssp_state)->auth_context) { ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context); @@ -127,11 +191,10 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) } talloc_destroy(mem_ctx); *auth_ntlmssp_state = NULL; - return NT_STATUS_OK; } NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, const DATA_BLOB request, DATA_BLOB *reply) { - return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply); + return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply); } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 2a00b6fb80..7352a9685b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -33,7 +33,7 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, const uchar *part_passwd, const DATA_BLOB *sec_blob, - uint8 user_sess_key[16]) + DATA_BLOB *user_sess_key) { /* Finish the encryption of part_passwd. */ uchar p24[24]; @@ -56,7 +56,8 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, SMBOWFencrypt(part_passwd, sec_blob->data, p24); if (user_sess_key != NULL) { - SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); + *user_sess_key = data_blob(NULL, 16); + SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data); } @@ -83,7 +84,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, const uchar *part_passwd, const DATA_BLOB *sec_blob, const char *user, const char *domain, - uint8 user_sess_key[16]) + DATA_BLOB *user_sess_key) { /* Finish the encryption of part_passwd. */ uchar kr[16]; @@ -120,7 +121,8 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); if (user_sess_key != NULL) { - SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); + *user_sess_key = data_blob(NULL, 16); + SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data); } #if DEBUG_PASSWORD @@ -148,7 +150,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, TALLOC_CTX *mem_ctx, SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, - uint8 user_sess_key[16]) + DATA_BLOB *user_sess_key, + DATA_BLOB *lm_sess_key) { uint16 acct_ctrl; const uint8 *nt_pw, *lm_pw; @@ -225,6 +228,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, if (smb_pwd_check_ntlmv1(&user_info->nt_resp, nt_pw, &auth_context->challenge, user_sess_key)) { + /* The LM session key for this response is not very secure, + so use it only if we otherwise allow LM authentication */ + lm_pw = pdb_get_lanman_passwd(sampass); + + if (lp_lanman_auth() && lm_pw) { + uint8 first_8_lm_hash[16]; + memcpy(first_8_lm_hash, lm_pw, 8); + memset(first_8_lm_hash + 8, '\0', 8); + *lm_sess_key = data_blob(first_8_lm_hash, 16); + } return NT_STATUS_OK; } else { DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); @@ -252,7 +265,12 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(4,("sam_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(&user_info->lm_resp, lm_pw, &auth_context->challenge, - user_sess_key)) { + NULL)) { + uint8 first_8_lm_hash[16]; + memcpy(first_8_lm_hash, lm_pw, 8); + memset(first_8_lm_hash + 8, '\0', 8); + *user_sess_key = data_blob(first_8_lm_hash, 16); + *lm_sess_key = data_blob(first_8_lm_hash, 16); return NT_STATUS_OK; } } @@ -272,7 +290,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, - user_sess_key)) { + NULL)) { return NT_STATUS_OK; } @@ -281,7 +299,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, "", - user_sess_key)) { + NULL)) { return NT_STATUS_OK; } @@ -292,7 +310,19 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, if (lp_ntlm_auth()) { if (smb_pwd_check_ntlmv1(&user_info->lm_resp, nt_pw, &auth_context->challenge, - user_sess_key)) { + NULL)) { + /* The session key for this response is still very odd. + It not very secure, so use it only if we otherwise + allow LM authentication */ + lm_pw = pdb_get_lanman_passwd(sampass); + + if (lp_lanman_auth() && lm_pw) { + uint8 first_8_lm_hash[16]; + memcpy(first_8_lm_hash, lm_pw, 8); + memset(first_8_lm_hash + 8, '\0', 8); + *user_sess_key = data_blob(first_8_lm_hash, 16); + *lm_sess_key = data_blob(first_8_lm_hash, 16); + } return NT_STATUS_OK; } DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass))); @@ -301,7 +331,6 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass))); return NT_STATUS_WRONG_PASSWORD; } - } /* Should not be reached, but if they send nothing... */ @@ -421,8 +450,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, SAM_ACCOUNT *sampass=NULL; BOOL ret; NTSTATUS nt_status; - uint8 user_sess_key[16]; - const uint8* lm_hash; + DATA_BLOB user_sess_key = data_blob(NULL, 0); + DATA_BLOB lm_sess_key = data_blob(NULL, 0); if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; @@ -446,7 +475,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, + user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); @@ -465,12 +495,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account); - if (lm_hash) { - memcpy((*server_info)->first_8_lm_hash, lm_hash, 8); - } - - memcpy((*server_info)->session_key, user_sess_key, sizeof(user_sess_key)); + (*server_info)->nt_session_key = user_sess_key; + (*server_info)->lm_session_key = lm_sess_key; return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d7d7f53e2d..5d3f8f0277 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -900,7 +900,13 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) nt_status = make_server_info_sam(server_info, sampass); if (NT_STATUS_IS_OK(nt_status)) { + static const char zeros[16]; (*server_info)->guest = True; + + /* annoying, but the Guest really does have a session key, + and it is all zeros! */ + (*server_info)->nt_session_key = data_blob(zeros, sizeof(zeros)); + (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); } return nt_status; @@ -992,6 +998,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { + static const char zeros[16]; + NTSTATUS nt_status = NT_STATUS_OK; char *found_username; const char *nt_domain; @@ -1210,10 +1218,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->ptok = token; SAFE_FREE(all_group_SIDs); + + /* ensure we are never given NULL session keys */ - memcpy((*server_info)->session_key, info3->user_sess_key, sizeof((*server_info)->session_key)/* 16 */); - memcpy((*server_info)->first_8_lm_hash, info3->padding, 8); + if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { + (*server_info)->nt_session_key = data_blob(NULL, 0); + } else { + (*server_info)->nt_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); + } + if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) { + (*server_info)->lm_session_key = data_blob(NULL, 0); + } else { + (*server_info)->lm_session_key = data_blob(info3->padding, 16); + } return NT_STATUS_OK; } @@ -1256,6 +1274,8 @@ void free_server_info(auth_serversupplied_info **server_info) delete_nt_token( &(*server_info)->ptok ); SAFE_FREE((*server_info)->groups); SAFE_FREE((*server_info)->unix_name); + data_blob_free(&(*server_info)->lm_session_key); + data_blob_free(&(*server_info)->nt_session_key); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -- cgit From 62685054962f4be7d8791b87dff85e89347269e8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 23 Nov 2003 00:16:54 +0000 Subject: Patch by emil@disksites.com to ensure we always always free() each auth method. (We had relied on the use of talloc() only, despite providing the free() callback) Andrew Bartlett (This used to be commit 5872c0e26e3407c7c1dcf2074a36896a3ca1325a) --- source3/auth/auth.c | 15 +++++++++++++-- source3/auth/auth_server.c | 2 ++ 2 files changed, 15 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 20dccc6592..1b49699fbc 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -321,9 +321,20 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, static void free_auth_context(struct auth_context **auth_context) { - if (*auth_context != NULL) + auth_methods *auth_method; + + if (*auth_context) { + /* Free private data of context's authentication methods */ + for (auth_method = (*auth_context)->auth_method_list; auth_method; auth_method = auth_method->next) { + if (auth_method->free_private_data) { + auth_method->free_private_data (&auth_method->private_data); + auth_method->private_data = NULL; + } + } + talloc_destroy((*auth_context)->mem_ctx); - *auth_context = NULL; + *auth_context = NULL; + } } /*************************************************************************** diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index b57293943c..41adc21784 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -143,8 +143,10 @@ static void free_server_private_data(void **private_data_pointer) { struct cli_state **cli = (struct cli_state **)private_data_pointer; if (*cli && (*cli)->initialised) { + DEBUG(10, ("Shutting down smbserver connection\n")); cli_shutdown(*cli); } + *private_data_pointer = NULL; } /**************************************************************************** -- cgit From aad0b08cbb74211eb035afe2e95e102db89db87f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 6 Dec 2003 02:34:02 +0000 Subject: Fix for bug #445 (missing unix user on kerberos auth doesn't call add user script). Jeremy. (This used to be commit 5d9f06bdae4e7b878a87fb97367cf10afbc5f6b2) --- source3/auth/auth_util.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5d3f8f0277..6df31b94a7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -965,7 +965,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, struct passwd *smb_getpwnam( char *domuser ) { - struct passwd *pw; + struct passwd *pw = NULL; char *p; fstring mapped_username; @@ -981,10 +981,20 @@ struct passwd *smb_getpwnam( char *domuser ) p += 1; fstrcpy( mapped_username, p ); map_username( mapped_username ); - return Get_Pwnam(mapped_username); + pw = Get_Pwnam(mapped_username); + if (!pw) { + /* Create local user if requested. */ + p = strchr( mapped_username, *lp_winbind_separator() ); + if (p) + p += 1; + else + p = mapped_username; + auth_add_user_script(NULL, p); + return Get_Pwnam(p); + } } - return NULL; + return pw; } /*************************************************************************** -- cgit From 8d019a9682c6d6b42f296b7db5d3c342a5633b3b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 9 Dec 2003 18:34:29 +0000 Subject: Final part of fix for #445. Don't add user for machine accounts. Jeremy. (This used to be commit 3684cffbd269389d14b37edd5959e29912c13a60) --- source3/auth/auth_util.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6df31b94a7..3dc0fdbe46 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -983,6 +983,10 @@ struct passwd *smb_getpwnam( char *domuser ) map_username( mapped_username ); pw = Get_Pwnam(mapped_username); if (!pw) { + /* Don't add a machine account. */ + if (mapped_username[strlen(mapped_username)-1] == '$') + return NULL; + /* Create local user if requested. */ p = strchr( mapped_username, *lp_winbind_separator() ); if (p) -- cgit From 682f20c9ca501cca0d60f838547917db7dd361d7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 19 Dec 2003 00:33:09 +0000 Subject: * add a few useful debug lines * fix bug involving Win9x clients. Make sure we save the right case for the located username in fill_sam_account() (This used to be commit 850e4be29e185ebe890f094372aa8c2cc86de76a) --- source3/auth/auth_util.c | 36 ++++++++++++++++++++++++++++-------- source3/auth/auth_winbind.c | 3 ++- 2 files changed, 30 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3dc0fdbe46..c474049617 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -926,21 +926,38 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, fstring dom_user; struct passwd *passwd; - fstr_sprintf(dom_user, "%s%s%s", - domain, lp_winbind_separator(), username); + fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), + username); passwd = Get_Pwnam(dom_user); + + if ( passwd ) { + char *p; + + /* make sure we get the case of the username correct */ + /* work around 'winbind use default domain = yes' */ + + p = strchr( passwd->pw_name, *lp_winbind_separator() ); + if ( !p ) + fstr_sprintf(dom_user, "%s%s%s", domain, + lp_winbind_separator(), passwd->pw_name); + else + fstrcpy( dom_user, passwd->pw_name ); + } + else { + /* if the lookup for DOMAIN\username failed, try again + with just 'username'. This is need for accessing the server + as a trust user that actually maps to a local account */ - /* if the lookup for DOMAIN\username failed, try again - with just 'username'. This is need for accessing the server - as a trust user that actually maps to a local account */ - - if ( !passwd ) { fstrcpy( dom_user, username ); passwd = Get_Pwnam( dom_user ); + + /* make sure we get the case of the username correct */ + if ( passwd ) + fstrcpy( dom_user, passwd->pw_name ); } - if (passwd == NULL) + if ( !passwd ) return NT_STATUS_NO_SUCH_USER; *uid = passwd->pw_uid; @@ -953,6 +970,9 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, --jerry */ *found_username = talloc_strdup(mem_ctx, dom_user); + + DEBUG(5,("fill_sam_account: located username was [%s]\n", + *found_username)); return pdb_init_sam_pw(sam_account, passwd); } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index d09987ba37..0e2820313e 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -76,7 +76,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } if (strequal(user_info->domain.str, get_global_sam_name())) { - DEBUG(3,("check_winbind_security: Not using winbind, requested domain was for this SAM.\n")); + DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n", + user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; } -- cgit From bccf3f374b984bf327057daa8d03374b70034d3b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Dec 2003 05:02:32 +0000 Subject: Refactor our authentication and authentication testing code. The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1) --- source3/auth/auth_sam.c | 367 +++++++++++++++++++++++++++++------------------- 1 file changed, 219 insertions(+), 148 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 7352a9685b..04b587343a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -141,96 +141,129 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, return (memcmp(value_from_encryption, client_response, 16) == 0); } -/**************************************************************************** - Do a specific test for an smb password being correct, given a smb_password and - the lanman and NT responses. -****************************************************************************/ - -static NTSTATUS sam_password_ok(const struct auth_context *auth_context, - TALLOC_CTX *mem_ctx, - SAM_ACCOUNT *sampass, - const auth_usersupplied_info *user_info, - DATA_BLOB *user_sess_key, - DATA_BLOB *lm_sess_key) +/** + * Check a challenge-response password against the value of the NT or + * LM password hash. + * + * @param mem_ctx talloc context + * @param challenge 8-byte challenge. If all zero, forces plaintext comparison + * @param nt_response 'unicode' NT response to the challenge, or unicode password + * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page + * @param username internal Samba username, for log messages + * @param client_username username the client used + * @param client_domain domain name the client used (may be mapped) + * @param nt_pw MD4 unicode password from our passdb or similar + * @param lm_pw LANMAN ASCII password from our passdb or similar + * @param user_sess_key User session key + * @param lm_sess_key LM session key (first 8 bytes of the LM hash) + */ + +static NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, + const DATA_BLOB *challenge, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + const char *username, + const char *client_username, + const char *client_domain, + const uint8 *lm_pw, const uint8 *nt_pw, + DATA_BLOB *user_sess_key, + DATA_BLOB *lm_sess_key) { - uint16 acct_ctrl; - const uint8 *nt_pw, *lm_pw; - uint32 auth_flags; - - acct_ctrl = pdb_get_acct_ctrl(sampass); - if (acct_ctrl & ACB_PWNOTREQ) { - if (lp_null_passwords()) { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", pdb_get_username(sampass))); - return(NT_STATUS_OK); - } else { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", pdb_get_username(sampass))); - return(NT_STATUS_LOGON_FAILURE); - } + static const unsigned char zeros[8]; + if (nt_pw == NULL) { + DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", + username)); } - auth_flags = user_info->auth_flags; + /* Check for cleartext netlogon. Used by Exchange 5.5. */ + if (challenge->length == sizeof(zeros) && + (memcmp(challenge->data, zeros, challenge->length) == 0 )) { - if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) { - DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", - pdb_get_username(sampass))); - /* No return, we want to check the LM hash below in this case */ - auth_flags &= (~(AUTH_FLAG_NTLMv2_RESP | AUTH_FLAG_NTLM_RESP)); - } else { - /* Check for cleartext netlogon. Used by Exchange 5.5. */ - unsigned char zeros[8]; - - memset(zeros,'\0',sizeof(zeros)); - if (auth_context->challenge.length == sizeof(zeros) && - (memcmp(auth_context->challenge.data, zeros, auth_context->challenge.length) == 0 ) && - user_info->nt_resp.length) { - if ((nt_pw = pdb_get_nt_passwd(sampass)) != NULL) { - unsigned char pwhash[16]; - mdfour(pwhash, user_info->nt_resp.data, user_info->nt_resp.length); - if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) { - return NT_STATUS_OK; - } + DEBUG(4,("sam_password_ok: checking plaintext passwords for user %s\n", + username)); + if (nt_pw && nt_response->length) { + unsigned char pwhash[16]; + mdfour(pwhash, nt_response->data, nt_response->length); + if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) { + return NT_STATUS_OK; + } else { + DEBUG(3,("sam_password_ok: NT (Unicode) plaintext password check failed for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + } else if (!lp_lanman_auth()) { + DEBUG(3,("sam_password_ok: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n", + username)); + + } else if (lm_pw && lm_response->length) { + uchar dospwd[14]; + uchar p16[16]; + ZERO_STRUCT(dospwd); + + DEBUG(100, ("DOS password: %s\n")); + memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd))); + /* Only the fisrt 14 chars are considered, password need not be null terminated. */ + E_P16((const unsigned char *)dospwd, p16); + + dump_data_pw("DOS password (first buffer)\n", dospwd, 14); + dump_data_pw("DOS password (wire DES hash)\n", p16, 16); + dump_data_pw("DOS password (passdb DES hash)\n", lm_pw, 16); + if (memcmp(p16, lm_pw, sizeof(p16)) == 0) { + return NT_STATUS_OK; + } else { + DEBUG(3,("sam_password_ok: LANMAN (ASCII) plaintext password check failed for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; } + } else { + DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username)); + return NT_STATUS_WRONG_PASSWORD; } } + + if (nt_response->length != 0 && nt_response->length < 24) { + DEBUG(2,("sam_password_ok: invalid NT password length (%lu) for user %s\n", + (unsigned long)nt_response->length, username)); + } - if (auth_flags & AUTH_FLAG_NTLMv2_RESP) { - nt_pw = pdb_get_nt_passwd(sampass); - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str)); - if (smb_pwd_check_ntlmv2( &user_info->nt_resp, - nt_pw, &auth_context->challenge, - user_info->smb_name.str, - user_info->client_domain.str, - user_sess_key)) { - return NT_STATUS_OK; + if (nt_response->length >= 24 && nt_pw) { + if (nt_response->length > 24) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", client_domain)); + if (smb_pwd_check_ntlmv2( nt_response, + nt_pw, challenge, + client_username, + client_domain, + user_sess_key)) { + return NT_STATUS_OK; + } + + DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n")); + if (smb_pwd_check_ntlmv2( nt_response, + nt_pw, challenge, + client_username, + "", + user_sess_key)) { + return NT_STATUS_OK; + } else { + DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } } - DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n")); - if (smb_pwd_check_ntlmv2( &user_info->nt_resp, - nt_pw, &auth_context->challenge, - user_info->smb_name.str, - "", - user_sess_key)) { - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; - } - } else if (auth_flags & AUTH_FLAG_NTLM_RESP) { if (lp_ntlm_auth()) { - nt_pw = pdb_get_nt_passwd(sampass); /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(&user_info->nt_resp, - nt_pw, &auth_context->challenge, + if (smb_pwd_check_ntlmv1(nt_response, + nt_pw, challenge, user_sess_key)) { /* The LM session key for this response is not very secure, so use it only if we otherwise allow LM authentication */ - lm_pw = pdb_get_lanman_passwd(sampass); if (lp_lanman_auth() && lm_pw) { uint8 first_8_lm_hash[16]; @@ -240,104 +273,142 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } return NT_STATUS_OK; } else { - DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); + DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n", + username)); return NT_STATUS_WRONG_PASSWORD; } } else { - DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); + DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n", + username)); /* no return, becouse we might pick up LMv2 in the LM field */ } } - if (auth_flags & AUTH_FLAG_LM_RESP) { - if (user_info->lm_resp.length != 24) { - DEBUG(2,("sam_password_ok: invalid LanMan password length (%lu) for user %s\n", - (unsigned long)user_info->nt_resp.length, pdb_get_username(sampass))); - } + if (lm_response->length == 0) { + DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + if (lm_response->length < 24) { + DEBUG(2,("sam_password_ok: invalid LanMan password length (%lu) for user %s\n", + (unsigned long)nt_response->length, username)); + return NT_STATUS_WRONG_PASSWORD; + } - if (!lp_lanman_auth()) { - DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - } else if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) { - DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); - } else { - lm_pw = pdb_get_lanman_passwd(sampass); - - DEBUG(4,("sam_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(&user_info->lm_resp, - lm_pw, &auth_context->challenge, - NULL)) { + if (!lp_lanman_auth()) { + DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n", + username)); + } else if (!lm_pw) { + DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n", + username)); + } else { + DEBUG(4,("sam_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(lm_response, + lm_pw, challenge, + NULL)) { + uint8 first_8_lm_hash[16]; + memcpy(first_8_lm_hash, lm_pw, 8); + memset(first_8_lm_hash + 8, '\0', 8); + *user_sess_key = data_blob(first_8_lm_hash, 16); + *lm_sess_key = data_blob(first_8_lm_hash, 16); + return NT_STATUS_OK; + } + } + + if (!nt_pw) { + DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",username)); + return NT_STATUS_WRONG_PASSWORD; + } + + /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. + - related to Win9X, legacy NAS pass-though authentication + */ + DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", client_domain)); + if (smb_pwd_check_ntlmv2( lm_response, + nt_pw, challenge, + client_username, + client_domain, + NULL)) { + return NT_STATUS_OK; + } + + DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n")); + if (smb_pwd_check_ntlmv2( lm_response, + nt_pw, challenge, + client_username, + "", + NULL)) { + return NT_STATUS_OK; + } + + /* Apparently NT accepts NT responses in the LM field + - I think this is related to Win9X pass-though authentication + */ + DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); + if (lp_ntlm_auth()) { + if (smb_pwd_check_ntlmv1(lm_response, + nt_pw, challenge, + NULL)) { + /* The session key for this response is still very odd. + It not very secure, so use it only if we otherwise + allow LM authentication */ + + if (lp_lanman_auth() && lm_pw) { uint8 first_8_lm_hash[16]; memcpy(first_8_lm_hash, lm_pw, 8); memset(first_8_lm_hash + 8, '\0', 8); *user_sess_key = data_blob(first_8_lm_hash, 16); *lm_sess_key = data_blob(first_8_lm_hash, 16); - return NT_STATUS_OK; } - } - - if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) { - DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; - } - - nt_pw = pdb_get_nt_passwd(sampass); - - /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. - - related to Win9X, legacy NAS pass-though authentication - */ - DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str)); - if (smb_pwd_check_ntlmv2( &user_info->lm_resp, - nt_pw, &auth_context->challenge, - user_info->smb_name.str, - user_info->client_domain.str, - NULL)) { return NT_STATUS_OK; } + DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username)); + } else { + DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username)); + } + return NT_STATUS_WRONG_PASSWORD; +} - DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n")); - if (smb_pwd_check_ntlmv2( &user_info->lm_resp, - nt_pw, &auth_context->challenge, - user_info->smb_name.str, - "", - NULL)) { - return NT_STATUS_OK; - } +/**************************************************************************** + Do a specific test for an smb password being correct, given a smb_password and + the lanman and NT responses. +****************************************************************************/ - /* Apparently NT accepts NT responses in the LM field - - I think this is related to Win9X pass-though authentication - */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); - if (lp_ntlm_auth()) { - if (smb_pwd_check_ntlmv1(&user_info->lm_resp, - nt_pw, &auth_context->challenge, - NULL)) { - /* The session key for this response is still very odd. - It not very secure, so use it only if we otherwise - allow LM authentication */ - lm_pw = pdb_get_lanman_passwd(sampass); - - if (lp_lanman_auth() && lm_pw) { - uint8 first_8_lm_hash[16]; - memcpy(first_8_lm_hash, lm_pw, 8); - memset(first_8_lm_hash + 8, '\0', 8); - *user_sess_key = data_blob(first_8_lm_hash, 16); - *lm_sess_key = data_blob(first_8_lm_hash, 16); - } - return NT_STATUS_OK; - } - DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; +static NTSTATUS sam_password_ok(const struct auth_context *auth_context, + TALLOC_CTX *mem_ctx, + SAM_ACCOUNT *sampass, + const auth_usersupplied_info *user_info, + DATA_BLOB *user_sess_key, + DATA_BLOB *lm_sess_key) +{ + uint16 acct_ctrl; + const uint8 *lm_pw, *nt_pw; + const char *username = pdb_get_username(sampass); + + acct_ctrl = pdb_get_acct_ctrl(sampass); + if (acct_ctrl & ACB_PWNOTREQ) { + if (lp_null_passwords()) { + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", username)); + return NT_STATUS_OK; } else { - DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; - } + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", username)); + return NT_STATUS_LOGON_FAILURE; + } } - - /* Should not be reached, but if they send nothing... */ - DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass))); - return NT_STATUS_WRONG_PASSWORD; + + lm_pw = pdb_get_lanman_passwd(sampass); + nt_pw = pdb_get_nt_passwd(sampass); + + return ntlm_password_check(mem_ctx, &auth_context->challenge, + &user_info->lm_resp, &user_info->nt_resp, + username, + user_info->smb_name.str, + user_info->client_domain.str, + lm_pw, nt_pw, user_sess_key, lm_sess_key); } + /**************************************************************************** Do a specific test for a SAM_ACCOUNT being vaild for this connection (ie not disabled, expired and the like). -- cgit From adc07646a3057e5c572edb3ebdac2367206aaeef Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Dec 2003 07:33:58 +0000 Subject: Move our basic password checking code from inside the authentication subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b) --- source3/auth/auth_sam.c | 346 +----------------------------------------------- 1 file changed, 1 insertion(+), 345 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 04b587343a..ebb1e3d861 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -3,7 +3,7 @@ Password and authentication handling Copyright (C) Andrew Tridgell 1992-2000 Copyright (C) Luke Kenneth Casson Leighton 1996-2000 - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001-2003 Copyright (C) Gerald Carter 2003 This program is free software; you can redistribute it and/or modify @@ -26,350 +26,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -/**************************************************************************** - Core of smb password checking routine. -****************************************************************************/ - -static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, - const uchar *part_passwd, - const DATA_BLOB *sec_blob, - DATA_BLOB *user_sess_key) -{ - /* Finish the encryption of part_passwd. */ - uchar p24[24]; - - if (part_passwd == NULL) { - DEBUG(10,("No password set - DISALLOWING access\n")); - /* No password set - always false ! */ - return False; - } - - if (sec_blob->length != 8) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", (unsigned long)sec_blob->length)); - return False; - } - - if (nt_response->length != 24) { - DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", (unsigned long)nt_response->length)); - return False; - } - - SMBOWFencrypt(part_passwd, sec_blob->data, p24); - if (user_sess_key != NULL) { - *user_sess_key = data_blob(NULL, 16); - SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data); - } - - - -#if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |\n")); - dump_data(100, part_passwd, 16); - DEBUGADD(100,("Password from client was |\n")); - dump_data(100, nt_response->data, nt_response->length); - DEBUGADD(100,("Given challenge was |\n")); - dump_data(100, sec_blob->data, sec_blob->length); - DEBUGADD(100,("Value from encryption was |\n")); - dump_data(100, p24, 24); -#endif - return (memcmp(p24, nt_response->data, 24) == 0); -} - -/**************************************************************************** - Core of smb password checking routine. (NTLMv2, LMv2) - Note: The same code works with both NTLMv2 and LMv2. -****************************************************************************/ - -static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, - const uchar *part_passwd, - const DATA_BLOB *sec_blob, - const char *user, const char *domain, - DATA_BLOB *user_sess_key) -{ - /* Finish the encryption of part_passwd. */ - uchar kr[16]; - uchar value_from_encryption[16]; - uchar client_response[16]; - DATA_BLOB client_key_data; - - if (part_passwd == NULL) { - DEBUG(10,("No password set - DISALLOWING access\n")); - /* No password set - always False */ - return False; - } - - if (ntv2_response->length < 24) { - /* We MUST have more than 16 bytes, or the stuff below will go - crazy. No known implementation sends less than the 24 bytes - for LMv2, let alone NTLMv2. */ - DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", - (unsigned long)ntv2_response->length)); - return False; - } - - client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16); - /* - todo: should we be checking this for anything? We can't for LMv2, - but for NTLMv2 it is meant to contain the current time etc. - */ - - memcpy(client_response, ntv2_response->data, sizeof(client_response)); - - if (!ntv2_owf_gen(part_passwd, user, domain, kr)) { - return False; - } - - SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); - if (user_sess_key != NULL) { - *user_sess_key = data_blob(NULL, 16); - SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data); - } - -#if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |\n")); - dump_data(100, part_passwd, 16); - DEBUGADD(100,("Password from client was |\n")); - dump_data(100, ntv2_response->data, ntv2_response->length); - DEBUGADD(100,("Variable data from client was |\n")); - dump_data(100, client_key_data.data, client_key_data.length); - DEBUGADD(100,("Given challenge was |\n")); - dump_data(100, sec_blob->data, sec_blob->length); - DEBUGADD(100,("Value from encryption was |\n")); - dump_data(100, value_from_encryption, 16); -#endif - data_blob_clear_free(&client_key_data); - return (memcmp(value_from_encryption, client_response, 16) == 0); -} - -/** - * Check a challenge-response password against the value of the NT or - * LM password hash. - * - * @param mem_ctx talloc context - * @param challenge 8-byte challenge. If all zero, forces plaintext comparison - * @param nt_response 'unicode' NT response to the challenge, or unicode password - * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page - * @param username internal Samba username, for log messages - * @param client_username username the client used - * @param client_domain domain name the client used (may be mapped) - * @param nt_pw MD4 unicode password from our passdb or similar - * @param lm_pw LANMAN ASCII password from our passdb or similar - * @param user_sess_key User session key - * @param lm_sess_key LM session key (first 8 bytes of the LM hash) - */ - -static NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, - const DATA_BLOB *challenge, - const DATA_BLOB *lm_response, - const DATA_BLOB *nt_response, - const char *username, - const char *client_username, - const char *client_domain, - const uint8 *lm_pw, const uint8 *nt_pw, - DATA_BLOB *user_sess_key, - DATA_BLOB *lm_sess_key) -{ - static const unsigned char zeros[8]; - if (nt_pw == NULL) { - DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", - username)); - } - - /* Check for cleartext netlogon. Used by Exchange 5.5. */ - if (challenge->length == sizeof(zeros) && - (memcmp(challenge->data, zeros, challenge->length) == 0 )) { - - DEBUG(4,("sam_password_ok: checking plaintext passwords for user %s\n", - username)); - if (nt_pw && nt_response->length) { - unsigned char pwhash[16]; - mdfour(pwhash, nt_response->data, nt_response->length); - if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) { - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: NT (Unicode) plaintext password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - - } else if (!lp_lanman_auth()) { - DEBUG(3,("sam_password_ok: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n", - username)); - - } else if (lm_pw && lm_response->length) { - uchar dospwd[14]; - uchar p16[16]; - ZERO_STRUCT(dospwd); - - DEBUG(100, ("DOS password: %s\n")); - memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd))); - /* Only the fisrt 14 chars are considered, password need not be null terminated. */ - E_P16((const unsigned char *)dospwd, p16); - - dump_data_pw("DOS password (first buffer)\n", dospwd, 14); - dump_data_pw("DOS password (wire DES hash)\n", p16, 16); - dump_data_pw("DOS password (passdb DES hash)\n", lm_pw, 16); - if (memcmp(p16, lm_pw, sizeof(p16)) == 0) { - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: LANMAN (ASCII) plaintext password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - } else { - DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username)); - return NT_STATUS_WRONG_PASSWORD; - } - } - - if (nt_response->length != 0 && nt_response->length < 24) { - DEBUG(2,("sam_password_ok: invalid NT password length (%lu) for user %s\n", - (unsigned long)nt_response->length, username)); - } - - if (nt_response->length >= 24 && nt_pw) { - if (nt_response->length > 24) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", client_domain)); - if (smb_pwd_check_ntlmv2( nt_response, - nt_pw, challenge, - client_username, - client_domain, - user_sess_key)) { - return NT_STATUS_OK; - } - - DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n")); - if (smb_pwd_check_ntlmv2( nt_response, - nt_pw, challenge, - client_username, - "", - user_sess_key)) { - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); - return NT_STATUS_WRONG_PASSWORD; - } - } - - if (lp_ntlm_auth()) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); - if (smb_pwd_check_ntlmv1(nt_response, - nt_pw, challenge, - user_sess_key)) { - /* The LM session key for this response is not very secure, - so use it only if we otherwise allow LM authentication */ - - if (lp_lanman_auth() && lm_pw) { - uint8 first_8_lm_hash[16]; - memcpy(first_8_lm_hash, lm_pw, 8); - memset(first_8_lm_hash + 8, '\0', 8); - *lm_sess_key = data_blob(first_8_lm_hash, 16); - } - return NT_STATUS_OK; - } else { - DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - } else { - DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n", - username)); - /* no return, becouse we might pick up LMv2 in the LM field */ - } - } - - if (lm_response->length == 0) { - DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - - if (lm_response->length < 24) { - DEBUG(2,("sam_password_ok: invalid LanMan password length (%lu) for user %s\n", - (unsigned long)nt_response->length, username)); - return NT_STATUS_WRONG_PASSWORD; - } - - if (!lp_lanman_auth()) { - DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n", - username)); - } else if (!lm_pw) { - DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n", - username)); - } else { - DEBUG(4,("sam_password_ok: Checking LM password\n")); - if (smb_pwd_check_ntlmv1(lm_response, - lm_pw, challenge, - NULL)) { - uint8 first_8_lm_hash[16]; - memcpy(first_8_lm_hash, lm_pw, 8); - memset(first_8_lm_hash + 8, '\0', 8); - *user_sess_key = data_blob(first_8_lm_hash, 16); - *lm_sess_key = data_blob(first_8_lm_hash, 16); - return NT_STATUS_OK; - } - } - - if (!nt_pw) { - DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",username)); - return NT_STATUS_WRONG_PASSWORD; - } - - /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. - - related to Win9X, legacy NAS pass-though authentication - */ - DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", client_domain)); - if (smb_pwd_check_ntlmv2( lm_response, - nt_pw, challenge, - client_username, - client_domain, - NULL)) { - return NT_STATUS_OK; - } - - DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n")); - if (smb_pwd_check_ntlmv2( lm_response, - nt_pw, challenge, - client_username, - "", - NULL)) { - return NT_STATUS_OK; - } - - /* Apparently NT accepts NT responses in the LM field - - I think this is related to Win9X pass-though authentication - */ - DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); - if (lp_ntlm_auth()) { - if (smb_pwd_check_ntlmv1(lm_response, - nt_pw, challenge, - NULL)) { - /* The session key for this response is still very odd. - It not very secure, so use it only if we otherwise - allow LM authentication */ - - if (lp_lanman_auth() && lm_pw) { - uint8 first_8_lm_hash[16]; - memcpy(first_8_lm_hash, lm_pw, 8); - memset(first_8_lm_hash + 8, '\0', 8); - *user_sess_key = data_blob(first_8_lm_hash, 16); - *lm_sess_key = data_blob(first_8_lm_hash, 16); - } - return NT_STATUS_OK; - } - DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username)); - } else { - DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username)); - } - return NT_STATUS_WRONG_PASSWORD; -} - /**************************************************************************** Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. -- cgit From 5eee23cc64139ba1d23101c87709e6d5198a6c68 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Dec 2003 00:31:43 +0000 Subject: auth/auth_util.c: - Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c474049617..0f945b33cb 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1078,7 +1078,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { /* If the server didn't give us one, just use the one we sent them */ - domain = domain; + nt_domain = domain; } /* try to fill the SAM account.. If getpwnam() fails, then try the -- cgit From a7f8c26d24b78dc6a0f829cf7b53112e5ddbdeda Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 Jan 2004 04:10:28 +0000 Subject: Change our Domain controller lookup routines to more carefully seperate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6) --- source3/auth/auth_domain.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 43e7597cd9..0f34bcc0e2 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -165,6 +165,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { + return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE; + } return nt_status; } @@ -290,7 +293,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* we need our DC to send the net_sam_logon() request to */ - if ( !get_dc_name(domain, dc_name, &dc_ip) ) { + if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; @@ -385,7 +388,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* use get_dc_name() for consistency even through we know that it will be a netbios name */ - if ( !get_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; -- cgit From 22457718b684a895834eab924d463a3b1e3ce0b1 Mon Sep 17 00:00:00 2001 From: Rafal Szczesniak Date: Wed, 7 Jan 2004 22:43:36 +0000 Subject: Doxygen comment fix. rafal (This used to be commit b5e492b8eaf7cefe185d44b6c708f96ff61bd27b) --- source3/auth/auth_domain.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0f34bcc0e2..0bf2031a37 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -27,13 +27,16 @@ extern BOOL global_machine_password_needs_changing; /** - * Connect to a remote server for domain security authenticaion. + * Connect to a remote server for (inter)domain security authenticaion. * * @param cli the cli to return containing the active connection * @param server either a machine name or text IP address to * connect to. + * @param setup_creds_as domain account to setup credentials as + * @param sec_chan a switch value to distinguish between domain + * member and interdomain authentication * @param trust_passwd the trust password to establish the - * credentials with. + * credentials with. * **/ -- cgit From 919c261a490460a2e2189903139c0d4ad36a7aab Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 15 Jan 2004 06:55:10 +0000 Subject: BUG 936: fix bind credentials for schannel binds in smbd (and add a comment to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427) --- source3/auth/auth_domain.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0bf2031a37..73e0ae7949 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -41,7 +41,8 @@ extern BOOL global_machine_password_needs_changing; **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *dc_name, struct in_addr dc_ip, + const char *domain, const char *dc_name, + struct in_addr dc_ip, const char *setup_creds_as, uint16 sec_chan, const unsigned char *trust_passwd, @@ -111,6 +112,10 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } + /* This must be the remote domain (not ours) for schannel */ + + fstrcpy( (*cli)->domain, domain ); + result = cli_nt_establish_netlogon(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { @@ -162,8 +167,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* rety loop for robustness */ for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { - nt_status = connect_to_domain_password_server(&cli, dc_name, dc_ip, setup_creds_as, - sec_chan, trust_passwd, &retry); + nt_status = connect_to_domain_password_server(&cli, domain, dc_name, + dc_ip, setup_creds_as, sec_chan, trust_passwd, &retry); } if ( !NT_STATUS_IS_OK(nt_status) ) { @@ -297,7 +302,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* we need our DC to send the net_sam_logon() request to */ if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { - DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From 590b60045d184a84659cfcb13c6a1a5039b51954 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 2 Feb 2004 07:53:56 +0000 Subject: Remove bogus check. No functional change, just cosmetics. Volker (This used to be commit e3a5e2d9c23e8ba6bc817e433e596f535644c862) --- source3/auth/auth_domain.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 73e0ae7949..fdff0b52f9 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -107,11 +107,6 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); fstr_sprintf((*cli)->mach_acct, "%s$", setup_creds_as); - if (!(*cli)->mach_acct) { - release_server_mutex(); - return NT_STATUS_NO_MEMORY; - } - /* This must be the remote domain (not ours) for schannel */ fstrcpy( (*cli)->domain, domain ); -- cgit From ee5dd175e5ac17112e0837dbba6d02e4dd7aa972 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Sat, 21 Feb 2004 17:41:28 +0000 Subject: Add calls to password lockout functions. Should now work against tdbsam only. (This used to be commit 3e8a9c3584ff2a3c2e120c97569676ac45ec8e59) --- source3/auth/auth_sam.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index ebb1e3d861..b35cc78d6b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -179,6 +179,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, NTSTATUS nt_status; DATA_BLOB user_sess_key = data_blob(NULL, 0); DATA_BLOB lm_sess_key = data_blob(NULL, 0); + BOOL updated_autolock = False, updated_badpw = False; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; @@ -202,14 +203,51 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_NO_SUCH_USER; } + /* see if autolock flag needs to be updated */ + if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) + pdb_update_autolock_flag(sampass, &updated_autolock); + /* Quit if the account was locked out. */ + if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { + DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && + pdb_get_acct_ctrl(sampass) &ACB_NORMAL) { + pdb_increment_bad_password_count(sampass); + updated_badpw = True; + } else { + pdb_update_bad_password_count(sampass, + &updated_badpw); + } + if (updated_autolock || updated_badpw){ + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry.\n")); + unbecome_root(); + } pdb_free_sam(&sampass); return nt_status; } + if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && + (pdb_get_bad_password_count(sampass) > 0)){ + pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); + pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); + updated_badpw = True; + } + + if (updated_autolock || updated_badpw){ + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, ("Failed to modify entry.\n")); + unbecome_root(); + } + nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { -- cgit From d24b8a2032a2e92d954781e610ab535361fefd88 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 16 Mar 2004 16:41:54 +0000 Subject: BUG 1165, 1126: Fix bug with secondary groups (security = ads) and winbind use default domain = yes (This used to be commit f2eaa14b1eb7e89c945b2b06a48e17998c75d620) --- source3/auth/auth_server.c | 21 ++++--- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 137 +++++++++++++++++++++++++-------------------- 3 files changed, 88 insertions(+), 72 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 41adc21784..bc611ec229 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -377,18 +377,17 @@ use this machine as the password server.\n")); cli_ulogoff(cli); if (NT_STATUS_IS_OK(nt_status)) { - struct passwd *pass = Get_Pwnam(user_info->internal_username.str); - if (pass) { - nt_status = make_server_info_pw(server_info, pass); - } else { - auth_add_user_script(user_info->domain.str, user_info->internal_username.str); - pass = Get_Pwnam(user_info->internal_username.str); + fstring real_username; + struct passwd *pass; - if (pass) { - nt_status = make_server_info_pw(server_info, pass); - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } + if ( (pass = smb_getpwnam( user_info->internal_username.str, + real_username, True )) != NULL ) + { + nt_status = make_server_info_pw(server_info, pass->pw_name, pass); + } + else + { + nt_status = NT_STATUS_NO_SUCH_USER; } } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index b9de6f7acb..f744cba0c4 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -108,7 +108,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { if (pass) { - make_server_info_pw(server_info, pass); + make_server_info_pw(server_info, pass->pw_name, pass); } else { /* we need to do somthing more useful here */ nt_status = NT_STATUS_NO_SUCH_USER; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0f945b33cb..dfc3f6cc21 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -757,6 +757,7 @@ Fill a server_info struct from a SAM_ACCOUNT with their groups ***************************************************************************/ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, + const char * unix_username, SAM_ACCOUNT *sampass, uid_t uid, gid_t gid) { @@ -770,7 +771,7 @@ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - nt_status = get_user_groups(pdb_get_username(sampass), uid, gid, + nt_status = get_user_groups(unix_username, uid, gid, &n_groupSIDs, &groupSIDs, &unix_groups); if (!NT_STATUS_IS_OK(nt_status)) { @@ -828,9 +829,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, passwd_free(&pwd); - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, pdb_get_username(sampass), + sampass, (*server_info)->uid, - (*server_info)->gid))) { + (*server_info)->gid))) + { free_server_info(server_info); return nt_status; } @@ -848,7 +851,9 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, to a SAM_ACCOUNT ***************************************************************************/ -NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) +NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, + char *unix_username, + struct passwd *pwd) { NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; @@ -861,11 +866,13 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc (*server_info)->sam_account = sampass; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) { + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, + sampass, pwd->pw_uid, pwd->pw_gid))) + { return nt_status; } - (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + (*server_info)->unix_name = smb_xstrdup(unix_username); (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->uid = pwd->pw_uid; @@ -924,52 +931,30 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, SAM_ACCOUNT **sam_account) { fstring dom_user; + fstring real_username; struct passwd *passwd; fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), username); - passwd = Get_Pwnam(dom_user); - - if ( passwd ) { - char *p; - - /* make sure we get the case of the username correct */ - /* work around 'winbind use default domain = yes' */ - - p = strchr( passwd->pw_name, *lp_winbind_separator() ); - if ( !p ) - fstr_sprintf(dom_user, "%s%s%s", domain, - lp_winbind_separator(), passwd->pw_name); - else - fstrcpy( dom_user, passwd->pw_name ); - } - else { - /* if the lookup for DOMAIN\username failed, try again - with just 'username'. This is need for accessing the server - as a trust user that actually maps to a local account */ - - fstrcpy( dom_user, username ); - passwd = Get_Pwnam( dom_user ); - - /* make sure we get the case of the username correct */ - if ( passwd ) - fstrcpy( dom_user, passwd->pw_name ); - } + /* get the passwd struct but don't create the user if he/she + does not exist. We were explicitly called from a following + a winbindd authentication request so we should assume that + nss_winbindd is working */ - if ( !passwd ) + if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; *uid = passwd->pw_uid; *gid = passwd->pw_gid; - /* This is pointless -- there is no suport for differeing + /* This is pointless -- there is no suport for differing unix and windows names. Make sure to always store the one we actually looked up and succeeded. Have I mentioned why I hate the 'winbind use default domain' parameter? --jerry */ - *found_username = talloc_strdup(mem_ctx, dom_user); + *found_username = talloc_strdup( mem_ctx, real_username ); DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); @@ -983,40 +968,72 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, the username if we fallback to the username only. ****************************************************************************/ -struct passwd *smb_getpwnam( char *domuser ) +struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) { struct passwd *pw = NULL; char *p; fstring mapped_username; + + /* we only save a copy of the username it has been mangled + by winbindd use default domain */ + + save_username[0] = '\0'; + + /* save a local copy of the username and run it through the + username map */ + + fstrcpy( mapped_username, domuser ); + map_username( mapped_username ); + + p = strchr_m( mapped_username, *lp_winbind_separator() ); + + /* code for a DOMAIN\user string */ + + if ( p ) { + pw = Get_Pwnam( domuser ); + if ( pw ) { + /* make sure we get the case of the username correct */ + /* work around 'winbind use default domain = yes' */ - pw = Get_Pwnam( domuser ); - if ( pw ) - return pw; - - /* fallback to looking up just the username */ + if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { + char *domain; + + domain = mapped_username; + *p = '\0'; + fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name); + } + else + fstrcpy( save_username, pw->pw_name ); - p = strchr( domuser, *lp_winbind_separator() ); + /* whew -- done! */ + return pw; + } - if ( p ) { - p += 1; + /* setup for lookup of just the username */ + p++; fstrcpy( mapped_username, p ); - map_username( mapped_username ); + + } + + /* just lookup a plain username */ + + pw = Get_Pwnam(mapped_username); + + /* Create local user if requested. */ + + if ( !pw && create ) { + /* Don't add a machine account. */ + if (mapped_username[strlen(mapped_username)-1] == '$') + return NULL; + + auth_add_user_script(NULL, mapped_username); pw = Get_Pwnam(mapped_username); - if (!pw) { - /* Don't add a machine account. */ - if (mapped_username[strlen(mapped_username)-1] == '$') - return NULL; - - /* Create local user if requested. */ - p = strchr( mapped_username, *lp_winbind_separator() ); - if (p) - p += 1; - else - p = mapped_username; - auth_add_user_script(NULL, p); - return Get_Pwnam(p); - } } + + /* one last check for a valid passwd struct */ + + if ( pw ) + fstrcpy( save_username, pw->pw_name ); return pw; } -- cgit From c340b2e5e49c14c2e8377234b399f0682c7e3d5a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 16 Mar 2004 20:28:47 +0000 Subject: fix overlapping memory bug when copying username (This used to be commit a7cac639c2cf0e2606d9cfbdb08e961212ee3bfa) --- source3/auth/auth_util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dfc3f6cc21..f62cc2fb9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -973,6 +973,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) struct passwd *pw = NULL; char *p; fstring mapped_username; + fstring strip_username; /* we only save a copy of the username it has been mangled by winbindd use default domain */ @@ -1010,9 +1011,11 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) } /* setup for lookup of just the username */ - p++; - fstrcpy( mapped_username, p ); + /* remember that p and mapped_username are overlapping memory */ + p++; + fstrcpy( strip_username, p ); + fstrcpy( mapped_username, strip_username ); } /* just lookup a plain username */ -- cgit From c2ff214772ac1934731938b3804d37e514e45c32 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 3 Apr 2004 15:41:32 +0000 Subject: Fix most of bug #169. For a (very) long time, we have had a bug in Samba were an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply where not ever used. Natrually, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba) --- source3/auth/auth_ntlmssp.c | 20 ++---- source3/auth/auth_sam.c | 3 +- source3/auth/auth_util.c | 167 ++++++++++++++++++++++---------------------- 3 files changed, 90 insertions(+), 100 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index a5ce101e5e..498a7b1a39 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -78,21 +78,9 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key) { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; - uint32 auth_flags = AUTH_FLAG_NONE; auth_usersupplied_info *user_info = NULL; - DATA_BLOB plaintext_password = data_blob(NULL, 0); NTSTATUS nt_status; - if (auth_ntlmssp_state->ntlmssp_state->lm_resp.length) { - auth_flags |= AUTH_FLAG_LM_RESP; - } - - if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length == 24) { - auth_flags |= AUTH_FLAG_NTLM_RESP; - } else if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length > 24) { - auth_flags |= AUTH_FLAG_NTLMv2_RESP; - } - /* the client has given us its machine name (which we otherwise would not get on port 445). we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ @@ -108,10 +96,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, auth_ntlmssp_state->ntlmssp_state->user, auth_ntlmssp_state->ntlmssp_state->domain, auth_ntlmssp_state->ntlmssp_state->workstation, - auth_ntlmssp_state->ntlmssp_state->lm_resp, - auth_ntlmssp_state->ntlmssp_state->nt_resp, - plaintext_password, - auth_flags, True); + auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, + auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, + NULL, NULL, NULL, + True); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index b35cc78d6b..5efc51b21a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -57,7 +57,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw = pdb_get_nt_passwd(sampass); return ntlm_password_check(mem_ctx, &auth_context->challenge, - &user_info->lm_resp, &user_info->nt_resp, + &user_info->lm_resp, &user_info->nt_resp, + &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd, username, user_info->smb_name.str, user_info->client_domain.str, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f62cc2fb9e..9df5873983 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -124,9 +124,10 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, const char *client_domain, const char *domain, const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 auth_flags, BOOL encrypted) + DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, + DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, + DATA_BLOB *plaintext, + BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -183,12 +184,19 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); - (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); - (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); - (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); + if (lm_pwd) + (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length); + if (nt_pwd) + (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length); + if (lm_interactive_pwd) + (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length); + if (nt_interactive_pwd) + (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length); + + if (plaintext) + (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length); (*user_info)->encrypted = encrypted; - (*user_info)->auth_flags = auth_flags; DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); @@ -203,9 +211,10 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) + DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, + DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, + DATA_BLOB *plaintext, + BOOL encrypted) { const char *domain; fstring internal_username; @@ -233,8 +242,10 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ return make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, lm_pwd, nt_pwd, - plaintext, ntlmssp_flags, encrypted); + client_domain, domain, wksta_name, + lm_pwd, nt_pwd, + lm_interactive_pwd, nt_interactive_pwd, + plaintext, encrypted); } /**************************************************************************** @@ -253,23 +264,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, NTSTATUS nt_status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 auth_flags = AUTH_FLAG_NONE; - - if (lm_pwd_len) - auth_flags |= AUTH_FLAG_LM_RESP; - if (nt_pwd_len == 24) { - auth_flags |= AUTH_FLAG_NTLM_RESP; - } else if (nt_pwd_len != 0) { - auth_flags |= AUTH_FLAG_NTLMv2_RESP; - } nt_status = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_blob, nt_blob, - plaintext_blob, - auth_flags, True); + smb_name, client_domain, + wksta_name, + lm_pwd_len ? &lm_blob : NULL, + nt_pwd_len ? &nt_blob : NULL, + NULL, NULL, NULL, + True); ret = NT_STATUS_IS_OK(nt_status) ? True : False; @@ -297,7 +299,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint32 auth_flags = AUTH_FLAG_NONE; ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -316,8 +317,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); - SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); + if (lm_interactive_pwd) + SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); + + if (nt_interactive_pwd) + SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); @@ -327,37 +331,51 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); - SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); + if (lm_interactive_pwd) + SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); + + if (nt_interactive_pwd) + SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); /* Password info paranoia */ - ZERO_STRUCT(lm_pwd); - ZERO_STRUCT(nt_pwd); ZERO_STRUCT(key); { BOOL ret; NTSTATUS nt_status; - DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); + DATA_BLOB local_lm_blob; + DATA_BLOB local_nt_blob; - if (lm_interactive_pwd) - auth_flags |= AUTH_FLAG_LM_RESP; - if (nt_interactive_pwd) - auth_flags |= AUTH_FLAG_NTLM_RESP; + DATA_BLOB lm_interactive_blob; + DATA_BLOB nt_interactive_blob; + + if (lm_interactive_pwd) { + local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); + lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd)); + ZERO_STRUCT(lm_pwd); + } + + if (nt_interactive_pwd) { + local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); + nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd)); + ZERO_STRUCT(nt_pwd); + } nt_status = make_user_info_map(user_info, smb_name, client_domain, wksta_name, - local_lm_blob, - local_nt_blob, - plaintext_blob, - auth_flags, True); - + lm_interactive_pwd ? &local_lm_blob : NULL, + nt_interactive_pwd ? &local_nt_blob : NULL, + lm_interactive_pwd ? &lm_interactive_blob : NULL, + nt_interactive_pwd ? &nt_interactive_blob : NULL, + NULL, + True); + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); + data_blob_free(&lm_interactive_blob); + data_blob_free(&nt_interactive_blob); return ret; } } @@ -377,7 +395,6 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - uint32 auth_flags = AUTH_FLAG_NONE; /* * Not encrypted - do so. @@ -400,7 +417,6 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, case insensitive */ local_nt_blob = data_blob(NULL, 0); - auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP); } else { local_lm_blob = data_blob(NULL, 0); local_nt_blob = data_blob(NULL, 0); @@ -409,10 +425,11 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, get_remote_machine_name(), - local_lm_blob, - local_nt_blob, - plaintext_password, - auth_flags, False); + local_lm_blob.data ? &local_lm_blob : NULL, + local_nt_blob.data ? &local_nt_blob : NULL, + NULL, NULL, + plaintext_password.data ? &plaintext_password : NULL, + False); data_blob_free(&local_lm_blob); return NT_STATUS_IS_OK(ret) ? True : False; @@ -427,27 +444,13 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, const char *client_domain, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { - uint32 auth_flags = AUTH_FLAG_NONE; - - DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); - - if (lm_resp.length == 24) { - auth_flags |= AUTH_FLAG_LM_RESP; - } - if (nt_resp.length == 0) { - } else if (nt_resp.length == 24) { - auth_flags |= AUTH_FLAG_NTLM_RESP; - } else { - auth_flags |= AUTH_FLAG_NTLMv2_RESP; - } - return make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - lm_resp, - nt_resp, - no_plaintext_blob, - auth_flags, True); + client_domain, + get_remote_machine_name(), + lm_resp.data ? &lm_resp : NULL, + nt_resp.data ? &nt_resp : NULL, + NULL, NULL, NULL, + True); } /**************************************************************************** @@ -456,19 +459,16 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, BOOL make_user_info_guest(auth_usersupplied_info **user_info) { - DATA_BLOB lm_blob = data_blob(NULL, 0); - DATA_BLOB nt_blob = data_blob(NULL, 0); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 auth_flags = AUTH_FLAG_NONE; NTSTATUS nt_status; nt_status = make_user_info(user_info, - "","", - "","", - "", - nt_blob, lm_blob, - plaintext_blob, - auth_flags, True); + "","", + "","", + "", + NULL, NULL, + NULL, NULL, + NULL, + True); return NT_STATUS_IS_OK(nt_status) ? True : False; } @@ -1307,7 +1307,8 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE((*user_info)->wksta_name.str); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); - SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->lm_interactive_pwd); + data_blob_clear_free(&(*user_info)->nt_interactive_pwd); data_blob_clear_free(&(*user_info)->plaintext_password); ZERO_STRUCT(**user_info); } -- cgit From d17425ed52b086b7046708a207e849271cedc804 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 Apr 2004 08:11:16 +0000 Subject: r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e) --- source3/auth/auth_ntlmssp.c | 12 ++++++------ source3/auth/auth_sam.c | 2 +- source3/auth/auth_util.c | 8 ++++---- 3 files changed, 11 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 498a7b1a39..4b425056b1 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -75,7 +75,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, * Return the session keys used on the connection. */ -static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key) +static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; auth_usersupplied_info *user_info = NULL; @@ -113,11 +113,11 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - if (auth_ntlmssp_state->server_info->nt_session_key.length) { - DEBUG(10, ("Got NT session key of length %u\n", auth_ntlmssp_state->server_info->nt_session_key.length)); - *nt_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx, - auth_ntlmssp_state->server_info->nt_session_key.data, - auth_ntlmssp_state->server_info->nt_session_key.length); + if (auth_ntlmssp_state->server_info->user_session_key.length) { + DEBUG(10, ("Got NT session key of length %u\n", auth_ntlmssp_state->server_info->user_session_key.length)); + *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx, + auth_ntlmssp_state->server_info->user_session_key.data, + auth_ntlmssp_state->server_info->user_session_key.length); } if (auth_ntlmssp_state->server_info->lm_session_key.length) { DEBUG(10, ("Got LM session key of length %u\n", auth_ntlmssp_state->server_info->lm_session_key.length)); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 5efc51b21a..2f9ff6265c 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -261,7 +261,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - (*server_info)->nt_session_key = user_sess_key; + (*server_info)->user_session_key = user_sess_key; (*server_info)->lm_session_key = lm_sess_key; return nt_status; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9df5873983..3f1ac9c975 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -912,7 +912,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) /* annoying, but the Guest really does have a session key, and it is all zeros! */ - (*server_info)->nt_session_key = data_blob(zeros, sizeof(zeros)); + (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); } @@ -1276,9 +1276,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* ensure we are never given NULL session keys */ if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { - (*server_info)->nt_session_key = data_blob(NULL, 0); + (*server_info)->user_session_key = data_blob(NULL, 0); } else { - (*server_info)->nt_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); + (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); } if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) { @@ -1330,7 +1330,7 @@ void free_server_info(auth_serversupplied_info **server_info) SAFE_FREE((*server_info)->groups); SAFE_FREE((*server_info)->unix_name); data_blob_free(&(*server_info)->lm_session_key); - data_blob_free(&(*server_info)->nt_session_key); + data_blob_free(&(*server_info)->user_session_key); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -- cgit From 50ac33f5825015b723ddf60ef170d22e93623463 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 Apr 2004 16:49:09 +0000 Subject: r86: This function was moved to lib/nterr.h Andrew Bartlett (This used to be commit 1c6d0399d67c9206baf7d4173cc00540146fa897) --- source3/auth/auth_util.c | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f1ac9c975..e6ed83a79a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1400,34 +1400,6 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } -/** - * Squash an NT_STATUS in line with security requirements. - * In an attempt to avoid giving the whole game away when users - * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and - * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations - * (session setups in particular). - * - * @param nt_status NTSTATUS input for squashing. - * @return the 'squashed' nt_status - **/ - -NTSTATUS nt_status_squash(NTSTATUS nt_status) -{ - if NT_STATUS_IS_OK(nt_status) { - return nt_status; - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - } else { - return nt_status; - } -} - - /** * Verify whether or not given domain is trusted. * -- cgit From 8c0db1bbc469932694ed877eebecffa3d1948abd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 19 May 2004 21:49:58 +0000 Subject: r786: Memory leak fixes in (mostly) error code paths from kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in mainline code paths though :-). Jeremy. (This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646) --- source3/auth/auth_util.c | 3 +++ source3/auth/auth_winbind.c | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e6ed83a79a..9a03e7fe13 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1236,6 +1236,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); + SAFE_FREE(all_group_SIDs); free_server_info(server_info); return nt_status; @@ -1264,6 +1265,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(lgroupSIDs); SAFE_FREE(all_group_SIDs); free_server_info(server_info); return nt_status; @@ -1271,6 +1273,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->ptok = token; + SAFE_FREE(lgroupSIDs); SAFE_FREE(all_group_SIDs); /* ensure we are never given NULL session keys */ diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 0e2820313e..4260a0e80b 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -127,9 +127,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (result == NSS_STATUS_SUCCESS && response.extra_data) { if (NT_STATUS_IS_OK(nt_status)) { - - if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) - { + if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, user_info->domain.str, @@ -141,6 +139,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, nt_status = NT_STATUS_NO_LOGON_SERVERS; } + SAFE_FREE(response.extra_data); return nt_status; } -- cgit From 9dbf2e2419e2ba0f2293b4a7a5971123f34a09ad Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 3 Jun 2004 18:00:22 +0000 Subject: r991: Allow winbindd to use the domain trust account password for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea) --- source3/auth/auth_util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9a03e7fe13..e6cc0fe5b3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1425,8 +1425,10 @@ BOOL is_trusted_domain(const char* dom_name) /* if we are a DC, then check for a direct trust relationships */ - if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { + if ( IS_DC ) { become_root(); + DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n", + dom_name )); ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); unbecome_root(); SAFE_FREE(pass); -- cgit From 5be2af482253306b0a1ddbdb813d928664f5a622 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 17 Jun 2004 12:23:00 +0000 Subject: r1175: Nowadays we actually do have local groups, so add the corresponding SIDs to the NT token we build. Thanks to Guenther Deschner . Volker (This used to be commit 2f9143dee901f7fc9e5ff0218527f1f4cff1991e) --- source3/auth/auth_util.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e6cc0fe5b3..ddfe88d28d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1207,7 +1207,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 +info3->num_other_sids)); + all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs)); if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); @@ -1216,12 +1216,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } -#if 0 /* JERRY -- no such thing as local groups in current code */ - /* Copy the 'local' sids */ - memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); - SAFE_FREE(lgroupSIDs); -#endif - /* and create (by appending rids) the 'domain' sids */ for (i = 0; i < info3->num_groups2; i++) { @@ -1254,13 +1248,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sid_copy(&all_group_SIDs[info3->num_groups2 + i], &info3->other_sids[i].sid); } + + + /* add local alias sids */ + + for (i = 0; i < n_lgroupSIDs; i++) { + sid_copy(&all_group_SIDs[info3->num_groups2 + + info3->num_other_sids + i], + &lgroupSIDs[i]); + } /* Where are the 'global' sids... */ /* can the user be guest? if yes, where is it stored? */ nt_status = create_nt_user_token(&user_sid, &group_sid, - info3->num_groups2 + info3->num_other_sids, + info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs, all_group_SIDs, False, &token); if ( !NT_STATUS_IS_OK(nt_status) ) { -- cgit From 600e904aa1ddf620df2ed6e5a02d0fe00e627dbb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 6 Jul 2004 21:43:12 +0000 Subject: r1370: BUG 1297 - prevent map_username() from being called twice during logon (This used to be commit e1364ff774b62f46c0f50864695da49972352126) --- source3/auth/auth_util.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ddfe88d28d..5e8f18881f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -972,25 +972,25 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) { struct passwd *pw = NULL; char *p; - fstring mapped_username; - fstring strip_username; + fstring username; /* we only save a copy of the username it has been mangled by winbindd use default domain */ save_username[0] = '\0'; - - /* save a local copy of the username and run it through the - username map */ - fstrcpy( mapped_username, domuser ); - map_username( mapped_username ); + /* don't call map_username() here since it has to be done higher + up the stack so we don't call it mutliple times */ + + fstrcpy( username, domuser ); - p = strchr_m( mapped_username, *lp_winbind_separator() ); + p = strchr_m( username, *lp_winbind_separator() ); /* code for a DOMAIN\user string */ if ( p ) { + fstring strip_username; + pw = Get_Pwnam( domuser ); if ( pw ) { /* make sure we get the case of the username correct */ @@ -999,8 +999,10 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { char *domain; - domain = mapped_username; + /* split the domain and username into 2 strings */ *p = '\0'; + domain = username; + fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name); } else @@ -1011,26 +1013,26 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) } /* setup for lookup of just the username */ - /* remember that p and mapped_username are overlapping memory */ + /* remember that p and username are overlapping memory */ p++; fstrcpy( strip_username, p ); - fstrcpy( mapped_username, strip_username ); + fstrcpy( username, strip_username ); } /* just lookup a plain username */ - pw = Get_Pwnam(mapped_username); + pw = Get_Pwnam(username); /* Create local user if requested. */ if ( !pw && create ) { /* Don't add a machine account. */ - if (mapped_username[strlen(mapped_username)-1] == '$') + if (username[strlen(username)-1] == '$') return NULL; - auth_add_user_script(NULL, mapped_username); - pw = Get_Pwnam(mapped_username); + auth_add_user_script(NULL, username); + pw = Get_Pwnam(username); } /* one last check for a valid passwd struct */ -- cgit From cd87b3b972b39003def69671d8a3c6aaf51afd50 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 9 Jul 2004 00:13:55 +0000 Subject: r1414: Memory leak fixes found by valgrind whilst checking the password history code. Error code paths were not freeing up some memory. Jeremy. (This used to be commit 7c4666e56c2c281e023c6483459cb9e8d4787d36) --- source3/auth/auth_sam.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 2f9ff6265c..44e0a1810f 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -231,6 +231,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, DEBUG(1, ("Failed to modify entry.\n")); unbecome_root(); } + data_blob_free(&user_sess_key); + data_blob_free(&lm_sess_key); pdb_free_sam(&sampass); return nt_status; } @@ -253,11 +255,15 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); + data_blob_free(&user_sess_key); + data_blob_free(&lm_sess_key); return nt_status; } if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); + data_blob_free(&user_sess_key); + data_blob_free(&lm_sess_key); return nt_status; } -- cgit From 9d0783bf211dffe58845b36b0669f05bf8bf25b5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Jul 2004 04:36:01 +0000 Subject: r1492: Rework our random number generation system. On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 1b49699fbc..7cfe3fc639 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -124,7 +124,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) if (!challenge_set_by) { uchar chal[8]; - generate_random_buffer(chal, sizeof(chal), False); + generate_random_buffer(chal, sizeof(chal)); auth_context->challenge = data_blob_talloc(auth_context->mem_ctx, chal, sizeof(chal)); -- cgit From a8dca8b4b66aecc2eaac4292b6b6c5ab386de0a8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 12 Aug 2004 18:20:02 +0000 Subject: r1778: Fix based on code from Richard Renard to enforce logon hours. ldap fixes to follow. Jeremy. (This used to be commit 9ce273ed662bd34987eaeedeeeb7cb1c99cd50a4) --- source3/auth/auth_sam.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 44e0a1810f..0c59dbe049 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -65,6 +65,43 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, lm_pw, nt_pw, user_sess_key, lm_sess_key); } +/**************************************************************************** + Check if a user is allowed to logon at this time. Note this is the + servers local time, as logon hours are just specified as a weekly + bitmask. +****************************************************************************/ + +static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) +{ + /* In logon hours first bit is Sunday from 12AM to 1AM */ + extern struct timeval smb_last_time; + const uint8 *hours; + struct tm *utctime; + uint8 bitmask, bitpos; + + hours = pdb_get_hours(sampass); + if (!hours) { + DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n",pdb_get_username(sampass))); + return True; + } + + utctime = localtime(&smb_last_time.tv_sec); + + /* find the corresponding byte and bit */ + bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168; + bitmask = 1 << (bitpos % 8); + + if (! (hours[bitpos/8] & bitmask)) { + DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (UTC %s).\n", + pdb_get_username(sampass), asctime(utctime) )); + return False; + } + + DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (UTC %s)\n", + pdb_get_username(sampass), asctime(utctime) )); + + return True; +} /**************************************************************************** Do a specific test for a SAM_ACCOUNT being vaild for this connection @@ -93,6 +130,11 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCOUNT_LOCKED_OUT; } + /* Quit if the account is not allowed to logon at this time. */ + if (! logon_hours_ok(sampass)) { + return NT_STATUS_INVALID_LOGON_HOURS; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); -- cgit From efeeb4874011ad21422abc7e9c718df6456c513b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 12 Aug 2004 18:21:42 +0000 Subject: r1780: Remove the UTC comment as it isn't. Jeremy. (This used to be commit f454821ff5545a34704b149514da9064f73ca3ad) --- source3/auth/auth_sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 0c59dbe049..4d2fb23002 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -92,12 +92,12 @@ static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) bitmask = 1 << (bitpos % 8); if (! (hours[bitpos/8] & bitmask)) { - DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (UTC %s).\n", + DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (%s).\n", pdb_get_username(sampass), asctime(utctime) )); return False; } - DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (UTC %s)\n", + DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n", pdb_get_username(sampass), asctime(utctime) )); return True; -- cgit From ed5fd7117e931b2fce2c2a94adc53eeb3d8a8256 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 27 Aug 2004 13:39:09 +0000 Subject: r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index fdff0b52f9..6483dc143a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -205,7 +205,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); - netsamlogon_cache_store( mem_ctx, &info3 ); + netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } #if 0 -- cgit From 521268be1caeb9e50274ff17451cbfb8dbb1765f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 28 Sep 2004 00:10:09 +0000 Subject: r2703: Fix typo noticed by Igor Belyi Jeremy. (This used to be commit ba69c7229c27e917a24e6d608d59e7c0bdd47551) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 3239686a20..68871547b1 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -466,7 +466,7 @@ static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho if (rhost == NULL) { our_rhost = client_name(); - if (strequal(rhost,"UNKNOWN")) + if (strequal(our_rhost,"UNKNOWN")) our_rhost = client_addr(); } else { our_rhost = rhost; -- cgit From 8f49721fef2dfa66ac13ec7b860a3315019240da Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 11 Oct 2004 00:32:31 +0000 Subject: r2899: Change some #if DEBUG_PASSWORD's to #ifdef DEBUG_PASSWORD. Bugzilla #1903. (This used to be commit 1327d83d902b6a39096d387d734e73d85ed53f85) --- source3/auth/pass_check.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 1ac8c1815a..0425e01cdc 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -599,7 +599,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas NTSTATUS nt_status; -#if DEBUG_PASSWORD +#ifdef DEBUG_PASSWORD DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password)); #endif -- cgit From 841868d290400272e50bcfb5fadd7b9dba4638b6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 22 Oct 2004 20:15:24 +0000 Subject: r3140: * try to ensure consistent usage of the username map. Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8) --- source3/auth/auth_util.c | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5e8f18881f..9be297818f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -930,18 +930,23 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { - fstring dom_user; + fstring dom_user, lower_username; fstring real_username; struct passwd *passwd; - fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), - username); + fstrcpy( lower_username, username ); + strlower_m( lower_username ); + + fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(), + lower_username); /* get the passwd struct but don't create the user if he/she does not exist. We were explicitly called from a following a winbindd authentication request so we should assume that nss_winbindd is working */ + map_username( dom_user ); + if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; @@ -1104,18 +1109,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* try to fill the SAM account.. If getpwnam() fails, then try the - add user script (2.2.x behavior) */ + add user script (2.2.x behavior). + + We use the _unmapped_ username here in an attempt to provide + consistent username mapping behavior between kerberos and NTLM[SSP] + authentication in domain mode security. I.E. Username mapping should + be applied to the fully qualified username (e.g. DOMAIN\user) and + no just the login name. Yes this mean swe called map_username() + unnecessarily in make_user_info_map() but that is how the current + code is designed. Making the change here is the least disruptive + place. -- jerry */ - nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, &found_username, - &uid, &gid, &sam_account); + DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); + auth_add_user_script( nt_domain, sent_nt_username ); + nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, + &found_username, &uid, &gid, &sam_account ); } if (!NT_STATUS_IS_OK(nt_status)) { -- cgit From 55fe875a44bd63de766d4fbdb91bcc26be146a21 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 5 Nov 2004 22:53:35 +0000 Subject: r3563: During a typical logon a modern workstation makes a lot of anonymous session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046) --- source3/auth/auth_util.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9be297818f..96a229f0dc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -884,7 +884,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, Make (and fill) a user_info struct for a guest login. ***************************************************************************/ -NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; @@ -919,6 +919,49 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return nt_status; } +static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) +{ + auth_serversupplied_info *dst; + + if (!NT_STATUS_IS_OK(make_server_info(&dst))) + return NULL; + + dst->guest = src->guest; + dst->uid = src->uid; + dst->gid = src->gid; + dst->n_groups = src->n_groups; + if (src->n_groups != 0) + dst->groups = memdup(src->groups, sizeof(gid_t)*dst->n_groups); + else + dst->groups = NULL; + dst->ptok = dup_nt_token(src->ptok); + dst->user_session_key = data_blob(src->user_session_key.data, + src->user_session_key.length); + dst->lm_session_key = data_blob(src->lm_session_key.data, + src->lm_session_key.length); + pdb_copy_sam_account(src->sam_account, &dst->sam_account); + dst->pam_handle = NULL; + dst->unix_name = smb_xstrdup(src->unix_name); + + return dst; +} + +static auth_serversupplied_info *guest_info = NULL; + +BOOL init_guest_info(void) +{ + if (guest_info != NULL) + return True; + + return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); +} + +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +{ + *server_info = copy_serverinfo(guest_info); + return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; +} + /*************************************************************************** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam -- cgit From d5a03878ef952722eaf58f16273a239398252186 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 8 Nov 2004 04:32:23 +0000 Subject: r3616: Merge for 3.0.8. In auth_winbind, remove the push_utf8 calls, as this is no longer a UTF8 interface. (Removed from everywhere else earlier). Tested with ASCII - I tried to load the weird charset for testing, but it doesn't seem to work any more. Andrew Bartlett (This used to be commit cb27c197ee44d2be09014598e3928642b59ef956) --- source3/auth/auth_winbind.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 4260a0e80b..78235d30fc 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -88,11 +88,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, request.flags = WBFLAG_PAM_INFO3_NDR; - push_utf8_fstring(request.data.auth_crap.user, + fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); - push_utf8_fstring(request.data.auth_crap.domain, + fstrcpy(request.data.auth_crap.domain, user_info->domain.str); - push_utf8_fstring(request.data.auth_crap.workstation, + fstrcpy(request.data.auth_crap.workstation, user_info->wksta_name.str); memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); -- cgit From f9e87b9ba65f37bafa45eacb1a6c9b8c5483d46b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 12 Nov 2004 15:49:47 +0000 Subject: r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989) --- source3/auth/auth_util.c | 52 +++++++++++++++--------------------------------- 1 file changed, 16 insertions(+), 36 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 96a229f0dc..1ef64ab845 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -657,47 +657,27 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, *n_groups = 0; *groups = NULL; - - /* Try winbind first */ - if ( strchr(username, *lp_winbind_separator()) ) { - n_unix_groups = winbind_getgroups( username, unix_groups ); + if (strchr(username, *lp_winbind_separator()) == NULL) { + NTSTATUS result; - DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", username, - n_unix_groups == -1 ? "FAIL" : "SUCCESS")); - - if ( n_unix_groups == -1 ) - return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + become_root(); + result = pdb_enum_group_memberships(username, gid, groups, + unix_groups, n_groups); + unbecome_root(); + return result; } - else { - /* fallback to getgrouplist() */ - - n_unix_groups = groups_max(); - - if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { - DEBUG(0, ("get_user_groups: Out of memory allocating unix group list\n")); - return NT_STATUS_NO_MEMORY; - } + + /* We have the separator, this must be winbind */ - if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - - gid_t *groups_tmp; - - groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); - - if (!groups_tmp) { - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_MEMORY; - } - *unix_groups = groups_tmp; + n_unix_groups = winbind_getgroups( username, unix_groups ); - if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - DEBUG(0, ("get_user_groups: failed to get the unix group list\n")); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ - } - } - } + DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", + username, n_unix_groups == -1 ? "FAIL" : "SUCCESS")); + + if ( n_unix_groups == -1 ) + return NT_STATUS_NO_SUCH_USER; /* what should this return + * value be? */ debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/auth/auth.c | 4 ++-- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_util.c | 28 ++++++++++++++-------------- 3 files changed, 17 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 7cfe3fc639..b777e97cc9 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -49,7 +49,7 @@ NTSTATUS smb_register_auth(int version, const char *name, auth_init_function ini return NT_STATUS_OBJECT_NAME_COLLISION; } - entry = smb_xmalloc(sizeof(struct auth_init_function_entry)); + entry = SMB_XMALLOC_P(struct auth_init_function_entry); entry->name = smb_xstrdup(name); entry->init = init; @@ -347,7 +347,7 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) mem_ctx = talloc_init("authentication context"); - *auth_context = talloc(mem_ctx, sizeof(**auth_context)); + *auth_context = TALLOC_P(mem_ctx, struct auth_context); if (!*auth_context) { DEBUG(0,("make_auth_context: talloc failed!\n")); talloc_destroy(mem_ctx); diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 4b425056b1..0e2c359251 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -135,7 +135,7 @@ NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) mem_ctx = talloc_init("AUTH NTLMSSP context"); - *auth_ntlmssp_state = talloc_zero(mem_ctx, sizeof(**auth_ntlmssp_state)); + *auth_ntlmssp_state = TALLOC_ZERO_P(mem_ctx, AUTH_NTLMSSP_STATE); if (!*auth_ntlmssp_state) { DEBUG(0,("auth_ntlmssp_start: talloc failed!\n")); talloc_destroy(mem_ctx); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1ef64ab845..d985c0a54f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -132,7 +132,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); - *user_info = malloc(sizeof(**user_info)); + *user_info = SMB_MALLOC_P(auth_usersupplied_info); if (!user_info) { DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info))); return NT_STATUS_NO_MEMORY; @@ -142,7 +142,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("making strings for %s's user_info struct\n", internal_username)); - (*user_info)->smb_name.str = strdup(smb_name); + (*user_info)->smb_name.str = SMB_STRDUP(smb_name); if ((*user_info)->smb_name.str) { (*user_info)->smb_name.len = strlen(smb_name); } else { @@ -150,7 +150,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->internal_username.str = strdup(internal_username); + (*user_info)->internal_username.str = SMB_STRDUP(internal_username); if ((*user_info)->internal_username.str) { (*user_info)->internal_username.len = strlen(internal_username); } else { @@ -158,7 +158,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->domain.str = strdup(domain); + (*user_info)->domain.str = SMB_STRDUP(domain); if ((*user_info)->domain.str) { (*user_info)->domain.len = strlen(domain); } else { @@ -166,7 +166,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->client_domain.str = strdup(client_domain); + (*user_info)->client_domain.str = SMB_STRDUP(client_domain); if ((*user_info)->client_domain.str) { (*user_info)->client_domain.len = strlen(client_domain); } else { @@ -174,7 +174,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->wksta_name.str = strdup(wksta_name); + (*user_info)->wksta_name.str = SMB_STRDUP(wksta_name); if ((*user_info)->wksta_name.str) { (*user_info)->wksta_name.len = strlen(wksta_name); } else { @@ -523,7 +523,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro int i; int sid_ndx; - if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) { DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; @@ -533,7 +533,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids = n_groupSIDs + 5; - if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) { DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; @@ -610,7 +610,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, return NULL; } - group_sids = malloc(sizeof(DOM_SID) * ngroups); + group_sids = SMB_MALLOC_ARRAY(DOM_SID, ngroups); if (!group_sids) { DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); return NULL; @@ -685,7 +685,7 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, if (n_unix_groups > 0) { - *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + *groups = SMB_MALLOC_ARRAY(DOM_SID, n_unix_groups); if (!*groups) { DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n")); @@ -715,7 +715,7 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, static NTSTATUS make_server_info(auth_serversupplied_info **server_info) { - *server_info = malloc(sizeof(**server_info)); + *server_info = SMB_MALLOC_P(auth_serversupplied_info); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); return NT_STATUS_NO_MEMORY; @@ -1244,7 +1244,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs)); + all_group_SIDs = SMB_MALLOC_ARRAY(DOM_SID,info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs); if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); @@ -1393,7 +1393,7 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); } - *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method)); + *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods); if (!*auth_method) { DEBUG(0,("make_auth_method: malloc failed!\n")); return False; @@ -1428,7 +1428,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) if (!ptoken) return NULL; - if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) + if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) return NULL; ZERO_STRUCTP(token); -- cgit From 54fdd5c7dc98e9039d94bc6b45ee31cb1d363eac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 16 Dec 2004 21:12:29 +0000 Subject: r4236: More *alloc fixes. Jeremy. (This used to be commit 6b25a6e088390d33314ca69c8f17c869cec3904b) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 68871547b1..68c2f183f1 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -59,7 +59,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp /* * Macros to help make life easy */ -#define COPY_STRING(s) (s) ? strdup(s) : NULL +#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL /******************************************************************* PAM error handler. -- cgit From 992ad2848522e5219291d6b9b7a6be982c147a12 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 20 Dec 2004 11:36:39 +0000 Subject: r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply. The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660) --- source3/auth/auth_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d985c0a54f..2eacc2b0d1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1324,11 +1324,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); } - if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) { + if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { (*server_info)->lm_session_key = data_blob(NULL, 0); } else { - (*server_info)->lm_session_key = data_blob(info3->padding, 16); - } + (*server_info)->lm_session_key = data_blob(info3->lm_sess_key, sizeof(info3->lm_sess_key)); + } + return NT_STATUS_OK; } -- cgit From be606e8eeb0a419189bd8f44975c80e182474993 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Jan 2005 23:27:28 +0000 Subject: r4579: small changes to allow the members og the Domain Admins group on the Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180) --- source3/auth/auth_util.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2eacc2b0d1..98ecd00d1c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1444,6 +1444,35 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } +/**************************************************************************** + Check for a SID in an NT_USER_TOKEN +****************************************************************************/ + +BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) +{ + int i; + + if ( !sid || !token ) + return False; + + for ( i=0; inum_sids; i++ ) { + if ( sid_equal( sid, &token->user_sids[i] ) ) + return True; + } + + return False; +} + +BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) +{ + DOM_SID domain_sid; + + sid_copy( &domain_sid, get_global_sam_sid() ); + sid_append_rid( &domain_sid, rid ); + + return nt_token_check_sid( &domain_sid, token );\ +} + /** * Verify whether or not given domain is trusted. * -- cgit From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 15 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98ecd00d1c..e4793c3df3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -493,6 +493,11 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); + + DEBUGADDC(dbg_class, dbg_lev, ("Privileges: [%d]\n", token->privileges.count)); + for ( i=0; iprivileges.count; i++ ) { + DEBUGADDC(dbg_class, dbg_lev, ("\t%s\n", luid_to_privilege_name(&token->privileges.set[i].luid) )); + } } /**************************************************************************** @@ -583,6 +588,13 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids--; } } + + /* add privileges assigned to this user */ + + privilege_set_init( &ptoken->privileges ); + + get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); + debug_nt_user_token(DBGC_AUTH, 10, ptoken); @@ -1410,12 +1422,15 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me void delete_nt_token(NT_USER_TOKEN **pptoken) { - if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); - } - SAFE_FREE(*pptoken); + if (*pptoken) { + NT_USER_TOKEN *ptoken = *pptoken; + + SAFE_FREE( ptoken->user_sids ); + privilege_set_free( &ptoken->privileges ); + + ZERO_STRUCTP(ptoken); + } + SAFE_FREE(*pptoken); } /**************************************************************************** @@ -1429,17 +1444,26 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) if (!ptoken) return NULL; - if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) - return NULL; - - ZERO_STRUCTP(token); + if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) + return NULL; - if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { - SAFE_FREE(token); - return NULL; - } + ZERO_STRUCTP(token); + + token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); + + if ( !token ) { + SAFE_FREE(token); + return NULL; + } - token->num_sids = ptoken->num_sids; + token->num_sids = ptoken->num_sids; + + /* copy the privileges; don't consider failure to be critical here */ + + privilege_set_init( &token->privileges); + if ( !dup_privilege_set( &token->privileges, &ptoken->privileges ) ) { + DEBUG(0,("dup_nt_token: Failure to copy PRIVILEGE_SET!. Continuing with 0 privileges assigned.\n")); + } return token; } -- cgit From 46e5effea948931509283cb84b27007d34b521c8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 17 Jan 2005 15:23:11 +0000 Subject: r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15) --- source3/auth/auth_util.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e4793c3df3..4a23ec8adc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -494,10 +494,7 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); - DEBUGADDC(dbg_class, dbg_lev, ("Privileges: [%d]\n", token->privileges.count)); - for ( i=0; iprivileges.count; i++ ) { - DEBUGADDC(dbg_class, dbg_lev, ("\t%s\n", luid_to_privilege_name(&token->privileges.set[i].luid) )); - } + dump_se_priv( dbg_class, dbg_lev, &token->privileges ); } /**************************************************************************** @@ -591,10 +588,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro /* add privileges assigned to this user */ - privilege_set_init( &ptoken->privileges ); - get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); - debug_nt_user_token(DBGC_AUTH, 10, ptoken); @@ -1426,8 +1420,6 @@ void delete_nt_token(NT_USER_TOKEN **pptoken) NT_USER_TOKEN *ptoken = *pptoken; SAFE_FREE( ptoken->user_sids ); - privilege_set_free( &ptoken->privileges ); - ZERO_STRUCTP(ptoken); } SAFE_FREE(*pptoken); @@ -1460,9 +1452,8 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) /* copy the privileges; don't consider failure to be critical here */ - privilege_set_init( &token->privileges); - if ( !dup_privilege_set( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy PRIVILEGE_SET!. Continuing with 0 privileges assigned.\n")); + if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { + DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. Continuing with 0 privileges assigned.\n")); } return token; -- cgit From 9b1e5a71180f340a1f6327d53e68bb9b661ec894 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 25 Jan 2005 01:19:02 +0000 Subject: r4972: Fix a warning and some debugging-outputs. Guenther (This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 4d2fb23002..2633cc92c3 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -241,7 +241,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, unbecome_root(); if (ret == False) { - DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); + DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb.\n", user_info->internal_username.str)); pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } -- cgit From 5f54cc9bd3fa76e62926de0670f832f7b0e3739d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 7 Feb 2005 18:20:06 +0000 Subject: r5264: Log with loglevel 0 when account-administration scripts fail. Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4a23ec8adc..30902a8dad 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,7 +50,7 @@ static int smb_create_user(const char *domain, const char *unix_username, const if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); ret = smbrun(add_script,NULL); - DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); return ret; } -- cgit From aa9132cc55d43d9d197e3196fc7098eec6e8615a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 11 Feb 2005 10:32:46 +0000 Subject: r5331: Support SIDs as %s replacements in the afs username map parameter. Add 'log nt token command' parameter. If set, %s is replaced with the user sid, and %t takes all the group sids. Volker (This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54) --- source3/auth/auth_util.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 30902a8dad..5c933e90c9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -592,6 +592,39 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro debug_nt_user_token(DBGC_AUTH, 10, ptoken); + if ((lp_log_nt_token_command() != NULL) && + (strlen(lp_log_nt_token_command()) > 0)) { + TALLOC_CTX *mem_ctx; + char *command; + fstring sidstr; + char *user_sidstr, *group_sidstr; + + mem_ctx = talloc_init("setnttoken"); + if (mem_ctx == NULL) + return NT_STATUS_NO_MEMORY; + + sid_to_string(sidstr, &ptoken->user_sids[0]); + user_sidstr = talloc_strdup(mem_ctx, sidstr); + + group_sidstr = talloc_strdup(mem_ctx, ""); + for (i=1; inum_sids; i++) { + sid_to_string(sidstr, &ptoken->user_sids[i]); + group_sidstr = talloc_asprintf(mem_ctx, "%s %s", + group_sidstr, sidstr); + } + + command = strdup(lp_log_nt_token_command()); + command = realloc_string_sub(command, "%s", user_sidstr); + command = realloc_string_sub(command, "%t", group_sidstr); + DEBUG(8, ("running command: [%s]\n", command)); + if (smbrun(command, NULL) != 0) { + DEBUG(0, ("Could not log NT token\n")); + nt_status = NT_STATUS_ACCESS_DENIED; + } + talloc_destroy(mem_ctx); + SAFE_FREE(command); + } + *token = ptoken; return nt_status; -- cgit From 467da937c7e1361dca1d4a535db96cdb78e10b13 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 14 Feb 2005 02:41:34 +0000 Subject: r5385: when operating in security = domain, allow domain admins to manage rigths assignments (This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f) --- source3/auth/auth_util.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5c933e90c9..7a186f65cd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1515,7 +1515,19 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) { DOM_SID domain_sid; - sid_copy( &domain_sid, get_global_sam_sid() ); + /* if we are a domain member, the get the domain SID, else for + a DC or standalone server, use our own SID */ + + if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) { + DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n", + lp_workgroup())); + return False; + } + } + else + sid_copy( &domain_sid, get_global_sam_sid() ); + sid_append_rid( &domain_sid, rid ); return nt_token_check_sid( &domain_sid, token );\ -- cgit From 732f09990fda978fe1cbef786d6b2d15897e6f97 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 17 Feb 2005 15:17:16 +0000 Subject: r5431: couple of cimpile fixes from Jason Mader -- BUGS 2341 & 2342 (This used to be commit 0edcfc7fa20fd8e3273b29c8f1a97cb7c7179fb6) --- source3/auth/auth_util.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7a186f65cd..f3c01a58ca 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -61,7 +61,6 @@ static int smb_create_user(const char *domain, const char *unix_username, const void auth_add_user_script(const char *domain, const char *username) { - uint32 rid; /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX @@ -79,7 +78,6 @@ void auth_add_user_script(const char *domain, const char *username) if ( !winbind_create_user(username, NULL) ) { DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); - rid = 0; } } } -- cgit From 051d9d7894662d59af1b71d2ea36910d7aac5f38 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 Feb 2005 00:26:24 +0000 Subject: r5528: Expand the invalid-workstation-scheme. Workstation-Names with leading '@'-sign are expanded on-the-fly as posix-groups of workstations. This allows optional, more flexible login-control in larger networks. Guenther (This used to be commit 8f143b6800e0b6964c8ba4ba9607dc74da12ae59) --- source3/auth/auth_sam.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 2633cc92c3..db05ac97f8 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -170,9 +170,13 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, if (*workstation_list) { BOOL invalid_ws = True; + fstring tok; const char *s = workstation_list; + + const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name.str); + if (machine_name == NULL) + return NT_STATUS_NO_MEMORY; - fstring tok; while (next_token(&s, tok, ",", sizeof(tok))) { DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n", @@ -181,6 +185,14 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, invalid_ws = False; break; } + if (tok[0] == '@') { + DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", + machine_name, tok + 1)); + if (user_in_group_list(machine_name, tok + 1, NULL, 0)) { + invalid_ws = False; + break; + } + } } if (invalid_ws) -- cgit From c7a00987e3c8b02e82142be16658d339f9b9dcd2 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 25 Feb 2005 15:56:13 +0000 Subject: r5562: * bump version to 3.0.12pre2 * change special character in gd's valid workstation check to a '+' to be more in line with the characters used by valid users (This used to be commit 8bff0486508b9952c192345302b9313ac0b2270e) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index db05ac97f8..35f85f5e60 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -185,7 +185,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, invalid_ws = False; break; } - if (tok[0] == '@') { + if (tok[0] == '+') { DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", machine_name, tok + 1)); if (user_in_group_list(machine_name, tok + 1, NULL, 0)) { -- cgit From 140752fd35bd5701b3078abf695f811d933fe893 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 3 Mar 2005 16:52:44 +0000 Subject: r5647: Caches are good for performance, but you get a consistency problem. Fix bug # 2401. Volker (This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f3c01a58ca..7cab3df99e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,6 +50,7 @@ static int smb_create_user(const char *domain, const char *unix_username, const if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); ret = smbrun(add_script,NULL); + flush_pwnam_cache(); DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); return ret; } -- cgit From a5f84481e38ffc79043bfbac5f0353856b77b141 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 5 Mar 2005 01:22:53 +0000 Subject: r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58) --- source3/auth/auth_sam.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 35f85f5e60..9da59f220a 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -232,6 +232,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, SAM_ACCOUNT *sampass=NULL; BOOL ret; NTSTATUS nt_status; + NTSTATUS update_login_attempts_status; DATA_BLOB user_sess_key = data_blob(NULL, 0); DATA_BLOB lm_sess_key = data_blob(NULL, 0); BOOL updated_autolock = False, updated_badpw = False; @@ -269,7 +270,12 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, &user_sess_key, &lm_sess_key); - + + /* Notify passdb backend of login success/failure. If not NT_STATUS_OK the backend doesn't like the login */ + update_login_attempts_status = pdb_update_login_attempts(sampass, NT_STATUS_IS_OK(nt_status)); + if (!NT_STATUS_IS_OK(update_login_attempts_status)) + nt_status = update_login_attempts_status; + if (!NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && pdb_get_acct_ctrl(sampass) &ACB_NORMAL) { -- cgit From 978ca8486031e43754a3c23757f361bf3a85f335 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Wed, 6 Apr 2005 16:28:04 +0000 Subject: r6225: get rid of warnings from my compiler about nested externs (This used to be commit efea76ac71412f8622cd233912309e91b9ea52da) --- source3/auth/auth_compat.c | 5 +++-- source3/auth/auth_sam.c | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index a70f1e98b7..2ac70d7354 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -20,6 +20,9 @@ #include "includes.h" +extern struct auth_context *negprot_global_auth_context; +extern BOOL global_encrypted_passwords_negotiated; + #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -68,7 +71,6 @@ static NTSTATUS pass_check_smb(const char *smb_name, { NTSTATUS nt_status; - extern struct auth_context *negprot_global_auth_context; auth_serversupplied_info *server_info = NULL; if (encrypted) { auth_usersupplied_info *user_info = NULL; @@ -94,7 +96,6 @@ BOOL password_ok(char *smb_name, DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob(NULL, 0); - extern BOOL global_encrypted_passwords_negotiated; BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24); if (encrypted) { diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 9da59f220a..023e441e24 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -23,6 +23,8 @@ #include "includes.h" +extern struct timeval smb_last_time; + #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -74,7 +76,6 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) { /* In logon hours first bit is Sunday from 12AM to 1AM */ - extern struct timeval smb_last_time; const uint8 *hours; struct tm *utctime; uint8 bitmask, bitpos; -- cgit From 83e11ba86c2401ece3c845fd10c22b84e6be7811 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 9 Apr 2005 11:46:40 +0000 Subject: r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) --- source3/auth/auth_util.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7cab3df99e..a50a449815 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,11 +26,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern DOM_SID global_sid_World; -extern DOM_SID global_sid_Network; -extern DOM_SID global_sid_Builtin_Guests; -extern DOM_SID global_sid_Authenticated_Users; - /**************************************************************************** Create a UNIX user on demand. -- cgit From 2e0cac8e3eb021aa8f5cad4ce8b72f98036af639 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 23 Apr 2005 18:07:01 +0000 Subject: r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that for --enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721) --- source3/auth/auth_util.c | 2 +- source3/auth/pampass.c | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a50a449815..30933c6c93 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -607,7 +607,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro group_sidstr, sidstr); } - command = strdup(lp_log_nt_token_command()); + command = SMB_STRDUP(lp_log_nt_token_command()); command = realloc_string_sub(command, "%s", user_sidstr); command = realloc_string_sub(command, "%t", group_sidstr); DEBUG(8, ("running command: [%s]\n", command)); diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 68c2f183f1..5a40bf6c47 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -130,7 +130,7 @@ static int smb_pam_conv(int num_msg, return PAM_CONV_ERR; } - reply = malloc(sizeof(struct pam_response) * num_msg); + reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg); if (!reply) return PAM_CONV_ERR; @@ -211,7 +211,7 @@ static struct chat_struct *make_pw_chat(char *p) struct chat_struct *tmp; while (1) { - t = (struct chat_struct *)malloc(sizeof(*t)); + t = SMB_MALLOC_P(struct chat_struct); if (!t) { DEBUG(0,("make_pw_chat: malloc failed!\n")); return NULL; @@ -290,7 +290,7 @@ static int smb_pam_passchange_conv(int num_msg, return PAM_CONV_ERR; } - reply = malloc(sizeof(struct pam_response) * num_msg); + reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg); if (!reply) { DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n")); free_pw_chat(pw_chat); @@ -406,8 +406,8 @@ static void smb_free_pam_conv(struct pam_conv *pconv) static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user, const char *passwd, const char *newpass) { - struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv)); - struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata)); + struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv); + struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata); if (pconv == NULL || udp == NULL) { SAFE_FREE(pconv); -- cgit From af52df2f1fde76b518bf946e396bc29869aa6964 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 27 May 2005 13:58:04 +0000 Subject: r7020: fixing printer ace values and getting rid of false compiler warning about unitialized variable (This used to be commit 3a91b20e4bcc78c91932e6c4394b3f6f153b2ff5) --- source3/auth/auth.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index b777e97cc9..e38279a140 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -215,6 +215,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (!user_info || !auth_context || !server_info) return NT_STATUS_LOGON_FAILURE; + DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); @@ -305,12 +306,19 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, unix_username)); } } - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", - user_info->smb_name.str, user_info->internal_username.str, - nt_errstr(nt_status))); - ZERO_STRUCTP(server_info); + if (lp_map_to_guest() == MAP_TO_GUEST_ON_VALID_DOMAIN_USER ){ + /*user_info->smb_name.str = lp_guestaccount();*/ + become_root(); + nt_status = smb_pam_accountcheck(lp_guestaccount()); + unbecome_root(); + make_server_info_guest(server_info); + }else{ + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + user_info->smb_name.str, user_info->internal_username.str, + nt_errstr(nt_status))); + ZERO_STRUCTP(server_info); + } } return nt_status; } -- cgit From cc6df2e9cf5b31f83cf88d21457b32712d90f04b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 27 May 2005 14:19:57 +0000 Subject: r7024: reverting mistaken commit (This used to be commit c70c5c4ee9b14fbdb174f542607aceebe0e88470) --- source3/auth/auth.c | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e38279a140..b777e97cc9 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -215,7 +215,6 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (!user_info || !auth_context || !server_info) return NT_STATUS_LOGON_FAILURE; - DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); @@ -306,19 +305,12 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, unix_username)); } } + if (!NT_STATUS_IS_OK(nt_status)) { - if (lp_map_to_guest() == MAP_TO_GUEST_ON_VALID_DOMAIN_USER ){ - /*user_info->smb_name.str = lp_guestaccount();*/ - become_root(); - nt_status = smb_pam_accountcheck(lp_guestaccount()); - unbecome_root(); - make_server_info_guest(server_info); - }else{ - DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", - user_info->smb_name.str, user_info->internal_username.str, - nt_errstr(nt_status))); - ZERO_STRUCTP(server_info); - } + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + user_info->smb_name.str, user_info->internal_username.str, + nt_errstr(nt_status))); + ZERO_STRUCTP(server_info); } return nt_status; } -- cgit From 450e8d5749504f8392c0cfe8b79218f03b88076a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 31 May 2005 02:23:47 +0000 Subject: r7130: remove 'winbind enable local accounts' code from the 3.0 tree (This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19) --- source3/auth/auth_util.c | 32 ++------------------------------ 1 file changed, 2 insertions(+), 30 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 30933c6c93..79205f1206 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,34 +50,6 @@ static int smb_create_user(const char *domain, const char *unix_username, const return ret; } -/**************************************************************************** - Add and Delete UNIX users on demand, based on NTSTATUS codes. - We don't care about RID's here so ignore. -****************************************************************************/ - -void auth_add_user_script(const char *domain, const char *username) -{ - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - - if ( *lp_adduser_script() ) - smb_create_user(domain, username, NULL); - else { - DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n")); - - /* should never get here is we a re a domain member running winbindd - However, a host set for 'security = server' might run winbindd for - account allocation */ - - if ( !winbind_create_user(username, NULL) ) { - DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); - } - } -} - /**************************************************************************** Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from unix info. @@ -1092,7 +1064,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if (username[strlen(username)-1] == '$') return NULL; - auth_add_user_script(NULL, username); + smb_create_user(NULL, username, NULL); pw = Get_Pwnam(username); } @@ -1181,7 +1153,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); - auth_add_user_script( nt_domain, sent_nt_username ); + smb_create_user( nt_domain, sent_nt_username, NULL); nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, &sam_account ); } -- cgit From 5084d49052f47626b61e53add818fefaacc101b0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 3 Jun 2005 15:42:03 +0000 Subject: r7243: Don't look at gencache.tdb for the trusted domains if winbind is around. Volker (This used to be commit 94acb93f57b963bf137c6ddd644a147f4d0b5175) --- source3/auth/auth_util.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 79205f1206..31bfa2fe01 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1532,11 +1532,26 @@ BOOL is_trusted_domain(const char* dom_name) return True; } else { - /* if winbindd is not up and we are a domain member) then we need to update the - trustdom_cache ourselves */ + NSS_STATUS result; - if ( !winbind_ping() ) - update_trustdom_cache(); + /* If winbind is around, ask it */ + + result = wb_is_trusted_domain(dom_name); + + if (result == NSS_STATUS_SUCCESS) { + return True; + } + + if (result == NSS_STATUS_NOTFOUND) { + /* winbind could not find the domain */ + return False; + } + + /* The only other possible result is that winbind is not up + and running. We need to update the trustdom_cache + ourselves */ + + update_trustdom_cache(); } /* now the trustdom cache should be available a DC could still -- cgit From b279ee16e982d419c2205a7f790bd9cb8035d6e5 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 7 Jun 2005 17:52:19 +0000 Subject: r7372: abartet's patch for BUG 2391 (segv caused by free a static pointer) (This used to be commit 4cda2bd035276bd090bf0fbd4e3b2eff657a80cb) --- source3/auth/auth_server.c | 1 + source3/auth/auth_util.c | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index bc611ec229..7bce32ef2b 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -384,6 +384,7 @@ use this machine as the password server.\n")); real_username, True )) != NULL ) { nt_status = make_server_info_pw(server_info, pass->pw_name, pass); + passwd_free(&pass); } else { diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 31bfa2fe01..021f780112 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -958,6 +958,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { + NTSTATUS nt_status; fstring dom_user, lower_username; fstring real_username; struct passwd *passwd; @@ -992,7 +993,9 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); - return pdb_init_sam_pw(sam_account, passwd); + nt_status = pdb_init_sam_pw(sam_account, passwd); + passwd_free(&passwd); + return nt_status; } /**************************************************************************** @@ -1024,7 +1027,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if ( p ) { fstring strip_username; - pw = Get_Pwnam( domuser ); + pw = Get_Pwnam_alloc( domuser ); if ( pw ) { /* make sure we get the case of the username correct */ /* work around 'winbind use default domain = yes' */ @@ -1055,7 +1058,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) /* just lookup a plain username */ - pw = Get_Pwnam(username); + pw = Get_Pwnam_alloc(username); /* Create local user if requested. */ @@ -1065,7 +1068,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) return NULL; smb_create_user(NULL, username, NULL); - pw = Get_Pwnam(username); + pw = Get_Pwnam_alloc(username); } /* one last check for a valid passwd struct */ -- cgit From 377f947930f3a3fe69c21d5b9386642cbf8b3df7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 Jun 2005 14:23:49 +0000 Subject: r7395: * new feature 'map to guest = bad uid' (based on patch from aruna.prabakar@hp.com). This re-enables the Samba 2.2 behavior where a user that was successfully authenticated by a remote DC would be mapped to the guest account if there was not existing UNIX account for that user and we could not create one. (This used to be commit b7455fbf81f4e47c087c861f70d492a328730a9b) --- source3/auth/auth.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index b777e97cc9..61f638fcd0 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -279,6 +279,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } } + /* successful authentication */ + if (NT_STATUS_IS_OK(nt_status)) { unix_username = (*server_info)->unix_name; if (!(*server_info)->guest) { @@ -304,14 +306,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, user_info->internal_username.str, unix_username)); } + + return nt_status; } - - if (!NT_STATUS_IS_OK(nt_status)) { + + /* failed authentication; check for guest lapping */ + + if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { + make_server_info_guest(server_info); + nt_status = NT_STATUS_OK; + } else { DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", - user_info->smb_name.str, user_info->internal_username.str, - nt_errstr(nt_status))); - ZERO_STRUCTP(server_info); + user_info->smb_name.str, user_info->internal_username.str, + nt_errstr(nt_status))); + ZERO_STRUCTP(server_info); } + return nt_status; } -- cgit From 958624a9fc36f89de1b33ca79b1a72fcb63cbb62 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 9 Jun 2005 18:45:56 +0000 Subject: r7450: fix my bone head mistake with ntlm authentcation and 'map to guest = bad uid'; make sure the authentication suceeds (This used to be commit 5de1ffce2f2a0a340f6591939b8f63a3d96a627e) --- source3/auth/auth.c | 13 ++++--------- source3/auth/auth_util.c | 8 ++++++++ 2 files changed, 12 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 61f638fcd0..9886526cf9 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -312,15 +312,10 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, /* failed authentication; check for guest lapping */ - if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(server_info); - nt_status = NT_STATUS_OK; - } else { - DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", - user_info->smb_name.str, user_info->internal_username.str, - nt_errstr(nt_status))); - ZERO_STRUCTP(server_info); - } + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + user_info->smb_name.str, user_info->internal_username.str, + nt_errstr(nt_status))); + ZERO_STRUCTP(server_info); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 021f780112..49df15533a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1161,7 +1161,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, &found_username, &uid, &gid, &sam_account ); } + /* if we still don't have a valid unix account check for + 'map to gues = bad uid' */ + if (!NT_STATUS_IS_OK(nt_status)) { + if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { + make_server_info_guest(server_info); + return NT_STATUS_OK; + } + DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); return nt_status; } -- cgit From 19ca97a70f6b7b41d251eaa76e4d3c980c6eedff Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 24 Jun 2005 20:25:18 +0000 Subject: r7882: Looks like a large patch - but what it actually does is make Samba safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a) --- source3/auth/auth_winbind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 78235d30fc..3a81cba626 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -109,7 +109,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* we are contacting the privileged pipe */ become_root(); - result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response); unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { -- cgit From a8961434c089a37d21d956a17a34e656eb434fd3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 27 Jun 2005 22:06:18 +0000 Subject: r7956: Spelling mistake. Jeremy. (This used to be commit f318c371077f28ace52f7d2b1517df0d15a0f05a) --- source3/auth/auth_ntlmssp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 0e2c359251..11d9aa09c4 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -48,7 +48,7 @@ static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_s } /** - * NTLM2 authentication modifies the effective challange, + * NTLM2 authentication modifies the effective challenge, * @param challenge The new challenge value */ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) -- cgit From e7c48884a5c7e1f88ce2decf7d12db338ff8995e Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 13 Jul 2005 20:04:26 +0000 Subject: r8432: Fix #2077 - login to trusted domain doesn't allow home drive map and login scripts to be executed. We were filling in our name as the server which processed the login, even when it was done by a trusted DC. Thanks to John Janosik for the fix. (This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c) --- source3/auth/auth_util.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 49df15533a..6624631b53 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1327,6 +1327,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } + (*server_info)->login_server = unistr2_tdup(mem_ctx, + &(info3->uni_logon_srv)); + (*server_info)->ptok = token; SAFE_FREE(lgroupSIDs); -- cgit From e9c7079afe2d46dba1d7bb9d741a7e02d0de17e4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 1 Aug 2005 18:15:05 +0000 Subject: r8889: Another warning (This used to be commit 9ae1098d211f5e687786abb8474b1c4210413f0f) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 5a40bf6c47..18d83ee364 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -202,7 +202,7 @@ struct chat_struct { Create a linked list containing chat data. ***************************************************************/ -static struct chat_struct *make_pw_chat(char *p) +static struct chat_struct *make_pw_chat(const char *p) { fstring prompt; fstring reply; -- cgit From 2ab5b8594ee062922554f2d0d698bb194867025b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 12 Aug 2005 00:05:17 +0000 Subject: r9252: 2 type fixes from Luke Mewburn . Bugid #2934. Jeremy. (This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a) --- source3/auth/auth_sam.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 023e441e24..bb4df707ef 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -78,6 +78,7 @@ static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) /* In logon hours first bit is Sunday from 12AM to 1AM */ const uint8 *hours; struct tm *utctime; + time_t lasttime; uint8 bitmask, bitpos; hours = pdb_get_hours(sampass); @@ -86,7 +87,8 @@ static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) return True; } - utctime = localtime(&smb_last_time.tv_sec); + lasttime = (time_t)smb_last_time.tv_sec; + utctime = localtime(&lasttime); /* find the corresponding byte and bit */ bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168; -- cgit From dab71bed4e61b816b112433fc44e5f7259e4d2ab Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 24 Aug 2005 16:19:07 +0000 Subject: r9588: remove netsamlogon_cache interface...everything seems to work fine. Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280) --- source3/auth/auth_domain.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6483dc143a..cdf87adebb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -205,7 +205,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); - netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } #if 0 -- cgit From 418e92d06da0638d92c48ffd310a409c89e2fa48 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Sep 2005 23:58:14 +0000 Subject: r10234: Add new auth module "auth_script" to allow valid users to be provisioned on demand - calls script with domain, username, challenge and LM and NT responses - passing the info through a pipe. Jeremy. (This used to be commit 67be4ee41cd244bcc0445cac7c9e1e2d40e93c9b) --- source3/auth/auth_script.c | 155 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) create mode 100644 source3/auth/auth_script.c (limited to 'source3/auth') diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c new file mode 100644 index 0000000000..1a715fca31 --- /dev/null +++ b/source3/auth/auth_script.c @@ -0,0 +1,155 @@ +/* + Unix SMB/CIFS implementation. + + Call out to a shell script for an authentication check. + + Copyright (C) Jeremy Allison 2005. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef malloc + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/* Create a string containing the supplied : + * domain\n + * user\n + * ascii hex challenge\n + * ascii hex LM response\n + * ascii hex NT response\n\0 + * and execute a shell script to check this. + * Allows external programs to create users on demand. + * Script returns zero on success, non-zero on fail. + */ + +static NTSTATUS script_check_user_credentials(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + const char *script = lp_parm_const_string( GLOBAL_SECTION_SNUM, "auth_script", "script", NULL); + char *secret_str; + size_t secret_str_len; + char hex_str[49]; + int ret, i; + + if (!script) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!user_info) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!auth_context) { + DEBUG(3,("script_check_user_credentials: no auth_info !\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + secret_str_len = strlen(user_info->domain.str) + 1 + + strlen(user_info->smb_name.str) + 1 + + 16 + 1 + /* 8 bytes of challenge going to 16 */ + 48 + 1 + /* 24 bytes of challenge going to 48 */ + 48 + 1; + + secret_str = malloc(secret_str_len); + if (!secret_str) { + return NT_STATUS_NO_MEMORY; + } + + safe_strcpy( secret_str, user_info->domain.str, secret_str_len - 1); + safe_strcat( secret_str, "\n", secret_str_len - 1); + safe_strcat( secret_str, user_info->smb_name.str, secret_str_len - 1); + safe_strcat( secret_str, "\n", secret_str_len - 1); + + for (i = 0; i < 8; i++) { + slprintf(&hex_str[i*2], 3, "%02X", auth_context->challenge.data[i]); + } + safe_strcat( secret_str, hex_str, secret_str_len - 1); + safe_strcat( secret_str, "\n", secret_str_len - 1); + + if (user_info->lm_resp.data) { + for (i = 0; i < 24; i++) { + slprintf(&hex_str[i*2], 3, "%02X", user_info->lm_resp.data[i]); + } + safe_strcat( secret_str, hex_str, secret_str_len - 1); + } + safe_strcat( secret_str, "\n", secret_str_len - 1); + + if (user_info->nt_resp.data) { + for (i = 0; i < 24; i++) { + slprintf(&hex_str[i*2], 3, "%02X", user_info->nt_resp.data[i]); + } + safe_strcat( secret_str, hex_str, secret_str_len - 1); + } + safe_strcat( secret_str, "\n", secret_str_len - 1); + + DEBUG(10,("script_check_user_credentials: running %s with parameters:\n%s\n", + script, secret_str )); + + ret = smbrunsecret( script, secret_str); + + SAFE_FREE(secret_str); + + if (ret) { + DEBUG(1,("script_check_user_credentials: failed to authenticate %s\\%s\n", + user_info->domain.str, user_info->smb_name.str )); + /* auth failed. */ + return NT_STATUS_NO_SUCH_USER; + } + + /* Cause the auth system to keep going.... */ + return NT_STATUS_NOT_IMPLEMENTED; +} + +/* module initialisation */ +static NTSTATUS auth_init_script(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->name = "script"; + (*auth_method)->auth = script_check_user_credentials; + + if (param && *param) { + /* we load the 'fallback' module - if script isn't here, call this + module */ + if (!load_auth_module(auth_context, param, (auth_methods **)&(*auth_method)->private_data)) { + return NT_STATUS_UNSUCCESSFUL; + } + + } + return NT_STATUS_OK; +} + +#if 0 +/* Define this to build static. */ +NTSTATUS auth_script_init(void) +{ + return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); +} +#else +/* Define this to build shared. */ +NTSTATUS init_module(void) +{ + return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); +} +#endif -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/auth/auth.c | 2 +- source3/auth/auth_domain.c | 204 +++++++++++++++++++++++--------------------- source3/auth/auth_ntlmssp.c | 6 +- source3/auth/auth_util.c | 95 ++++++++++++++++++++- source3/auth/auth_winbind.c | 2 +- 5 files changed, 208 insertions(+), 101 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 9886526cf9..92c90b6241 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -235,7 +235,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, #ifdef DEBUG_PASSWORD DEBUG(100, ("user_info has passwords of length %d and %d\n", - user_info->lm_resp.length, user_info->nt_resp.length)); + (int)user_info->lm_resp.length, (int)user_info->nt_resp.length)); DEBUG(100, ("lm:\n")); dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length); DEBUG(100, ("nt:\n")); diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index cdf87adebb..4abc6c6656 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -40,15 +40,17 @@ extern BOOL global_machine_password_needs_changing; * **/ -static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *domain, const char *dc_name, - struct in_addr dc_ip, - const char *setup_creds_as, - uint16 sec_chan, - const unsigned char *trust_passwd, - BOOL *retry) +static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, + const char *domain, + const char *dc_name, + struct in_addr dc_ip, + struct rpc_pipe_client **pipe_ret, + BOOL *retry) { NTSTATUS result; + struct rpc_pipe_client *netlogon_pipe = NULL; + + *pipe_ret = NULL; /* TODO: Send a SAMLOGON request to determine whether this is a valid logonserver. We can avoid a 30-second timeout if the DC is down @@ -64,8 +66,9 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - if (!grab_server_mutex(dc_name)) + if (!grab_server_mutex(dc_name)) { return NT_STATUS_NO_LOGON_SERVERS; + } /* Attempt connection */ *retry = True; @@ -95,36 +98,65 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { + /* open the netlogon pipe. */ + if (lp_client_schannel()) { + /* We also setup the creds chain in the open_schannel call. */ + netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, domain, &result); + } else { + netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON, &result); + } + + if(!netlogon_pipe) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); - cli_nt_session_close(*cli); - cli_ulogoff(*cli); +machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); release_server_mutex(); - return NT_STATUS_NO_LOGON_SERVERS; + return result; } - fstr_sprintf((*cli)->mach_acct, "%s$", setup_creds_as); - - /* This must be the remote domain (not ours) for schannel */ - - fstrcpy( (*cli)->domain, domain ); + if (!lp_client_schannel()) { + /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 sec_chan_type = 0; + char machine_pwd[16]; + + if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) { + DEBUG(0, ("connect_to_domain_password_server: could not fetch " + "trust account password for domain '%s'\n", + domain)); + cli_shutdown(*cli); + release_server_mutex(); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } - result = cli_nt_establish_netlogon(*cli, sec_chan, trust_passwd); + result = rpccli_netlogon_setup_creds(netlogon_pipe, + dc_name, + domain, + global_myname(), + machine_pwd, + sec_chan_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(result)) { + cli_shutdown(*cli); + release_server_mutex(); + return result; + } + } - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ -%s. Error was : %s.\n", dc_name, nt_errstr(result))); - cli_nt_session_close(*cli); - cli_ulogoff(*cli); + if(!netlogon_pipe) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_shutdown(*cli); release_server_mutex(); - return result; + return NT_STATUS_NO_LOGON_SERVERS; } /* We exit here with the mutex *locked*. JRA */ + *pipe_ret = netlogon_pipe; + return NT_STATUS_OK; } @@ -135,18 +167,17 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); ************************************************************************/ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - const char *domain, - uchar chal[8], - auth_serversupplied_info **server_info, - const char *dc_name, struct in_addr dc_ip, - const char *setup_creds_as, - uint16 sec_chan, - unsigned char trust_passwd[16], - time_t last_change_time) + const auth_usersupplied_info *user_info, + const char *domain, + uchar chal[8], + auth_serversupplied_info **server_info, + const char *dc_name, + struct in_addr dc_ip) + { NET_USER_INFO_3 info3; struct cli_state *cli = NULL; + struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; int i; BOOL retry = True; @@ -162,8 +193,12 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* rety loop for robustness */ for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { - nt_status = connect_to_domain_password_server(&cli, domain, dc_name, - dc_ip, setup_creds_as, sec_chan, trust_passwd, &retry); + nt_status = connect_to_domain_password_server(&cli, + domain, + dc_name, + dc_ip, + &netlogon_pipe, + &retry); } if ( !NT_STATUS_IS_OK(nt_status) ) { @@ -181,13 +216,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, * in the info3 structure. */ - nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - NULL, user_info->smb_name.str, user_info->domain.str, - user_info->wksta_name.str, chal, user_info->lm_resp, - user_info->nt_resp, &info3); - - /* let go as soon as possible so we avoid any potential deadlocks - with winbind lookup up users or groups */ + nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, + mem_ctx, + dc_name, /* server name */ + user_info->smb_name.str, /* user name logging on. */ + user_info->domain.str, /* domain name */ + user_info->wksta_name.str, /* workstation name */ + chal, /* 8 byte challenge. */ + user_info->lm_resp, /* lanman 24 byte response */ + user_info->nt_resp, /* nt 24 byte response */ + &info3); /* info3 out */ + + /* Let go as soon as possible so we avoid any potential deadlocks + with winbind lookup up users or groups. */ release_server_mutex(); @@ -195,7 +236,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, cli->srv_name_slash, + user_info->domain.str, dc_name, nt_errstr(nt_status))); /* map to something more useful */ @@ -203,32 +244,18 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = NT_STATUS_NO_LOGON_SERVERS; } } else { - nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, - user_info->smb_name.str, domain, server_info, &info3); + nt_status = make_server_info_info3(mem_ctx, + user_info->internal_username.str, + user_info->smb_name.str, + domain, + server_info, + &info3); } -#if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ - - if (NT_STATUS_IS_OK(status)) { - if(cli_nt_logoff(&cli, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, dc_name, cli_errstr(&cli))); - nt_status = NT_STATUS_LOGON_FAILURE; - } - } -#endif /* 0 */ - /* Note - once the cli stream is shutdown the mem_ctx used to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ - cli_nt_session_close(cli); - cli_ulogoff(cli); cli_shutdown(cli); return nt_status; } @@ -244,10 +271,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - unsigned char trust_passwd[16]; - time_t last_change_time; const char *domain = lp_workgroup(); - uint32 sec_channel_type = 0; fstring dc_name; struct in_addr dc_ip; @@ -273,26 +297,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_NOT_IMPLEMENTED; } - /* - * Get the machine account password for our primary domain - * No need to become_root() as secrets_init() is done at startup. - */ - - if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time, &sec_channel_type)) - { - DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - - /* Test if machine password has expired and needs to be changed */ - if (lp_machine_password_timeout()) { - if (last_change_time > 0 && - time(NULL) > (last_change_time + - lp_machine_password_timeout())) { - global_machine_password_needs_changing = True; - } - } - /* we need our DC to send the net_sam_logon() request to */ if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { @@ -301,9 +305,13 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_NO_LOGON_SERVERS; } - nt_status = domain_client_validate(mem_ctx, user_info, domain, - (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, - global_myname(), sec_channel_type,trust_passwd, last_change_time); + nt_status = domain_client_validate(mem_ctx, + user_info, + domain, + (uchar *)auth_context->challenge.data, + server_info, + dc_name, + dc_ip); return nt_status; } @@ -357,7 +365,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* No point is bothering if this is not a trusted domain. This return makes "map to guest = bad user" work again. The logic is that if we know nothing about the domain, that - user is known to us and does not exist */ + user is not known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) return NT_STATUS_NOT_IMPLEMENTED; @@ -367,8 +375,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time)) - { + if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, + &sid, &last_change_time)) { DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -396,9 +404,13 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte return NT_STATUS_NO_LOGON_SERVERS; } - nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, - (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, - lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + nt_status = domain_client_validate(mem_ctx, + user_info, + user_info->domain.str, + (uchar *)auth_context->challenge.data, + server_info, + dc_name, + dc_ip); return nt_status; } diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 11d9aa09c4..738af73f49 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -114,13 +114,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, return nt_status; } if (auth_ntlmssp_state->server_info->user_session_key.length) { - DEBUG(10, ("Got NT session key of length %u\n", auth_ntlmssp_state->server_info->user_session_key.length)); + DEBUG(10, ("Got NT session key of length %u\n", + (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length)); *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx, auth_ntlmssp_state->server_info->user_session_key.data, auth_ntlmssp_state->server_info->user_session_key.length); } if (auth_ntlmssp_state->server_info->lm_session_key.length) { - DEBUG(10, ("Got LM session key of length %u\n", auth_ntlmssp_state->server_info->lm_session_key.length)); + DEBUG(10, ("Got LM session key of length %u\n", + (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length)); *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data, auth_ntlmssp_state->server_info->lm_session_key.length); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6624631b53..194a1ad532 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -372,7 +372,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; #ifdef DEBUG_PASSWORD - DEBUG(10,("Unencrypted password (len %d):\n",plaintext_password.length)); + DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length)); dump_data(100, plaintext_password.data, plaintext_password.length); #endif @@ -640,6 +640,44 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, return token; } +/****************************************************************************** + Create a token for the root user to be used internally by smbd. + This is similar to running under the context of the LOCAL_SYSTEM account + in Windows. This is a read-only token. Do not modify it or free() it. + Create a copy if your need to change it. +******************************************************************************/ + +NT_USER_TOKEN *get_root_nt_token( void ) +{ + static NT_USER_TOKEN *token = NULL; + DOM_SID u_sid, g_sid; + DOM_SID g_sids[1]; + struct passwd *pw; + NTSTATUS result; + + if ( token ) + return token; + + if ( !(pw = getpwnam( "root" )) ) { + DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n")); + return NULL; + } + + /* get the user and primary group SIDs; although the + BUILTIN\Administrators SId is really the one that matters here */ + + if ( !NT_STATUS_IS_OK(uid_to_sid(&u_sid, pw->pw_uid)) ) + return NULL; + if ( !NT_STATUS_IS_OK(gid_to_sid(&g_sid, pw->pw_gid)) ) + return NULL; + + sid_copy( &g_sids[0], &global_sid_Builtin_Administrators ); + + result = create_nt_user_token( &u_sid, &g_sid, 1, g_sids, False, &token); + + return NT_STATUS_IS_OK(result) ? token : NULL; +} + /****************************************************************************** * this function returns the groups (SIDs) of the local SAM the user is in. * If this samba server is a DC of the domain the user belongs to, it returns @@ -831,6 +869,61 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return nt_status; } +/*************************************************************************** + Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion + to a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, + char *unix_username, + struct passwd *pwd, + PAC_LOGON_INFO *logon_info) +{ + NTSTATUS nt_status; + SAM_ACCOUNT *sampass = NULL; + DOM_SID user_sid, group_sid; + fstring dom_name; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { + return nt_status; + } + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + return nt_status; + } + + /* only copy user_sid, group_sid and domain name out of the PAC for + * now, we will benefit from more later - Guenther */ + + sid_copy(&user_sid, &logon_info->info3.dom_sid.sid); + sid_append_rid(&user_sid, logon_info->info3.user_rid); + pdb_set_user_sid(sampass, &user_sid, PDB_SET); + + sid_copy(&group_sid, &logon_info->info3.dom_sid.sid); + sid_append_rid(&group_sid, logon_info->info3.group_rid); + pdb_set_group_sid(sampass, &group_sid, PDB_SET); + + unistr2_to_ascii(dom_name, &logon_info->info3.uni_logon_dom, -1); + pdb_set_domain(sampass, dom_name, PDB_SET); + + pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET); + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, + sampass, pwd->pw_uid, pwd->pw_gid))) + { + return nt_status; + } + + (*server_info)->unix_name = smb_xstrdup(unix_username); + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = pwd->pw_uid; + (*server_info)->gid = pwd->pw_gid; + return nt_status; +} + + /*************************************************************************** Make (and fill) a user_info struct from a 'struct passwd' by conversion to a SAM_ACCOUNT diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 3a81cba626..0c263b6ab3 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -38,7 +38,7 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response } prs_copy_data_in(&ps, (char *)info3_ndr, len); prs_set_offset(&ps,0); - if (!net_io_user_info3("", info3, &ps, 1, 3)) { + if (!net_io_user_info3("", info3, &ps, 1, 3, False)) { DEBUG(2, ("get_info3_from_ndr: could not parse info3 struct!\n")); return NT_STATUS_UNSUCCESSFUL; } -- cgit From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/auth/auth.c | 4 ++-- source3/auth/auth_domain.c | 2 +- source3/auth/auth_util.c | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 92c90b6241..df7d6fc9c6 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -237,9 +237,9 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, DEBUG(100, ("user_info has passwords of length %d and %d\n", (int)user_info->lm_resp.length, (int)user_info->nt_resp.length)); DEBUG(100, ("lm:\n")); - dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length); + dump_data(100, (const char *)user_info->lm_resp.data, user_info->lm_resp.length); DEBUG(100, ("nt:\n")); - dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length); + dump_data(100, (const char *)user_info->nt_resp.data, user_info->nt_resp.length); #endif /* This needs to be sorted: If it doesn't match, what should we do? */ diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 4abc6c6656..6e053b317e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -119,7 +119,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; - char machine_pwd[16]; + unsigned char machine_pwd[16]; if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) { DEBUG(0, ("connect_to_domain_password_server: could not fetch " diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 194a1ad532..49122bd441 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -373,7 +373,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, #ifdef DEBUG_PASSWORD DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length)); - dump_data(100, plaintext_password.data, plaintext_password.length); + dump_data(100, (const char *)plaintext_password.data, plaintext_password.length); #endif SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response); @@ -693,7 +693,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) ******************************************************************************/ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, - int *n_groups, DOM_SID **groups, gid_t **unix_groups) + size_t *n_groups, DOM_SID **groups, gid_t **unix_groups) { int n_unix_groups; int i; @@ -787,7 +787,7 @@ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, NTSTATUS nt_status; const DOM_SID *user_sid = pdb_get_user_sid(sampass); const DOM_SID *group_sid = pdb_get_group_sid(sampass); - int n_groupSIDs = 0; + size_t n_groupSIDs = 0; DOM_SID *groupSIDs = NULL; gid_t *unix_groups = NULL; NT_USER_TOKEN *token; @@ -1197,7 +1197,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; - int n_lgroupSIDs; + size_t n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; gid_t *unix_groups = NULL; -- cgit From 5678e4abb04e546735bff4907854ca32094a5b71 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Nov 2005 00:03:55 +0000 Subject: r11492: Fix bug #3224 (I hope). Correctly use machine_account_name and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb) --- source3/auth/auth_domain.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6e053b317e..8d29367835 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -131,9 +131,10 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); } result = rpccli_netlogon_setup_creds(netlogon_pipe, - dc_name, - domain, - global_myname(), + dc_name, /* server name */ + domain, /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ machine_pwd, sec_chan_type, &neg_flags); -- cgit From fcceedd67c29bae6941949a16ebef37e95dab601 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Nov 2005 06:19:34 +0000 Subject: r11573: Adding Andrew Bartlett's patch to make machine account logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8) --- source3/auth/auth_domain.c | 19 ++++++++++--------- source3/auth/auth_ntlmssp.c | 2 ++ source3/auth/auth_sam.c | 15 +++++++++------ source3/auth/auth_util.c | 15 +++++++++++++-- source3/auth/auth_winbind.c | 2 ++ 5 files changed, 36 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8d29367835..94b138e55b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, - mem_ctx, - dc_name, /* server name */ - user_info->smb_name.str, /* user name logging on. */ - user_info->domain.str, /* domain name */ - user_info->wksta_name.str, /* workstation name */ - chal, /* 8 byte challenge. */ - user_info->lm_resp, /* lanman 24 byte response */ - user_info->nt_resp, /* nt 24 byte response */ - &info3); /* info3 out */ + mem_ctx, + user_info->logon_parameters,/* flags such as 'allow workstation logon' */ + dc_name, /* server name */ + user_info->smb_name.str, /* user name logging on. */ + user_info->domain.str, /* domain name */ + user_info->wksta_name.str, /* workstation name */ + chal, /* 8 byte challenge. */ + user_info->lm_resp, /* lanman 24 byte response */ + user_info->nt_resp, /* nt 24 byte response */ + &info3); /* info3 out */ /* Let go as soon as possible so we avoid any potential deadlocks with winbind lookup up users or groups. */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 738af73f49..2fef8f1e9b 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -101,6 +101,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, NULL, NULL, NULL, True); + user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index bb4df707ef..c92cecdde5 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -208,15 +208,18 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); - return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; + if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) { + DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); + return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; + } } - + if (acct_ctrl & ACB_WSTRUST) { - DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); - return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; + if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) { + DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); + return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; + } } - return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 49122bd441..6a92c8782e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, (*user_info)->encrypted = encrypted; + (*user_info)->logon_parameters = 0; + DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); return NT_STATUS_OK; @@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, + uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, const uchar *nt_network_pwd, int nt_pwd_len) { @@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, True); - + + if (NT_STATUS_IS_OK(nt_status)) { + (*user_info)->logon_parameters = logon_parameters; + } ret = NT_STATUS_IS_OK(nt_status) ? True : False; - + data_blob_free(&lm_blob); data_blob_free(&nt_blob); return ret; @@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, + uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], const uchar nt_interactive_pwd[16], @@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, NULL, True); + if (NT_STATUS_IS_OK(nt_status)) { + (*user_info)->logon_parameters = logon_parameters; + } + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 0c263b6ab3..ad72bd9a1f 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -88,6 +88,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, request.flags = WBFLAG_PAM_INFO3_NDR; + request.data.auth_crap.logon_parameters = user_info->logon_parameters; + fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); fstrcpy(request.data.auth_crap.domain, -- cgit From ce0a1fa159baab4c4bdaac601d0f56e29a406945 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 10 Nov 2005 20:28:23 +0000 Subject: r11652: Reinstate the netsamlogon_cache in order to work around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4) --- source3/auth/auth_domain.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 94b138e55b..242105a664 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -252,6 +252,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, domain, server_info, &info3); + + netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used -- cgit From a4d729bdfadfc39fece612fcdd68955c3e3845bb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 11 Nov 2005 03:03:41 +0000 Subject: r11661: Store the INFO3 in the PAC data into the netsamlogon_cache. Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 242105a664..266851b229 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -253,7 +253,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, server_info, &info3); - netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); + netsamlogon_cache_store( user_info->smb_name.str, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used -- cgit From 43600a1d5808af6df72a90bf4fe951e3e7da4601 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 23 Nov 2005 22:08:57 +0000 Subject: r11886: Fix 3187: logon hours restrictions were off corresponding to our offset from GMT. Use gmtime() instead of localtime() in the calc, but still use localtime() in displaying it. (This used to be commit 9b34f2d0f4bfc623eaec9c1334e34fa3965ba25b) --- source3/auth/auth_sam.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index c92cecdde5..558c181f70 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -88,7 +88,7 @@ static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) } lasttime = (time_t)smb_last_time.tv_sec; - utctime = localtime(&lasttime); + utctime = gmtime(&lasttime); /* find the corresponding byte and bit */ bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168; @@ -96,7 +96,8 @@ static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) if (! (hours[bitpos/8] & bitmask)) { DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (%s).\n", - pdb_get_username(sampass), asctime(utctime) )); + pdb_get_username(sampass), + asctime(localtime(&lasttime)) )); return False; } -- cgit From 5cc200ae5509d73176cdcbf0180bf450077d512a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 26 Nov 2005 18:20:58 +0000 Subject: r11916: auth_get_sam_account is only used in auth_rhosts.c -- move it there (This used to be commit 8e5bea3f84c61ea312278cbbb70542664be7bd14) --- source3/auth/auth_rhosts.c | 30 ++++++++++++++++++++++++++++++ source3/auth/auth_util.c | 30 ------------------------------ 2 files changed, 30 insertions(+), 30 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index b295df9328..b561e3d42b 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -23,6 +23,36 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +/**************************************************************************** + Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from + unix info. +****************************************************************************/ + +static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) +{ + BOOL pdb_ret; + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { + return nt_status; + } + + become_root(); + pdb_ret = pdb_getsampwnam(*account, user); + unbecome_root(); + + if (!pdb_ret) { + + struct passwd *pass = Get_Pwnam(user); + if (!pass) + return NT_STATUS_NO_SUCH_USER; + + if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { + return nt_status; + } + } + return NT_STATUS_OK; +} + /**************************************************************************** Read the a hosts.equiv or .rhosts file and check if it allows this user from this machine. diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6a92c8782e..61cb7f31cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,36 +50,6 @@ static int smb_create_user(const char *domain, const char *unix_username, const return ret; } -/**************************************************************************** - Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from - unix info. -****************************************************************************/ - -NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) -{ - BOOL pdb_ret; - NTSTATUS nt_status; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { - return nt_status; - } - - become_root(); - pdb_ret = pdb_getsampwnam(*account, user); - unbecome_root(); - - if (!pdb_ret) { - - struct passwd *pass = Get_Pwnam(user); - if (!pass) - return NT_STATUS_NO_SUCH_USER; - - if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { - return nt_status; - } - } - return NT_STATUS_OK; -} - /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ -- cgit From 05ac2de0df78d22ad5afb42ea5c72ba17bef8395 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 Dec 2005 18:34:13 +0000 Subject: r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7) --- source3/auth/auth_util.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 61cb7f31cc..ce1ce31d08 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1550,7 +1550,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) Check for a SID in an NT_USER_TOKEN ****************************************************************************/ -BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) +static BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) { int i; @@ -1598,8 +1598,6 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) BOOL is_trusted_domain(const char* dom_name) { DOM_SID trustdom_sid; - char *pass = NULL; - time_t lct; BOOL ret; /* no trusted domains for a standalone server */ @@ -1613,9 +1611,8 @@ BOOL is_trusted_domain(const char* dom_name) become_root(); DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n", dom_name )); - ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); + ret = secrets_fetch_trusted_domain_password(dom_name, NULL, NULL, NULL); unbecome_root(); - SAFE_FREE(pass); if (ret) return True; } -- cgit From 143103954cf80c211b7799ebfd4f9ad12ff7c420 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 11 Dec 2005 04:39:33 +0000 Subject: r12174: Simple patch to work around the current lack of BUILTIN nested group support. Always add the BUILTIN\Administrators SID to a Domain Admins token. This solves the extra steps of establishing a group map for the local Administrators SID in order to control services. Windows also tends to expect the Administrators group to be usable when setting up security permissions on shares. Volker's work will probably fix this long term, but this gets us past some of the setup hurdles for 3.0.21. (This used to be commit 170b6a68bcbd66bae322c5b1b8c8501ca96acab2) --- source3/auth/auth_util.c | 56 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 53 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce1ce31d08..497f16adf2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -471,9 +471,12 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro NT_USER_TOKEN *ptoken; int i; int sid_ndx; + DOM_SID domadm; + BOOL is_domain_admin = False; + BOOL domain_mode = False; if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) { - DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); + DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; } @@ -483,7 +486,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids = n_groupSIDs + 5; if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) { - DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); + DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; } @@ -517,6 +520,27 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro sid_ndx = 5; /* next available spot */ + /* this is where we construct the domain admins SID if we can + so that we can add the BUILTIN\Administrators SID to the token */ + + ZERO_STRUCT( domadm ); + if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) { + domain_mode = True; + + if ( IS_DC ) + sid_copy( &domadm, get_global_sam_sid() ); + else { + /* if we a re a member server and cannot find + out domain SID then reset the domain_mode flag */ + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) + domain_mode = False; + } + + sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); + } + + /* add the group SIDs to teh token */ + for (i = 0; i < n_groupSIDs; i++) { size_t check_sid_idx; for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { @@ -531,6 +555,30 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro } else { ptoken->num_sids--; } + + /* here we check if the user is a domain admin and add the + BUILTIN\Administrators SID to the token the group membership + check succeeds. */ + + if ( domain_mode ) { + if ( sid_equal( &domadm, &groupSIDs[i] ) ) + is_domain_admin = True; + } + + } + + /* finally realloc the SID array and add the BUILTIN\Administrators + SID if necessary */ + + if ( is_domain_admin ) { + DOM_SID *sids; + + if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) ) + DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1)); + else { + ptoken->user_sids = sids; + sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators ); + } } /* add privileges assigned to this user */ @@ -602,6 +650,8 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, return NULL; } + /* convert the Unix group ids to SIDS */ + for (i = 0; i < ngroups; i++) { if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); @@ -640,7 +690,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) return token; if ( !(pw = getpwnam( "root" )) ) { - DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n")); + DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); return NULL; } -- cgit From 10b5609a1458d156938302a5a26c11913c340476 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Dec 2005 01:41:12 +0000 Subject: r12279: unix_mask_match has been broken for *ever*... (How). Ensure it returns a BOOL. Jerry (and anyone else) please check this, I think all uses are now correct but could do with another set of eyes. Essential for 3.0.21 release. Jeremy. (This used to be commit 0c7b8a7637e760fcb6629092f36b610b8c71f5c9) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 18d83ee364..26b45c5ff8 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -310,7 +310,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (unix_wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt)) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); @@ -341,7 +341,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n", t->prompt, current_prompt )); - if (unix_wild_match(t->prompt, current_prompt) == 0) { + if (unix_wild_match(t->prompt, current_prompt)) { fstrcpy(current_reply, t->reply); DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); -- cgit From 28fb5b6f97c17af58ae99be98219de70ee95baba Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 18 Dec 2005 18:06:15 +0000 Subject: r12313: Introduce yet another copy of the string_sub function: talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38) --- source3/auth/auth_util.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 497f16adf2..eb15fff7c8 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -591,33 +591,36 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro (strlen(lp_log_nt_token_command()) > 0)) { TALLOC_CTX *mem_ctx; char *command; - fstring sidstr; - char *user_sidstr, *group_sidstr; + char *group_sidstr; mem_ctx = talloc_init("setnttoken"); if (mem_ctx == NULL) return NT_STATUS_NO_MEMORY; - sid_to_string(sidstr, &ptoken->user_sids[0]); - user_sidstr = talloc_strdup(mem_ctx, sidstr); - group_sidstr = talloc_strdup(mem_ctx, ""); for (i=1; inum_sids; i++) { - sid_to_string(sidstr, &ptoken->user_sids[i]); - group_sidstr = talloc_asprintf(mem_ctx, "%s %s", - group_sidstr, sidstr); + group_sidstr = talloc_asprintf( + mem_ctx, "%s %s", group_sidstr, + sid_string_static(&ptoken->user_sids[i])); + } + + command = talloc_string_sub( + mem_ctx, lp_log_nt_token_command(), + "%s", sid_string_static(&ptoken->user_sids[0])); + command = talloc_string_sub( + mem_ctx, command, "%t", group_sidstr); + + if (command == NULL) { + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; } - command = SMB_STRDUP(lp_log_nt_token_command()); - command = realloc_string_sub(command, "%s", user_sidstr); - command = realloc_string_sub(command, "%t", group_sidstr); DEBUG(8, ("running command: [%s]\n", command)); if (smbrun(command, NULL) != 0) { DEBUG(0, ("Could not log NT token\n")); nt_status = NT_STATUS_ACCESS_DENIED; } talloc_destroy(mem_ctx); - SAFE_FREE(command); } *token = ptoken; -- cgit From 5a4881bf396e691524329bcd6aa1ae4a7f4084ec Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 27 Dec 2005 20:52:36 +0000 Subject: r12522: Try and fix bug #2926 by removing setlocale(LC_ALL, "C") and replace calls to isupper/islower/toupper/tolower with ASCII equivalents (mapping into _w variants). Jeremy. (This used to be commit c2752347eb2deeb2798c580ec7fc751a847717e9) --- source3/auth/pass_check.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 0425e01cdc..507e8a3836 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -452,9 +452,9 @@ static NTSTATUS string_combinations2(char *s, int offset, NTSTATUS (*fn) (const for (i = offset; i < (len - (N - 1)); i++) { char c = s[i]; - if (!islower(c)) + if (!islower_ascii(c)) continue; - s[i] = toupper(c); + s[i] = toupper_ascii(c); if (!NT_STATUS_EQUAL(nt_status = string_combinations2(s, i + 1, fn, N - 1),NT_STATUS_WRONG_PASSWORD)) { return (nt_status); } -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/auth/auth.c | 20 +- source3/auth/auth_builtin.c | 6 +- source3/auth/auth_compat.c | 2 +- source3/auth/auth_domain.c | 41 +- source3/auth/auth_ntlmssp.c | 10 +- source3/auth/auth_rhosts.c | 190 +++--- source3/auth/auth_sam.c | 43 +- source3/auth/auth_script.c | 10 +- source3/auth/auth_server.c | 16 +- source3/auth/auth_unix.c | 6 +- source3/auth/auth_util.c | 1441 +++++++++++++++++++++++-------------------- source3/auth/auth_winbind.c | 19 +- 12 files changed, 979 insertions(+), 825 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index df7d6fc9c6..6dc30383d5 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -216,10 +216,10 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", - user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + user_info->client_domain, user_info->smb_name, user_info->wksta_name)); DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n", - user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + user_info->domain, user_info->internal_username, user_info->wksta_name)); if (auth_context->challenge.length != 8) { DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n")); @@ -243,14 +243,14 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, #endif /* This needs to be sorted: If it doesn't match, what should we do? */ - if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) + if (!check_domain_match(user_info->smb_name, user_info->domain)) return NT_STATUS_LOGON_FAILURE; for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { NTSTATUS result; mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, - user_info->domain.str, user_info->smb_name.str); + user_info->domain, user_info->smb_name); result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); @@ -265,10 +265,10 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", - auth_method->name, user_info->smb_name.str)); + auth_method->name, user_info->smb_name)); } else { DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n", - auth_method->name, user_info->smb_name.str, nt_errstr(nt_status))); + auth_method->name, user_info->smb_name, nt_errstr(nt_status))); } talloc_destroy(mem_ctx); @@ -302,8 +302,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, DEBUG((*server_info)->guest ? 5 : 2, ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", (*server_info)->guest ? "guest " : "", - user_info->smb_name.str, - user_info->internal_username.str, + user_info->smb_name, + user_info->internal_username, unix_username)); } @@ -313,8 +313,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, /* failed authentication; check for guest lapping */ DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", - user_info->smb_name.str, user_info->internal_username.str, - nt_errstr(nt_status))); + user_info->smb_name, user_info->internal_username, + nt_errstr(nt_status))); ZERO_STRUCTP(server_info); return nt_status; diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 96c2221652..d4d6d49e40 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -41,8 +41,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, /* mark this as 'not for me' */ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - if (!(user_info->internal_username.str - && *user_info->internal_username.str)) { + if (!(user_info->internal_username + && *user_info->internal_username)) { nt_status = make_server_info_guest(server_info); } @@ -84,7 +84,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ NTSTATUS nt_status; fstring user; long error_num; - fstrcpy(user, user_info->smb_name.str); + fstrcpy(user, user_info->smb_name); if (strnequal("NT_STATUS", user, strlen("NT_STATUS"))) { strupper_m(user); diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 2ac70d7354..28b9de8d43 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -84,7 +84,7 @@ static NTSTATUS pass_check_smb(const char *smb_name, } else { nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info); } - free_server_info(&server_info); + talloc_free(server_info); return nt_status; } diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 266851b229..81ae7c1340 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -221,9 +221,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, mem_ctx, user_info->logon_parameters,/* flags such as 'allow workstation logon' */ dc_name, /* server name */ - user_info->smb_name.str, /* user name logging on. */ - user_info->domain.str, /* domain name */ - user_info->wksta_name.str, /* workstation name */ + user_info->smb_name, /* user name logging on. */ + user_info->domain, /* domain name */ + user_info->wksta_name, /* workstation name */ chal, /* 8 byte challenge. */ user_info->lm_resp, /* lanman 24 byte response */ user_info->nt_resp, /* nt 24 byte response */ @@ -237,8 +237,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " - "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, dc_name, + "Error was %s.\n", user_info->smb_name, + user_info->domain, dc_name, nt_errstr(nt_status))); /* map to something more useful */ @@ -247,13 +247,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } } else { nt_status = make_server_info_info3(mem_ctx, - user_info->internal_username.str, - user_info->smb_name.str, + user_info->internal_username, + user_info->smb_name, domain, server_info, &info3); - netsamlogon_cache_store( user_info->smb_name.str, &info3 ); + netsamlogon_cache_store( user_info->smb_name, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used @@ -296,7 +296,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(strequal(get_global_sam_name(), user_info->domain.str)) { + if(strequal(get_global_sam_name(), user_info->domain)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_NOT_IMPLEMENTED; } @@ -305,7 +305,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -360,9 +360,9 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * Check that the requested domain is not our own machine name or domain name. */ - if( strequal(get_global_sam_name(), user_info->domain.str)) { + if( strequal(get_global_sam_name(), user_info->domain)) { DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NOT_IMPLEMENTED; } @@ -371,7 +371,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte The logic is that if we know nothing about the domain, that user is not known to us and does not exist */ - if ( !is_trusted_domain( user_info->domain.str ) ) + if ( !is_trusted_domain( user_info->domain ) ) return NT_STATUS_NOT_IMPLEMENTED; /* @@ -379,14 +379,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, + if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password, &sid, &last_change_time)) { - DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); + DEBUG(0, ("check_trustdomain_security: could not fetch trust " + "account password for domain %s\n", + user_info->domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } #ifdef DEBUG_PASSWORD - DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); + DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain, + trust_password)); #endif E_md4hash(trust_password, trust_md4_password); SAFE_FREE(trust_password); @@ -402,15 +405,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* use get_dc_name() for consistency even through we know that it will be a netbios name */ - if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, - user_info->domain.str, + user_info->domain, (uchar *)auth_context->challenge.data, server_info, dc_name, diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 2fef8f1e9b..2bf86860cc 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -115,6 +115,14 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } + + nt_status = create_local_token(auth_ntlmssp_state->server_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("create_local_token failed\n")); + return nt_status; + } + if (auth_ntlmssp_state->server_info->user_session_key.length) { DEBUG(10, ("Got NT session key of length %u\n", (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length)); @@ -179,7 +187,7 @@ void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context); } if ((*auth_ntlmssp_state)->server_info) { - free_server_info(&(*auth_ntlmssp_state)->server_info); + talloc_free((*auth_ntlmssp_state)->server_info); } talloc_destroy(mem_ctx); *auth_ntlmssp_state = NULL; diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index b561e3d42b..e310fa80fd 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -60,103 +60,101 @@ static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file) { - int plus_allowed = 1; - char *file_host; - char *file_user; - char **lines = file_lines_load(equiv_file, NULL); - int i; - - DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); - if (! lines) return False; - for (i=0; lines[i]; i++) { - char *buf = lines[i]; - trim_char(buf,' ',' '); - - if (buf[0] != '#' && buf[0] != '\n') - { - BOOL is_group = False; - int plus = 1; - char *bp = buf; - if (strcmp(buf, "NO_PLUS\n") == 0) - { - DEBUG(6, ("check_user_equiv NO_PLUS\n")); - plus_allowed = 0; - } - else { - if (buf[0] == '+') - { - bp++; - if (*bp == '\n' && plus_allowed) - { - /* a bare plus means everbody allowed */ - DEBUG(6, ("check_user_equiv everybody allowed\n")); - file_lines_free(lines); - return True; - } - } - else if (buf[0] == '-') - { - bp++; - plus = 0; - } - if (*bp == '@') - { - is_group = True; - bp++; + int plus_allowed = 1; + char *file_host; + char *file_user; + char **lines = file_lines_load(equiv_file, NULL,0); + int i; + + DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); + if (! lines) { + return False; } - file_host = strtok(bp, " \t\n"); - file_user = strtok(NULL, " \t\n"); - DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", - file_user ? file_user : "(null)" )); - if (file_host && *file_host) - { - BOOL host_ok = False; + for (i=0; lines[i]; i++) { + char *buf = lines[i]; + trim_char(buf,' ',' '); + + if (buf[0] != '#' && buf[0] != '\n') { + BOOL is_group = False; + int plus = 1; + char *bp = buf; + + if (strcmp(buf, "NO_PLUS\n") == 0) { + DEBUG(6, ("check_user_equiv NO_PLUS\n")); + plus_allowed = 0; + } else { + if (buf[0] == '+') { + bp++; + if (*bp == '\n' && plus_allowed) { + /* a bare plus means everbody allowed */ + DEBUG(6, ("check_user_equiv everybody allowed\n")); + file_lines_free(lines); + return True; + } + } else if (buf[0] == '-') { + bp++; + plus = 0; + } + if (*bp == '@') { + is_group = True; + bp++; + } + file_host = strtok(bp, " \t\n"); + file_user = strtok(NULL, " \t\n"); + DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", + file_user ? file_user : "(null)" )); + + if (file_host && *file_host) { + BOOL host_ok = False; #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) - if (is_group) - { - static char *mydomain = NULL; - if (!mydomain) - yp_get_default_domain(&mydomain); - if (mydomain && innetgr(file_host,remote,user,mydomain)) - host_ok = True; - } + if (is_group) { + static char *mydomain = NULL; + if (!mydomain) { + yp_get_default_domain(&mydomain); + } + if (mydomain && innetgr(file_host,remote,user,mydomain)) { + host_ok = True; + } + } #else - if (is_group) - { - DEBUG(1,("Netgroups not configured\n")); - continue; - } + if (is_group) { + DEBUG(1,("Netgroups not configured\n")); + continue; + } #endif - /* is it this host */ - /* the fact that remote has come from a call of gethostbyaddr - * means that it may have the fully qualified domain name - * so we could look up the file version to get it into - * a canonical form, but I would rather just type it - * in full in the equiv file - */ - if (!host_ok && !is_group && strequal(remote, file_host)) - host_ok = True; - - if (!host_ok) - continue; - - /* is it this user */ - if (file_user == 0 || strequal(user, file_user)) - { - DEBUG(5, ("check_user_equiv matched %s%s %s\n", - (plus ? "+" : "-"), file_host, - (file_user ? file_user : ""))); - file_lines_free(lines); - return (plus ? True : False); - } + /* is it this host */ + /* the fact that remote has come from a call of gethostbyaddr + * means that it may have the fully qualified domain name + * so we could look up the file version to get it into + * a canonical form, but I would rather just type it + * in full in the equiv file + */ + + if (!host_ok && !is_group && strequal(remote, file_host)) { + host_ok = True; + } + + if (!host_ok) { + continue; + } + + /* is it this user */ + if (file_user == 0 || strequal(user, file_user)) { + DEBUG(5, ("check_user_equiv matched %s%s %s\n", + (plus ? "+" : "-"), file_host, + (file_user ? file_user : ""))); + file_lines_free(lines); + return (plus ? True : False); + } + } + } + } } - } - } - } - file_lines_free(lines); - return False; + + file_lines_free(lines); + return False; } /**************************************************************************** @@ -169,7 +167,7 @@ static BOOL check_hosts_equiv(SAM_ACCOUNT *account) char *fname = NULL; fname = lp_hosts_equiv(); - if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid))) + if (!sid_to_uid(pdb_get_user_sid(account), &uid)) return False; /* note: don't allow hosts.equiv on root */ @@ -195,7 +193,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex NTSTATUS nt_status; SAM_ACCOUNT *account = NULL; if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username.str, + auth_get_sam_account(user_info->internal_username, &account))) { if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) nt_status = NT_STATUS_NOT_IMPLEMENTED; @@ -204,6 +202,9 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex if (check_hosts_equiv(account)) { nt_status = make_server_info_sam(server_info, account); + if (!NT_STATUS_IS_OK(nt_status)) { + pdb_free_sam(&account); + } } else { pdb_free_sam(&account); nt_status = NT_STATUS_NOT_IMPLEMENTED; @@ -241,7 +242,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, const char *home; if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username.str, + auth_get_sam_account(user_info->internal_username, &account))) { if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) nt_status = NT_STATUS_NOT_IMPLEMENTED; @@ -255,6 +256,9 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, become_root(); if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { nt_status = make_server_info_sam(server_info, account); + if (!NT_STATUS_IS_OK(nt_status)) { + pdb_free_sam(&account); + } } else { pdb_free_sam(&account); } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 558c181f70..fb53941b79 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -62,8 +62,8 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, &user_info->lm_resp, &user_info->nt_resp, &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd, username, - user_info->smb_name.str, - user_info->client_domain.str, + user_info->smb_name, + user_info->client_domain, lm_pw, nt_pw, user_sess_key, lm_sess_key); } @@ -177,22 +177,22 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, fstring tok; const char *s = workstation_list; - const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name.str); + const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name); if (machine_name == NULL) return NT_STATUS_NO_MEMORY; while (next_token(&s, tok, ",", sizeof(tok))) { - DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n", - tok, user_info->wksta_name.str, user_info->wksta_name.len)); - if(strequal(tok, user_info->wksta_name.str)) { + DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n", + tok, user_info->wksta_name)); + if(strequal(tok, user_info->wksta_name)) { invalid_ws = False; break; } if (tok[0] == '+') { DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", machine_name, tok + 1)); - if (user_in_group_list(machine_name, tok + 1, NULL, 0)) { + if (user_in_group(machine_name, tok + 1)) { invalid_ws = False; break; } @@ -257,11 +257,12 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, /* get the account information */ become_root(); - ret = pdb_getsampwnam(sampass, user_info->internal_username.str); + ret = pdb_getsampwnam(sampass, user_info->internal_username); unbecome_root(); if (ret == False) { - DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb.\n", user_info->internal_username.str)); + DEBUG(3,("check_sam_security: Couldn't find user '%s' in " + "passdb.\n", user_info->internal_username)); pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } @@ -294,7 +295,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } if (updated_autolock || updated_badpw){ become_root(); - if(!pdb_update_sam_account(sampass)) + if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass))) DEBUG(1, ("Failed to modify entry.\n")); unbecome_root(); } @@ -313,7 +314,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (updated_autolock || updated_badpw){ become_root(); - if(!pdb_update_sam_account(sampass)) + if(!NT_STATUS_IS_OK(pdb_update_sam_account(sampass))) DEBUG(1, ("Failed to modify entry.\n")); unbecome_root(); } @@ -329,13 +330,21 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); + pdb_free_sam(&sampass); data_blob_free(&user_sess_key); data_blob_free(&lm_sess_key); return nt_status; } - (*server_info)->user_session_key = user_sess_key; - (*server_info)->lm_session_key = lm_sess_key; + (*server_info)->user_session_key = + data_blob_talloc(*server_info, user_sess_key.data, + user_sess_key.length); + data_blob_free(&user_sess_key); + + (*server_info)->lm_session_key = + data_blob_talloc(*server_info, lm_sess_key.data, + lm_sess_key.length); + data_blob_free(&lm_sess_key); return nt_status; } @@ -369,8 +378,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context return NT_STATUS_LOGON_FAILURE; } - is_local_name = is_myname(user_info->domain.str); - is_my_domain = strequal(user_info->domain.str, lp_workgroup()); + is_local_name = is_myname(user_info->domain); + is_my_domain = strequal(user_info->domain, lp_workgroup()); /* check whether or not we service this domain/workgroup name */ @@ -379,7 +388,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context case ROLE_DOMAIN_MEMBER: if ( !is_local_name ) { DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n", - user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER + user_info->domain, (lp_server_role() == ROLE_DOMAIN_MEMBER ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") )); return NT_STATUS_NOT_IMPLEMENTED; } @@ -387,7 +396,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context case ROLE_DOMAIN_BDC: if ( !is_local_name && !is_my_domain ) { DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NOT_IMPLEMENTED; } default: /* name is ok */ diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 1a715fca31..1bc33ec59e 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -63,8 +63,8 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co return NT_STATUS_INVALID_PARAMETER; } - secret_str_len = strlen(user_info->domain.str) + 1 + - strlen(user_info->smb_name.str) + 1 + + secret_str_len = strlen(user_info->domain) + 1 + + strlen(user_info->smb_name) + 1 + 16 + 1 + /* 8 bytes of challenge going to 16 */ 48 + 1 + /* 24 bytes of challenge going to 48 */ 48 + 1; @@ -74,9 +74,9 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co return NT_STATUS_NO_MEMORY; } - safe_strcpy( secret_str, user_info->domain.str, secret_str_len - 1); + safe_strcpy( secret_str, user_info->domain, secret_str_len - 1); safe_strcat( secret_str, "\n", secret_str_len - 1); - safe_strcat( secret_str, user_info->smb_name.str, secret_str_len - 1); + safe_strcat( secret_str, user_info->smb_name, secret_str_len - 1); safe_strcat( secret_str, "\n", secret_str_len - 1); for (i = 0; i < 8; i++) { @@ -110,7 +110,7 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co if (ret) { DEBUG(1,("script_check_user_credentials: failed to authenticate %s\\%s\n", - user_info->domain.str, user_info->smb_name.str )); + user_info->domain, user_info->smb_name )); /* auth failed. */ return NT_STATUS_NO_SUCH_USER; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7bce32ef2b..8eed8bba6a 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -235,7 +235,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context * password file. */ - if(is_myname(user_info->domain.str)) { + if(is_myname(user_info->domain)) { DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); return nt_status; } @@ -296,7 +296,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context if ((!tested_password_server) && (lp_paranoid_server_security())) { if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), - (char *)badpass, sizeof(badpass), user_info->domain.str)) { + (char *)badpass, sizeof(badpass), user_info->domain)) { /* * We connected to the password server so we @@ -342,11 +342,11 @@ use this machine as the password server.\n")); if (!user_info->encrypted) { /* Plaintext available */ - if (!cli_session_setup(cli, user_info->smb_name.str, + if (!cli_session_setup(cli, user_info->smb_name, (char *)user_info->plaintext_password.data, user_info->plaintext_password.length, NULL, 0, - user_info->domain.str)) { + user_info->domain)) { DEBUG(1,("password server %s rejected the password\n", cli->desthost)); /* Make this cli_nt_error() when the conversion is in */ nt_status = cli_nt_error(cli); @@ -354,12 +354,12 @@ use this machine as the password server.\n")); nt_status = NT_STATUS_OK; } } else { - if (!cli_session_setup(cli, user_info->smb_name.str, + if (!cli_session_setup(cli, user_info->smb_name, (char *)user_info->lm_resp.data, user_info->lm_resp.length, (char *)user_info->nt_resp.data, user_info->nt_resp.length, - user_info->domain.str)) { + user_info->domain)) { DEBUG(1,("password server %s rejected the password\n", cli->desthost)); /* Make this cli_nt_error() when the conversion is in */ nt_status = cli_nt_error(cli); @@ -380,11 +380,11 @@ use this machine as the password server.\n")); fstring real_username; struct passwd *pass; - if ( (pass = smb_getpwnam( user_info->internal_username.str, + if ( (pass = smb_getpwnam( NULL, user_info->internal_username, real_username, True )) != NULL ) { nt_status = make_server_info_pw(server_info, pass->pw_name, pass); - passwd_free(&pass); + talloc_free(pass); } else { diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index f744cba0c4..df0703d348 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -62,7 +62,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password) /* Now write it into the file. */ become_root(); - ret = pdb_update_sam_account (sampass); + ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass)); unbecome_root(); @@ -91,13 +91,13 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, struct passwd *pass = NULL; become_root(); - pass = Get_Pwnam(user_info->internal_username.str); + pass = Get_Pwnam(user_info->internal_username); /** @todo This call assumes a ASCII password, no charset transformation is done. We may need to revisit this **/ nt_status = pass_check(pass, - pass ? pass->pw_name : user_info->internal_username.str, + pass ? pass->pw_name : user_info->internal_username, (char *)user_info->plaintext_password.data, user_info->plaintext_password.length-1, lp_update_encrypted() ? diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index eb15fff7c8..27dab9b9aa 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -5,6 +5,7 @@ Copyright (C) Andrew Bartlett 2001 Copyright (C) Jeremy Allison 2000-2001 Copyright (C) Rafal Szczesniak 2002 + Copyright (C) Volker Lendecke 2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +27,12 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + const DOM_SID *group_sid, + BOOL is_guest, + int num_groupsids, + const DOM_SID *groupsids); /**************************************************************************** Create a UNIX user on demand. @@ -78,42 +85,32 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("making strings for %s's user_info struct\n", internal_username)); - (*user_info)->smb_name.str = SMB_STRDUP(smb_name); - if ((*user_info)->smb_name.str) { - (*user_info)->smb_name.len = strlen(smb_name); - } else { + (*user_info)->smb_name = SMB_STRDUP(smb_name); + if ((*user_info)->smb_name == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->internal_username.str = SMB_STRDUP(internal_username); - if ((*user_info)->internal_username.str) { - (*user_info)->internal_username.len = strlen(internal_username); - } else { + (*user_info)->internal_username = SMB_STRDUP(internal_username); + if ((*user_info)->internal_username == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->domain.str = SMB_STRDUP(domain); - if ((*user_info)->domain.str) { - (*user_info)->domain.len = strlen(domain); - } else { + (*user_info)->domain = SMB_STRDUP(domain); + if ((*user_info)->domain == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->client_domain.str = SMB_STRDUP(client_domain); - if ((*user_info)->client_domain.str) { - (*user_info)->client_domain.len = strlen(client_domain); - } else { + (*user_info)->client_domain = SMB_STRDUP(client_domain); + if ((*user_info)->client_domain == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->wksta_name.str = SMB_STRDUP(wksta_name); - if ((*user_info)->wksta_name.str) { - (*user_info)->wksta_name.len = strlen(wksta_name); - } else { + (*user_info)->wksta_name = SMB_STRDUP(wksta_name); + if ((*user_info)->wksta_name == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } @@ -196,26 +193,28 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *client_domain, const char *wksta_name, uint32 logon_parameters, - const uchar *lm_network_pwd, int lm_pwd_len, - const uchar *nt_network_pwd, int nt_pwd_len) + const uchar *lm_network_pwd, + int lm_pwd_len, + const uchar *nt_network_pwd, + int nt_pwd_len) { BOOL ret; - NTSTATUS nt_status; + NTSTATUS status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - nt_status = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_pwd_len ? &lm_blob : NULL, - nt_pwd_len ? &nt_blob : NULL, - NULL, NULL, NULL, - True); + status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + lm_pwd_len ? &lm_blob : NULL, + nt_pwd_len ? &nt_blob : NULL, + NULL, NULL, NULL, + True); - if (NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(status)) { (*user_info)->logon_parameters = logon_parameters; } - ret = NT_STATUS_IS_OK(nt_status) ? True : False; + ret = NT_STATUS_IS_OK(status) ? True : False; data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -246,8 +245,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); - if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); - if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); + if (lm_interactive_pwd) + memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); + + if (nt_interactive_pwd) + memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); @@ -275,10 +277,12 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #endif if (lm_interactive_pwd) - SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); + SMBOWFencrypt((const unsigned char *)lm_pwd, chal, + local_lm_response); if (nt_interactive_pwd) - SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); + SMBOWFencrypt((const unsigned char *)nt_pwd, chal, + local_nt_response); /* Password info paranoia */ ZERO_STRUCT(key); @@ -293,26 +297,29 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB nt_interactive_blob; if (lm_interactive_pwd) { - local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd)); + local_lm_blob = data_blob(local_lm_response, + sizeof(local_lm_response)); + lm_interactive_blob = data_blob(lm_pwd, + sizeof(lm_pwd)); ZERO_STRUCT(lm_pwd); } if (nt_interactive_pwd) { - local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd)); + local_nt_blob = data_blob(local_nt_response, + sizeof(local_nt_response)); + nt_interactive_blob = data_blob(nt_pwd, + sizeof(nt_pwd)); ZERO_STRUCT(nt_pwd); } - nt_status = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_interactive_pwd ? &local_lm_blob : NULL, - nt_interactive_pwd ? &local_nt_blob : NULL, - lm_interactive_pwd ? &lm_interactive_blob : NULL, - nt_interactive_pwd ? &nt_interactive_blob : NULL, - NULL, - True); + nt_status = make_user_info_map( + user_info, + smb_name, client_domain, wksta_name, + lm_interactive_pwd ? &local_lm_blob : NULL, + nt_interactive_pwd ? &local_nt_blob : NULL, + lm_interactive_pwd ? &lm_interactive_blob : NULL, + nt_interactive_pwd ? &nt_interactive_blob : NULL, + NULL, True); if (NT_STATUS_IS_OK(nt_status)) { (*user_info)->logon_parameters = logon_parameters; @@ -347,17 +354,21 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, * Not encrypted - do so. */ - DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n")); + DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted " + "format.\n")); if (plaintext_password.data) { unsigned char local_lm_response[24]; #ifdef DEBUG_PASSWORD - DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length)); - dump_data(100, (const char *)plaintext_password.data, plaintext_password.length); + DEBUG(10,("Unencrypted password (len %d):\n", + (int)plaintext_password.length)); + dump_data(100, (const char *)plaintext_password.data, + plaintext_password.length); #endif - SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response); + SMBencrypt( (const char *)plaintext_password.data, + (const uchar*)chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be @@ -369,14 +380,14 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, local_nt_blob = data_blob(NULL, 0); } - ret = make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - local_lm_blob.data ? &local_lm_blob : NULL, - local_nt_blob.data ? &local_nt_blob : NULL, - NULL, NULL, - plaintext_password.data ? &plaintext_password : NULL, - False); + ret = make_user_info_map( + user_info, smb_name, client_domain, + get_remote_machine_name(), + local_lm_blob.data ? &local_lm_blob : NULL, + local_nt_blob.data ? &local_nt_blob : NULL, + NULL, NULL, + plaintext_password.data ? &plaintext_password : NULL, + False); data_blob_free(&local_lm_blob); return NT_STATUS_IS_OK(ret) ? True : False; @@ -426,7 +437,6 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { - fstring sid_str; size_t i; if (!token) { @@ -434,12 +444,15 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) return; } - DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", - sid_to_string(sid_str, &token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); + DEBUGC(dbg_class, dbg_lev, + ("NT user token of user %s\n", + sid_string_static(&token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, + ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, - sid_to_string(sid_str, &token->user_sids[i]))); + DEBUGADDC(dbg_class, dbg_lev, + ("SID[%3lu]: %s\n", (unsigned long)i, + sid_string_static(&token->user_sids[i]))); dump_se_priv( dbg_class, dbg_lev, &token->privileges ); } @@ -448,464 +461,568 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) prints a UNIX 'token' to debug output. ****************************************************************************/ -void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups) +void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, + int n_groups, gid_t *groups) { int i; - DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid)); + DEBUGC(dbg_class, dbg_lev, + ("UNIX token of user %ld\n", (long int)uid)); - DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups)); + DEBUGADDC(dbg_class, dbg_lev, + ("Primary group is %ld and contains %i supplementary " + "groups\n", (long int)gid, n_groups)); for (i = 0; i < n_groups; i++) DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, (long int)groups[i])); } -/**************************************************************************** - Create the SID list for this user. -****************************************************************************/ +/****************************************************************************** + Create a token for the root user to be used internally by smbd. + This is similar to running under the context of the LOCAL_SYSTEM account + in Windows. This is a read-only token. Do not modify it or free() it. + Create a copy if your need to change it. +******************************************************************************/ -static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, - int n_groupSIDs, DOM_SID *groupSIDs, - BOOL is_guest, NT_USER_TOKEN **token) +NT_USER_TOKEN *get_root_nt_token( void ) { - NTSTATUS nt_status = NT_STATUS_OK; - NT_USER_TOKEN *ptoken; - int i; - int sid_ndx; - DOM_SID domadm; - BOOL is_domain_admin = False; - BOOL domain_mode = False; + static NT_USER_TOKEN *token = NULL; + DOM_SID u_sid, g_sid; + struct passwd *pw; - if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) { - DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n")); - nt_status = NT_STATUS_NO_MEMORY; - return nt_status; + if ( token ) + return token; + + if ( !(pw = getpwnam( "root" )) ) { + DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); + return NULL; } + + /* get the user and primary group SIDs; although the + BUILTIN\Administrators SId is really the one that matters here */ + + uid_to_sid(&u_sid, pw->pw_uid); + gid_to_sid(&g_sid, pw->pw_gid); - ZERO_STRUCTP(ptoken); + token = create_local_nt_token(NULL, &u_sid, &g_sid, False, + 1, &global_sid_Builtin_Administrators); + return token; +} - ptoken->num_sids = n_groupSIDs + 5; +static int server_info_dtor(void *p) +{ + auth_serversupplied_info *server_info = + talloc_get_type_abort(p, auth_serversupplied_info); - if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) { - DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n")); - nt_status = NT_STATUS_NO_MEMORY; - return nt_status; + if (server_info->sam_account != NULL) { + pdb_free_sam(&server_info->sam_account); } - - memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids); - - /* - * Note - user SID *MUST* be first in token ! - * se_access_check depends on this. - * - * Primary group SID is second in token. Convention. - */ - sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid); - if (group_sid) - sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid); + ZERO_STRUCTP(server_info); + return 0; +} - /* - * Finally add the "standard" SIDs. - * The only difference between guest and "anonymous" (which we - * don't really support) is the addition of Authenticated_Users. - */ +/*************************************************************************** + Make a server_info struct. Free with talloc_free(). +***************************************************************************/ + +static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) +{ + struct auth_serversupplied_info *result; - sid_copy(&ptoken->user_sids[2], &global_sid_World); - sid_copy(&ptoken->user_sids[3], &global_sid_Network); + result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info); + if (result == NULL) { + DEBUG(0, ("talloc failed\n")); + return NULL; + } - if (is_guest) - sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests); - else - sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users); - - sid_ndx = 5; /* next available spot */ - - /* this is where we construct the domain admins SID if we can - so that we can add the BUILTIN\Administrators SID to the token */ - - ZERO_STRUCT( domadm ); - if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) { - domain_mode = True; - - if ( IS_DC ) - sid_copy( &domadm, get_global_sam_sid() ); - else { - /* if we a re a member server and cannot find - out domain SID then reset the domain_mode flag */ - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) - domain_mode = False; - } + talloc_set_destructor(result, server_info_dtor); + + /* Initialise the uid and gid values to something non-zero + which may save us from giving away root access if there + is a bug in allocating these fields. */ + + result->uid = -1; + result->gid = -1; + return result; +} - sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) +{ + NTSTATUS status; + struct passwd *pwd; + gid_t *gids; + auth_serversupplied_info *result; + + pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); + if ( pwd == NULL ) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); + return NT_STATUS_NO_SUCH_USER; } - - /* add the group SIDs to teh token */ - - for (i = 0; i < n_groupSIDs; i++) { - size_t check_sid_idx; - for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (sid_equal(&ptoken->user_sids[check_sid_idx], - &groupSIDs[i])) { - break; - } - } - - if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { - sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]); - } else { - ptoken->num_sids--; - } - - /* here we check if the user is a domain admin and add the - BUILTIN\Administrators SID to the token the group membership - check succeeds. */ - if ( domain_mode ) { - if ( sid_equal( &domadm, &groupSIDs[i] ) ) - is_domain_admin = True; - } - + result = make_server_info(NULL); + if (result == NULL) { + talloc_free(pwd); + return NT_STATUS_NO_MEMORY; } - /* finally realloc the SID array and add the BUILTIN\Administrators - SID if necessary */ + result->sam_account = sampass; + result->unix_name = talloc_strdup(result, pwd->pw_name); + result->gid = pwd->pw_gid; + result->uid = pwd->pw_uid; + + talloc_free(pwd); - if ( is_domain_admin ) { - DOM_SID *sids; + status = pdb_enum_group_memberships(result, sampass, + &result->sids, &gids, + &result->num_sids); - if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) ) - DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1)); - else { - ptoken->user_sids = sids; - sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators ); - } + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", + nt_errstr(status))); + result->sam_account = NULL; /* Don't free on error exit. */ + talloc_free(result); + return status; } - /* add privileges assigned to this user */ + /* For now we throw away the gids and convert via sid_to_gid + * later. This needs fixing, but I'd like to get the code straight and + * simple first. */ + talloc_free(gids); - get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); - - debug_nt_user_token(DBGC_AUTH, 10, ptoken); - - if ((lp_log_nt_token_command() != NULL) && - (strlen(lp_log_nt_token_command()) > 0)) { - TALLOC_CTX *mem_ctx; - char *command; - char *group_sidstr; - - mem_ctx = talloc_init("setnttoken"); - if (mem_ctx == NULL) - return NT_STATUS_NO_MEMORY; + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", + pdb_get_username(sampass), result->unix_name)); - group_sidstr = talloc_strdup(mem_ctx, ""); - for (i=1; inum_sids; i++) { - group_sidstr = talloc_asprintf( - mem_ctx, "%s %s", group_sidstr, - sid_string_static(&ptoken->user_sids[i])); - } + *server_info = result; - command = talloc_string_sub( - mem_ctx, lp_log_nt_token_command(), - "%s", sid_string_static(&ptoken->user_sids[0])); - command = talloc_string_sub( - mem_ctx, command, "%t", group_sidstr); + return NT_STATUS_OK; +} + +/* + * Add alias SIDs from memberships within the partially created token SID list + */ - if (command == NULL) { - talloc_destroy(mem_ctx); +static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, + struct nt_user_token *token) +{ + uint32 *aliases; + size_t i, num_aliases; + NTSTATUS status; + + aliases = NULL; + num_aliases = 0; + + status = pdb_enum_alias_memberships(tmp_ctx, domain_sid, + token->user_sids, + token->num_sids, + &aliases, &num_aliases); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", + nt_errstr(status))); + return status; + } + + for (i=0; iuser_sids, + &token->num_sids); + if (token->user_sids == NULL) { + DEBUG(0, ("add_sid_to_array failed\n")); return NT_STATUS_NO_MEMORY; } + } - DEBUG(8, ("running command: [%s]\n", command)); - if (smbrun(command, NULL) != 0) { - DEBUG(0, ("Could not log NT token\n")); - nt_status = NT_STATUS_ACCESS_DENIED; - } - talloc_destroy(mem_ctx); + return NT_STATUS_OK; +} + +static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) +{ + char *command; + char *group_sidstr; + size_t i; + + if ((lp_log_nt_token_command() == NULL) || + (strlen(lp_log_nt_token_command()) == 0)) { + return NT_STATUS_OK; } - *token = ptoken; + group_sidstr = talloc_strdup(tmp_ctx, ""); + for (i=1; inum_sids; i++) { + group_sidstr = talloc_asprintf( + tmp_ctx, "%s %s", group_sidstr, + sid_string_static(&token->user_sids[i])); + } - return nt_status; -} + command = talloc_string_sub( + tmp_ctx, lp_log_nt_token_command(), + "%s", sid_string_static(&token->user_sids[0])); + command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr); -/**************************************************************************** - Create the SID list for this user. -****************************************************************************/ + if (command == NULL) { + return NT_STATUS_NO_MEMORY; + } + + DEBUG(8, ("running command: [%s]\n", command)); + if (smbrun(command, NULL) != 0) { + DEBUG(0, ("Could not log NT token\n")); + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} -NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest) +/* + * Create a NT token for the user, expanding local aliases + */ + +static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + const DOM_SID *group_sid, + BOOL is_guest, + int num_groupsids, + const DOM_SID *groupsids) { - DOM_SID user_sid; - DOM_SID group_sid; - DOM_SID *group_sids; - NT_USER_TOKEN *token; + TALLOC_CTX *tmp_ctx; + struct nt_user_token *result = NULL; int i; + NTSTATUS status; - if (!NT_STATUS_IS_OK(uid_to_sid(&user_sid, uid))) { + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); return NULL; } - if (!NT_STATUS_IS_OK(gid_to_sid(&group_sid, gid))) { - return NULL; + + result = TALLOC_ZERO_P(tmp_ctx, NT_USER_TOKEN); + if (result == NULL) { + DEBUG(0, ("talloc failed\n")); + goto done; } - group_sids = SMB_MALLOC_ARRAY(DOM_SID, ngroups); - if (!group_sids) { - DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); - return NULL; + /* First create the default SIDs */ + + add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids); + add_sid_to_array(result, group_sid, + &result->user_sids, &result->num_sids); + add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids); + add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids); + + if (is_guest) { + add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, &result->num_sids); + } else { + add_sid_to_array(result, &global_sid_Authenticated_Users, + &result->user_sids, &result->num_sids); } - /* convert the Unix group ids to SIDS */ + /* Now the SIDs we got from authentication. These are the ones from + * the info3 struct or from the pdb_enum_group_memberships, depending + * on who authenticated the user. */ - for (i = 0; i < ngroups; i++) { - if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) { - DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); - SAFE_FREE(group_sids); - return NULL; - } + for (i=0; iuser_sids, &result->num_sids); } - if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, - ngroups, group_sids, is_guest, &token))) { - SAFE_FREE(group_sids); - return NULL; + if (lp_winbind_nested_groups()) { + + /* Now add the aliases. First the one from our local SAM */ + + status = add_aliases(tmp_ctx, get_global_sam_sid(), result); + + if (!NT_STATUS_IS_OK(status)) { + result = NULL; + goto done; + } + + /* Finally the builtin ones */ + + status = add_aliases(tmp_ctx, &global_sid_Builtin, result); + + if (!NT_STATUS_IS_OK(status)) { + result = NULL; + goto done; + } + } else { + + /* Play jerry's trick to auto-add local admins if we're a + * domain admin. */ + + DOM_SID dom_admins; + BOOL domain_mode = False; + + if (IS_DC) { + sid_compose(&dom_admins, get_global_sam_sid(), + DOMAIN_GROUP_RID_ADMINS); + domain_mode = True; + } + if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && + (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) { + sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); + domain_mode = True; + } + + if (domain_mode) { + for (i=0; inum_sids; i++) { + if (sid_equal(&dom_admins, + &result->user_sids[i])) { + add_sid_to_array_unique( + result, + &global_sid_Builtin_Administrators, + &result->user_sids, + &result->num_sids); + break; + } + } + + } } - SAFE_FREE(group_sids); + get_privileges_for_sids(&result->privileges, result->user_sids, + result->num_sids); - return token; + talloc_steal(mem_ctx, result); + + done: + talloc_free(tmp_ctx); + return result; } -/****************************************************************************** - Create a token for the root user to be used internally by smbd. - This is similar to running under the context of the LOCAL_SYSTEM account - in Windows. This is a read-only token. Do not modify it or free() it. - Create a copy if your need to change it. -******************************************************************************/ +/* + * Create the token to use from server_info->sam_account and + * server_info->sids (the info3/sam groups). Find the unix gids. + */ -NT_USER_TOKEN *get_root_nt_token( void ) +NTSTATUS create_local_token(auth_serversupplied_info *server_info) { - static NT_USER_TOKEN *token = NULL; - DOM_SID u_sid, g_sid; - DOM_SID g_sids[1]; - struct passwd *pw; - NTSTATUS result; + TALLOC_CTX *mem_ctx; + NTSTATUS status; + size_t i; - if ( token ) - return token; - - if ( !(pw = getpwnam( "root" )) ) { - DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); - return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return NT_STATUS_NO_MEMORY; } + + server_info->ptok = create_local_nt_token( + server_info, + pdb_get_user_sid(server_info->sam_account), + pdb_get_group_sid(server_info->sam_account), + server_info->guest, + server_info->num_sids, server_info->sids); - /* get the user and primary group SIDs; although the - BUILTIN\Administrators SId is really the one that matters here */ - - if ( !NT_STATUS_IS_OK(uid_to_sid(&u_sid, pw->pw_uid)) ) - return NULL; - if ( !NT_STATUS_IS_OK(gid_to_sid(&g_sid, pw->pw_gid)) ) - return NULL; - - sid_copy( &g_sids[0], &global_sid_Builtin_Administrators ); - - result = create_nt_user_token( &u_sid, &g_sid, 1, g_sids, False, &token); + /* Convert the SIDs to gids. */ + + server_info->n_groups = 0; + server_info->groups = NULL; + + /* Start at index 1, where the groups start. */ + + for (i=1; iptok->num_sids; i++) { + gid_t gid; + DOM_SID *sid = &server_info->ptok->user_sids[i]; + + if (!sid_to_gid(sid, &gid)) { + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", sid_string_static(sid))); + continue; + } + add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups); + } - return NT_STATUS_IS_OK(result) ? token : NULL; + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); + + status = log_nt_token(mem_ctx, server_info->ptok); + + talloc_free(mem_ctx); + return status; } -/****************************************************************************** - * this function returns the groups (SIDs) of the local SAM the user is in. - * If this samba server is a DC of the domain the user belongs to, it returns - * both domain groups and local / builtin groups. If the user is in a trusted - * domain, or samba is a member server of a domain, then this function returns - * local and builtin groups the user is a member of. +/* + * Create an artificial NT token given just a username. (Initially indended + * for force user) * - * currently this is a hack, as there is no sam implementation that is capable - * of groups. + * We go through lookup_name() to avoid problems we had with 'winbind use + * default domain'. * - * NOTE!! This function will fail if you pass in a winbind user without - * the domain --jerry - ******************************************************************************/ - -static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, - size_t *n_groups, DOM_SID **groups, gid_t **unix_groups) + * We have 3 cases: + * + * unmapped unix users: Go directly to nss to find the user's group. + * + * A passdb user: The list of groups is provided by pdb_enum_group_memberships. + * + * If the user is provided by winbind, the primary gid is set to "domain + * users" of the user's domain. For an explanation why this is necessary, see + * the thread starting at + * http://lists.samba.org/archive/samba-technical/2006-January/044803.html. + */ + +NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, + BOOL is_guest, + uid_t *uid, gid_t *gid, + char **found_username, + struct nt_user_token **token) { - int n_unix_groups; - int i; + NTSTATUS result = NT_STATUS_NO_SUCH_USER; + TALLOC_CTX *tmp_ctx; + DOM_SID user_sid; + enum SID_NAME_USE type; + gid_t *gids; + DOM_SID primary_group_sid; + DOM_SID *group_sids; + size_t num_group_sids; - *n_groups = 0; - *groups = NULL; + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return NT_STATUS_NO_MEMORY; + } - if (strchr(username, *lp_winbind_separator()) == NULL) { - NTSTATUS result; + if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL, + NULL, NULL, &user_sid, &type)) { + DEBUG(1, ("lookup_name for %s failed\n", username)); + goto done; + } - become_root(); - result = pdb_enum_group_memberships(username, gid, groups, - unix_groups, n_groups); - unbecome_root(); - return result; + if (type != SID_NAME_USER) { + DEBUG(1, ("%s is a %s, not a user\n", username, + sid_type_lookup(type))); + goto done; } - /* We have the separator, this must be winbind */ - - n_unix_groups = winbind_getgroups( username, unix_groups ); + if (!sid_to_uid(&user_sid, uid)) { + DEBUG(1, ("sid_to_uid for %s (%s) failed\n", + username, sid_string_static(&user_sid))); + goto done; + } - DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", - username, n_unix_groups == -1 ? "FAIL" : "SUCCESS")); - - if ( n_unix_groups == -1 ) - return NT_STATUS_NO_SUCH_USER; /* what should this return - * value be? */ + if (sid_check_is_in_unix_users(&user_sid)) { - debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); - - /* now setup the space for storing the SIDS */ - - if (n_unix_groups > 0) { - - *groups = SMB_MALLOC_ARRAY(DOM_SID, n_unix_groups); - - if (!*groups) { - DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n")); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_MEMORY; + /* This is a unix user not in passdb. We need to ask nss + * directly, without consulting passdb */ + + struct passwd *pass; + size_t i; + + pass = getpwuid_alloc(tmp_ctx, *uid); + if (pass == NULL) { + DEBUG(1, ("getpwuid(%d) for user %s failed\n", + *uid, username)); + goto done; } - } - *n_groups = n_unix_groups; + *gid = pass->pw_gid; + gid_to_sid(&primary_group_sid, pass->pw_gid); - for (i = 0; i < *n_groups; i++) { - if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { - DEBUG(1, ("get_user_groups: failed to convert gid %ld to a sid!\n", - (long int)(*unix_groups)[i+1])); - SAFE_FREE(*groups); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_SUCH_USER; + if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, + &gids, &num_group_sids)) { + DEBUG(1, ("getgroups_unix_user for user %s failed\n", + username)); + goto done; } - } - - return NT_STATUS_OK; -} -/*************************************************************************** - Make a user_info struct -***************************************************************************/ + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } -static NTSTATUS make_server_info(auth_serversupplied_info **server_info) -{ - *server_info = SMB_MALLOC_P(auth_serversupplied_info); - if (!*server_info) { - DEBUG(0,("make_server_info: malloc failed!\n")); - return NT_STATUS_NO_MEMORY; - } - ZERO_STRUCTP(*server_info); + for (i=0; ipw_name); - /* Initialise the uid and gid values to something non-zero - which may save us from giving away root access if there - is a bug in allocating these fields. */ + } else if (sid_check_is_in_our_domain(&user_sid)) { - (*server_info)->uid = -1; - (*server_info)->gid = -1; + /* This is a passdb user, so ask passdb */ - return NT_STATUS_OK; -} + SAM_ACCOUNT *sam_acct = NULL; -/*************************************************************************** -Fill a server_info struct from a SAM_ACCOUNT with their groups -***************************************************************************/ + result = pdb_init_sam_talloc(tmp_ctx, &sam_acct); + if (!NT_STATUS_IS_OK(result)) { + goto done; + } -static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, - const char * unix_username, - SAM_ACCOUNT *sampass, - uid_t uid, gid_t gid) -{ - NTSTATUS nt_status; - const DOM_SID *user_sid = pdb_get_user_sid(sampass); - const DOM_SID *group_sid = pdb_get_group_sid(sampass); - size_t n_groupSIDs = 0; - DOM_SID *groupSIDs = NULL; - gid_t *unix_groups = NULL; - NT_USER_TOKEN *token; - BOOL is_guest; - uint32 rid; + if (!pdb_getsampwsid(sam_acct, &user_sid)) { + DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", + sid_string_static(&user_sid), username)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } - nt_status = get_user_groups(unix_username, uid, gid, - &n_groupSIDs, &groupSIDs, &unix_groups); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(4,("get_user_groups_from_local_sam failed\n")); - free_server_info(server_info); - return nt_status; - } - - is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST); + sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct)); - if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid, - n_groupSIDs, groupSIDs, is_guest, - &token))) - { - DEBUG(4,("create_nt_user_token failed\n")); - SAFE_FREE(groupSIDs); - SAFE_FREE(unix_groups); - free_server_info(server_info); - return nt_status; - } - - SAFE_FREE(groupSIDs); + result = pdb_enum_group_memberships(tmp_ctx, sam_acct, + &group_sids, &gids, + &num_group_sids); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10, ("enum_group_memberships failed for %s\n", + username)); + goto done; + } - (*server_info)->n_groups = n_groupSIDs; - (*server_info)->groups = unix_groups; - (*server_info)->ptok = token; + *found_username = talloc_strdup(mem_ctx, + pdb_get_username(sam_acct)); - return nt_status; -} + } else { -/*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT -***************************************************************************/ + /* This user is from winbind, force the primary gid to the + * user's "domain users" group. Under certain circumstances + * (user comes from NT4), this might be a loss of + * information. But we can not rely on winbind getting the + * correct info. AD might prohibit winbind looking up that + * information. */ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) -{ - NTSTATUS nt_status; - struct passwd *pwd; + uint32 dummy; - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) - return nt_status; + sid_copy(&primary_group_sid, &user_sid); + sid_split_rid(&primary_group_sid, &dummy); + sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS); - (*server_info)->sam_account = sampass; + if (!sid_to_gid(&primary_group_sid, gid)) { + DEBUG(1, ("sid_to_gid(%s) failed\n", + sid_string_static(&primary_group_sid))); + goto done; + } - if ( !(pwd = getpwnam_alloc(pdb_get_username(sampass))) ) { - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", - pdb_get_username(sampass))); - free_server_info(server_info); - return NT_STATUS_NO_SUCH_USER; - } - (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); - (*server_info)->gid = pwd->pw_gid; - (*server_info)->uid = pwd->pw_uid; - - passwd_free(&pwd); + num_group_sids = 0; + group_sids = NULL; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, pdb_get_username(sampass), - sampass, - (*server_info)->uid, - (*server_info)->gid))) - { - free_server_info(server_info); - return nt_status; + *found_username = talloc_strdup(mem_ctx, username); } - (*server_info)->sam_fill_level = SAM_FILL_ALL; - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", - pdb_get_username(sampass), - (*server_info)->unix_name)); + *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid, + is_guest, num_group_sids, group_sids); - return nt_status; + if ((*token == NULL) || (*found_username == NULL)) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + + result = NT_STATUS_OK; + done: + talloc_free(tmp_ctx); + return result; } /*************************************************************************** - Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion - to a SAM_ACCOUNT + Make (and fill) a user_info struct from a Kerberos PAC logon_info by + conversion to a SAM_ACCOUNT ***************************************************************************/ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, @@ -913,16 +1030,22 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, struct passwd *pwd, PAC_LOGON_INFO *logon_info) { - NTSTATUS nt_status; + NTSTATUS status; SAM_ACCOUNT *sampass = NULL; DOM_SID user_sid, group_sid; fstring dom_name; + auth_serversupplied_info *result; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { - return nt_status; + status = pdb_init_sam_pw(&sampass, pwd); + + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { - return nt_status; + + result = make_server_info(NULL); + if (result == NULL) { + pdb_free_sam(&sampass); + return NT_STATUS_NO_MEMORY; } /* only copy user_sid, group_sid and domain name out of the PAC for @@ -941,20 +1064,18 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET); - (*server_info)->sam_account = sampass; + result->sam_account = sampass; + result->unix_name = talloc_strdup(result, unix_username); + result->uid = pwd->pw_uid; + result->gid = pwd->pw_gid; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, - sampass, pwd->pw_uid, pwd->pw_gid))) - { - return nt_status; - } + /* TODO: Add groups from pac */ + result->sids = NULL; + result->num_sids = 0; - (*server_info)->unix_name = smb_xstrdup(unix_username); + *server_info = result; - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->uid = pwd->pw_uid; - (*server_info)->gid = pwd->pw_gid; - return nt_status; + return NT_STATUS_OK; } @@ -967,93 +1088,172 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, char *unix_username, struct passwd *pwd) { - NTSTATUS nt_status; + NTSTATUS status; SAM_ACCOUNT *sampass = NULL; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { - return nt_status; + gid_t *gids; + auth_serversupplied_info *result; + + status = pdb_init_sam_pw(&sampass, pwd); + + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { - return nt_status; + + result = make_server_info(NULL); + + if (!NT_STATUS_IS_OK(status)) { + pdb_free_sam(&sampass); + return status; } - (*server_info)->sam_account = sampass; + result->sam_account = sampass; + result->unix_name = talloc_strdup(result, unix_username); + result->uid = pwd->pw_uid; + result->gid = pwd->pw_gid; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, - sampass, pwd->pw_uid, pwd->pw_gid))) - { - return nt_status; + status = pdb_enum_group_memberships(result, sampass, + &result->sids, &gids, + &result->num_sids); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", + nt_errstr(status))); + talloc_free(result); + return status; } - (*server_info)->unix_name = smb_xstrdup(unix_username); + /* For now we throw away the gids and convert via sid_to_gid + * later. This needs fixing, but I'd like to get the code straight and + * simple first. */ + talloc_free(gids); - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->uid = pwd->pw_uid; - (*server_info)->gid = pwd->pw_gid; - return nt_status; + *server_info = result; + + return NT_STATUS_OK; } /*************************************************************************** Make (and fill) a user_info struct for a guest login. + This *must* succeed for smbd to start. If there is no mapping entry for + the guest gid, then create one. ***************************************************************************/ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { - NTSTATUS nt_status; + NTSTATUS status; SAM_ACCOUNT *sampass = NULL; DOM_SID guest_sid; + BOOL ret; + static const char zeros[16]; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { - return nt_status; + status = pdb_init_sam(&sampass); + + if (!NT_STATUS_IS_OK(status)) { + return status; } sid_copy(&guest_sid, get_global_sam_sid()); sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); become_root(); - if (!pdb_getsampwsid(sampass, &guest_sid)) { - unbecome_root(); + ret = pdb_getsampwsid(sampass, &guest_sid); + unbecome_root(); + + if (!ret) { + pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } - unbecome_root(); - nt_status = make_server_info_sam(server_info, sampass); + status = make_server_info_sam(server_info, sampass); - if (NT_STATUS_IS_OK(nt_status)) { - static const char zeros[16]; - (*server_info)->guest = True; - - /* annoying, but the Guest really does have a session key, - and it is all zeros! */ - (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); - (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); + if (!NT_STATUS_IS_OK(status)) { + + /* If there was no initial group mapping for the nobody user, + create one*/ + + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { + GROUP_MAP map; + struct passwd *pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); + + if ( pwd == NULL ) { + DEBUG(1, ("No guest user %s!\n", + pdb_get_username(sampass))); + pdb_free_sam(&sampass); + return NT_STATUS_NO_SUCH_USER; + } + + map.gid = pwd->pw_gid; + sid_copy(&map.sid, get_global_sam_sid()); + sid_append_rid(&map.sid, DOMAIN_GROUP_RID_GUESTS); + map.sid_name_use = SID_NAME_DOM_GRP; + fstrcpy(map.nt_name, "Domain Guests"); + map.comment[0] = '\0'; + + if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) { + DEBUG(1, ("Could not update group database for guest user %s\n", + pdb_get_username(sampass) )); + talloc_free(pwd); + pdb_free_sam(&sampass); + return NT_STATUS_NO_SUCH_USER; + } + + talloc_free(pwd); + + /* And try again. */ + status = make_server_info_sam(server_info, sampass); + } + + if (!NT_STATUS_IS_OK(status)) { + pdb_free_sam(&sampass); + return status; + } } + + (*server_info)->guest = True; - return nt_status; + status = create_local_token(*server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("create_local_token failed: %s\n", + nt_errstr(status))); + return status; + } + + /* annoying, but the Guest really does have a session key, and it is + all zeros! */ + (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); + (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); + + return NT_STATUS_OK; } static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) { auth_serversupplied_info *dst; - if (!NT_STATUS_IS_OK(make_server_info(&dst))) + dst = make_server_info(NULL); + if (dst == NULL) { return NULL; + } dst->guest = src->guest; dst->uid = src->uid; dst->gid = src->gid; dst->n_groups = src->n_groups; if (src->n_groups != 0) - dst->groups = memdup(src->groups, sizeof(gid_t)*dst->n_groups); + dst->groups = talloc_memdup(dst, src->groups, + sizeof(gid_t)*dst->n_groups); else dst->groups = NULL; - dst->ptok = dup_nt_token(src->ptok); - dst->user_session_key = data_blob(src->user_session_key.data, - src->user_session_key.length); - dst->lm_session_key = data_blob(src->lm_session_key.data, - src->lm_session_key.length); + dst->ptok = dup_nt_token(dst, src->ptok); + dst->user_session_key = data_blob_talloc( + dst, src->user_session_key.data, + src->user_session_key.length); + dst->lm_session_key = data_blob_talloc( + dst, src->lm_session_key.data, + src->lm_session_key.length); pdb_copy_sam_account(src->sam_account, &dst->sam_account); dst->pam_handle = NULL; - dst->unix_name = smb_xstrdup(src->unix_name); + dst->unix_name = talloc_strdup(dst, src->unix_name); return dst; } @@ -1103,7 +1303,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, map_username( dom_user ); - if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) + if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; *uid = passwd->pw_uid; @@ -1121,7 +1321,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username)); nt_status = pdb_init_sam_pw(sam_account, passwd); - passwd_free(&passwd); + talloc_free(passwd); return nt_status; } @@ -1131,7 +1331,8 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, the username if we fallback to the username only. ****************************************************************************/ -struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) +struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, + fstring save_username, BOOL create ) { struct passwd *pw = NULL; char *p; @@ -1154,7 +1355,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if ( p ) { fstring strip_username; - pw = Get_Pwnam_alloc( domuser ); + pw = Get_Pwnam_alloc( mem_ctx, domuser ); if ( pw ) { /* make sure we get the case of the username correct */ /* work around 'winbind use default domain = yes' */ @@ -1185,7 +1386,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) /* just lookup a plain username */ - pw = Get_Pwnam_alloc(username); + pw = Get_Pwnam_alloc(mem_ctx, username); /* Create local user if requested. */ @@ -1195,7 +1396,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) return NULL; smb_create_user(NULL, username, NULL); - pw = Get_Pwnam_alloc(username); + pw = Get_Pwnam_alloc(mem_ctx, username); } /* one last check for a valid passwd struct */ @@ -1231,15 +1432,10 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; - size_t n_lgroupSIDs; - DOM_SID *lgroupSIDs = NULL; - - gid_t *unix_groups = NULL; - NT_USER_TOKEN *token; - - DOM_SID *all_group_SIDs; size_t i; + auth_serversupplied_info *result; + /* Here is where we should check the list of trusted domains, and verify that the SID @@ -1257,12 +1453,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { - /* If the server didn't give us one, just use the one we sent them */ + /* If the server didn't give us one, just use the one we sent + * them */ nt_username = sent_nt_username; } if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { - /* If the server didn't give us one, just use the one we sent them */ + /* If the server didn't give us one, just use the one we sent + * them */ nt_domain = domain; } @@ -1271,21 +1469,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, We use the _unmapped_ username here in an attempt to provide consistent username mapping behavior between kerberos and NTLM[SSP] - authentication in domain mode security. I.E. Username mapping should - be applied to the fully qualified username (e.g. DOMAIN\user) and - no just the login name. Yes this mean swe called map_username() - unnecessarily in make_user_info_map() but that is how the current - code is designed. Making the change here is the least disruptive - place. -- jerry */ + authentication in domain mode security. I.E. Username mapping + should be applied to the fully qualified username + (e.g. DOMAIN\user) and not just the login name. Yes this means we + called map_username() unnecessarily in make_user_info_map() but + that is how the current code is designed. Making the change here + is the least disruptive place. -- jerry */ nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, &sam_account); + &found_username, &uid, &gid, + &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); + DEBUG(3,("User %s does not exist, trying to add it\n", + internal_username)); smb_create_user( nt_domain, sent_nt_username, NULL); - nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, &sam_account ); + nt_status = fill_sam_account( mem_ctx, nt_domain, + sent_nt_username, + &found_username, &uid, &gid, + &sam_account ); } /* if we still don't have a valid unix account check for @@ -1326,96 +1528,77 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), + if (!pdb_set_fullname(sam_account, + unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { + if (!pdb_set_logon_script(sam_account, + unistr2_static(&(info3->uni_logon_script)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { + if (!pdb_set_profile_path(sam_account, + unistr2_static(&(info3->uni_profile_path)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { + if (!pdb_set_homedir(sam_account, + unistr2_static(&(info3->uni_home_dir)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { + if (!pdb_set_dir_drive(sam_account, + unistr2_static(&(info3->uni_dir_drive)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + result = make_server_info(NULL); + if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); - return nt_status; + return NT_STATUS_NO_MEMORY; } /* save this here to _net_sam_logon() doesn't fail (it assumes a valid SAM_ACCOUNT) */ - (*server_info)->sam_account = sam_account; - - (*server_info)->unix_name = smb_xstrdup(found_username); + result->sam_account = sam_account; + result->unix_name = talloc_strdup(result, found_username); /* Fill in the unix info we found on the way */ - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->uid = uid; - (*server_info)->gid = gid; - - /* Store the user group information in the server_info - returned to the caller. */ - - nt_status = get_user_groups((*server_info)->unix_name, - uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups); - - if ( !NT_STATUS_IS_OK(nt_status) ) { - DEBUG(4,("get_user_groups failed\n")); - return nt_status; - } + result->uid = uid; + result->gid = gid; - (*server_info)->groups = unix_groups; - (*server_info)->n_groups = n_lgroupSIDs; - /* Create a 'combined' list of all SIDs we might want in the SD */ - - all_group_SIDs = SMB_MALLOC_ARRAY(DOM_SID,info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs); - - if (!all_group_SIDs) { - DEBUG(0, ("malloc() failed for DOM_SID list!\n")); - SAFE_FREE(lgroupSIDs); - free_server_info(server_info); - return NT_STATUS_NO_MEMORY; - } + + result->num_sids = 0; + result->sids = NULL; /* and create (by appending rids) the 'domain' sids */ for (i = 0; i < info3->num_groups2; i++) { - - sid_copy(&all_group_SIDs[i], &(info3->dom_sid.sid)); - - if (!sid_append_rid(&all_group_SIDs[i], info3->gids[i].g_rid)) { - - nt_status = NT_STATUS_INVALID_PARAMETER; - - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->gids[i].g_rid)); - - SAFE_FREE(lgroupSIDs); - SAFE_FREE(all_group_SIDs); - free_server_info(server_info); - - return nt_status; - + DOM_SID sid; + if (!sid_compose(&sid, &info3->dom_sid.sid, + info3->gids[i].g_rid)) { + DEBUG(3,("could not append additional group rid " + "0x%x\n", info3->gids[i].g_rid)); + talloc_free(result); + return NT_STATUS_INVALID_PARAMETER; } + add_sid_to_array(result, &sid, &result->sids, + &result->num_sids); } /* Copy 'other' sids. We need to do sid filtering here to @@ -1425,56 +1608,33 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->num_other_sids; i++) { - sid_copy(&all_group_SIDs[info3->num_groups2 + i], - &info3->other_sids[i].sid); - } - - - /* add local alias sids */ - - for (i = 0; i < n_lgroupSIDs; i++) { - sid_copy(&all_group_SIDs[info3->num_groups2 + - info3->num_other_sids + i], - &lgroupSIDs[i]); - } - - /* Where are the 'global' sids... */ - - /* can the user be guest? if yes, where is it stored? */ - - nt_status = create_nt_user_token(&user_sid, &group_sid, - info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs, - all_group_SIDs, False, &token); - - if ( !NT_STATUS_IS_OK(nt_status) ) { - DEBUG(4,("create_nt_user_token failed\n")); - SAFE_FREE(lgroupSIDs); - SAFE_FREE(all_group_SIDs); - free_server_info(server_info); - return nt_status; + add_sid_to_array(result, &info3->other_sids[i].sid, + &result->sids, + &result->num_sids); } - (*server_info)->login_server = unistr2_tdup(mem_ctx, - &(info3->uni_logon_srv)); - - (*server_info)->ptok = token; - - SAFE_FREE(lgroupSIDs); - SAFE_FREE(all_group_SIDs); + result->login_server = unistr2_tdup(result, + &(info3->uni_logon_srv)); /* ensure we are never given NULL session keys */ if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { - (*server_info)->user_session_key = data_blob(NULL, 0); + result->user_session_key = data_blob(NULL, 0); } else { - (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); + result->user_session_key = data_blob_talloc( + result, info3->user_sess_key, + sizeof(info3->user_sess_key)); } if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { - (*server_info)->lm_session_key = data_blob(NULL, 0); + result->lm_session_key = data_blob(NULL, 0); } else { - (*server_info)->lm_session_key = data_blob(info3->lm_sess_key, sizeof(info3->lm_sess_key)); - } + result->lm_session_key = data_blob_talloc( + result, info3->lm_sess_key, + sizeof(info3->lm_sess_key)); + } + + *server_info = result; return NT_STATUS_OK; } @@ -1487,14 +1647,15 @@ void free_user_info(auth_usersupplied_info **user_info) { DEBUG(5,("attempting to free (and zero) a user_info structure\n")); if (*user_info != NULL) { - if ((*user_info)->smb_name.str) { - DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + if ((*user_info)->smb_name) { + DEBUG(10,("structure was created for %s\n", + (*user_info)->smb_name)); } - SAFE_FREE((*user_info)->smb_name.str); - SAFE_FREE((*user_info)->internal_username.str); - SAFE_FREE((*user_info)->client_domain.str); - SAFE_FREE((*user_info)->domain.str); - SAFE_FREE((*user_info)->wksta_name.str); + SAFE_FREE((*user_info)->smb_name); + SAFE_FREE((*user_info)->internal_username); + SAFE_FREE((*user_info)->client_domain); + SAFE_FREE((*user_info)->domain); + SAFE_FREE((*user_info)->wksta_name); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); data_blob_clear_free(&(*user_info)->lm_interactive_pwd); @@ -1505,27 +1666,6 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE(*user_info); } -/*************************************************************************** - Clear out a server_info struct that has been allocated -***************************************************************************/ - -void free_server_info(auth_serversupplied_info **server_info) -{ - DEBUG(5,("attempting to free (and zero) a server_info structure\n")); - if (*server_info != NULL) { - pdb_free_sam(&(*server_info)->sam_account); - - /* call pam_end here, unless we know we are keeping it */ - delete_nt_token( &(*server_info)->ptok ); - SAFE_FREE((*server_info)->groups); - SAFE_FREE((*server_info)->unix_name); - data_blob_free(&(*server_info)->lm_session_key); - data_blob_free(&(*server_info)->user_session_key); - ZERO_STRUCT(**server_info); - } - SAFE_FREE(*server_info); -} - /*************************************************************************** Make an auth_methods struct ***************************************************************************/ @@ -1533,11 +1673,13 @@ void free_server_info(auth_serversupplied_info **server_info) BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) { if (!auth_context) { - smb_panic("no auth_context supplied to make_auth_methods()!\n"); + smb_panic("no auth_context supplied to " + "make_auth_methods()!\n"); } if (!auth_method) { - smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); + smb_panic("make_auth_methods: pointer to auth_method pointer " + "is NULL!\n"); } *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods); @@ -1550,41 +1692,29 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me return True; } -/**************************************************************************** - Delete a SID token. -****************************************************************************/ - -void delete_nt_token(NT_USER_TOKEN **pptoken) -{ - if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); - } - SAFE_FREE(*pptoken); -} - /**************************************************************************** Duplicate a SID token. ****************************************************************************/ -NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) +NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) { NT_USER_TOKEN *token; if (!ptoken) return NULL; - if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) + token = TALLOC_P(mem_ctx, NT_USER_TOKEN); + if (token == NULL) { + DEBUG(0, ("talloc failed\n")); return NULL; + } - ZERO_STRUCTP(token); - - token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - - if ( !token ) { - SAFE_FREE(token); + token->user_sids = talloc_memdup(token, ptoken->user_sids, + sizeof(DOM_SID) * ptoken->num_sids ); + + if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { + DEBUG(0, ("talloc_memdup failed\n")); + talloc_free(token); return NULL; } @@ -1593,7 +1723,8 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) /* copy the privileges; don't consider failure to be critical here */ if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. Continuing with 0 privileges assigned.\n")); + DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. " + "Continuing with 0 privileges assigned.\n")); } return token; @@ -1603,7 +1734,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) Check for a SID in an NT_USER_TOKEN ****************************************************************************/ -static BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) +BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) { int i; @@ -1626,9 +1757,10 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) a DC or standalone server, use our own SID */ if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) { - DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n", - lp_workgroup())); + if ( !secrets_fetch_domain_sid( lp_workgroup(), + &domain_sid ) ) { + DEBUG(1,("nt_token_check_domain_rid: Cannot lookup " + "SID for domain [%s]\n", lp_workgroup())); return False; } } @@ -1662,9 +1794,10 @@ BOOL is_trusted_domain(const char* dom_name) if ( IS_DC ) { become_root(); - DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n", - dom_name )); - ret = secrets_fetch_trusted_domain_password(dom_name, NULL, NULL, NULL); + DEBUG (5,("is_trusted_domain: Checking for domain trust with " + "[%s]\n", dom_name )); + ret = secrets_fetch_trusted_domain_password(dom_name, NULL, + NULL, NULL); unbecome_root(); if (ret) return True; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index ad72bd9a1f..6e2f26a572 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -71,13 +71,13 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (!auth_context) { DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", - user_info->internal_username.str)); + user_info->internal_username)); return NT_STATUS_INVALID_PARAMETER; } - if (strequal(user_info->domain.str, get_global_sam_name())) { + if (strequal(user_info->domain, get_global_sam_name())) { DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NOT_IMPLEMENTED; } @@ -90,12 +90,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, request.data.auth_crap.logon_parameters = user_info->logon_parameters; - fstrcpy(request.data.auth_crap.user, - user_info->smb_name.str); - fstrcpy(request.data.auth_crap.domain, - user_info->domain.str); - fstrcpy(request.data.auth_crap.workstation, - user_info->wksta_name.str); + fstrcpy(request.data.auth_crap.user, user_info->smb_name); + fstrcpy(request.data.auth_crap.domain, user_info->domain); + fstrcpy(request.data.auth_crap.workstation, user_info->wksta_name); memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); @@ -131,8 +128,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { nt_status = make_server_info_info3(mem_ctx, - user_info->internal_username.str, - user_info->smb_name.str, user_info->domain.str, + user_info->internal_username, + user_info->smb_name, user_info->domain, server_info, &info3); } -- cgit From f351b9c6eb05fc051d639ee47e3dd56a4de7ec16 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 Feb 2006 04:03:47 +0000 Subject: r13382: added server affinity cache stores for 'net rpc join' and trusted domain code (This used to be commit 9eb743584d32cdb67e0512ac915c34565bce1c01) --- source3/auth/auth_domain.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 81ae7c1340..c91cbf7af1 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -210,6 +210,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, return nt_status; } + /* store a successful connection */ + + saf_store( domain, cli->desthost ); + ZERO_STRUCT(info3); /* -- cgit From 75ef18fa7510d894ccc4540d82616110c3166db3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 11 Feb 2006 21:27:08 +0000 Subject: r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285) --- source3/auth/auth_util.c | 54 +++++++----------------------------------------- 1 file changed, 8 insertions(+), 46 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 27dab9b9aa..1567b6e40b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -558,15 +558,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, gid_t *gids; auth_serversupplied_info *result; - pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); - if ( pwd == NULL ) { + if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", pdb_get_username(sampass))); return NT_STATUS_NO_SUCH_USER; } - result = make_server_info(NULL); - if (result == NULL) { + if ( !(result = make_server_info(NULL)) ) { talloc_free(pwd); return NT_STATUS_NO_MEMORY; } @@ -1136,7 +1134,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, Make (and fill) a user_info struct for a guest login. This *must* succeed for smbd to start. If there is no mapping entry for the guest gid, then create one. -***************************************************************************/ +********************** +*****************************************************/ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { @@ -1165,48 +1164,9 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf } status = make_server_info_sam(server_info, sampass); - if (!NT_STATUS_IS_OK(status)) { - - /* If there was no initial group mapping for the nobody user, - create one*/ - - if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { - GROUP_MAP map; - struct passwd *pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); - - if ( pwd == NULL ) { - DEBUG(1, ("No guest user %s!\n", - pdb_get_username(sampass))); - pdb_free_sam(&sampass); - return NT_STATUS_NO_SUCH_USER; - } - - map.gid = pwd->pw_gid; - sid_copy(&map.sid, get_global_sam_sid()); - sid_append_rid(&map.sid, DOMAIN_GROUP_RID_GUESTS); - map.sid_name_use = SID_NAME_DOM_GRP; - fstrcpy(map.nt_name, "Domain Guests"); - map.comment[0] = '\0'; - - if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) { - DEBUG(1, ("Could not update group database for guest user %s\n", - pdb_get_username(sampass) )); - talloc_free(pwd); - pdb_free_sam(&sampass); - return NT_STATUS_NO_SUCH_USER; - } - - talloc_free(pwd); - - /* And try again. */ - status = make_server_info_sam(server_info, sampass); - } - - if (!NT_STATUS_IS_OK(status)) { - pdb_free_sam(&sampass); - return status; - } + pdb_free_sam(&sampass); + return status; } (*server_info)->guest = True; @@ -1264,6 +1224,8 @@ BOOL init_guest_info(void) { if (guest_info != NULL) return True; + + return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); } -- cgit From 301d51e13a1aa4e633e2da161b0dd260a8a499cd Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 13 Feb 2006 17:08:25 +0000 Subject: r13494: Merge the stuff I've done in head the last days. Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899) --- source3/auth/auth_util.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1567b6e40b..ad02b24a42 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1018,6 +1018,72 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, return result; } +/*************************************************************************** + Build upon create_token_from_username: + + Expensive helper function to figure out whether a user given its name is + member of a particular group. +***************************************************************************/ +BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) +{ + NTSTATUS status; + uid_t uid; + gid_t gid; + char *found_username; + struct nt_user_token *token; + BOOL result; + + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return False; + } + + status = create_token_from_username(mem_ctx, username, False, + &uid, &gid, &found_username, + &token); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("could not create token for %s\n", username)); + return False; + } + + result = nt_token_check_sid(group_sid, token); + + talloc_free(mem_ctx); + return result; + +} + +BOOL user_in_group(const char *username, const char *groupname) +{ + TALLOC_CTX *mem_ctx; + DOM_SID group_sid; + NTSTATUS status; + BOOL ret; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return False; + } + + ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL, + NULL, NULL, &group_sid, NULL); + talloc_free(mem_ctx); + + if (!ret) { + DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname, + nt_errstr(status))); + return False; + } + + return user_in_group_sid(username, &group_sid); +} + + /*************************************************************************** Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion to a SAM_ACCOUNT -- cgit From 14c4d535d25250f9535b66e68cff169300739f78 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 17 Feb 2006 13:30:34 +0000 Subject: r13541: we have to wrap pen_enum_group_memberships() in become/unbecome_root() blocks. This fixes the problem I had with missing groups in the net_samlogon() reply from a Samba PDC. (This used to be commit 06b83fe35048c84dfd68be2ee656317c51e89bce) --- source3/auth/auth_sam.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index fb53941b79..2ab42f7e11 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -328,7 +328,11 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { + become_root(); + nt_status = make_server_info_sam(server_info, sampass); + unbecome_root(); + + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); pdb_free_sam(&sampass); data_blob_free(&user_sess_key); -- cgit From fb5362c069b5b6548478b2217a0519c56d856705 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Feb 2006 17:59:58 +0000 Subject: r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2) --- source3/auth/auth_compat.c | 2 +- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_server.c | 2 +- source3/auth/auth_util.c | 30 +++++++++++++++--------------- 4 files changed, 18 insertions(+), 18 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 28b9de8d43..bd5d7f0229 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -84,7 +84,7 @@ static NTSTATUS pass_check_smb(const char *smb_name, } else { nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info); } - talloc_free(server_info); + TALLOC_FREE(server_info); return nt_status; } diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 2bf86860cc..1d3d17d60d 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -187,7 +187,7 @@ void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context); } if ((*auth_ntlmssp_state)->server_info) { - talloc_free((*auth_ntlmssp_state)->server_info); + TALLOC_FREE((*auth_ntlmssp_state)->server_info); } talloc_destroy(mem_ctx); *auth_ntlmssp_state = NULL; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 8eed8bba6a..7bec1b4128 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -384,7 +384,7 @@ use this machine as the password server.\n")); real_username, True )) != NULL ) { nt_status = make_server_info_pw(server_info, pass->pw_name, pass); - talloc_free(pass); + TALLOC_FREE(pass); } else { diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ad02b24a42..3e7c520fc5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -522,7 +522,7 @@ static int server_info_dtor(void *p) } /*************************************************************************** - Make a server_info struct. Free with talloc_free(). + Make a server_info struct. Free with TALLOC_FREE(). ***************************************************************************/ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) @@ -565,7 +565,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } if ( !(result = make_server_info(NULL)) ) { - talloc_free(pwd); + TALLOC_FREE(pwd); return NT_STATUS_NO_MEMORY; } @@ -574,7 +574,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, result->gid = pwd->pw_gid; result->uid = pwd->pw_uid; - talloc_free(pwd); + TALLOC_FREE(pwd); status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, @@ -584,14 +584,14 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", nt_errstr(status))); result->sam_account = NULL; /* Don't free on error exit. */ - talloc_free(result); + TALLOC_FREE(result); return status; } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ - talloc_free(gids); + TALLOC_FREE(gids); DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", pdb_get_username(sampass), result->unix_name)); @@ -793,7 +793,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, talloc_steal(mem_ctx, result); done: - talloc_free(tmp_ctx); + TALLOC_FREE(tmp_ctx); return result; } @@ -846,7 +846,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) status = log_nt_token(mem_ctx, server_info->ptok); - talloc_free(mem_ctx); + TALLOC_FREE(mem_ctx); return status; } @@ -1014,7 +1014,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, result = NT_STATUS_OK; done: - talloc_free(tmp_ctx); + TALLOC_FREE(tmp_ctx); return result; } @@ -1052,7 +1052,7 @@ BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) result = nt_token_check_sid(group_sid, token); - talloc_free(mem_ctx); + TALLOC_FREE(mem_ctx); return result; } @@ -1072,7 +1072,7 @@ BOOL user_in_group(const char *username, const char *groupname) ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL, NULL, NULL, &group_sid, NULL); - talloc_free(mem_ctx); + TALLOC_FREE(mem_ctx); if (!ret) { DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname, @@ -1182,14 +1182,14 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", nt_errstr(status))); - talloc_free(result); + TALLOC_FREE(result); return status; } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ - talloc_free(gids); + TALLOC_FREE(gids); *server_info = result; @@ -1349,7 +1349,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username)); nt_status = pdb_init_sam_pw(sam_account, passwd); - talloc_free(passwd); + TALLOC_FREE(passwd); return nt_status; } @@ -1622,7 +1622,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, info3->gids[i].g_rid)) { DEBUG(3,("could not append additional group rid " "0x%x\n", info3->gids[i].g_rid)); - talloc_free(result); + TALLOC_FREE(result); return NT_STATUS_INVALID_PARAMETER; } add_sid_to_array(result, &sid, &result->sids, @@ -1742,7 +1742,7 @@ NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { DEBUG(0, ("talloc_memdup failed\n")); - talloc_free(token); + TALLOC_FREE(token); return NULL; } -- cgit From 2203bed32c84c63737f402accf73452efb76b483 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Feb 2006 20:09:36 +0000 Subject: r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0) --- source3/auth/auth.c | 2 +- source3/auth/auth_rhosts.c | 25 ++++++++++----------- source3/auth/auth_sam.c | 18 ++++++++-------- source3/auth/auth_unix.c | 10 ++++----- source3/auth/auth_util.c | 54 +++++++++++++++++++++++----------------------- 5 files changed, 55 insertions(+), 54 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 6dc30383d5..5329e736ff 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -196,7 +196,7 @@ static BOOL check_domain_match(const char *user, const char *domain) * function auth_get_challenge(). * * @param server_info If successful, contains information about the authentication, - * including a SAM_ACCOUNT struct describing the user. + * including a struct samu struct describing the user. * * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. * diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index e310fa80fd..7068fa2e88 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -24,16 +24,17 @@ #define DBGC_CLASS DBGC_AUTH /**************************************************************************** - Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from + Create a struct samu - either by looking in the pdb, or by faking it up from unix info. ****************************************************************************/ -static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) +static NTSTATUS auth_get_sam_account(const char *user, struct samu **account) { BOOL pdb_ret; NTSTATUS nt_status; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { - return nt_status; + + if ( !(*account = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; } become_root(); @@ -161,7 +162,7 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e check for a possible hosts equiv or rhosts entry for the user ****************************************************************************/ -static BOOL check_hosts_equiv(SAM_ACCOUNT *account) +static BOOL check_hosts_equiv(struct samu *account) { uid_t uid; char *fname = NULL; @@ -191,7 +192,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex auth_serversupplied_info **server_info) { NTSTATUS nt_status; - SAM_ACCOUNT *account = NULL; + struct samu *account = NULL; if (!NT_STATUS_IS_OK(nt_status = auth_get_sam_account(user_info->internal_username, &account))) { @@ -203,10 +204,10 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex if (check_hosts_equiv(account)) { nt_status = make_server_info_sam(server_info, account); if (!NT_STATUS_IS_OK(nt_status)) { - pdb_free_sam(&account); + TALLOC_FREE(account); } } else { - pdb_free_sam(&account); + TALLOC_FREE(account); nt_status = NT_STATUS_NOT_IMPLEMENTED; } @@ -237,7 +238,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status; - SAM_ACCOUNT *account = NULL; + struct samu *account = NULL; pstring rhostsfile; const char *home; @@ -257,14 +258,14 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { nt_status = make_server_info_sam(server_info, account); if (!NT_STATUS_IS_OK(nt_status)) { - pdb_free_sam(&account); + TALLOC_FREE(account); } } else { - pdb_free_sam(&account); + TALLOC_FREE(account); } unbecome_root(); } else { - pdb_free_sam(&account); + TALLOC_FREE(account); nt_status = NT_STATUS_NOT_IMPLEMENTED; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 2ab42f7e11..6f8ca387d2 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -35,7 +35,7 @@ extern struct timeval smb_last_time; static NTSTATUS sam_password_ok(const struct auth_context *auth_context, TALLOC_CTX *mem_ctx, - SAM_ACCOUNT *sampass, + struct samu *sampass, const auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) @@ -73,7 +73,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, bitmask. ****************************************************************************/ -static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) +static BOOL logon_hours_ok(struct samu *sampass) { /* In logon hours first bit is Sunday from 12AM to 1AM */ const uint8 *hours; @@ -108,12 +108,12 @@ static BOOL logon_hours_ok(SAM_ACCOUNT *sampass) } /**************************************************************************** - Do a specific test for a SAM_ACCOUNT being vaild for this connection + Do a specific test for a struct samu being vaild for this connection (ie not disabled, expired and the like). ****************************************************************************/ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, - SAM_ACCOUNT *sampass, + struct samu *sampass, const auth_usersupplied_info *user_info) { uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); @@ -236,7 +236,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - SAM_ACCOUNT *sampass=NULL; + struct samu *sampass=NULL; BOOL ret; NTSTATUS nt_status; NTSTATUS update_login_attempts_status; @@ -263,7 +263,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (ret == False) { DEBUG(3,("check_sam_security: Couldn't find user '%s' in " "passdb.\n", user_info->internal_username)); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_NO_SUCH_USER; } @@ -301,7 +301,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } data_blob_free(&user_sess_key); data_blob_free(&lm_sess_key); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return nt_status; } @@ -322,7 +322,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); data_blob_free(&user_sess_key); data_blob_free(&lm_sess_key); return nt_status; @@ -334,7 +334,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); data_blob_free(&user_sess_key); data_blob_free(&lm_sess_key); return nt_status; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index df0703d348..1d29389716 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -30,7 +30,7 @@ **/ static BOOL update_smbpassword_file(const char *user, const char *password) { - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; BOOL ret; pdb_init_sam(&sampass); @@ -41,7 +41,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password) if(ret == False) { DEBUG(0,("pdb_getsampwnam returned NULL\n")); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return False; } @@ -50,12 +50,12 @@ static BOOL update_smbpassword_file(const char *user, const char *password) * users password from a login. */ if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return False; } if (!pdb_set_plaintext_passwd (sampass, password)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return False; } @@ -70,7 +70,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password) DEBUG(3,("pdb_update_sam_account returned %d\n",ret)); } - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return ret; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3e7c520fc5..7e6ab021b4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -514,7 +514,7 @@ static int server_info_dtor(void *p) talloc_get_type_abort(p, auth_serversupplied_info); if (server_info->sam_account != NULL) { - pdb_free_sam(&server_info->sam_account); + TALLOC_FREE(server_info->sam_account); } ZERO_STRUCTP(server_info); @@ -547,11 +547,11 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) } /*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT + Make (and fill) a user_info struct from a struct samu ***************************************************************************/ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) + struct samu *sampass) { NTSTATUS status; struct passwd *pwd; @@ -949,7 +949,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ - SAM_ACCOUNT *sam_acct = NULL; + struct samu *sam_acct = NULL; result = pdb_init_sam_talloc(tmp_ctx, &sam_acct); if (!NT_STATUS_IS_OK(result)) { @@ -1086,7 +1086,7 @@ BOOL user_in_group(const char *username, const char *groupname) /*************************************************************************** Make (and fill) a user_info struct from a Kerberos PAC logon_info by - conversion to a SAM_ACCOUNT + conversion to a struct samu ***************************************************************************/ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, @@ -1095,7 +1095,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, PAC_LOGON_INFO *logon_info) { NTSTATUS status; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; DOM_SID user_sid, group_sid; fstring dom_name; auth_serversupplied_info *result; @@ -1108,7 +1108,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, result = make_server_info(NULL); if (result == NULL) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_NO_MEMORY; } @@ -1145,7 +1145,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, /*************************************************************************** Make (and fill) a user_info struct from a 'struct passwd' by conversion - to a SAM_ACCOUNT + to a struct samu ***************************************************************************/ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, @@ -1153,7 +1153,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, struct passwd *pwd) { NTSTATUS status; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; gid_t *gids; auth_serversupplied_info *result; @@ -1166,7 +1166,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, result = make_server_info(NULL); if (!NT_STATUS_IS_OK(status)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return status; } @@ -1206,7 +1206,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { NTSTATUS status; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; DOM_SID guest_sid; BOOL ret; static const char zeros[16]; @@ -1225,13 +1225,13 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf unbecome_root(); if (!ret) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_NO_SUCH_USER; } status = make_server_info_sam(server_info, sampass); if (!NT_STATUS_IS_OK(status)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return status; } @@ -1311,7 +1311,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, const char *username, char **found_username, uid_t *uid, gid_t *gid, - SAM_ACCOUNT **sam_account) + struct samu **sam_account) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1453,7 +1453,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, const char *nt_domain; const char *nt_username; - SAM_ACCOUNT *sam_account = NULL; + struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; @@ -1532,74 +1532,74 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_UNSUCCESSFUL; } if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_UNSUCCESSFUL; } if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } /* save this here to _net_sam_logon() doesn't fail (it assumes a - valid SAM_ACCOUNT) */ + valid struct samu) */ result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); -- cgit From cd559192633d78a9f06e239c6a448955f6ea0842 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 21 Feb 2006 14:34:11 +0000 Subject: r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new() * replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix() (This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f) --- source3/auth/auth_rhosts.c | 19 ++++++++-------- source3/auth/auth_sam.c | 5 +++-- source3/auth/auth_unix.c | 6 +++-- source3/auth/auth_util.c | 55 ++++++++++++++++++++++++---------------------- 4 files changed, 46 insertions(+), 39 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 7068fa2e88..23e276bc84 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -31,7 +31,7 @@ static NTSTATUS auth_get_sam_account(const char *user, struct samu **account) { BOOL pdb_ret; - NTSTATUS nt_status; + NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; if ( !(*account = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -41,17 +41,18 @@ static NTSTATUS auth_get_sam_account(const char *user, struct samu **account) pdb_ret = pdb_getsampwnam(*account, user); unbecome_root(); - if (!pdb_ret) { - - struct passwd *pass = Get_Pwnam(user); - if (!pass) - return NT_STATUS_NO_SUCH_USER; + if (!pdb_ret) + { + struct passwd *pass; - if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { - return nt_status; + if ( !(pass = Get_Pwnam( user )) ) { + return NT_STATUS_NO_SUCH_USER; } + + nt_status = samu_set_unix( *account, pass ); } - return NT_STATUS_OK; + + return nt_status; } /**************************************************************************** diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 6f8ca387d2..f06eb83ba1 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -250,8 +250,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, /* Can't use the talloc version here, because the returned struct gets kept on the server_info */ - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { - return nt_status; + + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; } /* get the account information */ diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 1d29389716..efe5203b23 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -30,10 +30,12 @@ **/ static BOOL update_smbpassword_file(const char *user, const char *password) { - struct samu *sampass = NULL; + struct samu *sampass; BOOL ret; - pdb_init_sam(&sampass); + if ( !(sampass = samu_new( NULL )) ) { + return False; + } become_root(); ret = pdb_getsampwnam(sampass, user); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7e6ab021b4..bc929fc81d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -172,7 +172,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, and let the "passdb backend" handle unknown users. */ if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) ) - domain = get_default_sam_name(); + domain = my_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ @@ -492,7 +492,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) if ( token ) return token; - if ( !(pw = getpwnam( "root" )) ) { + if ( !(pw = sys_getpwnam( "root" )) ) { DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); return NULL; } @@ -951,8 +951,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, struct samu *sam_acct = NULL; - result = pdb_init_sam_talloc(tmp_ctx, &sam_acct); - if (!NT_STATUS_IS_OK(result)) { + if ( !(sam_acct = samu_new( tmp_ctx )) ) { goto done; } @@ -1100,9 +1099,12 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, fstring dom_name; auth_serversupplied_info *result; - status = pdb_init_sam_pw(&sampass, pwd); - - if (!NT_STATUS_IS_OK(status)) { + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + + status = samu_set_unix( sampass, pwd ); + if ( !NT_STATUS_IS_OK(status) ) { return status; } @@ -1157,8 +1159,11 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, gid_t *gids; auth_serversupplied_info *result; - status = pdb_init_sam_pw(&sampass, pwd); - + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + + status = samu_set_unix( sampass, pwd ); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -1211,10 +1216,8 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf BOOL ret; static const char zeros[16]; - status = pdb_init_sam(&sampass); - - if (!NT_STATUS_IS_OK(status)) { - return status; + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; } sid_copy(&guest_sid, get_global_sam_sid()); @@ -1311,7 +1314,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, const char *username, char **found_username, uid_t *uid, gid_t *gid, - struct samu **sam_account) + struct samu *account) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1345,11 +1348,12 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username = talloc_strdup( mem_ctx, real_username ); - DEBUG(5,("fill_sam_account: located username was [%s]\n", - *found_username)); + DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); - nt_status = pdb_init_sam_pw(sam_account, passwd); + nt_status = samu_set_unix( account, passwd ); + TALLOC_FREE(passwd); + return nt_status; } @@ -1452,7 +1456,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, char *found_username; const char *nt_domain; const char *nt_username; - struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; @@ -1504,30 +1507,30 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, that is how the current code is designed. Making the change here is the least disruptive place. -- jerry */ + if ( !(sam_account = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, - &sam_account); + &found_username, &uid, &gid, sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); smb_create_user( nt_domain, sent_nt_username, NULL); - nt_status = fill_sam_account( mem_ctx, nt_domain, - sent_nt_username, - &found_username, &uid, &gid, - &sam_account ); + nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, + &found_username, &uid, &gid, sam_account ); } /* if we still don't have a valid unix account check for 'map to gues = bad uid' */ if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE( sam_account ); if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { make_server_info_guest(server_info); return NT_STATUS_OK; } - - DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); return nt_status; } -- cgit From d95e13e68f3c7ac517a45877b351849ef4a99b93 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 24 Feb 2006 21:36:40 +0000 Subject: r13679: Commiting the rm_primary_group.patch posted on samba-technical * ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84) --- source3/auth/auth_util.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bc929fc81d..1d6a3a21a8 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1273,14 +1273,18 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) sizeof(gid_t)*dst->n_groups); else dst->groups = NULL; + dst->ptok = dup_nt_token(dst, src->ptok); - dst->user_session_key = data_blob_talloc( - dst, src->user_session_key.data, + + dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data, src->user_session_key.length); - dst->lm_session_key = data_blob_talloc( - dst, src->lm_session_key.data, + + dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data, src->lm_session_key.length); - pdb_copy_sam_account(src->sam_account, &dst->sam_account); + + if ( (dst->sam_account = samu_new( NULL )) != NULL ) + pdb_copy_sam_account(dst->sam_account, src->sam_account); + dst->pam_handle = NULL; dst->unix_name = talloc_strdup(dst, src->unix_name); -- cgit From 49739134adb58d0a90c0f0d6f63ca8e6d1d5493a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 27 Feb 2006 02:14:26 +0000 Subject: r13705: Fix a typo (and janitor for myself). (This used to be commit 37b0166d3f15bfcf155b0c3d927cc838b8f55c3c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1d6a3a21a8..e5cf840c03 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1527,7 +1527,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* if we still don't have a valid unix account check for - 'map to gues = bad uid' */ + 'map to guest = bad user' */ if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( sam_account ); -- cgit From bd97e1a5eae982feda5e5bbd08e7f4e3b6473baf Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 27 Feb 2006 02:44:41 +0000 Subject: r13706: Fix typo in typo fix. (-: (This used to be commit 06be7711269acbcd481ebdef5b9493dab138c81c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e5cf840c03..2de362cabe 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1527,7 +1527,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* if we still don't have a valid unix account check for - 'map to guest = bad user' */ + 'map to guest = bad uid' */ if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( sam_account ); -- cgit From e54786b53543b4667288c64abb55478fddd95061 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 27 Feb 2006 10:32:45 +0000 Subject: r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7) --- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_util.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index f06eb83ba1..740170d73d 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -40,7 +40,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) { - uint16 acct_ctrl; + uint32 acct_ctrl; const uint8 *lm_pw, *nt_pw; const char *username = pdb_get_username(sampass); @@ -116,7 +116,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, struct samu *sampass, const auth_usersupplied_info *user_info) { - uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); + uint32 acct_ctrl = pdb_get_acct_ctrl(sampass); char *workstation_list; time_t kickoff_time; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2de362cabe..1f853e5eb9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1598,6 +1598,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + if (!pdb_set_acct_ctrl(sam_account, info3->acct_flags, PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); -- cgit From 5f76ee419e98bb113eead87eac9a1d7fee80e82f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 7 Mar 2006 20:14:47 +0000 Subject: r13981: Fix Coverity bug # 138 (This used to be commit 303067ba3bdf34ab501f0d99e386cfdb6ab10233) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1f853e5eb9..065e9d1899 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -76,7 +76,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); *user_info = SMB_MALLOC_P(auth_usersupplied_info); - if (!user_info) { + if (*user_info == NULL) { DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info))); return NT_STATUS_NO_MEMORY; } -- cgit From 29c8cef22d48cdc95f121d6e3eea66d471a1e4fb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 Mar 2006 15:18:14 +0000 Subject: r14042: check that create_local_nt_token() succeeds before dereferncing the NT_USER_TOKEN* (This used to be commit 4e5df4cb643886144d0fff4cac303e493c825955) --- source3/auth/auth_util.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 065e9d1899..263d8f2df7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -821,6 +821,10 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); + + if ( !server_info->ptok ) { + return NT_STATUS_NO_SUCH_USER; + } /* Convert the SIDs to gids. */ -- cgit From 1de2983de4ea1a482c294a9ecce8437cc35ff7ee Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 9 Mar 2006 22:31:37 +0000 Subject: r14112: * fix checks on return code from register_vuid() which could actually fail and we would still return success in the SMBsesssetup reply :-( * Make sure to create the local token for the server_fino struct in reply_spnego_kerberos() so that register_vuid() does not fail. (how did this ever work?) (This used to be commit 8dafa45b97020d1aceb027a85e18401c965bf402) --- source3/auth/auth_util.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 263d8f2df7..357da1fdb7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1301,8 +1301,6 @@ BOOL init_guest_info(void) { if (guest_info != NULL) return True; - - return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); } -- cgit From d3d4e224785cae86b99cc748555aff9ac57de200 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 10 Mar 2006 08:26:40 +0000 Subject: r14129: Add the group sids from the Kerberos PAC to the user token. Guenther (This used to be commit 1280d79111ae56c6a1b4daf7a1d6d413d1f4df64) --- source3/auth/auth_util.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 357da1fdb7..99ce6620c3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1102,6 +1102,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, DOM_SID user_sid, group_sid; fstring dom_name; auth_serversupplied_info *result; + int i; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1139,10 +1140,36 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, result->uid = pwd->pw_uid; result->gid = pwd->pw_gid; - /* TODO: Add groups from pac */ result->sids = NULL; result->num_sids = 0; + /* and create (by appending rids) the 'domain' sids */ + + for (i = 0; i < logon_info->info3.num_groups2; i++) { + DOM_SID sid; + if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid, + logon_info->info3.gids[i].g_rid)) { + DEBUG(3,("could not append additional group rid " + "0x%x\n", logon_info->info3.gids[i].g_rid)); + TALLOC_FREE(result); + return NT_STATUS_INVALID_PARAMETER; + } + add_sid_to_array(result, &sid, &result->sids, + &result->num_sids); + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < logon_info->info3.num_other_sids; i++) { + add_sid_to_array(result, &logon_info->info3.other_sids[i].sid, + &result->sids, + &result->num_sids); + } + *server_info = result; return NT_STATUS_OK; -- cgit From c077d363a4f14afd2c83d57dcd52e6a2c1a2d42b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 10 Mar 2006 08:43:32 +0000 Subject: r14130: Remove make_server_info_pac alltogether, make_server_info_info3 does already do what we need. Guenther (This used to be commit 773e33c9717ae04f48983ddc49f7619a97523603) --- source3/auth/auth_util.c | 89 ------------------------------------------------ 1 file changed, 89 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 99ce6620c3..14aaa4c5ee 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1087,95 +1087,6 @@ BOOL user_in_group(const char *username, const char *groupname) } -/*************************************************************************** - Make (and fill) a user_info struct from a Kerberos PAC logon_info by - conversion to a struct samu -***************************************************************************/ - -NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, - char *unix_username, - struct passwd *pwd, - PAC_LOGON_INFO *logon_info) -{ - NTSTATUS status; - struct samu *sampass = NULL; - DOM_SID user_sid, group_sid; - fstring dom_name; - auth_serversupplied_info *result; - int i; - - if ( !(sampass = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - status = samu_set_unix( sampass, pwd ); - if ( !NT_STATUS_IS_OK(status) ) { - return status; - } - - result = make_server_info(NULL); - if (result == NULL) { - TALLOC_FREE(sampass); - return NT_STATUS_NO_MEMORY; - } - - /* only copy user_sid, group_sid and domain name out of the PAC for - * now, we will benefit from more later - Guenther */ - - sid_copy(&user_sid, &logon_info->info3.dom_sid.sid); - sid_append_rid(&user_sid, logon_info->info3.user_rid); - pdb_set_user_sid(sampass, &user_sid, PDB_SET); - - sid_copy(&group_sid, &logon_info->info3.dom_sid.sid); - sid_append_rid(&group_sid, logon_info->info3.group_rid); - pdb_set_group_sid(sampass, &group_sid, PDB_SET); - - unistr2_to_ascii(dom_name, &logon_info->info3.uni_logon_dom, -1); - pdb_set_domain(sampass, dom_name, PDB_SET); - - pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET); - - result->sam_account = sampass; - result->unix_name = talloc_strdup(result, unix_username); - result->uid = pwd->pw_uid; - result->gid = pwd->pw_gid; - - result->sids = NULL; - result->num_sids = 0; - - /* and create (by appending rids) the 'domain' sids */ - - for (i = 0; i < logon_info->info3.num_groups2; i++) { - DOM_SID sid; - if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid, - logon_info->info3.gids[i].g_rid)) { - DEBUG(3,("could not append additional group rid " - "0x%x\n", logon_info->info3.gids[i].g_rid)); - TALLOC_FREE(result); - return NT_STATUS_INVALID_PARAMETER; - } - add_sid_to_array(result, &sid, &result->sids, - &result->num_sids); - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < logon_info->info3.num_other_sids; i++) { - add_sid_to_array(result, &logon_info->info3.other_sids[i].sid, - &result->sids, - &result->num_sids); - } - - *server_info = result; - - return NT_STATUS_OK; -} - - /*************************************************************************** Make (and fill) a user_info struct from a 'struct passwd' by conversion to a struct samu -- cgit From 0ce53f8ba5110381ad6f910abe581a69019135b8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Mar 2006 00:10:38 +0000 Subject: r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83) --- source3/auth/auth_util.c | 135 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 97 insertions(+), 38 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 14aaa4c5ee..5b88945284 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -677,9 +677,68 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) return NT_STATUS_OK; } -/* - * Create a NT token for the user, expanding local aliases - */ +/******************************************************************* +*******************************************************************/ + +static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) +{ + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + +static NTSTATUS create_builtin_administrators( void ) +{ + NTSTATUS status; + DOM_SID dom_admins, root_sid; + fstring root_name; + enum SID_NAME_USE type; + TALLOC_CTX *ctx; + BOOL ret; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); + return status; + } + + /* add domain admins */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) + { + sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" + " Administrators\n")); + return status; + } + } + + /* add root */ + if ( (ctx = talloc_init(NULL)) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); + ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); + TALLOC_FREE( ctx ); + + if ( ret ) { + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add root" + " Administrators\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* + Create a NT token for the user, expanding local aliases +*******************************************************************/ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, @@ -692,6 +751,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, struct nt_user_token *result = NULL; int i; NTSTATUS status; + gid_t gid; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { @@ -705,12 +765,15 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, goto done; } - /* First create the default SIDs */ + /* Add the user and primary group sid */ add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); add_sid_to_array(result, group_sid, &result->user_sids, &result->num_sids); + + /* Add in BUILTIN sids */ + add_sid_to_array(result, &global_sid_World, &result->user_sids, &result->num_sids); add_sid_to_array(result, &global_sid_Network, @@ -723,7 +786,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, &global_sid_Authenticated_Users, &result->user_sids, &result->num_sids); } - + /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending * on who authenticated the user. */ @@ -732,7 +795,35 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array_unique(result, &groupsids[i], &result->user_sids, &result->num_sids); } + + /* Deal with the BUILTIN\Administrators group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() ) { + become_root(); + status = create_builtin_administrators( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + else { + status = add_builtin_administrators( tmp_ctx, result ); + if ( !NT_STATUS_IS_OK(status) ) { + result = NULL; + goto done; + } + } + } + /* Deal with local groups */ + if (lp_winbind_nested_groups()) { /* Now add the aliases. First the one from our local SAM */ @@ -752,40 +843,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, result = NULL; goto done; } - } else { - - /* Play jerry's trick to auto-add local admins if we're a - * domain admin. */ - - DOM_SID dom_admins; - BOOL domain_mode = False; - - if (IS_DC) { - sid_compose(&dom_admins, get_global_sam_sid(), - DOMAIN_GROUP_RID_ADMINS); - domain_mode = True; - } - if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && - (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - domain_mode = True; - } + } - if (domain_mode) { - for (i=0; inum_sids; i++) { - if (sid_equal(&dom_admins, - &result->user_sids[i])) { - add_sid_to_array_unique( - result, - &global_sid_Builtin_Administrators, - &result->user_sids, - &result->num_sids); - break; - } - } - - } - } get_privileges_for_sids(&result->privileges, result->user_sids, result->num_sids); -- cgit From 8723178048f3b98938476c41679d46ed1f809515 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Mar 2006 03:46:20 +0000 Subject: r14421: This does two things * Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this. * The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully: $ su - jerry -c groups users BUILTIN\users (This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b) --- source3/auth/auth_util.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b88945284..776b2fb3d7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -688,6 +688,36 @@ static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_toke /******************************************************************* *******************************************************************/ +static NTSTATUS create_builtin_users( void ) +{ + NTSTATUS status; + DOM_SID dom_users; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_users: Failed to create Users\n")); + return status; + } + + /* add domain users */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) + { + sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); + status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + " Users\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + static NTSTATUS create_builtin_administrators( void ) { NTSTATUS status; @@ -822,6 +852,25 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } } + /* Deal with the BUILTIN\Users group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() ) { + become_root(); + status = create_builtin_users( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + } + /* Deal with local groups */ if (lp_winbind_nested_groups()) { -- cgit From 8641d7d4067b0037b6ddb7216ada7d497bbf091c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Mar 2006 10:55:48 +0000 Subject: r14578: fix incorrect comment in fill_sam_account(). This function is called from multiple places now (krb5, winbindd auth and domain_client_validate() (This used to be commit ddad66ec58d09f89105ceb822b7bea534dafd9e6) --- source3/auth/auth_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 776b2fb3d7..2ece2a6150 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1379,10 +1379,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(), lower_username); - /* get the passwd struct but don't create the user if he/she - does not exist. We were explicitly called from a following - a winbindd authentication request so we should assume that - nss_winbindd is working */ + /* Get the passwd struct. Try to create the account is necessary. */ map_username( dom_user ); -- cgit From 1839b4be14e905428257eb999def184d73dcf08f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 22 Mar 2006 08:04:13 +0000 Subject: r14634: Many bug fixes thanks to train rides and overnight stays in airports * Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2ece2a6150..31bc2664b8 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -834,7 +834,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* We can only create a mapping if winbind is running and the nested group functionality has been enabled */ - if ( lp_winbind_nested_groups() ) { + if ( lp_winbind_nested_groups() && winbind_ping() ) { become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { @@ -860,7 +860,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* We can only create a mapping if winbind is running and the nested group functionality has been enabled */ - if ( lp_winbind_nested_groups() ) { + if ( lp_winbind_nested_groups() && winbind_ping() ) { become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { -- cgit From 8c9eb7631eecbe3f9bda30aff4b5d97d5e2a8737 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 12 Apr 2006 14:10:39 +0000 Subject: r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a) --- source3/auth/auth_winbind.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 6e2f26a572..4836d62ef9 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -32,7 +32,7 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response size_t len = response->length - sizeof(struct winbindd_response); prs_struct ps; if (len > 0) { - info3_ndr = response->extra_data; + info3_ndr = response->extra_data.data; if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { return NT_STATUS_NO_MEMORY; } @@ -124,7 +124,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, nt_status = NT_STATUS(response.data.auth.nt_status); - if (result == NSS_STATUS_SUCCESS && response.extra_data) { + if (result == NSS_STATUS_SUCCESS && response.extra_data.data) { if (NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { nt_status = make_server_info_info3(mem_ctx, @@ -138,7 +138,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, nt_status = NT_STATUS_NO_LOGON_SERVERS; } - SAFE_FREE(response.extra_data); + SAFE_FREE(response.extra_data.data); return nt_status; } -- cgit From a2e2032d080804b4555df8938e53b395e3fe0b7b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 14 Apr 2006 19:36:36 +0000 Subject: r15086: Get defensive about creating user accounts when winbindd fails (but is present). (This used to be commit 77fb19c45dcb07f5b675831979fbd74a99e30638) --- source3/auth/auth_util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 31bc2664b8..4ffbba2e23 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1469,9 +1469,12 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, pw = Get_Pwnam_alloc(mem_ctx, username); - /* Create local user if requested. */ + /* Create local user if requested but only if winbindd + is not running. We need to protect against cases + where winbindd is failing and then prematurely + creating users in /etc/passwd */ - if ( !pw && create ) { + if ( !pw && create && !winbind_ping() ) { /* Don't add a machine account. */ if (username[strlen(username)-1] == '$') return NULL; -- cgit From 010c725b36feb1a234dce9f40b95ae5869058698 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 15 Apr 2006 04:07:10 +0000 Subject: r15088: Remove all time() and gettimeofday() calls out of the mainline packet processing code. Only do these when needed (ie. in the idle timeout code). We drop an unneccessary global here too. Jeremy. (This used to be commit 8272a5ab0605fcf95527143c4f909aa1008e5b94) --- source3/auth/auth_sam.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 740170d73d..94e4ec414b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -23,8 +23,6 @@ #include "includes.h" -extern struct timeval smb_last_time; - #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -87,7 +85,7 @@ static BOOL logon_hours_ok(struct samu *sampass) return True; } - lasttime = (time_t)smb_last_time.tv_sec; + lasttime = time(NULL); utctime = gmtime(&lasttime); /* find the corresponding byte and bit */ -- cgit From 31693197bee0d71e83418c0fb72685fd848e358f Mon Sep 17 00:00:00 2001 From: Paul Green Date: Wed, 26 Apr 2006 15:41:25 +0000 Subject: r15283: Oh yeah. The build farm doesn't do much with head. OK, here is the patch to SAMBA_3_0 to declare prototypes for the initialization functions. These are the same changes I just made to head. --paulg (This used to be commit 17774387ad879b6a72dd1cf406326318add31b04) --- source3/auth/auth.c | 2 ++ source3/auth/auth_script.c | 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 5329e736ff..139ba5482b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -23,6 +23,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +static_decl_auth; + static struct auth_init_function_entry *backends = NULL; static struct auth_init_function_entry *auth_find_backend_entry(const char *name); diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 1bc33ec59e..05bae44865 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -140,16 +140,14 @@ static NTSTATUS auth_init_script(struct auth_context *auth_context, const char * return NT_STATUS_OK; } -#if 0 /* Define this to build static. */ NTSTATUS auth_script_init(void) { return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); } -#else + /* Define this to build shared. */ NTSTATUS init_module(void) { return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); } -#endif -- cgit From 0ec947bf1a661ac275fd6bd0aa96b6982f50dab3 Mon Sep 17 00:00:00 2001 From: Paul Green Date: Wed, 26 Apr 2006 16:18:02 +0000 Subject: r15285: Fix the build. (This used to be commit 2270a5196db071bbf15aed92637a24f81d179cd5) --- source3/auth/auth_script.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 05bae44865..722abe3d04 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -145,9 +145,10 @@ NTSTATUS auth_script_init(void) { return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); } - +#if 0 /* Define this to build shared. */ NTSTATUS init_module(void) { return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); } +#endif -- cgit From 567e8fa6ca61e136f94d06e858ee30577c8f36e3 Mon Sep 17 00:00:00 2001 From: Paul Green Date: Sun, 30 Apr 2006 23:49:39 +0000 Subject: r15368: Remove some dead code. -- paulg (This used to be commit e1bd357fe87a66861d092fcdbdde1ff6ffcc8cf2) --- source3/auth/auth_script.c | 8 -------- 1 file changed, 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 722abe3d04..ec7264924c 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -140,15 +140,7 @@ static NTSTATUS auth_init_script(struct auth_context *auth_context, const char * return NT_STATUS_OK; } -/* Define this to build static. */ NTSTATUS auth_script_init(void) { return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); } -#if 0 -/* Define this to build shared. */ -NTSTATUS init_module(void) -{ - return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); -} -#endif -- cgit From 8719dc2b93a93e97284cee8b9a9136d8c9c46657 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 2 May 2006 12:13:23 +0000 Subject: r15393: remove extra call to fallback user creation on member servers; it's handled by the smb_getpwnam() call deeper in (This used to be commit 7433dba78bda27cd6366a49b0efc10a387439ccd) --- source3/auth/auth_util.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4ffbba2e23..c6d7b44d4e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1563,16 +1563,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + /* this call will try to create the user if necessary */ + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, sam_account); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - smb_create_user( nt_domain, sent_nt_username, NULL); - nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, sam_account ); - } /* if we still don't have a valid unix account check for 'map to guest = bad uid' */ -- cgit From 83e4ea7e852e4ae9a4ba6fd187787c76f2d54ef6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 15:46:53 +0000 Subject: r15472: Remove an unused function parameter (This used to be commit d2f39ae7fe79fd31846c555849655023a2d1cbc7) --- source3/auth/auth_domain.c | 1 - source3/auth/auth_util.c | 1 - source3/auth/auth_winbind.c | 1 - 3 files changed, 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c91cbf7af1..9360d28fac 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -251,7 +251,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } } else { nt_status = make_server_info_info3(mem_ctx, - user_info->internal_username, user_info->smb_name, domain, server_info, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c6d7b44d4e..8822d3358c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1496,7 +1496,6 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, ***************************************************************************/ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - const char *internal_username, const char *sent_nt_username, const char *domain, auth_serversupplied_info **server_info, diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 4836d62ef9..2c584f54c2 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -128,7 +128,6 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { nt_status = make_server_info_info3(mem_ctx, - user_info->internal_username, user_info->smb_name, user_info->domain, server_info, &info3); } -- cgit From dc9f30b8b0ace8d6e2c8c0cbed537fde68d1556a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 19:24:35 +0000 Subject: r15475: Ugly and disgusting patch to fix the username map problem I created by changing the token generation. I *hate* this code! Jerry, you have been looking at this as well, can you double-check that I did not screw it up? Thanks, Volker (This used to be commit 2765c4ff8d44c970db3e075b0a2412662f1936c6) --- source3/auth/auth_ntlmssp.c | 5 +++++ source3/auth/auth_util.c | 51 +++++++++++++++++++++++++++++++++------------ source3/auth/auth_winbind.c | 3 +++ 3 files changed, 46 insertions(+), 13 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 1d3d17d60d..7607107548 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -80,6 +80,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; auth_usersupplied_info *user_info = NULL; NTSTATUS nt_status; + BOOL username_was_mapped; /* the client has given us its machine name (which we otherwise would not get on port 445). we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ @@ -110,12 +111,16 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, user_info, &auth_ntlmssp_state->server_info); + username_was_mapped = user_info->was_mapped; + free_user_info(&user_info); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } + auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped; + nt_status = create_local_token(auth_ntlmssp_state->server_info); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 8822d3358c..06fbe1b7e6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -152,9 +152,11 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, BOOL encrypted) { const char *domain; + NTSTATUS result; + BOOL was_mapped; fstring internal_username; fstrcpy(internal_username, smb_name); - map_username(internal_username); + was_mapped = map_username(internal_username); DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); @@ -176,11 +178,15 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ - return make_user_info(user_info, smb_name, internal_username, + result = make_user_info(user_info, smb_name, internal_username, client_domain, domain, wksta_name, lm_pwd, nt_pwd, lm_interactive_pwd, nt_interactive_pwd, plaintext, encrypted); + if (NT_STATUS_IS_OK(result)) { + (*user_info)->was_mapped = was_mapped; + } + return result; } /**************************************************************************** @@ -923,15 +929,29 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) return NT_STATUS_NO_MEMORY; } - server_info->ptok = create_local_nt_token( - server_info, - pdb_get_user_sid(server_info->sam_account), - pdb_get_group_sid(server_info->sam_account), - server_info->guest, - server_info->num_sids, server_info->sids); + if (server_info->was_mapped) { + status = create_token_from_username(server_info, + server_info->unix_name, + server_info->guest, + &server_info->uid, + &server_info->gid, + &server_info->unix_name, + &server_info->ptok); + + } else { + server_info->ptok = create_local_nt_token( + server_info, + pdb_get_user_sid(server_info->sam_account), + pdb_get_group_sid(server_info->sam_account), + server_info->guest, + server_info->num_sids, server_info->sids); + status = server_info->ptok ? + NT_STATUS_OK : NT_STATUS_NO_SUCH_USER; + } - if ( !server_info->ptok ) { - return NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(mem_ctx); + return status; } /* Convert the SIDs to gids. */ @@ -1366,7 +1386,8 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, const char *username, char **found_username, uid_t *uid, gid_t *gid, - struct samu *account) + struct samu *account, + BOOL *username_was_mapped) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1381,7 +1402,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, /* Get the passwd struct. Try to create the account is necessary. */ - map_username( dom_user ); + *username_was_mapped = map_username( dom_user ); if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; @@ -1510,6 +1531,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; + BOOL username_was_mapped; uid_t uid; gid_t gid; @@ -1565,7 +1587,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* this call will try to create the user if necessary */ nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, sam_account); + &found_username, &uid, &gid, sam_account, + &username_was_mapped); /* if we still don't have a valid unix account check for @@ -1716,6 +1739,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sizeof(info3->lm_sess_key)); } + result->was_mapped = username_was_mapped; + *server_info = result; return NT_STATUS_OK; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 2c584f54c2..d8ac348d04 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -132,6 +132,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, server_info, &info3); } + if (NT_STATUS_IS_OK(nt_status)) { + (*server_info)->was_mapped |= user_info->was_mapped; + } } } else if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_NO_LOGON_SERVERS; -- cgit From 5ab7e77bc7659a9707fb702b162fc4201f244c60 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 19:42:25 +0000 Subject: r15476: Transfer the was_mapped flag from user_info to server_info also in auth_sam and auth_domain. Thanks for Simo to point this out. Volker (This used to be commit 293b89dfb109d6e220ced433f025cf987aa1f500) --- source3/auth/auth_domain.c | 4 ++++ source3/auth/auth_sam.c | 2 ++ 2 files changed, 6 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9360d28fac..6360d10b69 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -256,6 +256,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, server_info, &info3); + if (NT_STATUS_IS_OK(nt_status)) { + (*server_info)->was_mapped |= user_info->was_mapped; + } + netsamlogon_cache_store( user_info->smb_name, &info3 ); } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 94e4ec414b..50ce9065fd 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -349,6 +349,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, lm_sess_key.length); data_blob_free(&lm_sess_key); + (*server_info)->was_mapped |= user_info->was_mapped; + return nt_status; } -- cgit From 18d5a26f74ea49ba0a059cfb942c4c8ac9956d3b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 12 May 2006 21:00:52 +0000 Subject: r15549: removing rhosts and 'hosts equiv' authentication features (This used to be commit d19dad88155f985f113c667b6bdad5a1b25eca18) --- source3/auth/auth_rhosts.c | 293 --------------------------------------------- 1 file changed, 293 deletions(-) delete mode 100644 source3/auth/auth_rhosts.c (limited to 'source3/auth') diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c deleted file mode 100644 index 23e276bc84..0000000000 --- a/source3/auth/auth_rhosts.c +++ /dev/null @@ -1,293 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Main SMB reply routines - Copyright (C) Andrew Tridgell 1992-1998 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_AUTH - -/**************************************************************************** - Create a struct samu - either by looking in the pdb, or by faking it up from - unix info. -****************************************************************************/ - -static NTSTATUS auth_get_sam_account(const char *user, struct samu **account) -{ - BOOL pdb_ret; - NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; - - if ( !(*account = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - pdb_ret = pdb_getsampwnam(*account, user); - unbecome_root(); - - if (!pdb_ret) - { - struct passwd *pass; - - if ( !(pass = Get_Pwnam( user )) ) { - return NT_STATUS_NO_SUCH_USER; - } - - nt_status = samu_set_unix( *account, pass ); - } - - return nt_status; -} - -/**************************************************************************** - Read the a hosts.equiv or .rhosts file and check if it - allows this user from this machine. -****************************************************************************/ - -static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file) -{ - int plus_allowed = 1; - char *file_host; - char *file_user; - char **lines = file_lines_load(equiv_file, NULL,0); - int i; - - DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); - if (! lines) { - return False; - } - for (i=0; lines[i]; i++) { - char *buf = lines[i]; - trim_char(buf,' ',' '); - - if (buf[0] != '#' && buf[0] != '\n') { - BOOL is_group = False; - int plus = 1; - char *bp = buf; - - if (strcmp(buf, "NO_PLUS\n") == 0) { - DEBUG(6, ("check_user_equiv NO_PLUS\n")); - plus_allowed = 0; - } else { - if (buf[0] == '+') { - bp++; - if (*bp == '\n' && plus_allowed) { - /* a bare plus means everbody allowed */ - DEBUG(6, ("check_user_equiv everybody allowed\n")); - file_lines_free(lines); - return True; - } - } else if (buf[0] == '-') { - bp++; - plus = 0; - } - if (*bp == '@') { - is_group = True; - bp++; - } - file_host = strtok(bp, " \t\n"); - file_user = strtok(NULL, " \t\n"); - DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", - file_user ? file_user : "(null)" )); - - if (file_host && *file_host) { - BOOL host_ok = False; - -#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) - if (is_group) { - static char *mydomain = NULL; - if (!mydomain) { - yp_get_default_domain(&mydomain); - } - if (mydomain && innetgr(file_host,remote,user,mydomain)) { - host_ok = True; - } - } -#else - if (is_group) { - DEBUG(1,("Netgroups not configured\n")); - continue; - } -#endif - - /* is it this host */ - /* the fact that remote has come from a call of gethostbyaddr - * means that it may have the fully qualified domain name - * so we could look up the file version to get it into - * a canonical form, but I would rather just type it - * in full in the equiv file - */ - - if (!host_ok && !is_group && strequal(remote, file_host)) { - host_ok = True; - } - - if (!host_ok) { - continue; - } - - /* is it this user */ - if (file_user == 0 || strequal(user, file_user)) { - DEBUG(5, ("check_user_equiv matched %s%s %s\n", - (plus ? "+" : "-"), file_host, - (file_user ? file_user : ""))); - file_lines_free(lines); - return (plus ? True : False); - } - } - } - } - } - - file_lines_free(lines); - return False; -} - -/**************************************************************************** -check for a possible hosts equiv or rhosts entry for the user -****************************************************************************/ - -static BOOL check_hosts_equiv(struct samu *account) -{ - uid_t uid; - char *fname = NULL; - - fname = lp_hosts_equiv(); - if (!sid_to_uid(pdb_get_user_sid(account), &uid)) - return False; - - /* note: don't allow hosts.equiv on root */ - if (fname && *fname && uid != 0) { - if (check_user_equiv(pdb_get_username(account),client_name(),fname)) - return True; - } - - return False; -} - - -/**************************************************************************** - Check for a valid .rhosts/hosts.equiv entry for this user -****************************************************************************/ - -static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - struct samu *account = NULL; - if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username, - &account))) { - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) - nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; - } - - if (check_hosts_equiv(account)) { - nt_status = make_server_info_sam(server_info, account); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(account); - } - } else { - TALLOC_FREE(account); - nt_status = NT_STATUS_NOT_IMPLEMENTED; - } - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_hostsequiv_security; - (*auth_method)->name = "hostsequiv"; - return NT_STATUS_OK; -} - - -/**************************************************************************** - Check for a valid .rhosts/hosts.equiv entry for this user -****************************************************************************/ - -static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - struct samu *account = NULL; - pstring rhostsfile; - const char *home; - - if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username, - &account))) { - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) - nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; - } - - home = pdb_get_unix_homedir(account); - - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - become_root(); - if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { - nt_status = make_server_info_sam(server_info, account); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(account); - } - } else { - TALLOC_FREE(account); - } - unbecome_root(); - } else { - TALLOC_FREE(account); - nt_status = NT_STATUS_NOT_IMPLEMENTED; - } - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_rhosts_security; - (*auth_method)->name = "rhosts"; - return NT_STATUS_OK; -} - -NTSTATUS auth_rhosts_init(void) -{ - smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts); - smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv); - return NT_STATUS_OK; -} -- cgit From 990c406a89f9ec52d2570928d07f6913a4c31808 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 14 May 2006 14:39:10 +0000 Subject: r15600: Correctly fill in the gid for local users. Volker (This used to be commit 6071dd5db0dbb79a80b248ab93942911bf08fd2b) --- source3/auth/auth_util.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 06fbe1b7e6..64b707bc1a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1096,6 +1096,12 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct)); + if (!sid_to_gid(&primary_group_sid, gid)) { + DEBUG(1, ("sid_to_gid(%s) failed\n", + sid_string_static(&primary_group_sid))); + goto done; + } + result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); -- cgit From 905bac92ba1b487e733b989089c649ea3b6cf4dc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 May 2006 02:05:53 +0000 Subject: r15676: Fix meaningless debug statement from uninitialized variable. Spotted by "John E. Malmberg" . Jeremy. (This used to be commit ff3fe39b837e0d0de2edaa284c2dd7d1c8161c46) --- source3/auth/auth_util.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 64b707bc1a..f4d32ebdc0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1198,7 +1198,6 @@ BOOL user_in_group(const char *username, const char *groupname) { TALLOC_CTX *mem_ctx; DOM_SID group_sid; - NTSTATUS status; BOOL ret; mem_ctx = talloc_new(NULL); @@ -1212,8 +1211,7 @@ BOOL user_in_group(const char *username, const char *groupname) TALLOC_FREE(mem_ctx); if (!ret) { - DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname, - nt_errstr(status))); + DEBUG(10, ("lookup_name for (%s) failed.\n", groupname)); return False; } -- cgit From f897e7094f9630a808b9d4622bb542ac676a8fb2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 Jun 2006 04:45:50 +0000 Subject: r16076: Fix for machine password timeout overflow from Shlomi Yaakobovich . Jeremy. (This used to be commit 5cd234a1fff1e9d025eea6600649e56c997eafc2) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6360d10b69..bedd318c3c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -403,7 +403,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte #if 0 /* Test if machine password is expired and need to be changed */ - if (time(NULL) > last_change_time + lp_machine_password_timeout()) + if (time(NULL) > last_change_time + (time_t)lp_machine_password_timeout()) { global_machine_password_needs_changing = True; } -- cgit From 21eeddb80df515d1b3969f42dc56b9c8e02db3ff Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 Jun 2006 16:13:41 +0000 Subject: r16141: Dummy commit to make the build farm re-test against Samba4 16140 (This used to be commit a1fcacf75683e4c08236bb4cc4164678ea1a1ce4) --- source3/auth/auth_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f4d32ebdc0..d02ad66200 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1279,8 +1279,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, Make (and fill) a user_info struct for a guest login. This *must* succeed for smbd to start. If there is no mapping entry for the guest gid, then create one. -********************** -*****************************************************/ +***************************************************************************/ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { -- cgit From 780f121462b91c520c5a1bd13e7fcde288e1fad2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 12 Jun 2006 11:03:49 +0000 Subject: r16150: Fix possible NULL dereference found by Klocwork ID # 17 (This used to be commit 3159bd3a4e3ad70c60fea4cacc892be9f1d71ab9) --- source3/auth/auth_util.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d02ad66200..43ae5c1af6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1243,10 +1243,9 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, } result = make_server_info(NULL); - - if (!NT_STATUS_IS_OK(status)) { + if (result == NULL) { TALLOC_FREE(sampass); - return status; + return NT_STATUS_NO_MEMORY; } result->sam_account = sampass; -- cgit From 0372e0372297ef02c65d033b73db602a562f72cd Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 13 Jun 2006 19:56:26 +0000 Subject: r16204: Fix Klocwork # 14 localtime() can return NULL. Volker (This used to be commit 07c5dcb8633e6fadb596dc5a22d8d31b2e16a3ef) --- source3/auth/auth_sam.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 50ce9065fd..e8018eb13d 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -93,9 +93,11 @@ static BOOL logon_hours_ok(struct samu *sampass) bitmask = 1 << (bitpos % 8); if (! (hours[bitpos/8] & bitmask)) { - DEBUG(1,("logon_hours_ok: Account for user %s not allowed to logon at this time (%s).\n", - pdb_get_username(sampass), - asctime(localtime(&lasttime)) )); + struct tm *t = localtime(&lasttime); + DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to " + "logon at this time (%s).\n", + pdb_get_username(sampass), + t ? asctime(t) : "INVALID TIME")); return False; } -- cgit From d4a80fdf38428c7a0e6cda6da838c8ccc5d8f2ab Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 13 Jun 2006 21:21:44 +0000 Subject: r16209: Klocwork bug #66, ensure no null deref. Jeremy. (This used to be commit 79e693798cf322071ea64a4014a01ad9eaba73e8) --- source3/auth/auth_util.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 43ae5c1af6..fb21d424c5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1082,6 +1082,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ struct samu *sam_acct = NULL; + const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { goto done; @@ -1094,7 +1095,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct)); + gr_sid = pdb_get_group_sid(sam_acct); + if (!gr_sid) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + + sid_copy(&primary_group_sid, gr_sid); if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", -- cgit From a1e0a0e9286fbe90ca04cda9df38e72d8d18b0c1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Jun 2006 21:36:49 +0000 Subject: r16230: Fix Klocwork #861 and others. localtime and asctime can return NULL. Ensure we check all returns correctly. Jeremy. (This used to be commit 6c61dc8ed6d84f310ef391fb7700e93ef42c4afc) --- source3/auth/auth_sam.c | 21 ++++++++++++++++++--- source3/auth/pass_check.c | 10 ++++++++-- 2 files changed, 26 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index e8018eb13d..ec405dd2be 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -77,6 +77,7 @@ static BOOL logon_hours_ok(struct samu *sampass) const uint8 *hours; struct tm *utctime; time_t lasttime; + const char *asct; uint8 bitmask, bitpos; hours = pdb_get_hours(sampass); @@ -87,6 +88,11 @@ static BOOL logon_hours_ok(struct samu *sampass) lasttime = time(NULL); utctime = gmtime(&lasttime); + if (!utctime) { + DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n", + pdb_get_username(sampass) )); + return False; + } /* find the corresponding byte and bit */ bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168; @@ -94,15 +100,24 @@ static BOOL logon_hours_ok(struct samu *sampass) if (! (hours[bitpos/8] & bitmask)) { struct tm *t = localtime(&lasttime); + if (!t) { + asct = "INVALID TIME"; + } else { + asct = asctime(t); + if (!asct) { + asct = "INVALID TIME"; + } + } + DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to " "logon at this time (%s).\n", - pdb_get_username(sampass), - t ? asctime(t) : "INVALID TIME")); + pdb_get_username(sampass), asct )); return False; } + asct = asctime(utctime); DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n", - pdb_get_username(sampass), asctime(utctime) )); + pdb_get_username(sampass), asct ? asct : "UNKNOWN TIME" )); return True; } diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 507e8a3836..d0a900b80f 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -92,6 +92,7 @@ check on a DCE/DFS authentication ********************************************************************/ static BOOL dfs_auth(char *user, char *password) { + struct tm *t; error_status_t err; int err2; int prterr; @@ -341,8 +342,13 @@ static BOOL dfs_auth(char *user, char *password) set_effective_uid(0); set_effective_gid(0); - DEBUG(0, - ("DCE context expires: %s", asctime(localtime(&expire_time)))); + t = localtime(&expire_time); + if (t) { + const char *asct = asctime(t); + if (asct) { + DEBUG(0,("DCE context expires: %s", asct)); + } + } dcelogin_atmost_once = 1; return (True); -- cgit From f9147c4e408d316d194c4e367dfccbf433cb8ec9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Jun 2006 01:54:09 +0000 Subject: r16241: Fix Klocwork #106 and others like it. Make 2 important changes. pdb_get_methods() returning NULL is a *fatal* error. Don't try and cope with it just call smb_panic. This removes a *lot* of pointless "if (!pdb)" handling code. Secondly, ensure that if samu_init() fails we *always* back out of a function. That way we are never in a situation where the pdb_XXX() functions need to start with a "if (sampass)" test - this was just bad design, not defensive programming. Jeremy. (This used to be commit a0d368197d6ae6777b7c2c3c6e970ab8ae7ca2ae) --- source3/auth/auth_util.c | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fb21d424c5..9427c7681e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1085,6 +1085,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { + result = NT_STATUS_NO_MEMORY; goto done; } @@ -1347,25 +1348,44 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) dst->uid = src->uid; dst->gid = src->gid; dst->n_groups = src->n_groups; - if (src->n_groups != 0) + if (src->n_groups != 0) { dst->groups = talloc_memdup(dst, src->groups, sizeof(gid_t)*dst->n_groups); - else + } else { dst->groups = NULL; - - dst->ptok = dup_nt_token(dst, src->ptok); + } + + if (src->ptok) { + dst->ptok = dup_nt_token(dst, src->ptok); + if (!dst->ptok) { + TALLOC_FREE(dst); + return NULL; + } + } dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data, - src->user_session_key.length); - + src->user_session_key.length); + dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data, - src->lm_session_key.length); - - if ( (dst->sam_account = samu_new( NULL )) != NULL ) - pdb_copy_sam_account(dst->sam_account, src->sam_account); + src->lm_session_key.length); + + dst->sam_account = samu_new(NULL); + if (!dst->sam_account) { + TALLOC_FREE(dst); + return NULL; + } + + if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) { + TALLOC_FREE(dst); + return NULL; + } dst->pam_handle = NULL; dst->unix_name = talloc_strdup(dst, src->unix_name); + if (!dst->unix_name) { + TALLOC_FREE(dst); + return NULL; + } return dst; } -- cgit From 600b0ae2e97967ebc19639312f03561e4004a7ee Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Jun 2006 19:47:44 +0000 Subject: r16471: Bug reported by Vitaly Protsko in 3.0.23rc1. Add missing automatic add of the Administrators SID in the absence of winbindd and precense of Domain Admins SID in the user's token. (This used to be commit ce7846d6f19f63ca99179b75e6f2195cc593795f) --- source3/auth/auth_util.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9427c7681e..0401e02b7d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -688,6 +688,31 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) { + DOM_SID domadm; + + /* nothing to do if we aren't in a domain */ + + if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) { + return NT_STATUS_OK; + } + + /* Find the Domain Admins SID */ + + if ( IS_DC ) { + sid_copy( &domadm, get_global_sam_sid() ); + } else { + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); + + /* Add Administrators if the user beloongs to Domain Admins */ + + if ( nt_token_check_sid( &domadm, token ) ) { + add_sid_to_array(token, &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids); + } + return NT_STATUS_OK; } -- cgit From 8322d26276a63c2909ed4835693fae5ac4349f74 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 28 Jun 2006 18:16:33 +0000 Subject: r16632: Fix bug #3882 reported by jason@ncac.gwu.edu. Jeremy. (This used to be commit 6b39f53e43572fe29fc037a36328387a0b1bb423) --- source3/auth/auth_ntlmssp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 7607107548..6cf987a48b 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -176,7 +176,7 @@ NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password; - (*auth_ntlmssp_state)->ntlmssp_state->server_role = lp_server_role(); + (*auth_ntlmssp_state)->ntlmssp_state->server_role = (enum server_types)lp_server_role(); return NT_STATUS_OK; } -- cgit From 9d0ccba34c645de612821c929f56b44f74c88c71 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 1 Jul 2006 17:55:07 +0000 Subject: r16749: BUG 3905: don't fail in create_local_nt_token() when a checking for the builtin Administrators group membership. security = server has no domain info in secrets.tdb (This used to be commit fa477969fbbcd9f707461a2d9015bebf719ddfbb) --- source3/auth/auth_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0401e02b7d..df4a4e1b38 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -876,9 +876,10 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } else { status = add_builtin_administrators( tmp_ctx, result ); - if ( !NT_STATUS_IS_OK(status) ) { - result = NULL; - goto done; + if ( !NT_STATUS_IS_OK(status) ) { + /* just log a complaint but do not fail */ + DEBUG(3,("create_local_nt_token: failed to check for local Administrators" + " membership (%s)\n", nt_errstr(status))); } } } -- cgit From 355cbde8df75d429906e1e2f6e465b20222b4173 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 2 Jul 2006 22:04:29 +0000 Subject: r16766: A warning found by RHEL3. This might actually be 3.0.23 code, maybe there are vasprintf implementations that don't like a NULL format. Volker (This used to be commit 03c665c307e518c9ff66096904873266b145637c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index df4a4e1b38..c5ce55bc8c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -778,7 +778,7 @@ static NTSTATUS create_builtin_administrators( void ) } /* add root */ - if ( (ctx = talloc_init(NULL)) == NULL ) { + if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { return NT_STATUS_NO_MEMORY; } fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); -- cgit From fc4abcf02857596c40110f2421facfb70f9be41d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 7 Jul 2006 18:22:26 +0000 Subject: r16864: Intermediate checkin -- swap the sid_check_is_in_unix_users and sid_check_is_in_our_domain cases. Volker (This used to be commit dc403cec88d91fdeb09cbd04321d88bbdc0f490c) --- source3/auth/auth_util.c | 76 ++++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 38 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c5ce55bc8c..1c629bca82 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1066,44 +1066,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (sid_check_is_in_unix_users(&user_sid)) { - - /* This is a unix user not in passdb. We need to ask nss - * directly, without consulting passdb */ - - struct passwd *pass; - size_t i; - - pass = getpwuid_alloc(tmp_ctx, *uid); - if (pass == NULL) { - DEBUG(1, ("getpwuid(%d) for user %s failed\n", - *uid, username)); - goto done; - } - - *gid = pass->pw_gid; - gid_to_sid(&primary_group_sid, pass->pw_gid); - - if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, - &gids, &num_group_sids)) { - DEBUG(1, ("getgroups_unix_user for user %s failed\n", - username)); - goto done; - } - - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); - if (group_sids == NULL) { - DEBUG(1, ("talloc_array failed\n")); - result = NT_STATUS_NO_MEMORY; - goto done; - } - - for (i=0; ipw_name); - - } else if (sid_check_is_in_our_domain(&user_sid)) { + if (sid_check_is_in_our_domain(&user_sid)) { /* This is a passdb user, so ask passdb */ @@ -1148,6 +1111,43 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); + } else if (sid_check_is_in_unix_users(&user_sid)) { + + /* This is a unix user not in passdb. We need to ask nss + * directly, without consulting passdb */ + + struct passwd *pass; + size_t i; + + pass = getpwuid_alloc(tmp_ctx, *uid); + if (pass == NULL) { + DEBUG(1, ("getpwuid(%d) for user %s failed\n", + *uid, username)); + goto done; + } + + *gid = pass->pw_gid; + gid_to_sid(&primary_group_sid, pass->pw_gid); + + if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, + &gids, &num_group_sids)) { + DEBUG(1, ("getgroups_unix_user for user %s failed\n", + username)); + goto done; + } + + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + + for (i=0; ipw_name); + } else { /* This user is from winbind, force the primary gid to the -- cgit From 3899f95e1f44a4dfe31b42119ad5e14304d8a4b4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 7 Jul 2006 18:53:19 +0000 Subject: r16865: This is a proposal to fix bug 3915. Before sending patches around, this is what svn is for. The idea is that we fall back to a pure unix user with S-1-22 SIDs in the token in case anything weird is going on with the 'force user'. Volker (This used to be commit 9ec5ccfe851ac8a1f88b88c8c8461a5cf75b4c57) --- source3/auth/auth_util.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1c629bca82..493d7393d0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1081,14 +1081,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!pdb_getsampwsid(sam_acct, &user_sid)) { DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", sid_string_static(&user_sid), username)); - result = NT_STATUS_NO_SUCH_USER; - goto done; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } gr_sid = pdb_get_group_sid(sam_acct); if (!gr_sid) { - result = NT_STATUS_NO_MEMORY; - goto done; + goto unix_user; } sid_copy(&primary_group_sid, gr_sid); @@ -1096,7 +1095,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", sid_string_static(&primary_group_sid))); - goto done; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } result = pdb_enum_group_memberships(tmp_ctx, sam_acct, @@ -1105,7 +1105,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("enum_group_memberships failed for %s\n", username)); - goto done; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } *found_username = talloc_strdup(mem_ctx, @@ -1119,6 +1120,16 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, struct passwd *pass; size_t i; + /* + * This goto target is used as a fallback for the passdb + * case. The concrete bug report is when passdb gave us an + * unmapped gid. + */ + + unix_user: + + uid_to_unix_users_sid(*uid, &user_sid); + pass = getpwuid_alloc(tmp_ctx, *uid); if (pass == NULL) { DEBUG(1, ("getpwuid(%d) for user %s failed\n", -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/auth/auth_domain.c | 11 +++++ source3/auth/auth_server.c | 9 ++-- source3/auth/auth_util.c | 104 ++++++++++++++++++++++++++++++++++----------- 3 files changed, 95 insertions(+), 29 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bedd318c3c..8ad6329da9 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -50,6 +50,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, NTSTATUS result; struct rpc_pipe_client *netlogon_pipe = NULL; + *cli = NULL; + *pipe_ret = NULL; /* TODO: Send a SAMLOGON request to determine whether this is a valid @@ -81,6 +83,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, result = NT_STATUS_NO_LOGON_SERVERS; } + if (*cli) { + cli_shutdown(*cli); + *cli = NULL; + } + release_server_mutex(); return result; } @@ -111,6 +118,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return result; } @@ -126,6 +134,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); "trust account password for domain '%s'\n", domain)); cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -141,6 +150,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!NT_STATUS_IS_OK(result)) { cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return result; } @@ -150,6 +160,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return NT_STATUS_NO_LOGON_SERVERS; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7bec1b4128..6e4dba0be2 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -39,7 +39,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) char *pserver; BOOL connected_ok = False; - if (!(cli = cli_initialise(cli))) + if (!(cli = cli_initialise())) return NULL; /* security = server just can't function with spnego */ @@ -49,7 +49,8 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { - standard_sub_basic(current_user_info.smb_name, desthost, sizeof(desthost)); + standard_sub_basic(current_user_info.smb_name, current_user_info.domain, + desthost, sizeof(desthost)); strupper_m(desthost); if(!resolve_name( desthost, &dest_ip, 0x20)) { @@ -85,7 +86,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return NULL; } - if (!attempt_netbios_session_request(cli, global_myname(), + if (!attempt_netbios_session_request(&cli, global_myname(), desthost, &dest_ip)) { release_server_mutex(); DEBUG(1,("password server fails session request\n")); @@ -129,7 +130,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } release_server_mutex(); - + DEBUG(3,("password server OK\n")); return cli; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 493d7393d0..823bf8c322 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -611,12 +611,17 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * Add alias SIDs from memberships within the partially created token SID list */ -static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, +static NTSTATUS add_aliases(const DOM_SID *domain_sid, struct nt_user_token *token) { uint32 *aliases; size_t i, num_aliases; NTSTATUS status; + TALLOC_CTX *tmp_ctx; + + if (!(tmp_ctx = talloc_init("add_aliases"))) { + return NT_STATUS_NO_MEMORY; + } aliases = NULL; num_aliases = 0; @@ -629,6 +634,7 @@ static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", nt_errstr(status))); + TALLOC_FREE(tmp_ctx); return status; } @@ -640,10 +646,12 @@ static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, &token->num_sids); if (token->user_sids == NULL) { DEBUG(0, ("add_sid_to_array failed\n")); + TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } } + TALLOC_FREE(tmp_ctx); return NT_STATUS_OK; } @@ -686,7 +694,7 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) /******************************************************************* *******************************************************************/ -static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) +static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) { DOM_SID domadm; @@ -808,22 +816,14 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, int num_groupsids, const DOM_SID *groupsids) { - TALLOC_CTX *tmp_ctx; struct nt_user_token *result = NULL; int i; NTSTATUS status; gid_t gid; - tmp_ctx = talloc_new(mem_ctx); - if (tmp_ctx == NULL) { - DEBUG(0, ("talloc_new failed\n")); - return NULL; - } - - result = TALLOC_ZERO_P(tmp_ctx, NT_USER_TOKEN); - if (result == NULL) { + if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { DEBUG(0, ("talloc failed\n")); - goto done; + return NULL; } /* Add the user and primary group sid */ @@ -875,7 +875,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, unbecome_root(); } else { - status = add_builtin_administrators( tmp_ctx, result ); + status = add_builtin_administrators( result ); if ( !NT_STATUS_IS_OK(status) ) { /* just log a complaint but do not fail */ DEBUG(3,("create_local_nt_token: failed to check for local Administrators" @@ -896,7 +896,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -909,31 +909,26 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Now add the aliases. First the one from our local SAM */ - status = add_aliases(tmp_ctx, get_global_sam_sid(), result); + status = add_aliases(get_global_sam_sid(), result); if (!NT_STATUS_IS_OK(status)) { - result = NULL; - goto done; + TALLOC_FREE(result); + return NULL; } /* Finally the builtin ones */ - status = add_aliases(tmp_ctx, &global_sid_Builtin, result); + status = add_aliases(&global_sid_Builtin, result); if (!NT_STATUS_IS_OK(status)) { - result = NULL; - goto done; + TALLOC_FREE(result); + return NULL; } } get_privileges_for_sids(&result->privileges, result->user_sids, result->num_sids); - - talloc_steal(mem_ctx, result); - - done: - TALLOC_FREE(tmp_ctx); return result; } @@ -1443,6 +1438,65 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } +BOOL copy_current_user(struct current_user *dst, struct current_user *src) +{ + gid_t *groups; + NT_USER_TOKEN *nt_token; + + groups = memdup(src->ut.groups, sizeof(gid_t) * src->ut.ngroups); + if ((src->ut.ngroups != 0) && (groups == NULL)) { + return False; + } + + nt_token = dup_nt_token(NULL, src->nt_user_token); + if (nt_token == NULL) { + SAFE_FREE(groups); + return False; + } + + dst->conn = src->conn; + dst->vuid = src->vuid; + dst->ut.uid = src->ut.uid; + dst->ut.gid = src->ut.gid; + dst->ut.ngroups = src->ut.ngroups; + dst->ut.groups = groups; + dst->nt_user_token = nt_token; + return True; +} + +BOOL set_current_user_guest(struct current_user *dst) +{ + gid_t *groups; + NT_USER_TOKEN *nt_token; + + groups = memdup(guest_info->groups, + sizeof(gid_t) * guest_info->n_groups); + if (groups == NULL) { + return False; + } + + nt_token = dup_nt_token(NULL, guest_info->ptok); + if (nt_token == NULL) { + SAFE_FREE(groups); + return False; + } + + TALLOC_FREE(dst->nt_user_token); + SAFE_FREE(dst->ut.groups); + + /* dst->conn is never really dereferenced, it's only tested for + * equality in uid.c */ + dst->conn = NULL; + + dst->vuid = UID_FIELD_INVALID; + dst->ut.uid = guest_info->uid; + dst->ut.gid = guest_info->gid; + dst->ut.ngroups = guest_info->n_groups; + dst->ut.groups = groups; + dst->nt_user_token = nt_token; + return True; +} + /*************************************************************************** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam -- cgit From a85395e0f5b18b9359d5785dcbe43e8f42c3448f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 15:03:46 +0000 Subject: r17010: If winbind is not around, add S-1-22-1- to the user's token. See the comment in the patch for the reason. Volker (This used to be commit 5e07ab750af3744e1ee5bfc813d5c6532aff4ecb) --- source3/auth/auth_util.c | 43 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 34 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 823bf8c322..56a3568933 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -958,23 +958,48 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->gid, &server_info->unix_name, &server_info->ptok); - + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(mem_ctx); + return status; + } } else { - server_info->ptok = create_local_nt_token( + struct nt_user_token *token; + + token = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); - status = server_info->ptok ? - NT_STATUS_OK : NT_STATUS_NO_SUCH_USER; - } - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(mem_ctx); - return status; + if (token == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + /* + * We need to add the unix user sid as not necessarily the + * unix username resolves to the domain user sid. This is an + * artifact of an incomplete lookup_name/sid implementation + * when winbind is not around. + */ + + if (!winbind_ping()) { + DOM_SID unix_user_sid; + uid_to_unix_users_sid(server_info->uid, + &unix_user_sid); + + add_sid_to_array(token, &unix_user_sid, + &token->user_sids, &token->num_sids); + if (token->user_sids == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + } + server_info->ptok = token; + status = NT_STATUS_OK; } - + /* Convert the SIDs to gids. */ server_info->n_groups = 0; -- cgit From de4492b28d6c598a9db37e389e14bdb65330e65a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 15:37:58 +0000 Subject: r17011: Back out r17010 after talking to Jerry. Another fix pending... Volker (This used to be commit 7a629118ee6f468505172147724f7f532f0f4a4f) --- source3/auth/auth_util.c | 43 +++++++++---------------------------------- 1 file changed, 9 insertions(+), 34 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 56a3568933..823bf8c322 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -958,48 +958,23 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->gid, &server_info->unix_name, &server_info->ptok); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(mem_ctx); - return status; - } + } else { - struct nt_user_token *token; - - token = create_local_nt_token( + server_info->ptok = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); - - if (token == NULL) { - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_SUCH_USER; - } - - /* - * We need to add the unix user sid as not necessarily the - * unix username resolves to the domain user sid. This is an - * artifact of an incomplete lookup_name/sid implementation - * when winbind is not around. - */ - - if (!winbind_ping()) { - DOM_SID unix_user_sid; - uid_to_unix_users_sid(server_info->uid, - &unix_user_sid); - - add_sid_to_array(token, &unix_user_sid, - &token->user_sids, &token->num_sids); - if (token->user_sids == NULL) { - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - } - server_info->ptok = token; - status = NT_STATUS_OK; + status = server_info->ptok ? + NT_STATUS_OK : NT_STATUS_NO_SUCH_USER; } + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(mem_ctx); + return status; + } + /* Convert the SIDs to gids. */ server_info->n_groups = 0; -- cgit From f8004328f41db5eec4332b2d6fc54ff91dd3a0c1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 16:28:38 +0000 Subject: r17016: Different and smaller fix for the valid users = username problem. If no winbind is around, the best we can do to get the user's token correct is to ask unix via create_token_from_username. More investigation is needed if this also fixes the +groupname for unmapped groups problems more cleanly. Volker (This used to be commit f6e3ee147ffde572532fb44b619dda01388d4a31) --- source3/auth/auth_util.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 823bf8c322..9fcaffa3d6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -950,7 +950,13 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) return NT_STATUS_NO_MEMORY; } - if (server_info->was_mapped) { + /* + * If winbind is not around, we can not make much use of the SIDs the + * domain controller provided us with. Likewise if the user name was + * mapped to some local unix user. + */ + + if ((!winbind_ping()) || (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, -- cgit From 413ec64f27bb955f477b0b6b5737ed58453acd9c Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 20:16:12 +0000 Subject: r17022: Fix the build farm -- maybe this is the real fix, testing more (This used to be commit 19d02690002a35cb6e0204db236d2b768e48c6d8) --- source3/auth/auth_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9fcaffa3d6..dfb4193357 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -956,7 +956,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - if ((!winbind_ping()) || (server_info->was_mapped)) { + if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || + (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, -- cgit From dca7d08e61ecd0f6695a05c44feb58abbc2d8826 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2006 01:49:14 +0000 Subject: r17378: Fix the issues people have been having with mapped users (username map) and failure to connect to a share. Essentially, even on a standalone system we were going into the create_token_from_username() code (I think by mistake) if the username was mapped. Fixes bug #3991. Volker & Jerry - please go over this with a very careful eye and let me know if this isn't correct (I think it is, but this isn't my code and it's a dangerous area for me to be playing in :-). Jeremy (This used to be commit 0b5b2b53ec6e4c25b5f6645451dfce4aa7ae8a61) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dfb4193357..d59c6b40cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -956,8 +956,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - (server_info->was_mapped)) { + if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && + (server_info->was_mapped || !winbind_ping())) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, -- cgit From ba5f9c4ef9b91b636157647fdd9f610cfdde97ff Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2006 19:07:12 +0000 Subject: r17388: Fix the "valid users"/token issue for now. Volker, please come in and fix it in a less ugly way once you have some time. Thanks, Jeremy. (This used to be commit 79b1e668e2ce263c84ff8fafaafb3e57b06717ab) --- source3/auth/auth_util.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d59c6b40cc..77da182f57 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -599,6 +599,14 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); + /* For a local user the real primary group sid is the result->sids[0] */ + + if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return NT_STATUS_UNSUCCESSFUL; + } + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", pdb_get_username(sampass), result->unix_name)); @@ -1089,7 +1097,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gr_sid = pdb_get_group_sid(sam_acct); if (!gr_sid) { - goto unix_user; + goto unix_group; } sid_copy(&primary_group_sid, gr_sid); @@ -1097,8 +1105,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; + DEBUGADD(1, ("Fall back to unix group %s\n", username)); + goto unix_group; } result = pdb_enum_group_memberships(tmp_ctx, sam_acct, @@ -1107,8 +1115,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("enum_group_memberships failed for %s\n", username)); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; + DEBUGADD(1, ("Fall back to unix group %s\n", username)); + goto unix_group; } *found_username = talloc_strdup(mem_ctx, @@ -1132,6 +1140,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uid_to_unix_users_sid(*uid, &user_sid); + unix_group: + pass = getpwuid_alloc(tmp_ctx, *uid); if (pass == NULL) { DEBUG(1, ("getpwuid(%d) for user %s failed\n", @@ -1316,6 +1326,14 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); + /* For a local user the real primary group sid is the result->sids[0] */ + + if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(sampass); + return NT_STATUS_UNSUCCESSFUL; + } + *server_info = result; return NT_STATUS_OK; -- cgit From 74ee62a45b4cdb32ae7291c1bdae322692bb64c2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2006 23:44:07 +0000 Subject: r17391: Revert the second part of the valid users fix - the netlogon code uses pdb_get_group_sid() which could return a S-1-1-22 unix sid. Who knew.... :-(. I'm going to test Volker's fix instead. Once 3.0.23b is out we *have* to rip out the pdb_set_group_sid() code.... Jeremy. (This used to be commit 65003e1b251b4762cef2b3cdcc895269f9319eb8) --- source3/auth/auth_util.c | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 77da182f57..d59c6b40cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -599,14 +599,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); - /* For a local user the real primary group sid is the result->sids[0] */ - - if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { - result->sam_account = NULL; /* Don't free on error exit. */ - TALLOC_FREE(result); - return NT_STATUS_UNSUCCESSFUL; - } - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", pdb_get_username(sampass), result->unix_name)); @@ -1097,7 +1089,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gr_sid = pdb_get_group_sid(sam_acct); if (!gr_sid) { - goto unix_group; + goto unix_user; } sid_copy(&primary_group_sid, gr_sid); @@ -1105,8 +1097,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix group %s\n", username)); - goto unix_group; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } result = pdb_enum_group_memberships(tmp_ctx, sam_acct, @@ -1115,8 +1107,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("enum_group_memberships failed for %s\n", username)); - DEBUGADD(1, ("Fall back to unix group %s\n", username)); - goto unix_group; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } *found_username = talloc_strdup(mem_ctx, @@ -1140,8 +1132,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uid_to_unix_users_sid(*uid, &user_sid); - unix_group: - pass = getpwuid_alloc(tmp_ctx, *uid); if (pass == NULL) { DEBUG(1, ("getpwuid(%d) for user %s failed\n", @@ -1326,14 +1316,6 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); - /* For a local user the real primary group sid is the result->sids[0] */ - - if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { - result->sam_account = NULL; /* Don't free on error exit. */ - TALLOC_FREE(sampass); - return NT_STATUS_UNSUCCESSFUL; - } - *server_info = result; return NT_STATUS_OK; -- cgit From 87b2b16cbf211675a23c4f4282f026098d7334ed Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2006 00:00:15 +0000 Subject: r17392: Commit Volker's fix for the valid users problem. Let's look at the build farm now... :-). Jeremy. (This used to be commit 6d822b85676f033a1a2e422e2d5ac92aaf566aef) --- source3/auth/auth_util.c | 52 ++++++++++++++++++++---------------------------- 1 file changed, 22 insertions(+), 30 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d59c6b40cc..89792bca94 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -29,7 +29,6 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - const DOM_SID *group_sid, BOOL is_guest, int num_groupsids, const DOM_SID *groupsids); @@ -509,7 +508,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) uid_to_sid(&u_sid, pw->pw_uid); gid_to_sid(&g_sid, pw->pw_gid); - token = create_local_nt_token(NULL, &u_sid, &g_sid, False, + token = create_local_nt_token(NULL, &u_sid, False, 1, &global_sid_Builtin_Administrators); return token; } @@ -811,7 +810,6 @@ static NTSTATUS create_builtin_administrators( void ) static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - const DOM_SID *group_sid, BOOL is_guest, int num_groupsids, const DOM_SID *groupsids) @@ -830,7 +828,9 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); - add_sid_to_array(result, group_sid, + + SMB_ASSERT(num_groupsids > 0); + add_sid_to_array(result, &groupsids[0], &result->user_sids, &result->num_sids); /* Add in BUILTIN sids */ @@ -850,9 +850,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending - * on who authenticated the user. */ + * on who authenticated the user. + * Note that we start the for loop at "1" here, we already added the + * first group sid as primary above. */ - for (i=0; iuser_sids, &result->num_sids); } @@ -956,8 +958,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && - (server_info->was_mapped || !winbind_ping())) { + if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || + (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, @@ -970,7 +972,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->ptok = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), - pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); status = server_info->ptok ? @@ -1073,7 +1074,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ struct samu *sam_acct = NULL; - const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { result = NT_STATUS_NO_MEMORY; @@ -1087,20 +1087,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - gr_sid = pdb_get_group_sid(sam_acct); - if (!gr_sid) { - goto unix_user; - } - - sid_copy(&primary_group_sid, gr_sid); - - if (!sid_to_gid(&primary_group_sid, gid)) { - DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; - } - result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); @@ -1111,6 +1097,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } + /* see the smb_panic() in pdb_default_enum_group_memberships */ + SMB_ASSERT(num_group_sids > 0); + + *gid = gids[0]; *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); @@ -1139,9 +1129,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - *gid = pass->pw_gid; - gid_to_sid(&primary_group_sid, pass->pw_gid); - if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, &gids, &num_group_sids)) { DEBUG(1, ("getgroups_unix_user for user %s failed\n", @@ -1159,6 +1146,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, for (i=0; i 0); + + *gid = gids[0]; *found_username = talloc_strdup(mem_ctx, pass->pw_name); } else { @@ -1182,13 +1174,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - num_group_sids = 0; - group_sids = NULL; + num_group_sids = 1; + group_sids = &primary_group_sid; *found_username = talloc_strdup(mem_ctx, username); } - *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid, + *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); if ((*token == NULL) || (*found_username == NULL)) { -- cgit From 49051067785befb4e549248084f583bdcdc191da Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2006 01:09:57 +0000 Subject: r17393: Remove Volker's ASSERT that num_groupsids > 0. For guest connection they may well be zero. This should fix up the buildfarm (fingers crossed). Jeremy. (This used to be commit 16ebccbc5889c3b4c1a20bf3453bd523ddf6f5b0) --- source3/auth/auth_util.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 89792bca94..b7d3fdfcbd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -829,9 +829,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); - SMB_ASSERT(num_groupsids > 0); - add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids); + /* For guest, num_groupsids may be zero. */ + if (num_groupsids) { + add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids); + } /* Add in BUILTIN sids */ -- cgit From 749c8d587c50a8761e6c9a86c2cdafb7a7fc537d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 4 Aug 2006 12:15:53 +0000 Subject: r17399: Some C++ warnings (This used to be commit d12b08fc619f7b566ef5c4cc7294174e887014fe) --- source3/auth/auth_util.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b7d3fdfcbd..90ec3ecaab 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1382,8 +1382,8 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) dst->gid = src->gid; dst->n_groups = src->n_groups; if (src->n_groups != 0) { - dst->groups = talloc_memdup(dst, src->groups, - sizeof(gid_t)*dst->n_groups); + dst->groups = (gid_t *)talloc_memdup( + dst, src->groups, sizeof(gid_t)*dst->n_groups); } else { dst->groups = NULL; } @@ -1444,7 +1444,8 @@ BOOL copy_current_user(struct current_user *dst, struct current_user *src) gid_t *groups; NT_USER_TOKEN *nt_token; - groups = memdup(src->ut.groups, sizeof(gid_t) * src->ut.ngroups); + groups = (gid_t *)memdup(src->ut.groups, + sizeof(gid_t) * src->ut.ngroups); if ((src->ut.ngroups != 0) && (groups == NULL)) { return False; } @@ -1470,8 +1471,8 @@ BOOL set_current_user_guest(struct current_user *dst) gid_t *groups; NT_USER_TOKEN *nt_token; - groups = memdup(guest_info->groups, - sizeof(gid_t) * guest_info->n_groups); + groups = (gid_t *)memdup(guest_info->groups, + sizeof(gid_t) * guest_info->n_groups); if (groups == NULL) { return False; } @@ -1937,8 +1938,8 @@ NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) return NULL; } - token->user_sids = talloc_memdup(token, ptoken->user_sids, - sizeof(DOM_SID) * ptoken->num_sids ); + token->user_sids = (DOM_SID *)talloc_memdup( + token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { DEBUG(0, ("talloc_memdup failed\n")); -- cgit From f8aa1c75f4961739863928392c8870c9c9a019d8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2006 20:35:52 +0000 Subject: r17402: Added lookup_name_smbconf() to be called when looking up names from smb.conf. If the name is unqualified it causes the lookup to be done in WORKGROUP\name, then "Unix [users|groups]"\name rather than searching the domain. Should fix the problems with "force user" selecting a domain user by preference. Jeremy. (This used to be commit 1e1fcb5eb2ac4bd360461b29f85c07dbf460025d) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 90ec3ecaab..45b3bcccef 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1053,9 +1053,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, return NT_STATUS_NO_MEMORY; } - if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL, + if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL, NULL, NULL, &user_sid, &type)) { - DEBUG(1, ("lookup_name for %s failed\n", username)); + DEBUG(1, ("lookup_name_smbconf for %s failed\n", username)); goto done; } -- cgit From b29915d6113264bdce243005d29a1af9a8b69bde Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 16 Aug 2006 17:14:16 +0000 Subject: r17571: Change the return code of cli_session_setup from BOOL to NTSTATUS Volker (This used to be commit 94817a8ef53589011bc4ead4e17807a101acf5c9) --- source3/auth/auth_server.c | 55 +++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 28 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 6e4dba0be2..7ffea1ca11 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -120,8 +120,8 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) this one... */ - if (!cli_session_setup(cli, "", "", 0, "", 0, - "")) { + if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0, + ""))) { DEBUG(0,("%s rejected the initial session setup (%s)\n", desthost, cli_errstr(cli))); release_server_mutex(); @@ -241,7 +241,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context return nt_status; } - cli = my_private_data; + cli = (struct cli_state *)my_private_data; if (cli) { } else { @@ -296,8 +296,12 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context */ if ((!tested_password_server) && (lp_paranoid_server_security())) { - if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), - (char *)badpass, sizeof(badpass), user_info->domain)) { + if (NT_STATUS_IS_OK(cli_session_setup(cli, baduser, + (char *)badpass, + sizeof(badpass), + (char *)badpass, + sizeof(badpass), + user_info->domain))) { /* * We connected to the password server so we @@ -343,30 +347,25 @@ use this machine as the password server.\n")); if (!user_info->encrypted) { /* Plaintext available */ - if (!cli_session_setup(cli, user_info->smb_name, - (char *)user_info->plaintext_password.data, - user_info->plaintext_password.length, - NULL, 0, - user_info->domain)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - /* Make this cli_nt_error() when the conversion is in */ - nt_status = cli_nt_error(cli); - } else { - nt_status = NT_STATUS_OK; - } + nt_status = cli_session_setup( + cli, user_info->smb_name, + (char *)user_info->plaintext_password.data, + user_info->plaintext_password.length, + NULL, 0, user_info->domain); + } else { - if (!cli_session_setup(cli, user_info->smb_name, - (char *)user_info->lm_resp.data, - user_info->lm_resp.length, - (char *)user_info->nt_resp.data, - user_info->nt_resp.length, - user_info->domain)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - /* Make this cli_nt_error() when the conversion is in */ - nt_status = cli_nt_error(cli); - } else { - nt_status = NT_STATUS_OK; - } + nt_status = cli_session_setup( + cli, user_info->smb_name, + (char *)user_info->lm_resp.data, + user_info->lm_resp.length, + (char *)user_info->nt_resp.data, + user_info->nt_resp.length, + user_info->domain); + } + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1,("password server %s rejected the password: %s\n", + cli->desthost, nt_errstr(nt_status))); } /* if logged in as guest then reject */ -- cgit From 097bd537adfda839705a9b8c1aa821c6e3e025a3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 16 Aug 2006 17:43:13 +0000 Subject: r17573: Fix typo (This used to be commit fd6e3f133b267a9506699d1c2934a153dd732df2) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 26b45c5ff8..6631b277dc 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -511,7 +511,7 @@ static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user) pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK); switch( pam_error ){ case PAM_AUTH_ERR: - DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user)); + DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user)); break; case PAM_CRED_INSUFFICIENT: DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user)); -- cgit From 0691ed55cade8093213db38555edb536ee0c557d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 17 Aug 2006 11:54:23 +0000 Subject: r17584: Some C++ Warnings (This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497) --- source3/auth/auth_script.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index ec7264924c..70c906d942 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -69,7 +69,7 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co 48 + 1 + /* 24 bytes of challenge going to 48 */ 48 + 1; - secret_str = malloc(secret_str_len); + secret_str = (char *)malloc(secret_str_len); if (!secret_str) { return NT_STATUS_NO_MEMORY; } -- cgit From f852fdbe06ec9f19424d6870cba9b1872a0d5d7a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Aug 2006 17:55:06 +0000 Subject: r17626: Some C++ Warnings (This used to be commit 09e7c010f03ac3c621f7a7fad44685d278c1481a) --- source3/auth/auth_ntlmssp.c | 12 ++++++++---- source3/auth/auth_winbind.c | 5 +++-- 2 files changed, 11 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 6cf987a48b..51b145a760 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -30,7 +30,8 @@ static const uint8 *auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state) { - AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = + (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; return auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context); } @@ -41,7 +42,8 @@ static const uint8 *auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlms */ static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) { - AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = + (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; struct auth_context *auth_context = auth_ntlmssp_state->auth_context; return auth_context->challenge_may_be_modified; @@ -53,7 +55,8 @@ static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_s */ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) { - AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = + (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; struct auth_context *auth_context = auth_ntlmssp_state->auth_context; SMB_ASSERT(challenge->length == 8); @@ -77,7 +80,8 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { - AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context; + AUTH_NTLMSSP_STATE *auth_ntlmssp_state = + (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; auth_usersupplied_info *user_info = NULL; NTSTATUS nt_status; BOOL username_was_mapped; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index d8ac348d04..835e0b4b25 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -32,7 +32,7 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response size_t len = response->length - sizeof(struct winbindd_response); prs_struct ps; if (len > 0) { - info3_ndr = response->extra_data.data; + info3_ndr = (uint8 *)response->extra_data.data; if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { return NT_STATUS_NO_MEMORY; } @@ -112,7 +112,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { - struct auth_methods *auth_method = my_private_data; + struct auth_methods *auth_method = + (struct auth_methods *)my_private_data; if ( auth_method ) return auth_method->auth(auth_context, auth_method->private_data, -- cgit From 21e35f8e73a5d63e17486b286827a06a6029afbe Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Aug 2006 16:01:24 +0000 Subject: r17710: Thanks to Thomas Bork for testing and continued feedback on this. Comments from the patch: /* Add the "Unix Group" SID for each gid to catch mapped groups and their Unix equivalent. This is to solve the backwards compatibility problem of 'valid users = +ntadmin' where ntadmin has been paired with "Domain Admins" in the group mapping table. Otherwise smb.conf would need to be changed to 'valid user = "Domain Admins"'. --jerry */ (This used to be commit 3848199287c5829aef66d0dee38a79056fe1ff5c) --- source3/auth/auth_util.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 45b3bcccef..7ba1bea955 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -562,6 +562,10 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, struct passwd *pwd; gid_t *gids; auth_serversupplied_info *result; + int i; + size_t num_gids; + DOM_SID unix_group_sid; + if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", @@ -592,10 +596,29 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, TALLOC_FREE(result); return status; } + + /* Add the "Unix Group" SID for each gid to catch mapped groups + and their Unix equivalent. This is to solve the backwards + compatibility problem of 'valid users = +ntadmin' where + ntadmin has been paired with "Domain Admins" in the group + mapping table. Otherwise smb.conf would need to be changed + to 'valid user = "Domain Admins"'. --jerry */ + + num_gids = result->num_sids; + for ( i=0; isids, &result->num_sids ); + } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ + TALLOC_FREE(gids); DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", @@ -873,7 +896,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -900,7 +923,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); /* don't fail, just log the message */ } unbecome_root(); -- cgit From 049fcc8dd54a5fc93b27f84366880cc308a12ca6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Aug 2006 02:45:45 +0000 Subject: r17736: Apply the Unix group patch when creating the token for a username map. (This used to be commit 0298a3466bc6c5e322db7dac386e4e5eef0e2702) --- source3/auth/auth_util.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7ba1bea955..2c20beb33c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1068,7 +1068,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gid_t *gids; DOM_SID primary_group_sid; DOM_SID *group_sids; + DOM_SID unix_group_sid; size_t num_group_sids; + size_t num_gids; + size_t i; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -1135,7 +1138,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, * directly, without consulting passdb */ struct passwd *pass; - size_t i; /* * This goto target is used as a fallback for the passdb @@ -1205,6 +1207,31 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, *found_username = talloc_strdup(mem_ctx, username); } + /* Add the "Unix Group" SID for each gid to catch mapped groups + and their Unix equivalent. This is to solve the backwards + compatibility problem of 'valid users = +ntadmin' where + ntadmin has been paired with "Domain Admins" in the group + mapping table. Otherwise smb.conf would need to be changed + to 'valid user = "Domain Admins"'. --jerry */ + + num_gids = num_group_sids; + for ( i=0; i= low) && (gids[i] <= high) ) + continue; + + if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) { + DEBUG(1,("create_token_from_username: Failed to create SID " + "for gid %d!\n", gids[i])); + continue; + } + add_sid_to_array_unique( mem_ctx, &unix_group_sid, + &group_sids, &num_group_sids ); + } + *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); -- cgit From 9ab430ac4b9555206c25d04cddd57283397dd529 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 28 Aug 2006 05:22:10 +0000 Subject: r17875: Fix (rather theoretical, but still...) null deref found by Stanford checker. Jeremy. (This used to be commit 45d77ae12235e6b39cc30845d69ac3777d3eefd0) --- source3/auth/auth_util.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2c20beb33c..26d1eb710f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1988,16 +1988,19 @@ NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) return NULL; } - token->user_sids = (DOM_SID *)talloc_memdup( - token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); + ZERO_STRUCTP(token); - if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { - DEBUG(0, ("talloc_memdup failed\n")); - TALLOC_FREE(token); - return NULL; - } + if (ptoken->user_sids && ptoken->num_sids) { + token->user_sids = (DOM_SID *)talloc_memdup( + token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - token->num_sids = ptoken->num_sids; + if (token->user_sids == NULL) { + DEBUG(0, ("talloc_memdup failed\n")); + TALLOC_FREE(token); + return NULL; + } + token->num_sids = ptoken->num_sids; + } /* copy the privileges; don't consider failure to be critical here */ -- cgit From 3bc4fd1bb9bfbd0e0efd89d47c50bf798e5a1481 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 29 Aug 2006 19:14:25 +0000 Subject: r17924: Get rid of warnings now that talloc is merged. Destructors now take a pointer to the "real" destroyed object as an argument. Volker (This used to be commit 70edd716ef0ccb218fe18d1233bd30abe46b62bf) --- source3/auth/auth_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 26d1eb710f..c2f32f4f95 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -513,11 +513,8 @@ NT_USER_TOKEN *get_root_nt_token( void ) return token; } -static int server_info_dtor(void *p) +static int server_info_dtor(auth_serversupplied_info *server_info) { - auth_serversupplied_info *server_info = - talloc_get_type_abort(p, auth_serversupplied_info); - if (server_info->sam_account != NULL) { TALLOC_FREE(server_info->sam_account); } -- cgit From 6655e1e997fa96408ce257f1c96773db4551f69f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 4 Sep 2006 09:51:47 +0000 Subject: r18029: More C++ stuff (This used to be commit 089b51e28cc5e3674e4edf5464c7a15673c5ec0f) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c2f32f4f95..1ab9d2a49e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1374,7 +1374,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf struct samu *sampass = NULL; DOM_SID guest_sid; BOOL ret; - static const char zeros[16]; + static const char zeros[16] = { 0, }; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1691,7 +1691,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { - static const char zeros[16]; + static const char zeros[16] = { 0, }; NTSTATUS nt_status = NT_STATUS_OK; char *found_username; -- cgit From 2b27c93a9a8471693d7dcb5fdbe8afe65b22ff66 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Sep 2006 14:28:06 +0000 Subject: r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1ab9d2a49e..fd857a2806 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -781,7 +781,7 @@ static NTSTATUS create_builtin_administrators( void ) NTSTATUS status; DOM_SID dom_admins, root_sid; fstring root_name; - enum SID_NAME_USE type; + enum lsa_SidType type; TALLOC_CTX *ctx; BOOL ret; @@ -1061,7 +1061,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, NTSTATUS result = NT_STATUS_NO_SUCH_USER; TALLOC_CTX *tmp_ctx; DOM_SID user_sid; - enum SID_NAME_USE type; + enum lsa_SidType type; gid_t *gids; DOM_SID primary_group_sid; DOM_SID *group_sids; -- cgit From 258a465e20e007a30043220367d17ecfc87b4f90 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 18 Sep 2006 07:52:16 +0000 Subject: r18605: sync dlinklist.h with samba4, that means DLIST_ADD_END() and DLIST_DEMOTE() now take the type of the tmp pointer not the tmp pointer itself anymore. metze (This used to be commit 2f58645b7094e81dff3734f11aa183ea2ab53d2d) --- source3/auth/auth.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 139ba5482b..0b868b265e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -432,7 +432,6 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, { auth_methods *list = NULL; auth_methods *t = NULL; - auth_methods *tmp; NTSTATUS nt_status; if (!text_list) { @@ -445,7 +444,7 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, for (;*text_list; text_list++) { if (load_auth_module(*auth_context, *text_list, &t)) { - DLIST_ADD_END(list, t, tmp); + DLIST_ADD_END(list, t, auth_methods *); } } -- cgit From 4646147a399d6fd7a452f5c16dd18afa97697aca Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 18 Sep 2006 18:28:56 +0000 Subject: r18616: fix breakage after DLIST_ADD_END() changes for --with-pam (This used to be commit 5c00b5497b7b2bb345429893d247cbb6bb0f4e20) --- source3/auth/pampass.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 6631b277dc..ba11d2e8fc 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -208,7 +208,6 @@ static struct chat_struct *make_pw_chat(const char *p) fstring reply; struct chat_struct *list = NULL; struct chat_struct *t; - struct chat_struct *tmp; while (1) { t = SMB_MALLOC_P(struct chat_struct); @@ -219,7 +218,7 @@ static struct chat_struct *make_pw_chat(const char *p) ZERO_STRUCTP(t); - DLIST_ADD_END(list, t, tmp); + DLIST_ADD_END(list, t, struct chat_struct*); if (!next_token(&p, prompt, NULL, sizeof(fstring))) break; -- cgit From 72e9a5d9e658514568586fb6e7ec4a8e479bf8ad Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 19 Sep 2006 01:25:52 +0000 Subject: r18665: Remove two type-punned warnings (This used to be commit 157b2c0c262dc9b9ae2a8a3133479e66e6c8db07) --- source3/auth/auth_script.c | 5 +++-- source3/auth/auth_winbind.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 70c906d942..3d007b7730 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -132,10 +132,11 @@ static NTSTATUS auth_init_script(struct auth_context *auth_context, const char * if (param && *param) { /* we load the 'fallback' module - if script isn't here, call this module */ - if (!load_auth_module(auth_context, param, (auth_methods **)&(*auth_method)->private_data)) { + auth_methods *priv; + if (!load_auth_module(auth_context, param, &priv)) { return NT_STATUS_UNSUCCESSFUL; } - + (*auth_method)->private_data = (void *)priv; } return NT_STATUS_OK; } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 835e0b4b25..fa56757950 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -158,10 +158,11 @@ static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char if (param && *param) { /* we load the 'fallback' module - if winbind isn't here, call this module */ - if (!load_auth_module(auth_context, param, (auth_methods **)&(*auth_method)->private_data)) { + auth_methods *priv; + if (!load_auth_module(auth_context, param, &priv)) { return NT_STATUS_UNSUCCESSFUL; } - + (*auth_method)->private_data = (void *)priv; } return NT_STATUS_OK; } -- cgit From 2b7d1fc7797e3124e3f6e5d579bfc275141f6000 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 29 Sep 2006 21:26:33 +0000 Subject: r19008: Fix a segfault (This used to be commit adfc82f0e6b12f8ccfe00f3ff49a089a4c936239) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fd857a2806..7d6effebc4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1200,6 +1200,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, num_group_sids = 1; group_sids = &primary_group_sid; + gids = gid; *found_username = talloc_strdup(mem_ctx, username); } -- cgit From dc1f0804dd8177d3c3a0b2db993855d5679e9565 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 3 Oct 2006 17:14:18 +0000 Subject: r19058: Implement "user cannot change password", and complete "user must change password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index ec405dd2be..847315ef88 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -168,7 +168,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, time_t last_set_time = pdb_get_pass_last_set_time(sampass); /* check for immediate expiry "must change at next logon" */ - if (must_change_time == 0 && last_set_time != 0) { + if (last_set_time == 0) { DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass))); return NT_STATUS_PASSWORD_MUST_CHANGE; } -- cgit From 5e48602456f50cc3e261acfb005e6ee28231f64c Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 18 Nov 2006 17:05:50 +0000 Subject: r19773: TALLOC_FREE checks for NULL itself (This used to be commit fb3983ae1fdd1935333ffee80bceb747228ac0f3) --- source3/auth/auth_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d6effebc4..82a13fd9e7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -515,10 +515,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) static int server_info_dtor(auth_serversupplied_info *server_info) { - if (server_info->sam_account != NULL) { - TALLOC_FREE(server_info->sam_account); - } - + TALLOC_FREE(server_info->sam_account); ZERO_STRUCTP(server_info); return 0; } -- cgit From cb0402c2d3941a813e33b2b5e07c54b9ff644ca4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 1 Dec 2006 15:06:34 +0000 Subject: r19980: Implement pam account stack checks when obey pam restrictions is true. It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82) --- source3/auth/auth_domain.c | 11 +++++++++++ source3/auth/auth_server.c | 10 +++++++++- source3/auth/auth_unix.c | 9 ++++++++- source3/auth/auth_util.c | 2 +- 4 files changed, 29 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8ad6329da9..6468c18cb0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -269,6 +269,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(nt_status)) { (*server_info)->was_mapped |= user_info->was_mapped; + + if ( ! (*server_info)->guest) { + /* if a real user check pam account restrictions */ + /* only really perfomed if "obey pam restriction" is true */ + nt_status = smb_pam_accountcheck((*server_info)->unix_name); + if ( !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("PAM account restriction prevents user login\n")); + cli_shutdown(cli); + return nt_status; + } + } } netsamlogon_cache_store( user_info->smb_name, &info3 ); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7ffea1ca11..8a8ecfa575 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -383,7 +383,15 @@ use this machine as the password server.\n")); if ( (pass = smb_getpwnam( NULL, user_info->internal_username, real_username, True )) != NULL ) { - nt_status = make_server_info_pw(server_info, pass->pw_name, pass); + /* if a real user check pam account restrictions */ + /* only really perfomed if "obey pam restriction" is true */ + nt_status = smb_pam_accountcheck(pass->pw_name); + if ( !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("PAM account restriction prevents user login\n")); + } else { + + nt_status = make_server_info_pw(server_info, pass->pw_name, pass); + } TALLOC_FREE(pass); } else diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index efe5203b23..837c932365 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -110,7 +110,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { if (pass) { - make_server_info_pw(server_info, pass->pw_name, pass); + /* if a real user check pam account restrictions */ + /* only really perfomed if "obey pam restriction" is true */ + nt_status = smb_pam_accountcheck(pass->pw_name); + if ( !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("PAM account restriction prevents user login\n")); + } else { + make_server_info_pw(server_info, pass->pw_name, pass); + } } else { /* we need to do somthing more useful here */ nt_status = NT_STATUS_NO_SUCH_USER; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 82a13fd9e7..357ca5f626 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -496,7 +496,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) if ( token ) return token; - + if ( !(pw = sys_getpwnam( "root" )) ) { DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); return NULL; -- cgit From ecf90c495eb850cd6f376fb4e090640b69f0c029 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 1 Dec 2006 20:01:09 +0000 Subject: r19991: Sorry for this 2000-liner... The main thing here is a rewrite of srv_winreg_nt.c. The core functionality has moved to registry/reg_api.c which is then usable by the rest of Samba as well. On that way it fixes creating keys with more than one element in the path. This did not work before. Two things that sneaked in (sorry :-) is the change of some routines from NTSTATUS to WERROR the removed "parent" argument to regkey_open_internal. Volker (This used to be commit fea52801de8c7b85c578d200c599475680c5339f) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 357ca5f626..e066ba279c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1970,7 +1970,7 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me Duplicate a SID token. ****************************************************************************/ -NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) +NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken) { NT_USER_TOKEN *token; -- cgit From 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Dec 2006 02:58:18 +0000 Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24) --- source3/auth/auth_util.c | 117 +++++++++++++++++++++++++++++++---------------- 1 file changed, 77 insertions(+), 40 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e066ba279c..7e65121b2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -605,8 +605,12 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, "for gid %d!\n", gids[i])); continue; } - add_sid_to_array_unique( result, &unix_group_sid, - &result->sids, &result->num_sids ); + if (!add_sid_to_array_unique( result, &unix_group_sid, + &result->sids, &result->num_sids )) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } /* For now we throw away the gids and convert via sid_to_gid @@ -657,10 +661,9 @@ static NTSTATUS add_aliases(const DOM_SID *domain_sid, for (i=0; iuser_sids, - &token->num_sids); - if (token->user_sids == NULL) { + &token->num_sids)) { DEBUG(0, ("add_sid_to_array failed\n")); TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; @@ -733,8 +736,10 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) /* Add Administrators if the user beloongs to Domain Admins */ if ( nt_token_check_sid( &domadm, token ) ) { - add_sid_to_array(token, &global_sid_Builtin_Administrators, - &token->user_sids, &token->num_sids); + if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids)) { + return NT_STATUS_NO_MEMORY; + } } return NT_STATUS_OK; @@ -843,28 +848,40 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Add the user and primary group sid */ - add_sid_to_array(result, user_sid, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids)) { + return NULL; + } /* For guest, num_groupsids may be zero. */ if (num_groupsids) { - add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Add in BUILTIN sids */ - add_sid_to_array(result, &global_sid_World, - &result->user_sids, &result->num_sids); - add_sid_to_array(result, &global_sid_Network, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids)) { + return NULL; + } + if (!add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids)) { + return NULL; + } if (is_guest) { - add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, &result->num_sids)) { + return NULL; + } } else { - add_sid_to_array(result, &global_sid_Authenticated_Users, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_Authenticated_Users, + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Now the SIDs we got from authentication. These are the ones from @@ -874,8 +891,10 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, * first group sid as primary above. */ for (i=1; iuser_sids, &result->num_sids); + if (!add_sid_to_array_unique(result, &groupsids[i], + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Deal with the BUILTIN\Administrators group. If the SID can @@ -1018,8 +1037,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) "ignoring it\n", sid_string_static(sid))); continue; } - add_gid_to_array_unique(server_info, gid, &server_info->groups, - &server_info->n_groups); + if (!add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups)) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } } debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); @@ -1060,7 +1082,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, DOM_SID user_sid; enum lsa_SidType type; gid_t *gids; - DOM_SID primary_group_sid; DOM_SID *group_sids; DOM_SID unix_group_sid; size_t num_group_sids; @@ -1109,7 +1130,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - result = pdb_enum_group_memberships(tmp_ctx, sam_acct, + result = pdb_enum_group_memberships(mem_ctx, sam_acct, &group_sids, &gids, &num_group_sids); if (!NT_STATUS_IS_OK(result)) { @@ -1157,7 +1178,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + /* group_sids can be realloced - must be done on mem_ctx not tmp_ctx. */ + group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1185,18 +1207,24 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; - sid_copy(&primary_group_sid, &user_sid); - sid_split_rid(&primary_group_sid, &dummy); - sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS); + num_group_sids = 1; + group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + + sid_copy(&group_sids[0], &user_sid); + sid_split_rid(&group_sids[0], &dummy); + sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS); - if (!sid_to_gid(&primary_group_sid, gid)) { + if (!sid_to_gid(&group_sids[0], gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&primary_group_sid))); + sid_string_static(&group_sids[0]))); goto done; } - num_group_sids = 1; - group_sids = &primary_group_sid; gids = gid; *found_username = talloc_strdup(mem_ctx, username); @@ -1223,8 +1251,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - add_sid_to_array_unique( mem_ctx, &unix_group_sid, - &group_sids, &num_group_sids ); + if (!add_sid_to_array_unique( mem_ctx, &unix_group_sid, + &group_sids, &num_group_sids )) { + result = NT_STATUS_NO_MEMORY; + goto done; + } } *token = create_local_nt_token(mem_ctx, &user_sid, @@ -1869,8 +1900,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, TALLOC_FREE(result); return NT_STATUS_INVALID_PARAMETER; } - add_sid_to_array(result, &sid, &result->sids, - &result->num_sids); + if (!add_sid_to_array(result, &sid, &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } /* Copy 'other' sids. We need to do sid filtering here to @@ -1880,9 +1914,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->num_other_sids; i++) { - add_sid_to_array(result, &info3->other_sids[i].sid, - &result->sids, - &result->num_sids); + if (!add_sid_to_array(result, &info3->other_sids[i].sid, + &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } result->login_server = unistr2_tdup(result, -- cgit From 25d6eaae8d0d885add7e64b96df7a489328c6b0f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 10 Dec 2006 05:23:47 +0000 Subject: r20098: Properly fix issues with create_token_from_username() reported by James. Ensure that this function allocates everything on the temporary context except the return memory. Never call this with a null mem context, and now use conn->mem_ctx instead in smbd/service.c. Remove separate free functions for conn->ngroups and conn->nt_user_token as they are now always talloc'ed off the conn->mem_ctx. Future optimization will be to remove conn->mem_ctx and make all objects pointed to in the conn struct talloc'ed off conn itself. Easy to free then :-). Jeremy. (This used to be commit f83b6de44f1058811ff94ac72a8a71bd8e49e4e8) --- source3/auth/auth_util.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7e65121b2d..870dc9b5d0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1130,7 +1130,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - result = pdb_enum_group_memberships(mem_ctx, sam_acct, + result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); if (!NT_STATUS_IS_OK(result)) { @@ -1144,6 +1144,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, SMB_ASSERT(num_group_sids > 0); *gid = gids[0]; + + /* Ensure we're returning the found_username on the right context. */ *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); @@ -1178,8 +1180,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - /* group_sids can be realloced - must be done on mem_ctx not tmp_ctx. */ - group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1194,8 +1195,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, SMB_ASSERT(num_group_sids > 0); *gid = gids[0]; - *found_username = talloc_strdup(mem_ctx, pass->pw_name); + /* Ensure we're returning the found_username on the right context. */ + *found_username = talloc_strdup(mem_ctx, pass->pw_name); } else { /* This user is from winbind, force the primary gid to the @@ -1208,7 +1210,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; num_group_sids = 1; - group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1227,6 +1229,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gids = gid; + /* Ensure we're returning the found_username on the right context. */ *found_username = talloc_strdup(mem_ctx, username); } @@ -1251,13 +1254,14 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - if (!add_sid_to_array_unique( mem_ctx, &unix_group_sid, + if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid, &group_sids, &num_group_sids )) { result = NT_STATUS_NO_MEMORY; goto done; } } + /* Ensure we're creating the nt_token on the right context. */ *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); @@ -1278,6 +1282,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, Expensive helper function to figure out whether a user given its name is member of a particular group. ***************************************************************************/ + BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) { NTSTATUS status; -- cgit From 4225f9a4bd5eece4d57820bbabb7b882610aa7cc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 12 Dec 2006 14:52:13 +0000 Subject: r20116: Start merging in the work done to create the new idmap subsystem. Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b) --- source3/auth/auth_util.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 870dc9b5d0..709d77bb36 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -841,6 +841,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, NTSTATUS status; gid_t gid; + DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid))); + if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { DEBUG(0, ("talloc failed\n")); return NULL; @@ -980,6 +982,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, NTSTATUS create_local_token(auth_serversupplied_info *server_info) { TALLOC_CTX *mem_ctx; + struct id_map *ids; NTSTATUS status; size_t i; @@ -1027,23 +1030,33 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->groups = NULL; /* Start at index 1, where the groups start. */ + ids = talloc_zero_array(mem_ctx, struct id_map, server_info->ptok->num_sids); + for (i = 0; i < server_info->ptok->num_sids-1; i++) { + ids[i].sid = &server_info->ptok->user_sids[i + 1]; /* store the sids */ + } - for (i=1; iptok->num_sids; i++) { - gid_t gid; - DOM_SID *sid = &server_info->ptok->user_sids[i]; + if (!winbind_sids_to_unixids(ids, server_info->ptok->num_sids-1)) { + DEBUG(2, ("Query to map secondary SIDs failed!\n")); + } - if (!sid_to_gid(sid, &gid)) { + for (i = 0; i < server_info->ptok->num_sids-1; i++) { + if ( ! ids[i].mapped) { DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(sid))); + "ignoring it\n", sid_string_static(ids[i].sid))); continue; } - if (!add_gid_to_array_unique(server_info, gid, &server_info->groups, + if ( ! ids[i].xid.type == ID_TYPE_UID) { + DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " + "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); + continue; + } + if (!add_gid_to_array_unique(server_info, (gid_t)ids[i].xid.id, &server_info->groups, &server_info->n_groups)) { TALLOC_FREE(mem_ctx); return NT_STATUS_NO_MEMORY; } } - + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); status = log_nt_token(mem_ctx, server_info->ptok); -- cgit From 35a3773a6df72fc4031b90fb94010193966dbdc0 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 14 Dec 2006 15:30:54 +0000 Subject: r20169: Support for fallback to legacy mapping code was not completely tested. Add necessary fixes. (This used to be commit 4a81ee9608d45f95eaaccc78a080e717cb7d4682) --- source3/auth/auth_util.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 709d77bb36..c1f58cfecd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -984,6 +984,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) TALLOC_CTX *mem_ctx; struct id_map *ids; NTSTATUS status; + BOOL wb = True; size_t i; @@ -1037,20 +1038,33 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) if (!winbind_sids_to_unixids(ids, server_info->ptok->num_sids-1)) { DEBUG(2, ("Query to map secondary SIDs failed!\n")); + if (!winbind_ping()) { + DEBUG(2, ("Winbindd is not running, will try to map SIDs one by one with legacy code\n")); + wb = False; + } } for (i = 0; i < server_info->ptok->num_sids-1; i++) { - if ( ! ids[i].mapped) { - DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(ids[i].sid))); - continue; - } - if ( ! ids[i].xid.type == ID_TYPE_UID) { - DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " - "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); - continue; + gid_t agid; + + if (wb) { + if ( ! ids[i].mapped) { + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", sid_string_static(ids[i].sid))); + continue; + } + if (ids[i].xid.type == ID_TYPE_UID) { + DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " + "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); + continue; + } + agid = (gid_t)ids[i].xid.id; + } else { + if (! sid_to_gid(ids[i].sid, &agid)) { + continue; + } } - if (!add_gid_to_array_unique(server_info, (gid_t)ids[i].xid.id, &server_info->groups, + if (!add_gid_to_array_unique(server_info, agid, &server_info->groups, &server_info->n_groups)) { TALLOC_FREE(mem_ctx); return NT_STATUS_NO_MEMORY; -- cgit From 5bb49b08f3d79ef9ee17dbbd64ce90dc438d96df Mon Sep 17 00:00:00 2001 From: James Peach Date: Mon, 18 Dec 2006 04:25:21 +0000 Subject: r20237: Replace exit_server with exit_server_cleanly where appropriate. All send_smb failures should be clean exits. All times when we exit as a matter of policy should also be clean exits. (This used to be commit d6382092e72120a3c89ffe81975e8898d454bf06) --- source3/auth/auth_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 8a8ecfa575..c7243e8468 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -95,7 +95,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } if (strequal(desthost,myhostname())) { - exit_server("Password server loop!"); + exit_server_cleanly("Password server loop!"); } DEBUG(3,("got session\n")); -- cgit From 84cd4d05e0a6e04c2a9fd1f4608a73ee1086a7af Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Wed, 20 Dec 2006 01:07:21 +0000 Subject: r20268: merge -r 20261:20263 from samba_3_0_24 get rid of previous prototype warnings (This used to be commit 90265c83ff1c7f11672694ff005d8ecc5d4a867f) --- source3/auth/auth_script.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 3d007b7730..bdcd7533f9 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -141,6 +141,7 @@ static NTSTATUS auth_init_script(struct auth_context *auth_context, const char * return NT_STATUS_OK; } +NTSTATUS auth_script_init(void); NTSTATUS auth_script_init(void) { return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script); -- cgit From c50c8d0dc31b95a98e09b1cfdd2e54e4bac336f2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 14 Jan 2007 17:58:24 +0000 Subject: r20774: I thought I committed this before Xmas holidays ... This change is needed to make it possible to not expire caches in disconnected mode. Jerry, please can you look at this and confirm it is ok? Simo. (This used to be commit 9e8715e4e15d9cede8f4aa9652642995392617e6) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c1f58cfecd..94551cb8a5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1048,7 +1048,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) gid_t agid; if (wb) { - if ( ! ids[i].mapped) { + if (ids[i].status != ID_MAPPED) { DEBUG(10, ("Could not convert SID %s to gid, " "ignoring it\n", sid_string_static(ids[i].sid))); continue; -- cgit From b906886e9e9739877fef4c381c46a9a9d61859ba Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 16 Jan 2007 08:17:26 +0000 Subject: r20824: Send access to the trusted domain passwords through the pdb backend, so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d) --- source3/auth/auth_domain.c | 4 ++-- source3/auth/auth_util.c | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6468c18cb0..6517852093 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -408,8 +408,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password, - &sid, &last_change_time)) { + if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password, + &sid, &last_change_time)) { DEBUG(0, ("check_trustdomain_security: could not fetch trust " "account password for domain %s\n", user_info->domain)); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 94551cb8a5..1080ced51b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -2142,8 +2142,7 @@ BOOL is_trusted_domain(const char* dom_name) become_root(); DEBUG (5,("is_trusted_domain: Checking for domain trust with " "[%s]\n", dom_name )); - ret = secrets_fetch_trusted_domain_password(dom_name, NULL, - NULL, NULL); + ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL); unbecome_root(); if (ret) return True; -- cgit From 685ca94ac24842fddf22e31edc39de40b0729248 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 2 Feb 2007 22:02:42 +0000 Subject: r21128: Fix Vista connecting to Samba in share level security. Vista sends the NTLMv2 blob by default in the tconX packet. Make sure we save off the workgroup the user was logged into on the client in the sessionsetupX and re-use it for the NTLMv2 calc. Jeremy. (This used to be commit 45dcf62960c2815c4d8e0c5f4a2d0af24df83290) --- source3/auth/auth_compat.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index bd5d7f0229..7b9802f7d4 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -92,18 +92,25 @@ static NTSTATUS pass_check_smb(const char *smb_name, check if a username/password pair is ok via the auth subsystem. return True if the password is correct, False otherwise ****************************************************************************/ + BOOL password_ok(char *smb_name, DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob(NULL, 0); - BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24); + BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46)); if (encrypted) { /* * The password could be either NTLM or plain LM. Try NTLM first, * but fall-through as required. - * NTLMv2 makes no sense here. + * Vista sends NTLMv2 here - we need to try the client given workgroup. */ + if (get_session_workgroup()) { + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) { + return True; + } + } + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { return True; } @@ -119,5 +126,3 @@ BOOL password_ok(char *smb_name, DATA_BLOB password_blob) return False; } - - -- cgit From 299e16112d781ab8c24134c249e0259265a15fd4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Feb 2007 13:40:11 +0000 Subject: r21383: More possible "security=share" fixes. If a client is sending LMv2 make sure we test with the password blob in the LM field as well as the NT field. Jeremy. (This used to be commit a6b55beae7ae0c70cf955d01f51f881f9f962910) --- source3/auth/auth_compat.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 7b9802f7d4..13035eece2 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -109,6 +109,9 @@ BOOL password_ok(char *smb_name, DATA_BLOB password_blob) if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) { return True; } + if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), password_blob, null_password, null_password, encrypted))) { + return True; + } } if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) { -- cgit From 6784d54a77c6ef67102b1b2c6a73ac16991b0b50 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 26 Feb 2007 09:46:05 +0000 Subject: r21536: Fix copy/paste typo. Guenther (This used to be commit 7edbb636f7caf43135f0320cc08ff18a34a80594) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1080ced51b..7a12508a3b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -766,7 +766,7 @@ static NTSTATUS create_builtin_users( void ) sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + DEBUG(0,("create_builtin_users: Failed to add Domain Users to" " Users\n")); return status; } -- cgit From 3bd2394b20723809b0736bb8bd6d2340a811471d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 1 Mar 2007 22:12:49 +0000 Subject: r21642: Fix bug 4365. Please note that this was only tested with Vista so far, it needs testing with other clients as well. I'm afraid I'm visiting a conference tomorrow and saturday, so I'd be happy to get support in this. Thanks, Volker (This used to be commit 2186e276a0f15457ee6b29ecf2d109d812628ff9) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6517852093..853108863b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -237,7 +237,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->logon_parameters,/* flags such as 'allow workstation logon' */ dc_name, /* server name */ user_info->smb_name, /* user name logging on. */ - user_info->domain, /* domain name */ + user_info->client_domain, /* domain name */ user_info->wksta_name, /* workstation name */ chal, /* 8 byte challenge. */ user_info->lm_resp, /* lanman 24 byte response */ -- cgit From c0e37a74963ae942ed48431bd2ea353ebad256ff Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 18 Mar 2007 11:24:10 +0000 Subject: r21870: Move sending auth_server keepalives out of the main loop into an idle event. Volker (This used to be commit 6226b30f38cd82531422815ba66a687aab50028d) --- source3/auth/auth.c | 5 +-- source3/auth/auth_server.c | 85 ++++++++++++++++++++++++++++++++-------------- 2 files changed, 61 insertions(+), 29 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 0b868b265e..dd5481767b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -333,10 +333,7 @@ static void free_auth_context(struct auth_context **auth_context) if (*auth_context) { /* Free private data of context's authentication methods */ for (auth_method = (*auth_context)->auth_method_list; auth_method; auth_method = auth_method->next) { - if (auth_method->free_private_data) { - auth_method->free_private_data (&auth_method->private_data); - auth_method->private_data = NULL; - } + TALLOC_FREE(auth_method->private_data); } talloc_destroy((*auth_context)->mem_ctx); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index c7243e8468..c140ef48f9 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -136,38 +136,72 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return cli; } +struct server_security_state { + struct cli_state *cli; +}; + /**************************************************************************** - Clean up our allocated cli. + Send a 'keepalive' packet down the cli pipe. ****************************************************************************/ -static void free_server_private_data(void **private_data_pointer) +static BOOL send_server_keepalive(const struct timeval *now, + void *private_data) { - struct cli_state **cli = (struct cli_state **)private_data_pointer; - if (*cli && (*cli)->initialised) { - DEBUG(10, ("Shutting down smbserver connection\n")); - cli_shutdown(*cli); + struct server_security_state *state = talloc_get_type_abort( + private_data, struct server_security_state); + + if (!state->cli || !state->cli->initialised) { + return False; + } + + if (send_keepalive(state->cli->fd)) { + return True; } - *private_data_pointer = NULL; + + DEBUG( 2, ( "send_server_keepalive: password server keepalive " + "failed.\n")); + cli_shutdown(state->cli); + state->cli = NULL; + return False; } -/**************************************************************************** - Send a 'keepalive' packet down the cli pipe. -****************************************************************************/ +static int destroy_server_security(struct server_security_state *state) +{ + if (state->cli) { + cli_shutdown(state->cli); + } + return 0; +} -static void send_server_keepalive(void **private_data_pointer) +static struct server_security_state *make_server_security_state(struct cli_state *cli) { - /* also send a keepalive to the password server if its still - connected */ - if (private_data_pointer) { - struct cli_state *cli = (struct cli_state *)(*private_data_pointer); - if (cli && cli->initialised) { - if (!send_keepalive(cli->fd)) { - DEBUG( 2, ( "send_server_keepalive: password server keepalive failed.\n")); - cli_shutdown(cli); - *private_data_pointer = NULL; - } + struct server_security_state *result; + + if (!(result = talloc(NULL, struct server_security_state))) { + DEBUG(0, ("talloc failed\n")); + cli_shutdown(cli); + return NULL; + } + + result->cli = cli; + talloc_set_destructor(result, destroy_server_security); + + if (lp_keepalive() != 0) { + struct timeval interval; + interval.tv_sec = lp_keepalive(); + interval.tv_usec = 0; + + if (event_add_idle(smbd_event_context(), result, interval, + "server_security_keepalive", + send_server_keepalive, + result) == NULL) { + DEBUG(0, ("event_add_idle failed\n")); + TALLOC_FREE(result); + return NULL; } } + + return result; } /**************************************************************************** @@ -190,7 +224,8 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte /* However, it is still a perfectly fine connection to pass that unencrypted password over */ - *my_private_data = (void *)cli; + *my_private_data = + (void *)make_server_security_state(cli); return data_blob(NULL, 0); } else if (cli->secblob.length < 8) { @@ -200,7 +235,9 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte return data_blob(NULL, 0); } - *my_private_data = (void *)cli; + if (!(*my_private_data = (void *)make_server_security_state(cli))) { + return data_blob(NULL,0); + } /* The return must be allocated on the caller's mem_ctx, as our own will be destoyed just after the call. */ @@ -415,8 +452,6 @@ static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const cha (*auth_method)->name = "smbserver"; (*auth_method)->auth = check_smbserver_security; (*auth_method)->get_chal = auth_get_challenge_server; - (*auth_method)->send_keepalive = send_server_keepalive; - (*auth_method)->free_private_data = free_server_private_data; return NT_STATUS_OK; } -- cgit From 3fdef9433a9e08064b32e34a16ce62a60ce144fb Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 19 Mar 2007 21:04:56 +0000 Subject: r21878: Fix a bug with smbd serving a windows terminal server: If winbind decides smbd to be idle it might happen that smbd needs to do a winbind operation (for example sid2name) as non-root. This then fails to get the privileged pipe. When later on on the same connection another authentication request comes in, we try to do the CRAP auth via the non-privileged pipe. This adds a winbindd_priv_request_response() request that kills the existing winbind pipe connection if it's not privileged. Volker (This used to be commit e5741e27c4c22702c9f8b07877641fecc7eef39c) --- source3/auth/auth_winbind.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index fa56757950..f06f83f406 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -108,7 +108,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* we are contacting the privileged pipe */ become_root(); - result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response); + result = winbindd_priv_request_response(WINBINDD_PAM_AUTH_CRAP, + &request, &response); unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { -- cgit From 719f4657e8c987cd29e8824dd3938f5609da9d61 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 22 Mar 2007 18:36:09 +0000 Subject: r21935: Revert obviously not sufficiently tested code -- sorry for the pain. I am afraid I was basically off the net for the day (This used to be commit 08c29abc03267b0dfb41cec3734653a536027a10) --- source3/auth/auth_winbind.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index f06f83f406..fa56757950 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -108,8 +108,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* we are contacting the privileged pipe */ become_root(); - result = winbindd_priv_request_response(WINBINDD_PAM_AUTH_CRAP, - &request, &response); + result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response); unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { -- cgit From 5b105eaf7c3ce4ad174f0c389ed9b0c60dec66ca Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Mar 2007 21:41:36 +0000 Subject: r21940: Sorry Volker, I have to revert your revert in r21935. We can talk about this later if you still feel that strongly but I need to fix the build for now. (This used to be commit c7df0cad8257333c6a8dfd98818269a783ba7a26) --- source3/auth/auth_winbind.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index fa56757950..f06f83f406 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -108,7 +108,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* we are contacting the privileged pipe */ become_root(); - result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response); + result = winbindd_priv_request_response(WINBINDD_PAM_AUTH_CRAP, + &request, &response); unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { -- cgit From 5b7c813104c652cfa215090361946ab33e8f0679 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Mar 2007 13:26:43 +0000 Subject: r21999: remove useless casts metze (This used to be commit f948005ca69c50b07fdbcf7801975676d19d1486) --- source3/auth/auth_util.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7a12508a3b..0afcabcf07 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -241,8 +241,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const uchar nt_interactive_pwd[16], const uchar *dc_sess_key) { - char lm_pwd[16]; - char nt_pwd[16]; + unsigned char lm_pwd[16]; + unsigned char nt_pwd[16]; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; @@ -268,10 +268,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #endif if (lm_interactive_pwd) - SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); + SamOEMhash(lm_pwd, key, sizeof(lm_pwd)); if (nt_interactive_pwd) - SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); + SamOEMhash(nt_pwd, key, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); @@ -282,11 +282,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #endif if (lm_interactive_pwd) - SMBOWFencrypt((const unsigned char *)lm_pwd, chal, + SMBOWFencrypt(lm_pwd, chal, local_lm_response); if (nt_interactive_pwd) - SMBOWFencrypt((const unsigned char *)nt_pwd, chal, + SMBOWFencrypt(nt_pwd, chal, local_nt_response); /* Password info paranoia */ -- cgit From 56ba44766854ed7cda265bdaf85913f2a1008282 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Mar 2007 13:34:59 +0000 Subject: r22001: change prototype of dump_data(), so that it takes unsigned char * now, which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7) --- source3/auth/auth.c | 8 ++++---- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_util.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dd5481767b..91a5ac2ff1 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -136,7 +136,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); DEBUG(5, ("challenge is: \n")); - dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length); + dump_data(5, auth_context->challenge.data, auth_context->challenge.length); SMB_ASSERT(auth_context->challenge.length == 8); @@ -233,15 +233,15 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, auth_context->challenge_set_by)); DEBUG(10, ("challenge is: \n")); - dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length); + dump_data(5, auth_context->challenge.data, auth_context->challenge.length); #ifdef DEBUG_PASSWORD DEBUG(100, ("user_info has passwords of length %d and %d\n", (int)user_info->lm_resp.length, (int)user_info->nt_resp.length)); DEBUG(100, ("lm:\n")); - dump_data(100, (const char *)user_info->lm_resp.data, user_info->lm_resp.length); + dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length); DEBUG(100, ("nt:\n")); - dump_data(100, (const char *)user_info->nt_resp.data, user_info->nt_resp.length); + dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length); #endif /* This needs to be sorted: If it doesn't match, what should we do? */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 51b145a760..08e88cc21a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -68,7 +68,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by)); DEBUG(5, ("challenge is: \n")); - dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length); + dump_data(5, auth_context->challenge.data, auth_context->challenge.length); return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0afcabcf07..82567473b5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -258,7 +258,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); - dump_data(100, (char *)key, sizeof(key)); + dump_data(100, key, sizeof(key)); DEBUG(100,("lm owf password:")); dump_data(100, lm_pwd, sizeof(lm_pwd)); @@ -368,7 +368,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, #ifdef DEBUG_PASSWORD DEBUG(10,("Unencrypted password (len %d):\n", (int)plaintext_password.length)); - dump_data(100, (const char *)plaintext_password.data, + dump_data(100, plaintext_password.data, plaintext_password.length); #endif -- cgit From fb3835846ef89a632230ff808259dad1cddc05c0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 2 Apr 2007 03:46:13 +0000 Subject: r22020: Make it more clear that both the vuser struct and it's contents are talloc_free()'ed at the end of a session. Rework the passwd cache code to use talloc_unlink and talloc_reference, to more carefully manage the cache. Andrew Bartlett (This used to be commit e3e0ec25e67308de314aa61852905ee42aa2c8fe) --- source3/auth/auth_sam.c | 2 +- source3/auth/auth_util.c | 18 +++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 847315ef88..31178a761c 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -266,7 +266,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, /* Can't use the talloc version here, because the returned struct gets kept on the server_info */ - if ( !(sampass = samu_new( NULL )) ) { + if ( !(sampass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 82567473b5..5c3bf7acce 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -561,19 +561,23 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, DOM_SID unix_group_sid; - if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", - pdb_get_username(sampass))); - return NT_STATUS_NO_SUCH_USER; - } - if ( !(result = make_server_info(NULL)) ) { TALLOC_FREE(pwd); return NT_STATUS_NO_MEMORY; } + if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); + return NT_STATUS_NO_SUCH_USER; + } + result->sam_account = sampass; - result->unix_name = talloc_strdup(result, pwd->pw_name); + /* Ensure thaat the sampass will be freed with the result */ + talloc_steal(result, sampass); + result->unix_name = pwd->pw_name; + /* Ensure that we keep pwd->pw_name, because we will free pwd below */ + talloc_steal(result, pwd->pw_name); result->gid = pwd->pw_gid; result->uid = pwd->pw_uid; -- cgit From ccc06f84415a0496b8f3771e8888f81442acd808 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 2 Apr 2007 05:53:34 +0000 Subject: r22022: - Clarify the comments - make sure never to free an uninitialised variable - ensure to free result on getpwnam_alloc failure Andrew Bartlett (This used to be commit 5fe3328e66661371182cc1c3b6e239797c3b4f93) --- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_util.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 31178a761c..0fa68cbb87 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -263,8 +263,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_UNSUCCESSFUL; } - /* Can't use the talloc version here, because the returned struct gets - kept on the server_info */ + /* the returned struct gets kept on the server_info, by means + of a steal further down */ if ( !(sampass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5c3bf7acce..7891ce1599 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -562,13 +562,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, if ( !(result = make_server_info(NULL)) ) { - TALLOC_FREE(pwd); return NT_STATUS_NO_MEMORY; } if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", pdb_get_username(sampass))); + TALLOC_FREE(result); return NT_STATUS_NO_SUCH_USER; } -- cgit From a40df6f92d42676a9184fb2c20a11d5662ca5b3a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 9 Apr 2007 10:38:55 +0000 Subject: r22135: Check in most of Michael Adam's net conf utility. A good share of this patch is moving functions around to fix some linker dependencies for the registry. Michael, I've renamed your auth_utils2.c to token_utils.c. Thanks! Volker (This used to be commit 9de16f25c1c3e0b203da47391772ef2e2fe291ac) --- source3/auth/auth_util.c | 432 ------------------------------------------- source3/auth/token_util.c | 458 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 458 insertions(+), 432 deletions(-) create mode 100644 source3/auth/token_util.c (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7891ce1599..0de3bf2325 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -27,12 +27,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - BOOL is_guest, - int num_groupsids, - const DOM_SID *groupsids); - /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -481,38 +475,6 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, (long int)groups[i])); } -/****************************************************************************** - Create a token for the root user to be used internally by smbd. - This is similar to running under the context of the LOCAL_SYSTEM account - in Windows. This is a read-only token. Do not modify it or free() it. - Create a copy if your need to change it. -******************************************************************************/ - -NT_USER_TOKEN *get_root_nt_token( void ) -{ - static NT_USER_TOKEN *token = NULL; - DOM_SID u_sid, g_sid; - struct passwd *pw; - - if ( token ) - return token; - - if ( !(pw = sys_getpwnam( "root" )) ) { - DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); - return NULL; - } - - /* get the user and primary group SIDs; although the - BUILTIN\Administrators SId is really the one that matters here */ - - uid_to_sid(&u_sid, pw->pw_uid); - gid_to_sid(&g_sid, pw->pw_gid); - - token = create_local_nt_token(NULL, &u_sid, False, - 1, &global_sid_Builtin_Administrators); - return token; -} - static int server_info_dtor(auth_serversupplied_info *server_info) { TALLOC_FREE(server_info->sam_account); @@ -631,53 +593,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_OK; } -/* - * Add alias SIDs from memberships within the partially created token SID list - */ - -static NTSTATUS add_aliases(const DOM_SID *domain_sid, - struct nt_user_token *token) -{ - uint32 *aliases; - size_t i, num_aliases; - NTSTATUS status; - TALLOC_CTX *tmp_ctx; - - if (!(tmp_ctx = talloc_init("add_aliases"))) { - return NT_STATUS_NO_MEMORY; - } - - aliases = NULL; - num_aliases = 0; - - status = pdb_enum_alias_memberships(tmp_ctx, domain_sid, - token->user_sids, - token->num_sids, - &aliases, &num_aliases); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", - nt_errstr(status))); - TALLOC_FREE(tmp_ctx); - return status; - } - - for (i=0; iuser_sids, - &token->num_sids)) { - DEBUG(0, ("add_sid_to_array failed\n")); - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - } - - TALLOC_FREE(tmp_ctx); - return NT_STATUS_OK; -} - static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) { char *command; @@ -714,270 +629,6 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) return NT_STATUS_OK; } -/******************************************************************* -*******************************************************************/ - -static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) -{ - DOM_SID domadm; - - /* nothing to do if we aren't in a domain */ - - if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) { - return NT_STATUS_OK; - } - - /* Find the Domain Admins SID */ - - if ( IS_DC ) { - sid_copy( &domadm, get_global_sam_sid() ); - } else { - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); - - /* Add Administrators if the user beloongs to Domain Admins */ - - if ( nt_token_check_sid( &domadm, token ) ) { - if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, - &token->user_sids, &token->num_sids)) { - return NT_STATUS_NO_MEMORY; - } - } - - return NT_STATUS_OK; -} - -/******************************************************************* -*******************************************************************/ - -static NTSTATUS create_builtin_users( void ) -{ - NTSTATUS status; - DOM_SID dom_users; - - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_users: Failed to create Users\n")); - return status; - } - - /* add domain users */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) - { - sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); - status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_users: Failed to add Domain Users to" - " Users\n")); - return status; - } - } - - return NT_STATUS_OK; -} - -/******************************************************************* -*******************************************************************/ - -static NTSTATUS create_builtin_administrators( void ) -{ - NTSTATUS status; - DOM_SID dom_admins, root_sid; - fstring root_name; - enum lsa_SidType type; - TALLOC_CTX *ctx; - BOOL ret; - - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); - return status; - } - - /* add domain admins */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) - { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" - " Administrators\n")); - return status; - } - } - - /* add root */ - if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { - return NT_STATUS_NO_MEMORY; - } - fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); - ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); - TALLOC_FREE( ctx ); - - if ( ret ) { - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add root" - " Administrators\n")); - return status; - } - } - - return NT_STATUS_OK; -} - -/******************************************************************* - Create a NT token for the user, expanding local aliases -*******************************************************************/ - -static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - BOOL is_guest, - int num_groupsids, - const DOM_SID *groupsids) -{ - struct nt_user_token *result = NULL; - int i; - NTSTATUS status; - gid_t gid; - - DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid))); - - if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { - DEBUG(0, ("talloc failed\n")); - return NULL; - } - - /* Add the user and primary group sid */ - - if (!add_sid_to_array(result, user_sid, - &result->user_sids, &result->num_sids)) { - return NULL; - } - - /* For guest, num_groupsids may be zero. */ - if (num_groupsids) { - if (!add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids)) { - return NULL; - } - } - - /* Add in BUILTIN sids */ - - if (!add_sid_to_array(result, &global_sid_World, - &result->user_sids, &result->num_sids)) { - return NULL; - } - if (!add_sid_to_array(result, &global_sid_Network, - &result->user_sids, &result->num_sids)) { - return NULL; - } - - if (is_guest) { - if (!add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->user_sids, &result->num_sids)) { - return NULL; - } - } else { - if (!add_sid_to_array(result, &global_sid_Authenticated_Users, - &result->user_sids, &result->num_sids)) { - return NULL; - } - } - - /* Now the SIDs we got from authentication. These are the ones from - * the info3 struct or from the pdb_enum_group_memberships, depending - * on who authenticated the user. - * Note that we start the for loop at "1" here, we already added the - * first group sid as primary above. */ - - for (i=1; iuser_sids, &result->num_sids)) { - return NULL; - } - } - - /* Deal with the BUILTIN\Administrators group. If the SID can - be resolved then assume that the add_aliasmem( S-1-5-32 ) - handled it. */ - - if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ - - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_administrators( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); - /* don't fail, just log the message */ - } - unbecome_root(); - } - else { - status = add_builtin_administrators( result ); - if ( !NT_STATUS_IS_OK(status) ) { - /* just log a complaint but do not fail */ - DEBUG(3,("create_local_nt_token: failed to check for local Administrators" - " membership (%s)\n", nt_errstr(status))); - } - } - } - - /* Deal with the BUILTIN\Users group. If the SID can - be resolved then assume that the add_aliasmem( S-1-5-32 ) - handled it. */ - - if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ - - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_users( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); - /* don't fail, just log the message */ - } - unbecome_root(); - } - } - - /* Deal with local groups */ - - if (lp_winbind_nested_groups()) { - - /* Now add the aliases. First the one from our local SAM */ - - status = add_aliases(get_global_sam_sid(), result); - - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(result); - return NULL; - } - - /* Finally the builtin ones */ - - status = add_aliases(&global_sid_Builtin, result); - - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(result); - return NULL; - } - } - - - get_privileges_for_sids(&result->privileges, result->user_sids, - result->num_sids); - return result; -} - /* * Create the token to use from server_info->sam_account and * server_info->sids (the info3/sam groups). Find the unix gids. @@ -2039,89 +1690,6 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me return True; } -/**************************************************************************** - Duplicate a SID token. -****************************************************************************/ - -NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken) -{ - NT_USER_TOKEN *token; - - if (!ptoken) - return NULL; - - token = TALLOC_P(mem_ctx, NT_USER_TOKEN); - if (token == NULL) { - DEBUG(0, ("talloc failed\n")); - return NULL; - } - - ZERO_STRUCTP(token); - - if (ptoken->user_sids && ptoken->num_sids) { - token->user_sids = (DOM_SID *)talloc_memdup( - token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - - if (token->user_sids == NULL) { - DEBUG(0, ("talloc_memdup failed\n")); - TALLOC_FREE(token); - return NULL; - } - token->num_sids = ptoken->num_sids; - } - - /* copy the privileges; don't consider failure to be critical here */ - - if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. " - "Continuing with 0 privileges assigned.\n")); - } - - return token; -} - -/**************************************************************************** - Check for a SID in an NT_USER_TOKEN -****************************************************************************/ - -BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) -{ - int i; - - if ( !sid || !token ) - return False; - - for ( i=0; inum_sids; i++ ) { - if ( sid_equal( sid, &token->user_sids[i] ) ) - return True; - } - - return False; -} - -BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) -{ - DOM_SID domain_sid; - - /* if we are a domain member, the get the domain SID, else for - a DC or standalone server, use our own SID */ - - if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { - if ( !secrets_fetch_domain_sid( lp_workgroup(), - &domain_sid ) ) { - DEBUG(1,("nt_token_check_domain_rid: Cannot lookup " - "SID for domain [%s]\n", lp_workgroup())); - return False; - } - } - else - sid_copy( &domain_sid, get_global_sam_sid() ); - - sid_append_rid( &domain_sid, rid ); - - return nt_token_check_sid( &domain_sid, token );\ -} - /** * Verify whether or not given domain is trusted. * diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c new file mode 100644 index 0000000000..1eb9d12ab5 --- /dev/null +++ b/source3/auth/token_util.c @@ -0,0 +1,458 @@ +/* + * Unix SMB/CIFS implementation. + * Authentication utility functions + * Copyright (C) Andrew Tridgell 1992-1998 + * Copyright (C) Andrew Bartlett 2001 + * Copyright (C) Jeremy Allison 2000-2001 + * Copyright (C) Rafal Szczesniak 2002 + * Copyright (C) Volker Lendecke 2006 + * Copyright (C) Michael Adam 2007 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +/* functions moved from auth/auth_util.c to minimize linker deps */ + +#include "includes.h" + +/**************************************************************************** + Duplicate a SID token. +****************************************************************************/ + +NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken) +{ + NT_USER_TOKEN *token; + + if (!ptoken) + return NULL; + + token = TALLOC_P(mem_ctx, NT_USER_TOKEN); + if (token == NULL) { + DEBUG(0, ("talloc failed\n")); + return NULL; + } + + ZERO_STRUCTP(token); + + if (ptoken->user_sids && ptoken->num_sids) { + token->user_sids = (DOM_SID *)talloc_memdup( + token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); + + if (token->user_sids == NULL) { + DEBUG(0, ("talloc_memdup failed\n")); + TALLOC_FREE(token); + return NULL; + } + token->num_sids = ptoken->num_sids; + } + + /* copy the privileges; don't consider failure to be critical here */ + + if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { + DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. " + "Continuing with 0 privileges assigned.\n")); + } + + return token; +} + +/**************************************************************************** + Check for a SID in an NT_USER_TOKEN +****************************************************************************/ + +BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) +{ + int i; + + if ( !sid || !token ) + return False; + + for ( i=0; inum_sids; i++ ) { + if ( sid_equal( sid, &token->user_sids[i] ) ) + return True; + } + + return False; +} + +BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) +{ + DOM_SID domain_sid; + + /* if we are a domain member, the get the domain SID, else for + a DC or standalone server, use our own SID */ + + if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { + if ( !secrets_fetch_domain_sid( lp_workgroup(), + &domain_sid ) ) { + DEBUG(1,("nt_token_check_domain_rid: Cannot lookup " + "SID for domain [%s]\n", lp_workgroup())); + return False; + } + } + else + sid_copy( &domain_sid, get_global_sam_sid() ); + + sid_append_rid( &domain_sid, rid ); + + return nt_token_check_sid( &domain_sid, token );\ +} + +/****************************************************************************** + Create a token for the root user to be used internally by smbd. + This is similar to running under the context of the LOCAL_SYSTEM account + in Windows. This is a read-only token. Do not modify it or free() it. + Create a copy if your need to change it. +******************************************************************************/ + +NT_USER_TOKEN *get_root_nt_token( void ) +{ + static NT_USER_TOKEN *token = NULL; + DOM_SID u_sid, g_sid; + struct passwd *pw; + + if ( token ) + return token; + + if ( !(pw = sys_getpwnam( "root" )) ) { + DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); + return NULL; + } + + /* get the user and primary group SIDs; although the + BUILTIN\Administrators SId is really the one that matters here */ + + uid_to_sid(&u_sid, pw->pw_uid); + gid_to_sid(&g_sid, pw->pw_gid); + + token = create_local_nt_token(NULL, &u_sid, False, + 1, &global_sid_Builtin_Administrators); + return token; +} + + +/* + * Add alias SIDs from memberships within the partially created token SID list + */ + +static NTSTATUS add_aliases(const DOM_SID *domain_sid, + struct nt_user_token *token) +{ + uint32 *aliases; + size_t i, num_aliases; + NTSTATUS status; + TALLOC_CTX *tmp_ctx; + + if (!(tmp_ctx = talloc_init("add_aliases"))) { + return NT_STATUS_NO_MEMORY; + } + + aliases = NULL; + num_aliases = 0; + + status = pdb_enum_alias_memberships(tmp_ctx, domain_sid, + token->user_sids, + token->num_sids, + &aliases, &num_aliases); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", + nt_errstr(status))); + TALLOC_FREE(tmp_ctx); + return status; + } + + for (i=0; iuser_sids, + &token->num_sids)) { + DEBUG(0, ("add_sid_to_array failed\n")); + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + } + + TALLOC_FREE(tmp_ctx); + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + +static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) +{ + DOM_SID domadm; + + /* nothing to do if we aren't in a domain */ + + if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) { + return NT_STATUS_OK; + } + + /* Find the Domain Admins SID */ + + if ( IS_DC ) { + sid_copy( &domadm, get_global_sam_sid() ); + } else { + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); + + /* Add Administrators if the user beloongs to Domain Admins */ + + if ( nt_token_check_sid( &domadm, token ) ) { + if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids)) { + return NT_STATUS_NO_MEMORY; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + +static NTSTATUS create_builtin_users( void ) +{ + NTSTATUS status; + DOM_SID dom_users; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_users: Failed to create Users\n")); + return status; + } + + /* add domain users */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) + { + sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); + status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + " Users\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + +static NTSTATUS create_builtin_administrators( void ) +{ + NTSTATUS status; + DOM_SID dom_admins, root_sid; + fstring root_name; + enum lsa_SidType type; + TALLOC_CTX *ctx; + BOOL ret; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); + return status; + } + + /* add domain admins */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) + { + sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" + " Administrators\n")); + return status; + } + } + + /* add root */ + if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); + ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); + TALLOC_FREE( ctx ); + + if ( ret ) { + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add root" + " Administrators\n")); + return status; + } + } + + return NT_STATUS_OK; +} + + +/******************************************************************* + Create a NT token for the user, expanding local aliases +*******************************************************************/ + +struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + BOOL is_guest, + int num_groupsids, + const DOM_SID *groupsids) +{ + struct nt_user_token *result = NULL; + int i; + NTSTATUS status; + gid_t gid; + + DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid))); + + if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { + DEBUG(0, ("talloc failed\n")); + return NULL; + } + + /* Add the user and primary group sid */ + + if (!add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids)) { + return NULL; + } + + /* For guest, num_groupsids may be zero. */ + if (num_groupsids) { + if (!add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids)) { + return NULL; + } + } + + /* Add in BUILTIN sids */ + + if (!add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids)) { + return NULL; + } + if (!add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids)) { + return NULL; + } + + if (is_guest) { + if (!add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, &result->num_sids)) { + return NULL; + } + } else { + if (!add_sid_to_array(result, &global_sid_Authenticated_Users, + &result->user_sids, &result->num_sids)) { + return NULL; + } + } + + /* Now the SIDs we got from authentication. These are the ones from + * the info3 struct or from the pdb_enum_group_memberships, depending + * on who authenticated the user. + * Note that we start the for loop at "1" here, we already added the + * first group sid as primary above. */ + + for (i=1; iuser_sids, &result->num_sids)) { + return NULL; + } + } + + /* Deal with the BUILTIN\Administrators group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() && winbind_ping() ) { + become_root(); + status = create_builtin_administrators( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + else { + status = add_builtin_administrators( result ); + if ( !NT_STATUS_IS_OK(status) ) { + /* just log a complaint but do not fail */ + DEBUG(3,("create_local_nt_token: failed to check for local Administrators" + " membership (%s)\n", nt_errstr(status))); + } + } + } + + /* Deal with the BUILTIN\Users group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() && winbind_ping() ) { + become_root(); + status = create_builtin_users( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + } + + /* Deal with local groups */ + + if (lp_winbind_nested_groups()) { + + /* Now add the aliases. First the one from our local SAM */ + + status = add_aliases(get_global_sam_sid(), result); + + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return NULL; + } + + /* Finally the builtin ones */ + + status = add_aliases(&global_sid_Builtin, result); + + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return NULL; + } + } + + + get_privileges_for_sids(&result->privileges, result->user_sids, + result->num_sids); + return result; +} + +/* END */ -- cgit From 36da6cb5847df2754e8f9223e0784da6013c572b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 19 Apr 2007 22:26:09 +0000 Subject: r22390: Patchset sent to samba-technical to address the winbind loop when allocating a new id for a SID: auth_util.patch Revert create_local_token() to the 3.0.24 codebase idmap_type.patch Have the caller fillin the id_map.xid.type field when resolving a SID so that if we allocate a new id, we know what type to use winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls from the public winbindd interface for the 3.0.25 release idmap_rid.patch Cleanup the idmap_rid backend to not call back into winbindd to resolve the SID in order to verify it's type. (This used to be commit 3b24dae9e73b244540a68b631b428a4d0f57440b) --- source3/auth/auth_util.c | 48 ++++++++++-------------------------------------- 1 file changed, 10 insertions(+), 38 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0de3bf2325..336daa906d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -637,9 +637,7 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) NTSTATUS create_local_token(auth_serversupplied_info *server_info) { TALLOC_CTX *mem_ctx; - struct id_map *ids; NTSTATUS status; - BOOL wb = True; size_t i; @@ -686,46 +684,20 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->groups = NULL; /* Start at index 1, where the groups start. */ - ids = talloc_zero_array(mem_ctx, struct id_map, server_info->ptok->num_sids); - for (i = 0; i < server_info->ptok->num_sids-1; i++) { - ids[i].sid = &server_info->ptok->user_sids[i + 1]; /* store the sids */ - } - - if (!winbind_sids_to_unixids(ids, server_info->ptok->num_sids-1)) { - DEBUG(2, ("Query to map secondary SIDs failed!\n")); - if (!winbind_ping()) { - DEBUG(2, ("Winbindd is not running, will try to map SIDs one by one with legacy code\n")); - wb = False; - } - } - for (i = 0; i < server_info->ptok->num_sids-1; i++) { - gid_t agid; + for (i=1; iptok->num_sids; i++) { + gid_t gid; + DOM_SID *sid = &server_info->ptok->user_sids[i]; - if (wb) { - if (ids[i].status != ID_MAPPED) { - DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(ids[i].sid))); - continue; - } - if (ids[i].xid.type == ID_TYPE_UID) { - DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " - "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); - continue; - } - agid = (gid_t)ids[i].xid.id; - } else { - if (! sid_to_gid(ids[i].sid, &agid)) { - continue; - } - } - if (!add_gid_to_array_unique(server_info, agid, &server_info->groups, - &server_info->n_groups)) { - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_MEMORY; + if (!sid_to_gid(sid, &gid)) { + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", sid_string_static(sid))); + continue; } + add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups); } - + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); status = log_nt_token(mem_ctx, server_info->ptok); -- cgit From 12ba88574bf91bdcc4447bfc3d429b799064bfd9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 27 Apr 2007 23:18:41 +0000 Subject: r22542: Move over to using the _strict varients of the talloc calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 336daa906d..e2bc8e75b5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -834,9 +834,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { - DEBUG(1, ("talloc_array failed\n")); + DEBUG(1, ("TALLOC_ARRAY failed\n")); result = NT_STATUS_NO_MEMORY; goto done; } @@ -864,9 +864,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; num_group_sids = 1; - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { - DEBUG(1, ("talloc_array failed\n")); + DEBUG(1, ("TALLOC_ARRAY failed\n")); result = NT_STATUS_NO_MEMORY; goto done; } @@ -1117,7 +1117,7 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) dst->gid = src->gid; dst->n_groups = src->n_groups; if (src->n_groups != 0) { - dst->groups = (gid_t *)talloc_memdup( + dst->groups = (gid_t *)TALLOC_MEMDUP( dst, src->groups, sizeof(gid_t)*dst->n_groups); } else { dst->groups = NULL; -- cgit From be8b0685a55700c6bce3681734800ec6434b0364 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2007 02:39:34 +0000 Subject: r22589: Make TALLOC_ARRAY consistent across all uses. Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9) --- source3/auth/auth_util.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e2bc8e75b5..db92c50df0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -834,11 +834,15 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); - if (group_sids == NULL) { - DEBUG(1, ("TALLOC_ARRAY failed\n")); - result = NT_STATUS_NO_MEMORY; - goto done; + if (num_group_sids) { + group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("TALLOC_ARRAY failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + } else { + group_sids = NULL; } for (i=0; i Date: Mon, 7 May 2007 12:15:11 +0000 Subject: r22740: Move debug_*_user_token to token_utils.c (This used to be commit 4ad9f8aa61cef94be8d38c6e91aac3a5c848f81f) --- source3/auth/auth_util.c | 45 ------------------------------------------- source3/auth/token_util.c | 49 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 47 insertions(+), 47 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index db92c50df0..399cf3ad9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -430,51 +430,6 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) return NT_STATUS_IS_OK(nt_status) ? True : False; } -/**************************************************************************** - prints a NT_USER_TOKEN to debug output. -****************************************************************************/ - -void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) -{ - size_t i; - - if (!token) { - DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); - return; - } - - DEBUGC(dbg_class, dbg_lev, - ("NT user token of user %s\n", - sid_string_static(&token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, - ("contains %lu SIDs\n", (unsigned long)token->num_sids)); - for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, - ("SID[%3lu]: %s\n", (unsigned long)i, - sid_string_static(&token->user_sids[i]))); - - dump_se_priv( dbg_class, dbg_lev, &token->privileges ); -} - -/**************************************************************************** - prints a UNIX 'token' to debug output. -****************************************************************************/ - -void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, - int n_groups, gid_t *groups) -{ - int i; - DEBUGC(dbg_class, dbg_lev, - ("UNIX token of user %ld\n", (long int)uid)); - - DEBUGADDC(dbg_class, dbg_lev, - ("Primary group is %ld and contains %i supplementary " - "groups\n", (long int)gid, n_groups)); - for (i = 0; i < n_groups; i++) - DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, - (long int)groups[i])); -} - static int server_info_dtor(auth_serversupplied_info *server_info) { TALLOC_FREE(server_info->sam_account); diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 1eb9d12ab5..d68f44cbf1 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -147,8 +147,8 @@ NT_USER_TOKEN *get_root_nt_token( void ) * Add alias SIDs from memberships within the partially created token SID list */ -static NTSTATUS add_aliases(const DOM_SID *domain_sid, - struct nt_user_token *token) +NTSTATUS add_aliases(const DOM_SID *domain_sid, + struct nt_user_token *token) { uint32 *aliases; size_t i, num_aliases; @@ -455,4 +455,49 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return result; } +/**************************************************************************** + prints a NT_USER_TOKEN to debug output. +****************************************************************************/ + +void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) +{ + size_t i; + + if (!token) { + DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); + return; + } + + DEBUGC(dbg_class, dbg_lev, + ("NT user token of user %s\n", + sid_string_static(&token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, + ("contains %lu SIDs\n", (unsigned long)token->num_sids)); + for (i = 0; i < token->num_sids; i++) + DEBUGADDC(dbg_class, dbg_lev, + ("SID[%3lu]: %s\n", (unsigned long)i, + sid_string_static(&token->user_sids[i]))); + + dump_se_priv( dbg_class, dbg_lev, &token->privileges ); +} + +/**************************************************************************** + prints a UNIX 'token' to debug output. +****************************************************************************/ + +void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, + int n_groups, gid_t *groups) +{ + int i; + DEBUGC(dbg_class, dbg_lev, + ("UNIX token of user %ld\n", (long int)uid)); + + DEBUGADDC(dbg_class, dbg_lev, + ("Primary group is %ld and contains %i supplementary " + "groups\n", (long int)gid, n_groups)); + for (i = 0; i < n_groups; i++) + DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, + (long int)groups[i])); +} + /* END */ -- cgit From 8190e0466330fbdfb1beed7a073122c752d7fa31 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 12 May 2007 19:53:47 +0000 Subject: r22819: Fix Bug 4613. We just dumped the must change & friends. With the pass_last_changed == 0 we now return "Change now!" instead of "Change never" (This used to be commit 450e4d94f64f86a3dd709265d15ed5082d4b53e8) --- source3/auth/auth_util.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 399cf3ad9e..1795322b55 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1484,6 +1484,30 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + if (!pdb_set_pass_last_set_time( + sam_account, + nt_time_to_unix(info3->pass_last_set_time), + PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_can_change_time( + sam_account, + nt_time_to_unix(info3->pass_can_change_time), + PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_must_change_time( + sam_account, + nt_time_to_unix(info3->pass_must_change_time), + PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); -- cgit From b4a7b7a8889737e2891fc1176feabd4ce47f2737 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 14 May 2007 12:16:20 +0000 Subject: r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e) --- source3/auth/auth.c | 2 +- source3/auth/auth_compat.c | 2 +- source3/auth/auth_sam.c | 4 ++-- source3/auth/auth_server.c | 8 ++++---- source3/auth/auth_util.c | 10 +++++----- 5 files changed, 13 insertions(+), 13 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 91a5ac2ff1..eb239d3d7d 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -79,7 +79,7 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) { - DATA_BLOB challenge = data_blob(NULL, 0); + DATA_BLOB challenge = data_blob_null; const char *challenge_set_by = NULL; auth_methods *auth_method; TALLOC_CTX *mem_ctx; diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 13035eece2..65ece50a50 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -96,7 +96,7 @@ return True if the password is correct, False otherwise BOOL password_ok(char *smb_name, DATA_BLOB password_blob) { - DATA_BLOB null_password = data_blob(NULL, 0); + DATA_BLOB null_password = data_blob_null; BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46)); if (encrypted) { diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 0fa68cbb87..64556cabd3 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -255,8 +255,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, BOOL ret; NTSTATUS nt_status; NTSTATUS update_login_attempts_status; - DATA_BLOB user_sess_key = data_blob(NULL, 0); - DATA_BLOB lm_sess_key = data_blob(NULL, 0); + DATA_BLOB user_sess_key = data_blob_null; + DATA_BLOB lm_sess_key = data_blob_null; BOOL updated_autolock = False, updated_badpw = False; if (!user_info || !auth_context) { diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index c140ef48f9..e5331893fd 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -226,24 +226,24 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte to pass that unencrypted password over */ *my_private_data = (void *)make_server_security_state(cli); - return data_blob(NULL, 0); + return data_blob_null; } else if (cli->secblob.length < 8) { /* We can't do much if we don't get a full challenge */ DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n")); cli_shutdown(cli); - return data_blob(NULL, 0); + return data_blob_null; } if (!(*my_private_data = (void *)make_server_security_state(cli))) { - return data_blob(NULL,0); + return data_blob_null; } /* The return must be allocated on the caller's mem_ctx, as our own will be destoyed just after the call. */ return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8); } else { - return data_blob(NULL, 0); + return data_blob_null; } } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1795322b55..f66c500943 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -372,11 +372,11 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, /* We can't do an NT hash here, as the password needs to be case insensitive */ - local_nt_blob = data_blob(NULL, 0); + local_nt_blob = data_blob_null; } else { - local_lm_blob = data_blob(NULL, 0); - local_nt_blob = data_blob(NULL, 0); + local_lm_blob = data_blob_null; + local_nt_blob = data_blob_null; } ret = make_user_info_map( @@ -1570,7 +1570,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* ensure we are never given NULL session keys */ if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { - result->user_session_key = data_blob(NULL, 0); + result->user_session_key = data_blob_null; } else { result->user_session_key = data_blob_talloc( result, info3->user_sess_key, @@ -1578,7 +1578,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { - result->lm_session_key = data_blob(NULL, 0); + result->lm_session_key = data_blob_null; } else { result->lm_session_key = data_blob_talloc( result, info3->lm_sess_key, -- cgit From 9b48f7d76d1700f3be951b0322a7184bd192004f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 16 May 2007 20:02:32 +0000 Subject: r22953: Well, this apparently has never been tested. But *this* code never saw a release yet .... ;-)) (This used to be commit f93b6353fe18e2c992a3dad96afd1a4c16032c55) --- source3/auth/auth_server.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index e5331893fd..20ce078d2e 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -254,7 +254,7 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte ****************************************************************************/ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context, - void *my_private_data, + void *private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) @@ -266,6 +266,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context static BOOL bad_password_server = False; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; BOOL locally_made_cli = False; + struct server_security_state *state; /* * Check that the requested domain is not our own machine name. @@ -273,12 +274,10 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context * password file. */ - if(is_myname(user_info->domain)) { - DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); - return nt_status; - } + state = talloc_get_type_abort( + private_data, struct server_security_state); - cli = (struct cli_state *)my_private_data; + cli = state->cli; if (cli) { } else { -- cgit From 0b38bfa9ea337f360fca6a85eb9764d1eafb1728 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 May 2007 22:52:17 +0000 Subject: r22956: Fix security=server (bug #4622). Volker's patch (slightly truncated by me). Will be in 3.0.25a. Jeremy. (This used to be commit 039fb906af883a7ca1a68955f1b36b583fe1b698) --- source3/auth/auth_server.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 20ce078d2e..4351f96eeb 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -268,12 +268,6 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context BOOL locally_made_cli = False; struct server_security_state *state; - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - state = talloc_get_type_abort( private_data, struct server_security_state); -- cgit From f4ae28576376741a5402a286827a46c053db0ff7 Mon Sep 17 00:00:00 2001 From: James Peach Date: Wed, 23 May 2007 20:31:28 +0000 Subject: r23095: Support systems that have their PAM headers in /usr/include/pam. (This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4) --- source3/auth/pampass.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index ba11d2e8fc..a83e2bcb3f 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -41,7 +41,11 @@ * which determines what actions/limitations/allowances become affected. *********************************************************************/ +#if defined(HAVE_SECURITY_PAM_APPL_H) #include +#elif defined(HAVE_PAM_PAM_APPL_H) +#include +#endif /* * Structure used to communicate between the conversation function -- cgit From 55ac16ba74602bf96fa63265a1026f62f58c273c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 5 Jun 2007 23:35:39 +0000 Subject: r23358: Fix from Justin Maggard - ensure we don't expire a password if it's explicitly set as ACB_PWNOTREQ. Jeremy. (This used to be commit 2ea5a6bd334e31201aa6f93f5c51e42924d36ebd) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 64556cabd3..b6364a6ca4 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -163,7 +163,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCOUNT_EXPIRED; } - if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) { + if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { time_t must_change_time = pdb_get_pass_must_change_time(sampass); time_t last_set_time = pdb_get_pass_last_set_time(sampass); -- cgit From 6090601c8b6abde1642906351d1dd9bb41e576b6 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 14 Jun 2007 11:29:35 +0000 Subject: r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e) --- source3/auth/token_util.c | 41 ----------------------------------------- 1 file changed, 41 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index d68f44cbf1..57db0d193f 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -27,47 +27,6 @@ #include "includes.h" -/**************************************************************************** - Duplicate a SID token. -****************************************************************************/ - -NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken) -{ - NT_USER_TOKEN *token; - - if (!ptoken) - return NULL; - - token = TALLOC_P(mem_ctx, NT_USER_TOKEN); - if (token == NULL) { - DEBUG(0, ("talloc failed\n")); - return NULL; - } - - ZERO_STRUCTP(token); - - if (ptoken->user_sids && ptoken->num_sids) { - token->user_sids = (DOM_SID *)talloc_memdup( - token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - - if (token->user_sids == NULL) { - DEBUG(0, ("talloc_memdup failed\n")); - TALLOC_FREE(token); - return NULL; - } - token->num_sids = ptoken->num_sids; - } - - /* copy the privileges; don't consider failure to be critical here */ - - if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. " - "Continuing with 0 privileges assigned.\n")); - } - - return token; -} - /**************************************************************************** Check for a SID in an NT_USER_TOKEN ****************************************************************************/ -- cgit From a4354d399d65e0b0e660b0e41647c0116d51bd37 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 17 Jun 2007 19:23:32 +0000 Subject: r23530: Fix bugs #4678 and #4697 which had the same root cause. In make_server_info_pw() we assign a user SID in our authoritative SAM, even though this may be from a pure "Unix User" that doesn't exist in the SAM. This causes lookups on "[in]valid users" to fail as they will lookup this name as a "Unix User" SID to check against the user token. Fix this by adding the "Unix User"\unix_username SID to the sid array. The correct fix should probably be changing the server_info->sam_account user SID to be a S-1-22 Unix SID, but this might break old configs where plaintext passwords were used with no SAM backend. Jeremy (This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f66c500943..7509b5ad1c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -966,6 +966,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; + char *qualified_name = NULL; + TALLOC_CTX *mem_ctx = NULL; + DOM_SID u_sid; + enum lsa_SidType type; auth_serversupplied_info *result; if ( !(sampass = samu_new( NULL )) ) { @@ -999,6 +1003,56 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return status; } + /* + * The SID returned in server_info->sam_account is based + * on our SAM sid even though for a pure UNIX account this should + * not be the case as it doesn't really exist in the SAM db. + * This causes lookups on "[in]valid users" to fail as they + * will lookup this name as a "Unix User" SID to check against + * the user token. Fix this by adding the "Unix User"\unix_username + * SID to the sid array. The correct fix should probably be + * changing the server_info->sam_account user SID to be a + * S-1-22 Unix SID, but this might break old configs where + * plaintext passwords were used with no SAM backend. + */ + + mem_ctx = talloc_init("make_server_info_pw_tmp"); + if (!mem_ctx) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", + unix_users_domain_name(), + unix_username ); + if (!qualified_name) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, + NULL, NULL, + &u_sid, &type)) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + TALLOC_FREE(mem_ctx); + + if (type != SID_NAME_USER) { + TALLOC_FREE(result); + return NT_STATUS_NO_SUCH_USER; + } + + if (!add_sid_to_array_unique(result, &u_sid, + &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ -- cgit From ce02d0dfcbeeeec316578322257d998589090c6f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 20 Jun 2007 17:38:42 +0000 Subject: r23554: Fix bug #4711 by makeing cli_connect return an NTSTATUS. Long overdue fix.... Jeremy. (This used to be commit 073fdc5a58139796dbaa7ea9833dca5308f11282) --- source3/auth/auth_server.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 4351f96eeb..f862ba0f1a 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -49,6 +49,8 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { + NTSTATUS status; + standard_sub_basic(current_user_info.smb_name, current_user_info.domain, desthost, sizeof(desthost)); strupper_m(desthost); @@ -72,11 +74,14 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return NULL; } - if (cli_connect(cli, desthost, &dest_ip)) { + status = cli_connect(cli, desthost, &dest_ip); + if (NT_STATUS_IS_OK(status)) { DEBUG(3,("connected to password server %s\n",desthost)); connected_ok = True; break; } + DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n", + desthost, nt_errstr(status) )); } if (!connected_ok) { -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/auth/auth.c | 2 +- source3/auth/auth_builtin.c | 2 +- source3/auth/auth_compat.c | 2 +- source3/auth/auth_domain.c | 2 +- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_sam.c | 2 +- source3/auth/auth_script.c | 2 +- source3/auth/auth_server.c | 2 +- source3/auth/auth_unix.c | 2 +- source3/auth/auth_util.c | 2 +- source3/auth/auth_winbind.c | 2 +- source3/auth/pampass.c | 2 +- source3/auth/pass_check.c | 2 +- source3/auth/token_util.c | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index eb239d3d7d..9284079542 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -5,7 +5,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index d4d6d49e40..8175beeaec 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 65ece50a50..0d2a6d76bf 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -5,7 +5,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 853108863b..b0cd54638a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 08e88cc21a..0234637045 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index b6364a6ca4..afd1386375 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index bdcd7533f9..4d65269b89 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index f862ba0f1a..75898eaff5 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 837c932365..81d3736529 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -5,7 +5,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7509b5ad1c..14d2fbed09 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index f06f83f406..d6af08c716 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index a83e2bcb3f..e2d52ada2d 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index d0a900b80f..8d16acd27c 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -5,7 +5,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 57db0d193f..977baa9b23 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -10,7 +10,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/auth/auth.c | 3 +-- source3/auth/auth_builtin.c | 3 +-- source3/auth/auth_compat.c | 3 +-- source3/auth/auth_domain.c | 3 +-- source3/auth/auth_ntlmssp.c | 3 +-- source3/auth/auth_sam.c | 3 +-- source3/auth/auth_script.c | 3 +-- source3/auth/auth_server.c | 3 +-- source3/auth/auth_unix.c | 3 +-- source3/auth/auth_util.c | 3 +-- source3/auth/auth_winbind.c | 3 +-- source3/auth/pampass.c | 3 +-- source3/auth/pass_check.c | 3 +-- 13 files changed, 13 insertions(+), 26 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 9284079542..29f9be9bf6 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -14,8 +14,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 8175beeaec..ffc8b94962 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 0d2a6d76bf..9035f8917a 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -14,8 +14,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b0cd54638a..1e6857230f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 0234637045..742be2156f 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index afd1386375..eb02ad4e7d 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c index 4d65269b89..6cbace71e8 100644 --- a/source3/auth/auth_script.c +++ b/source3/auth/auth_script.c @@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 75898eaff5..ba7507ef4f 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 81d3736529..b79e7361d3 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -14,8 +14,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 14d2fbed09..0d8c3b3f95 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index d6af08c716..959c550524 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index e2d52ada2d..0104108e8e 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ /* diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 8d16acd27c..b1a6e4d402 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -14,8 +14,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ /* this module is for checking a username/password against a system -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/auth/token_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 977baa9b23..2c11fa5b17 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -19,8 +19,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ /* functions moved from auth/auth_util.c to minimize linker deps */ -- cgit From 4b4a3c7df1b894c32473ee559185f6253b895800 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 17 Jul 2007 11:47:17 +0000 Subject: r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a sid_array_from_info3() function. Guenther (This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57) --- source3/auth/auth_util.c | 38 ++++++-------------------------------- 1 file changed, 6 insertions(+), 32 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0d8c3b3f95..325b05f80f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1405,8 +1405,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; - size_t i; - auth_serversupplied_info *result; /* @@ -1584,37 +1582,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, result->num_sids = 0; result->sids = NULL; - /* and create (by appending rids) the 'domain' sids */ - - for (i = 0; i < info3->num_groups2; i++) { - DOM_SID sid; - if (!sid_compose(&sid, &info3->dom_sid.sid, - info3->gids[i].g_rid)) { - DEBUG(3,("could not append additional group rid " - "0x%x\n", info3->gids[i].g_rid)); - TALLOC_FREE(result); - return NT_STATUS_INVALID_PARAMETER; - } - if (!add_sid_to_array(result, &sid, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(result, &info3->other_sids[i].sid, + nt_status = sid_array_from_info3(result, info3, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } + &result->num_sids, + False); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(result); + return nt_status; } result->login_server = unistr2_tdup(result, -- cgit From 3529156971e17c7ec13f6a6243f7b613e4666cdd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 03:54:42 +0000 Subject: r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags, and client fixes. Patch from Todd Stetcher . (This used to be commit 8304ccba7346597425307e260e88647e49081f68) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 1e6857230f..0010d8bc26 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; -- cgit From 99b031e190f68d976aa44bfb867f13e929a296f3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 03:56:12 +0000 Subject: r25401: BUG 4982: Don't delete lanman hashes on invalid logins when using the "lanman auth = no". Tested by Guenter Kukkukk. (This used to be commit 611fdd95a583ebd22ffa17e2f39c5a1bb0936c63) --- source3/auth/auth_sam.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index eb02ad4e7d..9070de1ce4 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -294,14 +294,16 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, &user_sess_key, &lm_sess_key); - /* Notify passdb backend of login success/failure. If not NT_STATUS_OK the backend doesn't like the login */ + /* Notify passdb backend of login success/failure. If not + NT_STATUS_OK the backend doesn't like the login */ + update_login_attempts_status = pdb_update_login_attempts(sampass, NT_STATUS_IS_OK(nt_status)); - if (!NT_STATUS_IS_OK(update_login_attempts_status)) - nt_status = update_login_attempts_status; if (!NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && - pdb_get_acct_ctrl(sampass) &ACB_NORMAL) { + pdb_get_acct_ctrl(sampass) &ACB_NORMAL && + NT_STATUS_IS_OK(update_login_attempts_status)) + { pdb_increment_bad_password_count(sampass); updated_badpw = True; } else { -- cgit From 5221ebb299081da6a806362212c6a8ceb9cc70a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 18:15:34 +0000 Subject: r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree. The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0010d8bc26..1e6857230f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; -- cgit From 57482469b32645250e92a7ffd003aeeb4a42235e Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 10 Oct 2007 08:27:56 +0000 Subject: r25598: Add missing become_root/unbecome_root around calls of add_aliases. This triggered a "cannot access LDAP when not root"-bug with "passdb backend = ldap" and "winbind nested groups = yes". This *might* be a step towards fixing bug #4308, since the failure was observerd when triggered by acl code. Michael (This used to be commit ba8c48244e140403b728d9a2ca297b40e8888964) --- source3/auth/token_util.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 2c11fa5b17..7514d867ad 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -388,6 +388,8 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, if (lp_winbind_nested_groups()) { + become_root(); + /* Now add the aliases. First the one from our local SAM */ status = add_aliases(get_global_sam_sid(), result); @@ -405,6 +407,8 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, TALLOC_FREE(result); return NULL; } + + unbecome_root(); } -- cgit From e5a951325a6cac8567af3a66de6d2df577508ae4 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Wed, 10 Oct 2007 15:34:30 -0500 Subject: [GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab) --- source3/auth/auth_server.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index ba7507ef4f..b7669e945c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -149,7 +149,7 @@ struct server_security_state { ****************************************************************************/ static BOOL send_server_keepalive(const struct timeval *now, - void *private_data) + void *private_data) { struct server_security_state *state = talloc_get_type_abort( private_data, struct server_security_state); @@ -231,7 +231,6 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte *my_private_data = (void *)make_server_security_state(cli); return data_blob_null; - } else if (cli->secblob.length < 8) { /* We can't do much if we don't get a full challenge */ DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n")); @@ -240,7 +239,7 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte } if (!(*my_private_data = (void *)make_server_security_state(cli))) { - return data_blob_null; + return data_blob(NULL,0); } /* The return must be allocated on the caller's mem_ctx, as our own will be @@ -258,7 +257,7 @@ static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_conte ****************************************************************************/ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context, - void *private_data, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) @@ -270,12 +269,8 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context static BOOL bad_password_server = False; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; BOOL locally_made_cli = False; - struct server_security_state *state; - - state = talloc_get_type_abort( - private_data, struct server_security_state); - cli = state->cli; + cli = (struct cli_state *)my_private_data; if (cli) { } else { -- cgit From 8e54530b52fd256137740107e9fdf000f00a7a30 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 10 Oct 2007 18:25:16 -0700 Subject: Add start of IPv6 implementation. Currently most of this is avoiding IPv6 in winbindd, but moves most of the socket functions that were wrongly in lib/util.c into lib/util_sock.c and provides generic IPv4/6 independent versions of most things. Still lots of work to do, but now I can see how I'll fix the access check code. Nasty part that remains is the name resolution code which is used to returning arrays of in_addr structs. Jeremy. (This used to be commit 3f6bd0e1ec5cc6670f3d08f76fc2cd94c9cd1a08) --- source3/auth/auth_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index b7669e945c..44f36dc4cf 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -59,7 +59,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) continue; } - if (ismyip(dest_ip)) { + if (ismyip_v4(dest_ip)) { DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); continue; } -- cgit From ea33a1c22f834f985766347c8505935b59a808d8 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 12 Oct 2007 13:20:07 +0200 Subject: Add become_root/unbecome_root around one call of getsampwsid() in create_token_from_username(). This caused set_nt_acl to partially fail in certain circumstances. This is expected to bring an improvement to bug #4308. Michael (This used to be commit e68671b59500d7e1b645c80ee264c49893f8df84) --- source3/auth/auth_util.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 325b05f80f..2c05f04b9b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -721,6 +721,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, } if (sid_check_is_in_our_domain(&user_sid)) { + BOOL ret; /* This is a passdb user, so ask passdb */ @@ -731,7 +732,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (!pdb_getsampwsid(sam_acct, &user_sid)) { + become_root(); + ret = pdb_getsampwsid(sam_acct, &user_sid); + unbecome_root(); + + if (!ret) { DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", sid_string_static(&user_sid), username)); DEBUGADD(1, ("Fall back to unix user %s\n", username)); -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/auth/auth.c | 8 ++++---- source3/auth/auth_compat.c | 8 ++++---- source3/auth/auth_domain.c | 6 +++--- source3/auth/auth_ntlmssp.c | 4 ++-- source3/auth/auth_sam.c | 10 ++++----- source3/auth/auth_server.c | 10 ++++----- source3/auth/auth_unix.c | 4 ++-- source3/auth/auth_util.c | 50 ++++++++++++++++++++++----------------------- source3/auth/pampass.c | 24 +++++++++++----------- source3/auth/pass_check.c | 8 ++++---- source3/auth/token_util.c | 8 ++++---- 11 files changed, 70 insertions(+), 70 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 29f9be9bf6..0a9ae32472 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -156,7 +156,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) * False otherwise. **/ -static BOOL check_domain_match(const char *user, const char *domain) +static bool check_domain_match(const char *user, const char *domain) { /* * If we aren't serving to trusted domains, we must make sure that @@ -366,16 +366,16 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) return NT_STATUS_OK; } -BOOL load_auth_module(struct auth_context *auth_context, +bool load_auth_module(struct auth_context *auth_context, const char *module, auth_methods **ret) { - static BOOL initialised_static_modules = False; + static bool initialised_static_modules = False; struct auth_init_function_entry *entry; char *module_name = smb_xstrdup(module); char *module_params = NULL; char *p; - BOOL good = False; + bool good = False; /* Initialise static modules if not done so yet */ if(!initialised_static_modules) { diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 9035f8917a..f10585d9dd 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -20,7 +20,7 @@ #include "includes.h" extern struct auth_context *negprot_global_auth_context; -extern BOOL global_encrypted_passwords_negotiated; +extern bool global_encrypted_passwords_negotiated; #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -66,7 +66,7 @@ static NTSTATUS pass_check_smb(const char *smb_name, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext_password, - BOOL encrypted) + bool encrypted) { NTSTATUS nt_status; @@ -92,11 +92,11 @@ check if a username/password pair is ok via the auth subsystem. return True if the password is correct, False otherwise ****************************************************************************/ -BOOL password_ok(char *smb_name, DATA_BLOB password_blob) +bool password_ok(char *smb_name, DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob_null; - BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46)); + bool encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46)); if (encrypted) { /* diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 1e6857230f..72bdbab182 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -23,7 +23,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern BOOL global_machine_password_needs_changing; +extern bool global_machine_password_needs_changing; /** * Connect to a remote server for (inter)domain security authenticaion. @@ -44,7 +44,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *dc_name, struct in_addr dc_ip, struct rpc_pipe_client **pipe_ret, - BOOL *retry) + bool *retry) { NTSTATUS result; struct rpc_pipe_client *netlogon_pipe = NULL; @@ -191,7 +191,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; int i; - BOOL retry = True; + bool retry = True; /* * At this point, smb_apasswd points to the lanman response to diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 742be2156f..526f2c93df 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -39,7 +39,7 @@ static const uint8 *auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlms * * @return If the effective challenge used by the auth subsystem may be modified */ -static BOOL auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) +static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state) { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; @@ -83,7 +83,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; auth_usersupplied_info *user_info = NULL; NTSTATUS nt_status; - BOOL username_was_mapped; + bool username_was_mapped; /* the client has given us its machine name (which we otherwise would not get on port 445). we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 9070de1ce4..13fc968b88 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -70,7 +70,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, bitmask. ****************************************************************************/ -static BOOL logon_hours_ok(struct samu *sampass) +static bool logon_hours_ok(struct samu *sampass) { /* In logon hours first bit is Sunday from 12AM to 1AM */ const uint8 *hours; @@ -187,7 +187,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; if (*workstation_list) { - BOOL invalid_ws = True; + bool invalid_ws = True; fstring tok; const char *s = workstation_list; @@ -251,12 +251,12 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { struct samu *sampass=NULL; - BOOL ret; + bool ret; NTSTATUS nt_status; NTSTATUS update_login_attempts_status; DATA_BLOB user_sess_key = data_blob_null; DATA_BLOB lm_sess_key = data_blob_null; - BOOL updated_autolock = False, updated_badpw = False; + bool updated_autolock = False, updated_badpw = False; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; @@ -395,7 +395,7 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - BOOL is_local_name, is_my_domain; + bool is_local_name, is_my_domain; if (!user_info || !auth_context) { return NT_STATUS_LOGON_FAILURE; diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 44f36dc4cf..815c1193d1 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -36,7 +36,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) struct in_addr dest_ip; const char *p; char *pserver; - BOOL connected_ok = False; + bool connected_ok = False; if (!(cli = cli_initialise())) return NULL; @@ -148,7 +148,7 @@ struct server_security_state { Send a 'keepalive' packet down the cli pipe. ****************************************************************************/ -static BOOL send_server_keepalive(const struct timeval *now, +static bool send_server_keepalive(const struct timeval *now, void *private_data) { struct server_security_state *state = talloc_get_type_abort( @@ -265,10 +265,10 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context struct cli_state *cli; static unsigned char badpass[24]; static fstring baduser; - static BOOL tested_password_server = False; - static BOOL bad_password_server = False; + static bool tested_password_server = False; + static bool bad_password_server = False; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - BOOL locally_made_cli = False; + bool locally_made_cli = False; cli = (struct cli_state *)my_private_data; diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index b79e7361d3..4fca5bcbe4 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -27,10 +27,10 @@ * * this ugly hack needs to die, but not quite yet, I think people still use it... **/ -static BOOL update_smbpassword_file(const char *user, const char *password) +static bool update_smbpassword_file(const char *user, const char *password) { struct samu *sampass; - BOOL ret; + bool ret; if ( !(sampass = samu_new( NULL )) ) { return False; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2c05f04b9b..99eea6cdd2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -62,7 +62,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, DATA_BLOB *plaintext, - BOOL encrypted) + bool encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -141,11 +141,11 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, DATA_BLOB *plaintext, - BOOL encrypted) + bool encrypted) { const char *domain; NTSTATUS result; - BOOL was_mapped; + bool was_mapped; fstring internal_username; fstrcpy(internal_username, smb_name); was_mapped = map_username(internal_username); @@ -186,7 +186,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, Decrypt and encrypt the passwords. ****************************************************************************/ -BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, +bool make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, @@ -196,7 +196,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const uchar *nt_network_pwd, int nt_pwd_len) { - BOOL ret; + bool ret; NTSTATUS status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); @@ -224,7 +224,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, Decrypt and encrypt the passwords. ****************************************************************************/ -BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, +bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, @@ -286,7 +286,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ZERO_STRUCT(key); { - BOOL ret; + bool ret; NTSTATUS nt_status; DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; @@ -337,7 +337,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, +bool make_user_info_for_reply(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const uint8 chal[8], @@ -413,7 +413,7 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, Create a guest user_info blob, for anonymous authenticaion. ****************************************************************************/ -BOOL make_user_info_guest(auth_usersupplied_info **user_info) +bool make_user_info_guest(auth_usersupplied_info **user_info) { NTSTATUS nt_status; @@ -680,7 +680,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) */ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, - BOOL is_guest, + bool is_guest, uid_t *uid, gid_t *gid, char **found_username, struct nt_user_token **token) @@ -721,7 +721,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, } if (sid_check_is_in_our_domain(&user_sid)) { - BOOL ret; + bool ret; /* This is a passdb user, so ask passdb */ @@ -900,14 +900,14 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, member of a particular group. ***************************************************************************/ -BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) +bool user_in_group_sid(const char *username, const DOM_SID *group_sid) { NTSTATUS status; uid_t uid; gid_t gid; char *found_username; struct nt_user_token *token; - BOOL result; + bool result; TALLOC_CTX *mem_ctx; @@ -933,11 +933,11 @@ BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) } -BOOL user_in_group(const char *username, const char *groupname) +bool user_in_group(const char *username, const char *groupname) { TALLOC_CTX *mem_ctx; DOM_SID group_sid; - BOOL ret; + bool ret; mem_ctx = talloc_new(NULL); if (mem_ctx == NULL) { @@ -1078,7 +1078,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf NTSTATUS status; struct samu *sampass = NULL; DOM_SID guest_sid; - BOOL ret; + bool ret; static const char zeros[16] = { 0, }; if ( !(sampass = samu_new( NULL )) ) { @@ -1177,7 +1177,7 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) static auth_serversupplied_info *guest_info = NULL; -BOOL init_guest_info(void) +bool init_guest_info(void) { if (guest_info != NULL) return True; @@ -1191,7 +1191,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } -BOOL copy_current_user(struct current_user *dst, struct current_user *src) +bool copy_current_user(struct current_user *dst, struct current_user *src) { gid_t *groups; NT_USER_TOKEN *nt_token; @@ -1218,7 +1218,7 @@ BOOL copy_current_user(struct current_user *dst, struct current_user *src) return True; } -BOOL set_current_user_guest(struct current_user *dst) +bool set_current_user_guest(struct current_user *dst) { gid_t *groups; NT_USER_TOKEN *nt_token; @@ -1261,7 +1261,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, char **found_username, uid_t *uid, gid_t *gid, struct samu *account, - BOOL *username_was_mapped) + bool *username_was_mapped) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1308,7 +1308,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, ****************************************************************************/ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, - fstring save_username, BOOL create ) + fstring save_username, bool create ) { struct passwd *pw = NULL; char *p; @@ -1405,7 +1405,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; - BOOL username_was_mapped; + bool username_was_mapped; uid_t uid; gid_t gid; @@ -1655,7 +1655,7 @@ void free_user_info(auth_usersupplied_info **user_info) Make an auth_methods struct ***************************************************************************/ -BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) +bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) { if (!auth_context) { smb_panic("no auth_context supplied to " @@ -1685,10 +1685,10 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me * false if otherwise **/ -BOOL is_trusted_domain(const char* dom_name) +bool is_trusted_domain(const char* dom_name) { DOM_SID trustdom_sid; - BOOL ret; + bool ret; /* no trusted domains for a standalone server */ diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 0104108e8e..ac3aa3aa64 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -68,7 +68,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp PAM error handler. *********************************************************************/ -static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) +static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl) { if( pam_error != PAM_SUCCESS) { @@ -85,7 +85,7 @@ static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char failure as sucess. *********************************************************************/ -static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, +static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl, NTSTATUS *nt_status) { @@ -270,7 +270,7 @@ static int smb_pam_passchange_conv(int num_msg, struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat()); struct chat_struct *t; - BOOL found; + bool found; *resp = NULL; DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg)); @@ -430,7 +430,7 @@ static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, c * PAM Closing out cleanup handler */ -static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) +static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) { int pam_error; @@ -451,7 +451,7 @@ static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr) * Start PAM authentication for specified account */ -static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) +static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv) { int pam_error; const char *our_rhost; @@ -624,7 +624,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user) /* * PAM Internal Session Handler */ -static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, BOOL flag) +static bool smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, bool flag) { int pam_error; @@ -652,7 +652,7 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, const char *user, const * Internal PAM Password Changer. */ -static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user) +static bool smb_pam_chauthtok(pam_handle_t *pamh, const char * user) { int pam_error; @@ -706,7 +706,7 @@ static BOOL smb_pam_chauthtok(pam_handle_t *pamh, const char * user) * PAM Externally accessible Session handler */ -BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) +bool smb_pam_claim_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; struct pam_conv *pconv = NULL; @@ -734,7 +734,7 @@ BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) * PAM Externally accessible Session handler */ -BOOL smb_pam_close_session(char *user, char *tty, char *rhost) +bool smb_pam_close_session(char *user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; struct pam_conv *pconv = NULL; @@ -834,7 +834,7 @@ NTSTATUS smb_pam_passcheck(const char * user, const char * password) * PAM Password Change Suite */ -BOOL smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword) +bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword) { /* Appropriate quantities of root should be obtained BEFORE calling this function */ struct pam_conv *pconv = NULL; @@ -864,13 +864,13 @@ NTSTATUS smb_pam_accountcheck(const char * user) } /* If PAM not used, also no PAM restrictions on sessions. */ -BOOL smb_pam_claim_session(char *user, char *tty, char *rhost) +bool smb_pam_claim_session(char *user, char *tty, char *rhost) { return True; } /* If PAM not used, also no PAM restrictions on sessions. */ -BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost) +bool smb_pam_close_session(char *in_user, char *tty, char *rhost) { return True; } diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index b1a6e4d402..8773804a38 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -40,7 +40,7 @@ static fstring this_crypted; /******************************************************************* check on AFS authentication ********************************************************************/ -static BOOL afs_auth(char *user, char *password) +static bool afs_auth(char *user, char *password) { long password_expires = 0; char *reason; @@ -89,7 +89,7 @@ int dcelogin_atmost_once = 0; /******************************************************************* check on a DCE/DFS authentication ********************************************************************/ -static BOOL dfs_auth(char *user, char *password) +static bool dfs_auth(char *user, char *password) { struct tm *t; error_status_t err; @@ -495,7 +495,7 @@ static NTSTATUS password_check(const char *password) return smb_pam_passcheck(this_user, password); #else - BOOL ret; + bool ret; #ifdef WITH_AFS if (afs_auth(this_user, password)) @@ -597,7 +597,7 @@ return NT_STATUS_OK on correct match, appropriate error otherwise ****************************************************************************/ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, - int pwlen, BOOL (*fn) (const char *, const char *), BOOL run_cracker) + int pwlen, bool (*fn) (const char *, const char *), bool run_cracker) { pstring pass2; int level = lp_passwordlevel(); diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 7514d867ad..bc6bea5d29 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -30,7 +30,7 @@ Check for a SID in an NT_USER_TOKEN ****************************************************************************/ -BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) +bool nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) { int i; @@ -45,7 +45,7 @@ BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) return False; } -BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) +bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) { DOM_SID domain_sid; @@ -223,7 +223,7 @@ static NTSTATUS create_builtin_administrators( void ) fstring root_name; enum lsa_SidType type; TALLOC_CTX *ctx; - BOOL ret; + bool ret; status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); if ( !NT_STATUS_IS_OK(status) ) { @@ -271,7 +271,7 @@ static NTSTATUS create_builtin_administrators( void ) struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - BOOL is_guest, + bool is_guest, int num_groupsids, const DOM_SID *groupsids) { -- cgit From f88b7a076be74a29a3bf876b4e2705f4a1ecf42b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 24 Oct 2007 14:16:54 -0700 Subject: This is a large patch (sorry). Migrate from struct in_addr to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd) --- source3/auth/auth_domain.c | 20 ++++++++++---------- source3/auth/auth_server.c | 10 +++++----- 2 files changed, 15 insertions(+), 15 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 72bdbab182..7cddabbbbd 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -42,7 +42,7 @@ extern bool global_machine_password_needs_changing; static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *domain, const char *dc_name, - struct in_addr dc_ip, + struct sockaddr_storage *dc_ss, struct rpc_pipe_client **pipe_ret, bool *retry) { @@ -73,7 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ *retry = True; - result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, + result = cli_full_connection(cli, global_myname(), dc_name, dc_ss, 0, "IPC$", "IPC", "", "", "", 0, Undefined, retry); if (!NT_STATUS_IS_OK(result)) { @@ -183,7 +183,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, uchar chal[8], auth_serversupplied_info **server_info, const char *dc_name, - struct in_addr dc_ip) + struct sockaddr_storage *dc_ss) { NET_USER_INFO_3 info3; @@ -207,7 +207,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = connect_to_domain_password_server(&cli, domain, dc_name, - dc_ip, + dc_ss, &netlogon_pipe, &retry); } @@ -305,7 +305,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; const char *domain = lp_workgroup(); fstring dc_name; - struct in_addr dc_ip; + struct sockaddr_storage dc_ss; if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) { DEBUG(0,("check_ntdomain_security: Configuration error! Cannot use " @@ -331,7 +331,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* we need our DC to send the net_sam_logon() request to */ - if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) { DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; @@ -343,7 +343,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, (uchar *)auth_context->challenge.data, server_info, dc_name, - dc_ip); + &dc_ss); return nt_status; } @@ -377,7 +377,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte time_t last_change_time; DOM_SID sid; fstring dc_name; - struct in_addr dc_ip; + struct sockaddr_storage dc_ss; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); @@ -433,7 +433,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* use get_dc_name() for consistency even through we know that it will be a netbios name */ - if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ss) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; @@ -445,7 +445,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte (uchar *)auth_context->challenge.data, server_info, dc_name, - dc_ip); + &dc_ss); return nt_status; } diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 815c1193d1..8b10be93fc 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -33,7 +33,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) { struct cli_state *cli = NULL; fstring desthost; - struct in_addr dest_ip; + struct sockaddr_storage dest_ss; const char *p; char *pserver; bool connected_ok = False; @@ -54,12 +54,12 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) desthost, sizeof(desthost)); strupper_m(desthost); - if(!resolve_name( desthost, &dest_ip, 0x20)) { + if(!resolve_name( desthost, &dest_ss, 0x20)) { DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); continue; } - if (ismyip_v4(dest_ip)) { + if (ismyaddr(&dest_ss)) { DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); continue; } @@ -73,7 +73,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return NULL; } - status = cli_connect(cli, desthost, &dest_ip); + status = cli_connect(cli, desthost, &dest_ss); if (NT_STATUS_IS_OK(status)) { DEBUG(3,("connected to password server %s\n",desthost)); connected_ok = True; @@ -91,7 +91,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } if (!attempt_netbios_session_request(&cli, global_myname(), - desthost, &dest_ip)) { + desthost, &dest_ss)) { release_server_mutex(); DEBUG(1,("password server fails session request\n")); cli_shutdown(cli); -- cgit From 6658165d5e9cd186fea74e1581091233e8990e9b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2007 18:15:45 -0700 Subject: Stop get_peer_addr() and client_addr() from using global statics. Part of my library cleanups. Jeremy. (This used to be commit e848506c858bd16706c1d7f6b4b032005512b8ac) --- source3/auth/pampass.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index ac3aa3aa64..9b8faf1609 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -455,6 +455,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho { int pam_error; const char *our_rhost; + char addr[INET6_ADDRSTRLEN]; *pamh = (pam_handle_t *)NULL; @@ -469,7 +470,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho if (rhost == NULL) { our_rhost = client_name(); if (strequal(our_rhost,"UNKNOWN")) - our_rhost = client_addr(); + our_rhost = client_addr(addr); } else { our_rhost = rhost; } -- cgit From 25074433f412c4dd2531fd268d51be8753ddc11b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2007 18:41:26 -0700 Subject: I can't get away without a 'length' arg. :-). Jeremy. (This used to be commit 95d01279a5def709d0a5d5ae7224d6286006d120) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 9b8faf1609..c7ec79b969 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -470,7 +470,7 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho if (rhost == NULL) { our_rhost = client_name(); if (strequal(our_rhost,"UNKNOWN")) - our_rhost = client_addr(addr); + our_rhost = client_addr(addr,sizeof(addr)); } else { our_rhost = rhost; } -- cgit From 5b0b4f23ef5fec3d1ad518237f973d4e014b5766 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2007 23:20:10 -0700 Subject: Remove most of the remaining globals out of lib/util_sock.c. I have a plan for dealing with the remaining..... Watch this space. Jeremy. (This used to be commit 963fc7685212689f02b3adcc05b4273ee5c382d4) --- source3/auth/pampass.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index c7ec79b969..739e0a78fd 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -468,9 +468,9 @@ static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rho } if (rhost == NULL) { - our_rhost = client_name(); + our_rhost = client_name(get_client_fd()); if (strequal(our_rhost,"UNKNOWN")) - our_rhost = client_addr(addr,sizeof(addr)); + our_rhost = client_addr(get_client_fd(),addr,sizeof(addr)); } else { our_rhost = rhost; } -- cgit From 052efa9a33d7a9a3b9ae9b038f6b3943c85c4bfc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 13 Nov 2007 12:51:31 -0800 Subject: Remove last pstring from smbd/*.c Jeremy. (This used to be commit f1680bada913af4eaf5c0d686983018d6c8b3e5f) --- source3/auth/auth_compat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index f10585d9dd..ad2686c003 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -92,7 +92,7 @@ check if a username/password pair is ok via the auth subsystem. return True if the password is correct, False otherwise ****************************************************************************/ -bool password_ok(char *smb_name, DATA_BLOB password_blob) +bool password_ok(const char *smb_name, DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob_null; -- cgit From d07eabcb444a281ec63a36c6612aca6e34730f18 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Nov 2007 10:37:18 -0800 Subject: Remove pstring from auth/* Jeremy. (This used to be commit 72c19d114b40ee307bbe45d9828667165a26d7a3) --- source3/auth/auth_util.c | 52 ++++++++++++++++++++++++++++++++++------------- source3/auth/pass_check.c | 7 +++++-- 2 files changed, 43 insertions(+), 16 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 99eea6cdd2..7ef894239e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -32,20 +32,44 @@ static int smb_create_user(const char *domain, const char *unix_username, const char *homedir) { - pstring add_script; + TALLOC_CTX *ctx = talloc_tos(); + char *add_script; int ret; - pstrcpy(add_script, lp_adduser_script()); - if (! *add_script) + add_script = talloc_strdup(ctx, lp_adduser_script()); + if (!add_script || !*add_script) { return -1; - all_string_sub(add_script, "%u", unix_username, sizeof(pstring)); - if (domain) - all_string_sub(add_script, "%D", domain, sizeof(pstring)); - if (homedir) - all_string_sub(add_script, "%H", homedir, sizeof(pstring)); + } + add_script = talloc_all_string_sub(ctx, + add_script, + "%u", + unix_username); + if (!add_script) { + return -1; + } + if (domain) { + add_script = talloc_all_string_sub(ctx, + add_script, + "%D", + domain); + if (!add_script) { + return -1; + } + } + if (homedir) { + add_script = talloc_all_string_sub(ctx, + add_script, + "%H", + homedir); + if (!add_script) { + return -1; + } + } ret = smbrun(add_script,NULL); flush_pwnam_cache(); - DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + DEBUG(ret ? 0 : 3, + ("smb_create_user: Running the command `%s' gave %d\n", + add_script,ret)); return ret; } @@ -53,15 +77,15 @@ static int smb_create_user(const char *domain, const char *unix_username, const Create an auth_usersupplied_data structure ****************************************************************************/ -static NTSTATUS make_user_info(auth_usersupplied_info **user_info, - const char *smb_name, +static NTSTATUS make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, const char *internal_username, - const char *client_domain, + const char *client_domain, const char *domain, - const char *wksta_name, + const char *wksta_name, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, - DATA_BLOB *plaintext, + DATA_BLOB *plaintext, bool encrypted) { diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 8773804a38..27915bf499 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -599,7 +599,7 @@ return NT_STATUS_OK on correct match, appropriate error otherwise NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, int pwlen, bool (*fn) (const char *, const char *), bool run_cracker) { - pstring pass2; + char *pass2 = NULL; int level = lp_passwordlevel(); NTSTATUS nt_status; @@ -758,7 +758,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas } /* make a copy of it */ - pstrcpy(pass2, password); + pass2 = talloc_strdup(talloc_tos(), password); + if (!pass2) { + return NT_STATUS_NO_MEMORY; + } /* try all lowercase if it's currently all uppercase */ if (strhasupper(pass2)) { -- cgit From 6b6655edd90850d09c7711fc3b9fe98271e3e625 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 27 Nov 2007 14:35:30 -0800 Subject: Remove pstrings from everything except srv_spoolss_nt.c. Jeremy. (This used to be commit 0002a9e96b0ef78316295a6eb94ff29b64e2f988) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7ef894239e..c0a9e9bc84 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1452,13 +1452,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { + if (!(nt_username = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_user_name)))) { /* If the server didn't give us one, just use the one we sent * them */ nt_username = sent_nt_username; } - if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { + if (!(nt_domain = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_logon_dom)))) { /* If the server didn't give us one, just use the one we sent * them */ nt_domain = domain; @@ -1620,7 +1620,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - result->login_server = unistr2_tdup(result, + result->login_server = unistr2_to_ascii_talloc(result, &(info3->uni_logon_srv)); /* ensure we are never given NULL session keys */ -- cgit From 42cfffae80480eae4381902fff3f7c61f858a933 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 7 Dec 2007 17:32:32 -0800 Subject: Remove next_token - all uses must now be next_token_talloc. No more temptations to use static length strings. Jeremy. (This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de) --- source3/auth/auth_sam.c | 15 ++++++++------- source3/auth/auth_server.c | 39 ++++++++++++++++++++++----------------- source3/auth/pampass.c | 21 ++++++++++++++------- 3 files changed, 44 insertions(+), 31 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 13fc968b88..1ab0c8b3eb 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -188,15 +188,14 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, if (*workstation_list) { bool invalid_ws = True; - fstring tok; + char *tok; const char *s = workstation_list; const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name); if (machine_name == NULL) return NT_STATUS_NO_MEMORY; - - - while (next_token(&s, tok, ",", sizeof(tok))) { + + while (next_token_talloc(mem_ctx, &s, &tok, ",")) { DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n", tok, user_info->wksta_name)); if(strequal(tok, user_info->wksta_name)) { @@ -211,9 +210,11 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, break; } } + TALLOC_FREE(tok); } - - if (invalid_ws) + TALLOC_FREE(tok); + + if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; } @@ -221,7 +222,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } - + if (acct_ctrl & ACB_SVRTRUST) { if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) { DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 8b10be93fc..7c99848612 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -32,10 +32,10 @@ extern userdom_struct current_user_info; static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) { struct cli_state *cli = NULL; - fstring desthost; + char *desthost = NULL; struct sockaddr_storage dest_ss; const char *p; - char *pserver; + char *pserver = NULL; bool connected_ok = False; if (!(cli = cli_initialise())) @@ -47,11 +47,16 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) pserver = talloc_strdup(mem_ctx, lp_passwordserver()); p = pserver; - while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { + while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) { NTSTATUS status; - standard_sub_basic(current_user_info.smb_name, current_user_info.domain, - desthost, sizeof(desthost)); + desthost = talloc_sub_basic(mem_ctx, + current_user_info.smb_name, + current_user_info.domain, + desthost); + if (!desthost) { + return NULL; + } strupper_m(desthost); if(!resolve_name( desthost, &dest_ss, 0x20)) { @@ -64,9 +69,9 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) continue; } - /* we use a mutex to prevent two connections at once - when a - Win2k PDC get two connections where one hasn't completed a - session setup yet it will send a TCP reset to the first + /* we use a mutex to prevent two connections at once - when a + Win2k PDC get two connections where one hasn't completed a + session setup yet it will send a TCP reset to the first connection (tridge) */ if (!grab_server_mutex(desthost)) { @@ -81,27 +86,27 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n", desthost, nt_errstr(status) )); + release_server_mutex(); } if (!connected_ok) { - release_server_mutex(); DEBUG(0,("password server not available\n")); cli_shutdown(cli); return NULL; } - - if (!attempt_netbios_session_request(&cli, global_myname(), + + if (!attempt_netbios_session_request(&cli, global_myname(), desthost, &dest_ss)) { release_server_mutex(); DEBUG(1,("password server fails session request\n")); cli_shutdown(cli); return NULL; } - + if (strequal(desthost,myhostname())) { exit_server_cleanly("Password server loop!"); } - + DEBUG(3,("got session\n")); if (!cli_negprot(cli)) { @@ -119,9 +124,9 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) return NULL; } - /* Get the first session setup done quickly, to avoid silly + /* Get the first session setup done quickly, to avoid silly Win2k bugs. (The next connection to the server will kill - this one... + this one... */ if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0, @@ -132,11 +137,11 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) cli_shutdown(cli); return NULL; } - + release_server_mutex(); DEBUG(3,("password server OK\n")); - + return cli; } diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 739e0a78fd..554df3c157 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -207,15 +207,17 @@ struct chat_struct { static struct chat_struct *make_pw_chat(const char *p) { - fstring prompt; - fstring reply; + char *prompt; + char *reply; struct chat_struct *list = NULL; struct chat_struct *t; + TALLOC_CTX *frame = talloc_stackframe(); while (1) { t = SMB_MALLOC_P(struct chat_struct); if (!t) { DEBUG(0,("make_pw_chat: malloc failed!\n")); + TALLOC_FREE(frame); return NULL; } @@ -223,22 +225,26 @@ static struct chat_struct *make_pw_chat(const char *p) DLIST_ADD_END(list, t, struct chat_struct*); - if (!next_token(&p, prompt, NULL, sizeof(fstring))) + if (!next_token_talloc(frame, &p, &prompt, NULL)) { break; + } - if (strequal(prompt,".")) + if (strequal(prompt,".")) { fstrcpy(prompt,"*"); + } special_char_sub(prompt); fstrcpy(t->prompt, prompt); strlower_m(t->prompt); trim_char(t->prompt, ' ', ' '); - if (!next_token(&p, reply, NULL, sizeof(fstring))) + if (!next_token_talloc(frame, &p, reply, NULL)) { break; + } - if (strequal(reply,".")) - fstrcpy(reply,""); + if (strequal(reply,".")) { + fstrcpy(reply,""); + } special_char_sub(reply); fstrcpy(t->reply, reply); @@ -246,6 +252,7 @@ static struct chat_struct *make_pw_chat(const char *p) trim_char(t->reply, ' ', ' '); } + TALLOC_FREE(frame); return list; } -- cgit From 0cdcd255a5ab2d776d1f4d010199ca9edd06c5e9 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 8 Dec 2007 11:20:53 +0100 Subject: Fix two incompatible pointer warnings Jeremy, please check (This used to be commit 60500fac30911500eade7c2a9aa13569dcab0911) --- source3/auth/pampass.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 554df3c157..58921bdf15 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -238,7 +238,7 @@ static struct chat_struct *make_pw_chat(const char *p) strlower_m(t->prompt); trim_char(t->prompt, ' ', ' '); - if (!next_token_talloc(frame, &p, reply, NULL)) { + if (!next_token_talloc(frame, &p, &reply, NULL)) { break; } -- cgit From af082d096e49e7662400efee3e78174d888e88c3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 10 Dec 2007 11:47:17 +0100 Subject: Correctly unbecome_root() on error (This used to be commit aec5f1512660953168a2c55b2890cd6c076b8a92) --- source3/auth/token_util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index bc6bea5d29..63672bcf74 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -395,6 +395,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, status = add_aliases(get_global_sam_sid(), result); if (!NT_STATUS_IS_OK(status)) { + unbecome_root(); TALLOC_FREE(result); return NULL; } @@ -404,6 +405,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, status = add_aliases(&global_sid_Builtin, result); if (!NT_STATUS_IS_OK(status)) { + unbecome_root(); TALLOC_FREE(result); return NULL; } -- cgit From f793c99ca54d62cb8142607e8449f5b5b3a5e79d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 13:05:44 +0100 Subject: Let get_trust_pw() determine the machine_account_name to use. Up to now each caller used its own logic. This eliminates code paths where there was a special treatment of the following situation: the domain given is not our workgroup (i.e. our own domain) and we are not a DC (i.e. it is not a typical trusted domain situation). In situation the given domain name was previously used as the machine account name, resulting in an account name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me. get_trust_pw would not have obtained a password in this situation anyways. I hope I have not missed an important point here! Michael (This used to be commit 6ced4a7f88798dc449a667d63bc29bf6c569291f) --- source3/auth/auth_domain.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 7cddabbbbd..b428723a06 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -127,8 +127,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; + const char *account_name; - if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) { + if (!get_trust_pw(domain, machine_pwd, &account_name, + &sec_chan_type)) + { DEBUG(0, ("connect_to_domain_password_server: could not fetch " "trust account password for domain '%s'\n", domain)); @@ -142,7 +145,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); dc_name, /* server name */ domain, /* domain */ global_myname(), /* client name */ - global_myname(), /* machine account name */ + account_name, /* machine account name */ machine_pwd, sec_chan_type, &neg_flags); -- cgit From 31f221ed9316c8dc2f4911d7b8ddcdf8b74367db Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 14:07:32 +0100 Subject: Rename get_trust_pw() to get_trust_pw_hash(). Michael (This used to be commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b428723a06..b2c87174fd 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -129,8 +129,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); unsigned char machine_pwd[16]; const char *account_name; - if (!get_trust_pw(domain, machine_pwd, &account_name, - &sec_chan_type)) + if (!get_trust_pw_hash(domain, machine_pwd, &account_name, + &sec_chan_type)) { DEBUG(0, ("connect_to_domain_password_server: could not fetch " "trust account password for domain '%s'\n", -- cgit From 0d8146d5de33b4a8fc4b2833fb7e112f440ae365 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 13 Dec 2007 14:38:05 +0100 Subject: Fix typo in debug statement. Michael (This used to be commit da23684261f40c06dea30ab2df0c878ebb0d0d81) --- source3/auth/token_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 63672bcf74..330acde6e4 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -85,7 +85,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) return token; if ( !(pw = sys_getpwnam( "root" )) ) { - DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); + DEBUG(0,("get_root_nt_token: getpwnam(\"root\") failed!\n")); return NULL; } -- cgit From 105635e23c5c77c5efed727bbc686650406ab82e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 21:10:58 +0100 Subject: Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c0a9e9bc84..0d4caecb2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -586,12 +586,12 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) for (i=1; inum_sids; i++) { group_sidstr = talloc_asprintf( tmp_ctx, "%s %s", group_sidstr, - sid_string_static(&token->user_sids[i])); + sid_string_talloc(tmp_ctx, &token->user_sids[i])); } command = talloc_string_sub( tmp_ctx, lp_log_nt_token_command(), - "%s", sid_string_static(&token->user_sids[0])); + "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0])); command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr); if (command == NULL) { -- cgit From 900288a2b86abd247f9eb4cd15dc5617a17cfef1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 21:11:36 +0100 Subject: Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09) --- source3/auth/auth_util.c | 8 ++++---- source3/auth/token_util.c | 7 ++++--- 2 files changed, 8 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0d4caecb2d..1e33869ea9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -669,7 +669,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) if (!sid_to_gid(sid, &gid)) { DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(sid))); + "ignoring it\n", sid_string_dbg(sid))); continue; } add_gid_to_array_unique(server_info, gid, &server_info->groups, @@ -740,7 +740,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_uid(&user_sid, uid)) { DEBUG(1, ("sid_to_uid for %s (%s) failed\n", - username, sid_string_static(&user_sid))); + username, sid_string_dbg(&user_sid))); goto done; } @@ -762,7 +762,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!ret) { DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", - sid_string_static(&user_sid), username)); + sid_string_dbg(&user_sid), username)); DEBUGADD(1, ("Fall back to unix user %s\n", username)); goto unix_user; } @@ -864,7 +864,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&group_sids[0], gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&group_sids[0]))); + sid_string_dbg(&group_sids[0]))); goto done; } diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 330acde6e4..2415a90b02 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -280,7 +280,8 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, NTSTATUS status; gid_t gid; - DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid))); + DEBUG(10, ("Create local NT token for %s\n", + sid_string_dbg(user_sid))); if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { DEBUG(0, ("talloc failed\n")); @@ -434,13 +435,13 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", - sid_string_static(&token->user_sids[0]) )); + sid_string_dbg(&token->user_sids[0]) )); DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, - sid_string_static(&token->user_sids[i]))); + sid_string_dbg(&token->user_sids[i]))); dump_se_priv( dbg_class, dbg_lev, &token->privileges ); } -- cgit From 26daf2b479d1e6833f417b5d6c3d073ec0828935 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 16 Dec 2007 18:32:03 -0800 Subject: Remove another static string and static passwd. Jeremy. (This used to be commit 2a700c5a57a417add3b1975b2c396d20c8a5f301) --- source3/auth/auth_server.c | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7c99848612..9f90ef8ccd 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -268,8 +268,6 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context auth_serversupplied_info **server_info) { struct cli_state *cli; - static unsigned char badpass[24]; - static fstring baduser; static bool tested_password_server = False; static bool bad_password_server = False; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; @@ -300,23 +298,6 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context } } - if(badpass[0] == 0) - memset(badpass, 0x1f, sizeof(badpass)); - - if((user_info->nt_resp.length == sizeof(badpass)) && - !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) { - /* - * Very unlikely, our random bad password is the same as the users - * password. - */ - memset(badpass, badpass[0]+1, sizeof(badpass)); - } - - if(baduser[0] == 0) { - fstrcpy(baduser, INVALID_USER_PREFIX); - fstrcat(baduser, global_myname()); - } - /* * Attempt a session setup with a totally incorrect password. * If this succeeds with the guest bit *NOT* set then the password @@ -330,6 +311,28 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context */ if ((!tested_password_server) && (lp_paranoid_server_security())) { + unsigned char badpass[24]; + char *baduser = NULL; + + memset(badpass, 0x1f, sizeof(badpass)); + + if((user_info->nt_resp.length == sizeof(badpass)) && + !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) { + /* + * Very unlikely, our random bad password is the same as the users + * password. + */ + memset(badpass, badpass[0]+1, sizeof(badpass)); + } + + baduser = talloc_asprintf(mem_ctx, + "%s%s", + INVALID_USER_PREFIX, + global_myname()); + if (!baduser) { + return NT_STATUS_NO_MEMORY; + } + if (NT_STATUS_IS_OK(cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), -- cgit From 720c65faeda7c5f5dd195d2e341b6f5e10eb06e0 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 17 Dec 2007 10:54:05 +0100 Subject: Fix flags in caller of lookup_name() in create_builtin_administrators(). Michael (This used to be commit 46bfbf5c8af6c030e67219a29c49fd2d40003b18) --- source3/auth/token_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 2415a90b02..eb8271faf6 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -249,7 +249,8 @@ static NTSTATUS create_builtin_administrators( void ) return NT_STATUS_NO_MEMORY; } fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); - ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); + ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL, + &root_sid, &type); TALLOC_FREE( ctx ); if ( ret ) { -- cgit From 3fa2183941b4f5ccd53be70249f40e1aaaf24b77 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 17 Dec 2007 10:34:29 +0100 Subject: Reformat: Remove trailing spaces. Michael (This used to be commit 5249b3d204bf5f9191c2a4a7e81d09227eb5ddea) --- source3/auth/token_util.c | 94 +++++++++++++++++++++++------------------------ 1 file changed, 47 insertions(+), 47 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index eb8271faf6..27c98c9581 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -1,4 +1,4 @@ -/* +/* * Unix SMB/CIFS implementation. * Authentication utility functions * Copyright (C) Andrew Tridgell 1992-1998 @@ -12,12 +12,12 @@ * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see . */ @@ -33,10 +33,10 @@ bool nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) { int i; - + if ( !sid || !token ) return False; - + for ( i=0; inum_sids; i++ ) { if ( sid_equal( sid, &token->user_sids[i] ) ) return True; @@ -45,11 +45,11 @@ bool nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) return False; } -bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) +bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) { DOM_SID domain_sid; - /* if we are a domain member, the get the domain SID, else for + /* if we are a domain member, the get the domain SID, else for a DC or standalone server, use our own SID */ if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { @@ -59,12 +59,12 @@ bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) "SID for domain [%s]\n", lp_workgroup())); return False; } - } + } else sid_copy( &domain_sid, get_global_sam_sid() ); sid_append_rid( &domain_sid, rid ); - + return nt_token_check_sid( &domain_sid, token );\ } @@ -80,7 +80,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) static NT_USER_TOKEN *token = NULL; DOM_SID u_sid, g_sid; struct passwd *pw; - + if ( token ) return token; @@ -88,10 +88,10 @@ NT_USER_TOKEN *get_root_nt_token( void ) DEBUG(0,("get_root_nt_token: getpwnam(\"root\") failed!\n")); return NULL; } - - /* get the user and primary group SIDs; although the + + /* get the user and primary group SIDs; although the BUILTIN\Administrators SId is really the one that matters here */ - + uid_to_sid(&u_sid, pw->pw_uid); gid_to_sid(&g_sid, pw->pw_gid); @@ -156,13 +156,13 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) DOM_SID domadm; /* nothing to do if we aren't in a domain */ - + if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) { return NT_STATUS_OK; } - + /* Find the Domain Admins SID */ - + if ( IS_DC ) { sid_copy( &domadm, get_global_sam_sid() ); } else { @@ -170,16 +170,16 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); - + /* Add Administrators if the user beloongs to Domain Admins */ - + if ( nt_token_check_sid( &domadm, token ) ) { if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, &token->user_sids, &token->num_sids)) { return NT_STATUS_NO_MEMORY; } } - + return NT_STATUS_OK; } @@ -196,9 +196,9 @@ static NTSTATUS create_builtin_users( void ) DEBUG(0,("create_builtin_users: Failed to create Users\n")); return status; } - + /* add domain users */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) { sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); @@ -209,9 +209,9 @@ static NTSTATUS create_builtin_users( void ) return status; } } - + return NT_STATUS_OK; -} +} /******************************************************************* *******************************************************************/ @@ -221,7 +221,7 @@ static NTSTATUS create_builtin_administrators( void ) NTSTATUS status; DOM_SID dom_admins, root_sid; fstring root_name; - enum lsa_SidType type; + enum lsa_SidType type; TALLOC_CTX *ctx; bool ret; @@ -230,9 +230,9 @@ static NTSTATUS create_builtin_administrators( void ) DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); return status; } - + /* add domain admins */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) { sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); @@ -243,7 +243,7 @@ static NTSTATUS create_builtin_administrators( void ) return status; } } - + /* add root */ if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { return NT_STATUS_NO_MEMORY; @@ -261,9 +261,9 @@ static NTSTATUS create_builtin_administrators( void ) return status; } } - + return NT_STATUS_OK; -} +} /******************************************************************* @@ -303,9 +303,9 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } } - + /* Add in BUILTIN sids */ - + if (!add_sid_to_array(result, &global_sid_World, &result->user_sids, &result->num_sids)) { return NULL; @@ -326,7 +326,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } } - + /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending * on who authenticated the user. @@ -339,15 +339,15 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } } - + /* Deal with the BUILTIN\Administrators group. If the SID can - be resolved then assume that the add_aliasmem( S-1-5-32 ) + be resolved then assume that the add_aliasmem( S-1-5-32 ) handled it. */ if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { - /* We can only create a mapping if winbind is running + /* We can only create a mapping if winbind is running and the nested group functionality has been enabled */ - + if ( lp_winbind_nested_groups() && winbind_ping() ) { become_root(); status = create_builtin_administrators( ); @@ -363,18 +363,18 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* just log a complaint but do not fail */ DEBUG(3,("create_local_nt_token: failed to check for local Administrators" " membership (%s)\n", nt_errstr(status))); - } - } + } + } } /* Deal with the BUILTIN\Users group. If the SID can - be resolved then assume that the add_aliasmem( S-1-5-32 ) + be resolved then assume that the add_aliasmem( S-1-5-32 ) handled it. */ if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { - /* We can only create a mapping if winbind is running + /* We can only create a mapping if winbind is running and the nested group functionality has been enabled */ - + if ( lp_winbind_nested_groups() && winbind_ping() ) { become_root(); status = create_builtin_users( ); @@ -387,7 +387,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } /* Deal with local groups */ - + if (lp_winbind_nested_groups()) { become_root(); @@ -413,7 +413,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } unbecome_root(); - } + } get_privileges_for_sids(&result->privileges, result->user_sids, @@ -428,12 +428,12 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { size_t i; - + if (!token) { DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); return; } - + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", sid_string_dbg(&token->user_sids[0]) )); @@ -441,7 +441,7 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, - ("SID[%3lu]: %s\n", (unsigned long)i, + ("SID[%3lu]: %s\n", (unsigned long)i, sid_string_dbg(&token->user_sids[i]))); dump_se_priv( dbg_class, dbg_lev, &token->privileges ); @@ -462,7 +462,7 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, ("Primary group is %ld and contains %i supplementary " "groups\n", (long int)gid, n_groups)); for (i = 0; i < n_groups; i++) - DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, + DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, (long int)groups[i])); } -- cgit From 2b0a570c77b5e4afba44e670f1ebf0016f96d30a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 17 Dec 2007 17:02:48 -0800 Subject: More static fstring removal. Jeremy. (This used to be commit dcf624aa02cf7415a4a55e6d45606e813ae6b91f) --- source3/auth/pass_check.c | 149 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 116 insertions(+), 33 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 27915bf499..fe1f98c150 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -26,10 +26,61 @@ #define DBGC_CLASS DBGC_AUTH /* these are kept here to keep the string_combinations function simple */ -static fstring this_user; -#if !defined(WITH_PAM) -static fstring this_salt; -static fstring this_crypted; +static char *ths_user; + +static const char *get_this_user() +{ + if (!ths_user) { + return ""; + } + return ths_user; +} + +#if defined(WITH_PAM) || defined(OSF1_ENH_SEC) +static const char *set_this_user(const char *newuser) +{ + char *orig_user = ths_user; + ths_user = SMB_STRDUP(newuser); + SAFE_FREE(orig_user); + return ths_user; +} +#endif + +#if !defined(WITH_PAM) +static char *ths_salt; +/* This must be writable. */ +static char *get_this_salt() +{ + return ths_salt; +} + +/* We may be setting a modified version of the same + * string, so don't free before use. */ + +static const char *set_this_salt(const char *newsalt) +{ + char *orig_salt = ths_salt; + ths_salt = SMB_STRDUP(newsalt); + SAFE_FREE(orig_salt); + return ths_salt; +} + +static char *ths_crypted; +static const char *get_this_crypted() +{ + if (!ths_crypted) { + return ""; + } + return ths_crypted; +} + +static const char *set_this_crypted(const char *newcrypted) +{ + char *orig_crypted = ths_crypted; + ths_crypted = SMB_STRDUP(newcrypted); + SAFE_FREE(orig_crypted); + return ths_crypted; +} #endif #ifdef WITH_AFS @@ -113,7 +164,7 @@ static bool dfs_auth(char *user, char *password) * Assumes local passwd file is kept in sync w/ DCE RGY! */ - if (strcmp((char *)crypt(password, this_salt), this_crypted)) + if (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted())) { return (False); } @@ -492,29 +543,29 @@ core of password checking routine static NTSTATUS password_check(const char *password) { #ifdef WITH_PAM - return smb_pam_passcheck(this_user, password); + return smb_pam_passcheck(get_this_user(), password); #else bool ret; #ifdef WITH_AFS - if (afs_auth(this_user, password)) + if (afs_auth(get_this_user(), password)) return NT_STATUS_OK; #endif /* WITH_AFS */ #ifdef WITH_DFS - if (dfs_auth(this_user, password)) + if (dfs_auth(get_this_user(), password)) return NT_STATUS_OK; #endif /* WITH_DFS */ #ifdef OSF1_ENH_SEC - ret = (strcmp(osf1_bigcrypt(password, this_salt), - this_crypted) == 0); + ret = (strcmp(osf1_bigcrypt(password, get_this_salt()), + get_this_crypted()) == 0); if (!ret) { DEBUG(2, ("OSF1_ENH_SEC failed. Trying normal crypt.\n")); - ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0); } if (ret) { return NT_STATUS_OK; @@ -525,7 +576,7 @@ static NTSTATUS password_check(const char *password) #endif /* OSF1_ENH_SEC */ #ifdef ULTRIX_AUTH - ret = (strcmp((char *)crypt16(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt16(password, get_this_salt()), get_this_crypted()) == 0); if (ret) { return NT_STATUS_OK; } else { @@ -535,7 +586,7 @@ static NTSTATUS password_check(const char *password) #endif /* ULTRIX_AUTH */ #ifdef LINUX_BIGCRYPT - ret = (linux_bigcrypt(password, this_salt, this_crypted)); + ret = (linux_bigcrypt(password, get_this_salt(), get_this_crypted())); if (ret) { return NT_STATUS_OK; } else { @@ -552,10 +603,10 @@ static NTSTATUS password_check(const char *password) * by crypt. */ - if (strcmp(bigcrypt(password, this_salt), this_crypted) == 0) + if (strcmp(bigcrypt(password, get_this_salt()), get_this_crypted()) == 0) return NT_STATUS_OK; else - ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0); if (ret) { return NT_STATUS_OK; } else { @@ -564,7 +615,7 @@ static NTSTATUS password_check(const char *password) #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ #ifdef HAVE_BIGCRYPT - ret = (strcmp(bigcrypt(password, this_salt), this_crypted) == 0); + ret = (strcmp(bigcrypt(password, get_this_salt()), get_this_crypted()) == 0); if (ret) { return NT_STATUS_OK; } else { @@ -576,7 +627,7 @@ static NTSTATUS password_check(const char *password) DEBUG(1, ("Warning - no crypt available\n")); return NT_STATUS_LOGON_FAILURE; #else /* HAVE_CRYPT */ - ret = (strcmp((char *)crypt(password, this_salt), this_crypted) == 0); + ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0); if (ret) { return NT_STATUS_OK; } else { @@ -621,7 +672,9 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas * checks below and dive straight into the PAM code. */ - fstrcpy(this_user, user); + if (set_this_user(user) == NULL) { + return NT_STATUS_NO_MEMORY; + } DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen)); @@ -638,8 +691,12 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas /* Copy into global for the convenience of looping code */ /* Also the place to keep the 'password' no matter what crazy struct it started in... */ - fstrcpy(this_crypted, pass->pw_passwd); - fstrcpy(this_salt, pass->pw_passwd); + if (set_this_crypted(pass->pw_passwd) == NULL) { + return NT_STATUS_NO_MEMORY; + } + if (set_this_salt(pass->pw_passwd) == NULL) { + return NT_STATUS_NO_MEMORY; + } #ifdef HAVE_GETSPNAM { @@ -652,8 +709,12 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas spass = getspnam(pass->pw_name); if (spass && spass->sp_pwdp) { - fstrcpy(this_crypted, spass->sp_pwdp); - fstrcpy(this_salt, spass->sp_pwdp); + if (set_this_crypted(spass->sp_pwdp) == NULL) { + return NT_STATUS_NO_MEMORY; + } + if (set_this_salt(spass->sp_pwdp) == NULL) { + return NT_STATUS_NO_MEMORY; + } } } #elif defined(IA_UINFO) @@ -671,8 +732,11 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas #ifdef HAVE_GETPRPWNAM { struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); - if (pr_pw && pr_pw->ufld.fd_encrypt) - fstrcpy(this_crypted, pr_pw->ufld.fd_encrypt); + if (pr_pw && pr_pw->ufld.fd_encrypt) { + if (set_this_crypted(pr_pw->ufld.fd_encrypt) == NULL) { + return NT_STATUS_NO_MEMORY; + } + } } #endif @@ -680,8 +744,11 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas { struct passwd_adjunct *pwret; pwret = getpwanam(s); - if (pwret && pwret->pwa_passwd) - fstrcpy(this_crypted, pwret->pwa_passwd); + if (pwret && pwret->pwa_passwd) { + if (set_this_crypted(pwret->pwa_passwd) == NULL) { + return NT_STATUS_NO_MEMORY; + } + } } #endif @@ -692,8 +759,12 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas user)); mypasswd = getprpwnam(user); if (mypasswd) { - fstrcpy(this_user, mypasswd->ufld.fd_name); - fstrcpy(this_crypted, mypasswd->ufld.fd_encrypt); + if (set_this_user(mypasswd->ufld.fd_name) == NULL) { + return NT_STATUS_NO_MEMORY; + } + if (set_this_crypted(mypasswd->ufld.fd_encrypt) == NULL) { + return NT_STATUS_NO_MEMORY; + } } else { DEBUG(5, ("OSF1_ENH_SEC: No entry for user %s in protected database !\n", @@ -706,7 +777,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas { AUTHORIZATION *ap = getauthuid(pass->pw_uid); if (ap) { - fstrcpy(this_crypted, ap->a_password); + if (set_this_crypted(ap->a_password) == NULL) { + endauthent(); + return NT_STATUS_NO_MEMORY; + } endauthent(); } } @@ -715,19 +789,28 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) won't work with more than 2 salt characters. */ - this_salt[2] = 0; + { + char *trunc_salt = get_this_salt(); + if (!trunc_salt || strlen(trunc_salt) < 2) { + return NT_STATUS_LOGON_FAILURE; + } + trunc_salt[2] = 0; + if (set_this_salt(trunc_salt) == NULL) { + return NT_STATUS_NO_MEMORY; + } + } #endif - if (!*this_crypted) { + if (!get_this_crypted() || !*get_this_crypted()) { if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", - this_user)); + get_this_user())); return NT_STATUS_LOGON_FAILURE; } if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", - this_user)); + get_this_user())); return NT_STATUS_OK; } } -- cgit From 5bfe3c49a1b5ee0fad40e83326cf8b4bc88240f5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 17 Dec 2007 17:13:31 -0800 Subject: Correctly define prototypes for accessor functions. Jeremy. (This used to be commit 299ea5d122e173adf6edb6399fc90798747b0c97) --- source3/auth/pass_check.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index fe1f98c150..813540d9fa 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -28,7 +28,7 @@ /* these are kept here to keep the string_combinations function simple */ static char *ths_user; -static const char *get_this_user() +static const char *get_this_user(void) { if (!ths_user) { return ""; @@ -49,7 +49,7 @@ static const char *set_this_user(const char *newuser) #if !defined(WITH_PAM) static char *ths_salt; /* This must be writable. */ -static char *get_this_salt() +static char *get_this_salt(void) { return ths_salt; } @@ -66,7 +66,7 @@ static const char *set_this_salt(const char *newsalt) } static char *ths_crypted; -static const char *get_this_crypted() +static const char *get_this_crypted(void) { if (!ths_crypted) { return ""; -- cgit From e518e19bc0000019f131354f55e9f5b55f6a2c5e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Dec 2007 15:02:59 +0100 Subject: Remove Get_Pwnam and its associated static variable All callers are replaced by Get_Pwnam_alloc (This used to be commit 735f59315497113aebadcf9ad387e3dbfffa284a) --- source3/auth/auth_unix.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 4fca5bcbe4..58c765226d 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -92,7 +92,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, struct passwd *pass = NULL; become_root(); - pass = Get_Pwnam(user_info->internal_username); + pass = Get_Pwnam_alloc(talloc_tos(), user_info->internal_username); /** @todo This call assumes a ASCII password, no charset transformation is @@ -123,6 +123,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, } } + TALLOC_FREE(pass); return nt_status; } -- cgit From 59ce7650f24eb7c35b8d3ee9f830711a4af8f8e9 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Fri, 21 Dec 2007 11:59:56 -0600 Subject: De-couple smbd from staticly linking against winbindd client files. Implements a wrapper layer in winbind_util.c which are just stubs if compiled --without-winbind. When building with winbindd, it is now required to build the libwbclient DSO first (in the Makefile) and then either set LD_LIBRARY_PATH or /etc/ld.so.conf to pick up the library PATH. (This used to be commit 42787bccff4fcffafc7aae6a678e792604ecaaa5) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1e33869ea9..373a2a375f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1731,17 +1731,17 @@ bool is_trusted_domain(const char* dom_name) return True; } else { - NSS_STATUS result; + wbcErr result; /* If winbind is around, ask it */ result = wb_is_trusted_domain(dom_name); - if (result == NSS_STATUS_SUCCESS) { + if (result == WBC_ERR_SUCCESS) { return True; } - if (result == NSS_STATUS_NOTFOUND) { + if (result == WBC_ERR_DOMAIN_NOT_FOUND) { /* winbind could not find the domain */ return False; } -- cgit From 4dc0c1b88be359cbf4e5273e1670ef0f87b9e36b Mon Sep 17 00:00:00 2001 From: James Peach Date: Sat, 22 Dec 2007 14:10:06 -0800 Subject: Fix "may be used uninitialized" compiler warnings. (This used to be commit 22ac34a329c9be9cf7d1e6749ebcfb50215378e4) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 373a2a375f..3f65e6b126 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1423,7 +1423,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, static const char zeros[16] = { 0, }; NTSTATUS nt_status = NT_STATUS_OK; - char *found_username; + char *found_username = NULL; const char *nt_domain; const char *nt_username; struct samu *sam_account = NULL; @@ -1431,8 +1431,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DOM_SID group_sid; bool username_was_mapped; - uid_t uid; - gid_t gid; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; auth_serversupplied_info *result; -- cgit From 533d6f617efc4dfe1e145785cb9736df07671bdf Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Dec 2007 17:02:34 +0100 Subject: Remove static zeros (This used to be commit dbcc213710a9af31b6094d4741a6f68f573dcdad) --- source3/auth/auth_util.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f65e6b126..fea1b2d761 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1103,7 +1103,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf struct samu *sampass = NULL; DOM_SID guest_sid; bool ret; - static const char zeros[16] = { 0, }; + char zeros[16]; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1138,6 +1138,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf /* annoying, but the Guest really does have a session key, and it is all zeros! */ + ZERO_STRUCT(zeros); (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); @@ -1420,7 +1421,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { - static const char zeros[16] = { 0, }; + char zeros[16]; NTSTATUS nt_status = NT_STATUS_OK; char *found_username = NULL; @@ -1624,7 +1625,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, &(info3->uni_logon_srv)); /* ensure we are never given NULL session keys */ - + + ZERO_STRUCT(zeros); + if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { result->user_session_key = data_blob_null; } else { -- cgit From 245537f9bd1bddc496da0155012c34a2c7a18668 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Dec 2007 17:24:39 +0100 Subject: Convert get_root_nt_token to memcache (This used to be commit fada689893314bed2fc78588b3fd9b144f4c808a) --- source3/auth/token_util.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 27c98c9581..a1b4edfb7a 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -77,12 +77,19 @@ bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) NT_USER_TOKEN *get_root_nt_token( void ) { - static NT_USER_TOKEN *token = NULL; + struct nt_user_token *token = NULL; DOM_SID u_sid, g_sid; struct passwd *pw; + void *cache_data; - if ( token ) - return token; + cache_data = memcache_lookup_talloc( + NULL, SINGLETON_CACHE_TALLOC, + data_blob_string_const("root_nt_token")); + + if (cache_data != NULL) { + return talloc_get_type_abort( + cache_data, struct nt_user_token); + } if ( !(pw = sys_getpwnam( "root" )) ) { DEBUG(0,("get_root_nt_token: getpwnam(\"root\") failed!\n")); @@ -97,6 +104,11 @@ NT_USER_TOKEN *get_root_nt_token( void ) token = create_local_nt_token(NULL, &u_sid, False, 1, &global_sid_Builtin_Administrators); + + memcache_add_talloc( + NULL, SINGLETON_CACHE_TALLOC, + data_blob_string_const("root_nt_token"), token); + return token; } -- cgit From 99bd615a80e8f983d386e260e747db102ec38cf3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 29 Dec 2007 21:41:23 +0100 Subject: Fix a panic get_root_nt_token asks for "struct nt_user_token". talloc_get_type is not smart enough to see that this is the same as NT_USER_TOKEN... :-) (This used to be commit 22a98bf7b81fb89dce1f32ef65cfe6caaba985b3) --- source3/auth/token_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index a1b4edfb7a..9ca5216af0 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -296,7 +296,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, DEBUG(10, ("Create local NT token for %s\n", sid_string_dbg(user_sid))); - if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { + if (!(result = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) { DEBUG(0, ("talloc failed\n")); return NULL; } -- cgit From 99e349b35da5ea5df0889a8eccc0c9774ecc24e9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Jan 2008 23:24:15 -0800 Subject: More logical operations on booleans. IBM checker. Jeremy. (This used to be commit e289a0c8592f9e5c58100ddcde2577b452725b88) --- source3/auth/auth_domain.c | 4 +++- source3/auth/auth_winbind.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b2c87174fd..1de9869f90 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -270,7 +270,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, &info3); if (NT_STATUS_IS_OK(nt_status)) { - (*server_info)->was_mapped |= user_info->was_mapped; + if (user_info->was_mapped) { + (*server_info)->was_mapped = user_info->was_mapped; + } if ( ! (*server_info)->guest) { /* if a real user check pam account restrictions */ diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 959c550524..b24aa3a75b 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -134,7 +134,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } if (NT_STATUS_IS_OK(nt_status)) { - (*server_info)->was_mapped |= user_info->was_mapped; + if (user_info->was_mapped) { + (*server_info)->was_mapped = user_info->was_mapped; + } } } } else if (NT_STATUS_IS_OK(nt_status)) { -- cgit From f3603d5a5ab878d45b67bf0f33e2beca50d0af2d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 9 Jan 2008 00:11:31 +0100 Subject: Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a) --- source3/auth/auth_util.c | 23 +++++++++-------- source3/auth/token_util.c | 63 +++++++++++++++++++++++++++++------------------ 2 files changed, 52 insertions(+), 34 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fea1b2d761..ce47e94eb5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -549,11 +549,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, "for gid %d!\n", gids[i])); continue; } - if (!add_sid_to_array_unique( result, &unix_group_sid, - &result->sids, &result->num_sids )) { + status = add_sid_to_array_unique(result, &unix_group_sid, + &result->sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { result->sam_account = NULL; /* Don't free on error exit. */ TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + return status; } } @@ -895,9 +897,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid, - &group_sids, &num_group_sids )) { - result = NT_STATUS_NO_MEMORY; + result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid, + &group_sids, &num_group_sids); + if (!NT_STATUS_IS_OK(result)) { goto done; } } @@ -1074,11 +1076,12 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_SUCH_USER; } - if (!add_sid_to_array_unique(result, &u_sid, - &result->sids, - &result->num_sids)) { + status = add_sid_to_array_unique(result, &u_sid, + &result->sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + return status; } /* For now we throw away the gids and convert via sid_to_gid diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 9ca5216af0..fc93060fc6 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -140,22 +140,22 @@ NTSTATUS add_aliases(const DOM_SID *domain_sid, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", nt_errstr(status))); - TALLOC_FREE(tmp_ctx); - return status; + goto done; } for (i=0; iuser_sids, - &token->num_sids)) { + status = add_sid_to_array_unique(token, &alias_sid, + &token->user_sids, + &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("add_sid_to_array failed\n")); - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; + goto done; } } +done: TALLOC_FREE(tmp_ctx); return NT_STATUS_OK; } @@ -166,6 +166,7 @@ NTSTATUS add_aliases(const DOM_SID *domain_sid, static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) { DOM_SID domadm; + NTSTATUS status; /* nothing to do if we aren't in a domain */ @@ -186,9 +187,11 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) /* Add Administrators if the user beloongs to Domain Admins */ if ( nt_token_check_sid( &domadm, token ) ) { - if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, - &token->user_sids, &token->num_sids)) { - return NT_STATUS_NO_MEMORY; + status = add_sid_to_array(token, + &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; } } @@ -303,38 +306,48 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Add the user and primary group sid */ - if (!add_sid_to_array(result, user_sid, - &result->user_sids, &result->num_sids)) { + status = add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } /* For guest, num_groupsids may be zero. */ if (num_groupsids) { - if (!add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids)) { + status = add_sid_to_array(result, &groupsids[0], + &result->user_sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } } /* Add in BUILTIN sids */ - if (!add_sid_to_array(result, &global_sid_World, - &result->user_sids, &result->num_sids)) { + status = add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } - if (!add_sid_to_array(result, &global_sid_Network, - &result->user_sids, &result->num_sids)) { + status = add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } if (is_guest) { - if (!add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->user_sids, &result->num_sids)) { + status = add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } } else { - if (!add_sid_to_array(result, &global_sid_Authenticated_Users, - &result->user_sids, &result->num_sids)) { + status = add_sid_to_array(result, + &global_sid_Authenticated_Users, + &result->user_sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } } @@ -346,8 +359,10 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, * first group sid as primary above. */ for (i=1; iuser_sids, &result->num_sids)) { + status = add_sid_to_array_unique(result, &groupsids[i], + &result->user_sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { return NULL; } } -- cgit From b47d491489ae6161f0c04378ed15dc1a54a166e1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Jan 2008 18:48:04 -0800 Subject: Fix CID 460 - resource leak on error. Jeremy. (This used to be commit d61831164b482d02e0eef3c28aeed93d3e44433f) --- source3/auth/auth_server.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 9f90ef8ccd..095f0b9fb8 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -75,6 +75,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) connection (tridge) */ if (!grab_server_mutex(desthost)) { + cli_shutdown(cli); return NULL; } -- cgit From 691c4b1a4175e3d4a073c396a2a7d8d315cd42bd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 17 Jan 2008 10:11:11 +0100 Subject: Windows 2008 (Longhorn) auth2 flag fixes. Interop fixes for AD specific flags. Original patch from Todd Stetcher. (This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 1de9869f90..40a2985600 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; const char *account_name; -- cgit From b47672656bc762fb5f5d7136769591449cd4c0f1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 4 Feb 2008 16:50:09 +0100 Subject: tiny simplification (This used to be commit 22e49ef2c0c9b641068ac5419b9c82fb97d3e8e6) --- source3/auth/auth.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 0a9ae32472..e136fc2f04 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -508,11 +508,9 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) DEBUG(5,("Using specified auth order\n")); } - if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) { - str_list_free(&auth_method_list); - return nt_status; - } - + nt_status = make_auth_context_text_list(auth_context, + auth_method_list); + str_list_free(&auth_method_list); return nt_status; } -- cgit From 2762b9a97582b9b28fd5985ba8e3d0299126820e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 4 Feb 2008 20:57:35 +0100 Subject: Always pass a TALLOC_CTX to str_list_make and str_list_copy (This used to be commit e2c9fc4cf5f0ff725330fa44f53782db65fca37e) --- source3/auth/auth.c | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e136fc2f04..05bb6a5af0 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -458,7 +458,9 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) char **auth_method_list = NULL; NTSTATUS nt_status; - if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) { + if (lp_auth_methods() + && !str_list_copy(talloc_tos(), &auth_method_list, + lp_auth_methods())) { return NT_STATUS_NO_MEMORY; } @@ -467,38 +469,52 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest sam winbind:ntdomain", + NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = str_list_make("guest sam smbserver", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest sam smbserver", + NULL); break; case SEC_USER: if (lp_encrypted_passwords()) { if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL); + auth_method_list = str_list_make( + talloc_tos(), + "guest sam winbind:trustdomain", + NULL); } else { DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest sam", + NULL); } } else { DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n")); - auth_method_list = str_list_make("guest unix", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest unix", NULL); } break; case SEC_SHARE: if (lp_encrypted_passwords()) { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); - auth_method_list = str_list_make("guest sam", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest sam", NULL); } else { DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); - auth_method_list = str_list_make("guest unix", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest unix", NULL); } break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); + auth_method_list = str_list_make( + talloc_tos(), "guest sam winbind:ntdomain", + NULL); break; default: DEBUG(5,("Unknown auth method!\n")); @@ -511,7 +527,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) nt_status = make_auth_context_text_list(auth_context, auth_method_list); - str_list_free(&auth_method_list); + TALLOC_FREE(auth_method_list); return nt_status; } -- cgit From 95eb2f2eba529fca0792b8f5dd64c929824e421b Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Tue, 5 Feb 2008 15:51:27 +0100 Subject: Fix typo. Karolin (This used to be commit 906e19bad40ba0c0a473ec2601e9eb0fff169f83) --- source3/auth/auth_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 1ab0c8b3eb..66504a8a52 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -122,7 +122,7 @@ static bool logon_hours_ok(struct samu *sampass) } /**************************************************************************** - Do a specific test for a struct samu being vaild for this connection + Do a specific test for a struct samu being valid for this connection (ie not disabled, expired and the like). ****************************************************************************/ -- cgit From b397b5cb8f0a9ca5d5b2fa3349635a4cebd81779 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Feb 2008 18:18:36 +0100 Subject: auth_winbind: use wbcAuthenticateUserEx() smbd doesn't need $(WBCOMMON_OBJ) anymore, it works with any libwbclient.so now and may talk to an older winbindd. metze (This used to be commit e3435930a307cff3066fe2047ed8c5c48911f001) --- source3/auth/auth_util.c | 233 ++++++++++++++++++++++++++++++++++++++++++++ source3/auth/auth_winbind.c | 113 +++++++++------------ 2 files changed, 277 insertions(+), 69 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce47e94eb5..6efd31d574 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1654,6 +1654,239 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +/***************************************************************************** + Make a server_info struct from the wbcAuthUserInfo returned by a domain logon +******************************************************************************/ + +NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, + const char *sent_nt_username, + const char *domain, + const struct wbcAuthUserInfo *info, + auth_serversupplied_info **server_info) +{ + char zeros[16]; + + NTSTATUS nt_status = NT_STATUS_OK; + char *found_username = NULL; + const char *nt_domain; + const char *nt_username; + struct samu *sam_account = NULL; + DOM_SID user_sid; + DOM_SID group_sid; + bool username_was_mapped; + uint32_t i; + + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; + + auth_serversupplied_info *result; + + result = make_server_info(NULL); + if (result == NULL) { + DEBUG(4, ("make_server_info failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + + memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid)); + memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid)); + + if (info->account_name) { + nt_username = talloc_strdup(result, info->account_name); + } else { + /* If the server didn't give us one, just use the one we sent + * them */ + nt_username = talloc_strdup(result, sent_nt_username); + } + if (!nt_username) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (info->domain_name) { + nt_domain = talloc_strdup(result, info->domain_name); + } else { + /* If the server didn't give us one, just use the one we sent + * them */ + nt_domain = talloc_strdup(result, domain); + } + if (!nt_domain) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + /* try to fill the SAM account.. If getpwnam() fails, then try the + add user script (2.2.x behavior). + + We use the _unmapped_ username here in an attempt to provide + consistent username mapping behavior between kerberos and NTLM[SSP] + authentication in domain mode security. I.E. Username mapping + should be applied to the fully qualified username + (e.g. DOMAIN\user) and not just the login name. Yes this means we + called map_username() unnecessarily in make_user_info_map() but + that is how the current code is designed. Making the change here + is the least disruptive place. -- jerry */ + + if ( !(sam_account = samu_new( result )) ) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + /* this call will try to create the user if necessary */ + + nt_status = fill_sam_account(result, nt_domain, sent_nt_username, + &found_username, &uid, &gid, sam_account, + &username_was_mapped); + + /* if we still don't have a valid unix account check for + 'map to guest = bad uid' */ + + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE( result ); + if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { + make_server_info_guest(server_info); + return NT_STATUS_OK; + } + return nt_status; + } + + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_last_set_time( + sam_account, + nt_time_to_unix(info->pass_last_set_time), + PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_can_change_time( + sam_account, + nt_time_to_unix(info->pass_can_change_time), + PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_must_change_time( + sam_account, + nt_time_to_unix(info->pass_must_change_time), + PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + /* save this here to _net_sam_logon() doesn't fail (it assumes a + valid struct samu) */ + + result->sam_account = sam_account; + result->unix_name = talloc_strdup(result, found_username); + + result->login_server = talloc_strdup(result, info->logon_server); + + /* Fill in the unix info we found on the way */ + + result->uid = uid; + result->gid = gid; + + /* Create a 'combined' list of all SIDs we might want in the SD */ + + result->num_sids = info->num_sids - 2; + result->sids = talloc_array(result, DOM_SID, result->num_sids); + if (result->sids == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i < result->num_sids; i++) { + memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i])); + } + + /* ensure we are never given NULL session keys */ + + ZERO_STRUCT(zeros); + + if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) { + result->user_session_key = data_blob_null; + } else { + result->user_session_key = data_blob_talloc( + result, info->user_session_key, + sizeof(info->user_session_key)); + } + + if (memcmp(info->lm_session_key, zeros, 8) == 0) { + result->lm_session_key = data_blob_null; + } else { + result->lm_session_key = data_blob_talloc( + result, info->lm_session_key, + sizeof(info->lm_session_key)); + } + + result->was_mapped = username_was_mapped; + + *server_info = result; + + return NT_STATUS_OK; +} + /*************************************************************************** Free a user_info struct ***************************************************************************/ diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index b24aa3a75b..26a1b7f101 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -25,31 +25,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response *response, NET_USER_INFO_3 *info3) -{ - uint8 *info3_ndr; - size_t len = response->length - sizeof(struct winbindd_response); - prs_struct ps; - if (len > 0) { - info3_ndr = (uint8 *)response->extra_data.data; - if (!prs_init(&ps, len, mem_ctx, UNMARSHALL)) { - return NT_STATUS_NO_MEMORY; - } - prs_copy_data_in(&ps, (char *)info3_ndr, len); - prs_set_offset(&ps,0); - if (!net_io_user_info3("", info3, &ps, 1, 3, False)) { - DEBUG(2, ("get_info3_from_ndr: could not parse info3 struct!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - prs_mem_free(&ps); - - return NT_STATUS_OK; - } else { - DEBUG(2, ("get_info3_from_ndr: No info3 struct found!\n")); - return NT_STATUS_UNSUCCESSFUL; - } -} - /* Authenticate a user with a challenge/response */ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, @@ -58,11 +33,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { - struct winbindd_request request; - struct winbindd_response response; - NSS_STATUS result; NTSTATUS nt_status; - NET_USER_INFO_3 info3; + wbcErr wbc_status; + struct wbcAuthUserParams params; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *err = NULL; if (!user_info) { return NT_STATUS_INVALID_PARAMETER; @@ -82,36 +57,34 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* Send off request */ - ZERO_STRUCT(request); - ZERO_STRUCT(response); + params.account_name = user_info->smb_name; + params.domain_name = user_info->domain; + params.workstation_name = user_info->wksta_name; - request.flags = WBFLAG_PAM_INFO3_NDR; + params.flags = 0; + params.parameter_control= user_info->logon_parameters; - request.data.auth_crap.logon_parameters = user_info->logon_parameters; + params.level = WBC_AUTH_USER_LEVEL_RESPONSE; - fstrcpy(request.data.auth_crap.user, user_info->smb_name); - fstrcpy(request.data.auth_crap.domain, user_info->domain); - fstrcpy(request.data.auth_crap.workstation, user_info->wksta_name); + memcpy(params.password.response.challenge, + auth_context->challenge.data, + sizeof(params.password.response.challenge)); - memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); - - request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length, - sizeof(request.data.auth_crap.lm_resp)); - request.data.auth_crap.nt_resp_len = MIN(user_info->nt_resp.length, - sizeof(request.data.auth_crap.nt_resp)); - - memcpy(request.data.auth_crap.lm_resp, user_info->lm_resp.data, - request.data.auth_crap.lm_resp_len); - memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, - request.data.auth_crap.nt_resp_len); + params.password.response.nt_length = user_info->nt_resp.length; + params.password.response.nt_data = user_info->nt_resp.data; + params.password.response.lm_length = user_info->lm_resp.length; + params.password.response.lm_data = user_info->lm_resp.data; /* we are contacting the privileged pipe */ become_root(); - result = winbindd_priv_request_response(WINBINDD_PAM_AUTH_CRAP, - &request, &response); + wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err); unbecome_root(); - if ( result == NSS_STATUS_UNAVAIL ) { + if (wbc_status == WBC_ERR_NO_MEMORY) { + return NT_STATUS_NO_MEMORY; + } + + if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) { struct auth_methods *auth_method = (struct auth_methods *)my_private_data; @@ -123,27 +96,29 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, DEBUG(0,("check_winbind_security: ERROR! my_private_data == NULL!\n")); } - nt_status = NT_STATUS(response.data.auth.nt_status); - - if (result == NSS_STATUS_SUCCESS && response.extra_data.data) { - if (NT_STATUS_IS_OK(nt_status)) { - if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { - nt_status = make_server_info_info3(mem_ctx, - user_info->smb_name, user_info->domain, - server_info, &info3); - } - - if (NT_STATUS_IS_OK(nt_status)) { - if (user_info->was_mapped) { - (*server_info)->was_mapped = user_info->was_mapped; - } - } - } - } else if (NT_STATUS_IS_OK(nt_status)) { - nt_status = NT_STATUS_NO_LOGON_SERVERS; + if (wbc_status == WBC_ERR_AUTH_ERROR) { + nt_status = NT_STATUS(err->nt_status); + wbcFreeMemory(err); + return nt_status; + } + + if (!WBC_ERROR_IS_OK(wbc_status)) { + return NT_STATUS_LOGON_FAILURE; + } + + nt_status = make_server_info_wbcAuthUserInfo(mem_ctx, + user_info->smb_name, + user_info->domain, + info, server_info); + wbcFreeMemory(info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (user_info->was_mapped) { + (*server_info)->was_mapped = user_info->was_mapped; } - SAFE_FREE(response.extra_data.data); return nt_status; } -- cgit From 4f1cc7b4958f06a54da92c82f19fba61e76d25b8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 14 Feb 2008 18:05:37 -0800 Subject: Allow auth_ntlmssp_end() to ignore null pointers passed in. Jeremy. (This used to be commit b7628f3a47166791db4cd6451d52ea3881a45bed) --- source3/auth/auth_ntlmssp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 526f2c93df..ed66d0db0a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -186,8 +186,13 @@ NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) { - TALLOC_CTX *mem_ctx = (*auth_ntlmssp_state)->mem_ctx; + TALLOC_CTX *mem_ctx; + + if (*auth_ntlmssp_state == NULL) { + return; + } + mem_ctx = (*auth_ntlmssp_state)->mem_ctx; if ((*auth_ntlmssp_state)->ntlmssp_state) { ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state); } -- cgit From c52dcc7b92ce96e5d3804f839f7464432902bf3a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 16 Feb 2008 19:08:22 +0100 Subject: Use netr_SamInfo3 in make_server_info_info3(). Guenther (This used to be commit 5866c11b288c217f0c38240c44f8bfeff185890d) --- source3/auth/auth_util.c | 52 +++++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 25 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6efd31d574..a95a59ea46 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1422,7 +1422,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, const char *sent_nt_username, const char *domain, auth_serversupplied_info **server_info, - NET_USER_INFO_3 *info3) + struct netr_SamInfo3 *info3) { char zeros[16]; @@ -1446,23 +1446,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, matches. */ - sid_copy(&user_sid, &info3->dom_sid.sid); - if (!sid_append_rid(&user_sid, info3->user_rid)) { + sid_copy(&user_sid, info3->base.domain_sid); + if (!sid_append_rid(&user_sid, info3->base.rid)) { return NT_STATUS_INVALID_PARAMETER; } - sid_copy(&group_sid, &info3->dom_sid.sid); - if (!sid_append_rid(&group_sid, info3->group_rid)) { + sid_copy(&group_sid, info3->base.domain_sid); + if (!sid_append_rid(&group_sid, info3->base.primary_gid)) { return NT_STATUS_INVALID_PARAMETER; } - if (!(nt_username = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_user_name)))) { + nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string); + if (!nt_username) { /* If the server didn't give us one, just use the one we sent * them */ nt_username = sent_nt_username; } - if (!(nt_domain = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_logon_dom)))) { + nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string); + if (!nt_domain) { /* If the server didn't give us one, just use the one we sent * them */ nt_domain = domain; @@ -1527,50 +1529,50 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, TALLOC_FREE(sam_account); return NT_STATUS_UNSUCCESSFUL; } - + if (!pdb_set_fullname(sam_account, - unistr2_static(&(info3->uni_full_name)), + info3->base.full_name.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_logon_script(sam_account, - unistr2_static(&(info3->uni_logon_script)), + info3->base.logon_script.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_profile_path(sam_account, - unistr2_static(&(info3->uni_profile_path)), + info3->base.profile_path.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_homedir(sam_account, - unistr2_static(&(info3->uni_home_dir)), + info3->base.home_directory.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_dir_drive(sam_account, - unistr2_static(&(info3->uni_dir_drive)), + info3->base.home_drive.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_acct_ctrl(sam_account, info3->acct_flags, PDB_CHANGED)) { + if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_pass_last_set_time( sam_account, - nt_time_to_unix(info3->pass_last_set_time), + nt_time_to_unix(info3->base.last_password_change), PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; @@ -1578,7 +1580,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!pdb_set_pass_can_change_time( sam_account, - nt_time_to_unix(info3->pass_can_change_time), + nt_time_to_unix(info3->base.allow_password_change), PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; @@ -1586,7 +1588,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!pdb_set_pass_must_change_time( sam_account, - nt_time_to_unix(info3->pass_must_change_time), + nt_time_to_unix(info3->base.force_password_change), PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; @@ -1624,27 +1626,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - result->login_server = unistr2_to_ascii_talloc(result, - &(info3->uni_logon_srv)); + result->login_server = talloc_strdup(result, + info3->base.logon_server.string); /* ensure we are never given NULL session keys */ ZERO_STRUCT(zeros); - if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { + if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) { result->user_session_key = data_blob_null; } else { result->user_session_key = data_blob_talloc( - result, info3->user_sess_key, - sizeof(info3->user_sess_key)); + result, info3->base.key.key, + sizeof(info3->base.key.key)); } - if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { + if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) { result->lm_session_key = data_blob_null; } else { result->lm_session_key = data_blob_talloc( - result, info3->lm_sess_key, - sizeof(info3->lm_sess_key)); + result, info3->base.LMSessKey.key, + sizeof(info3->base.LMSessKey.key)); } result->was_mapped = username_was_mapped; -- cgit From 7dfeae6073b31c04f6bdc33e9e835f256ba4f8d2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 02:09:35 +0100 Subject: Use netr_SamInfo3 in remaining places. Guenther (This used to be commit 92fca97951bf7adf8caaeabdaff21682b18dd91f) --- source3/auth/auth_domain.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 40a2985600..df51966f4c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -189,7 +189,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, struct sockaddr_storage *dc_ss) { - NET_USER_INFO_3 info3; + struct netr_SamInfo3 *info3 = NULL; struct cli_state *cli = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; @@ -227,8 +227,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, saf_store( domain, cli->desthost ); - ZERO_STRUCT(info3); - /* * If this call succeeds, we now have lots of info about the user * in the info3 structure. @@ -267,7 +265,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->smb_name, domain, server_info, - &info3); + info3); if (NT_STATUS_IS_OK(nt_status)) { if (user_info->was_mapped) { @@ -281,12 +279,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if ( !NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("PAM account restriction prevents user login\n")); cli_shutdown(cli); + TALLOC_FREE(info3); return nt_status; } } } - netsamlogon_cache_store( user_info->smb_name, &info3 ); + netsamlogon_cache_store(user_info->smb_name, info3); + TALLOC_FREE(info3); } /* Note - once the cli stream is shutdown the mem_ctx used -- cgit From 23cd8e5ea7f2aac6cfdcb52666ba4e925740f63f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 6 Mar 2008 12:24:37 +0100 Subject: Be more verbose why create local token has failed during NTLMSSP and Kerberos session setup Guenther (This used to be commit 18b8c2c19e50aee8fc900c7507244cb95014a4fa) --- source3/auth/auth_ntlmssp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index ed66d0db0a..b6c26a1fc8 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -127,7 +127,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, nt_status = create_local_token(auth_ntlmssp_state->server_info); if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("create_local_token failed\n")); + DEBUG(10, ("create_local_token failed: %s\n", + nt_errstr(nt_status))); return nt_status; } -- cgit From 1ebfc66b2c145289d1e1314e8415d9e3c6f405ae Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 10 Mar 2008 21:08:29 +0100 Subject: Use a separate tdb for mutexes Another preparation to convert secrets.c to dbwrap: The dbwrap API does not provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC mutex is needed per-node anyway, so it is perfectly fine to use a local mutex only. (This used to be commit f94a63cd8f94490780ad9331da229c0bcb2ca5d6) --- source3/auth/auth_domain.c | 16 +++++++++------- source3/auth/auth_server.c | 16 +++++++++------- 2 files changed, 18 insertions(+), 14 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index df51966f4c..26474089fb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -24,6 +24,7 @@ #define DBGC_CLASS DBGC_AUTH extern bool global_machine_password_needs_changing; +static struct named_mutex *mutex; /** * Connect to a remote server for (inter)domain security authenticaion. @@ -67,7 +68,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - if (!grab_server_mutex(dc_name)) { + mutex = grab_named_mutex(NULL, dc_name, 10); + if (mutex == NULL) { return NT_STATUS_NO_LOGON_SERVERS; } @@ -87,7 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, *cli = NULL; } - release_server_mutex(); + TALLOC_FREE(mutex); return result; } @@ -118,7 +120,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return result; } @@ -137,7 +139,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); domain)); cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -153,7 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!NT_STATUS_IS_OK(result)) { cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return result; } } @@ -163,7 +165,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return NT_STATUS_NO_LOGON_SERVERS; } @@ -247,7 +249,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* Let go as soon as possible so we avoid any potential deadlocks with winbind lookup up users or groups. */ - release_server_mutex(); + TALLOC_FREE(mutex); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 095f0b9fb8..b07884c49b 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -37,6 +37,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) const char *p; char *pserver = NULL; bool connected_ok = False; + struct named_mutex *mutex; if (!(cli = cli_initialise())) return NULL; @@ -74,7 +75,8 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) session setup yet it will send a TCP reset to the first connection (tridge) */ - if (!grab_server_mutex(desthost)) { + mutex = grab_named_mutex(talloc_tos(), desthost, 10); + if (mutex == NULL) { cli_shutdown(cli); return NULL; } @@ -87,7 +89,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) } DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n", desthost, nt_errstr(status) )); - release_server_mutex(); + TALLOC_FREE(mutex); } if (!connected_ok) { @@ -98,7 +100,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) if (!attempt_netbios_session_request(&cli, global_myname(), desthost, &dest_ss)) { - release_server_mutex(); + TALLOC_FREE(mutex); DEBUG(1,("password server fails session request\n")); cli_shutdown(cli); return NULL; @@ -111,16 +113,16 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) DEBUG(3,("got session\n")); if (!cli_negprot(cli)) { + TALLOC_FREE(mutex); DEBUG(1,("%s rejected the negprot\n",desthost)); - release_server_mutex(); cli_shutdown(cli); return NULL; } if (cli->protocol < PROTOCOL_LANMAN2 || !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { + TALLOC_FREE(mutex); DEBUG(1,("%s isn't in user level security mode\n",desthost)); - release_server_mutex(); cli_shutdown(cli); return NULL; } @@ -132,14 +134,14 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0, ""))) { + TALLOC_FREE(mutex); DEBUG(0,("%s rejected the initial session setup (%s)\n", desthost, cli_errstr(cli))); - release_server_mutex(); cli_shutdown(cli); return NULL; } - release_server_mutex(); + TALLOC_FREE(mutex); DEBUG(3,("password server OK\n")); -- cgit From 6b2da4d2f4a576038c272c6521d7c160949c6740 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 14 Mar 2008 22:22:30 +0100 Subject: Fix bug 5317 Thanks to oster@cs.usask.ca (This used to be commit f18a80575921a241c7243c5af5a0101a2956ff17) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 26474089fb..c9aa0648f4 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -255,7 +255,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name, - user_info->domain, dc_name, + user_info->client_domain, dc_name, nt_errstr(nt_status))); /* map to something more useful */ -- cgit From e3731bd1486788106f9f9c014858a99c54125046 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 20 Mar 2008 00:30:01 +0100 Subject: Fix crash bug in check_sam_security() when make_server_info_sam() did a talloc_steal and talloc_free on the sam account already. Guenther (This used to be commit dbc7237a8a566f3e86bd6e4b48593b93c5bfb94e) --- source3/auth/auth_sam.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 66504a8a52..4d25d31b56 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -352,7 +352,6 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); - TALLOC_FREE(sampass); data_blob_free(&user_sess_key); data_blob_free(&lm_sess_key); return nt_status; -- cgit From 5b8591c05f45b20f19b359dbf5200efe44b35502 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 26 Mar 2008 01:25:57 +0100 Subject: Add debug statement in auth_winbind to display wbcAuthenticateUserEx error code. Guenther (This used to be commit 0ad00a452f03d8af6e6b6fabd4a05ca26a9910d0) --- source3/auth/auth_winbind.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 26a1b7f101..20faa95b01 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -80,6 +80,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err); unbecome_root(); + if (!WBC_ERROR_IS_OK(wbc_status)) { + DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n", + wbcErrorString(wbc_status))); + } + if (wbc_status == WBC_ERR_NO_MEMORY) { return NT_STATUS_NO_MEMORY; } -- cgit From 99d35904552b01ef9f2adc40e16887da9eb4de69 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 2 Apr 2008 02:29:48 +0200 Subject: Fix NETLOGON credential chain with Windows 2008 all over the place. In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c9aa0648f4..f526677eca 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -126,7 +126,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; const char *account_name; -- cgit From bea4541e11f0664aaa8b62d525e0a02b14fc3afa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 Apr 2008 02:53:40 +0200 Subject: Use sid_array_from_info3 in lookup_usergroups_cached(). Guenther (This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a95a59ea46..7013285809 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1620,7 +1620,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = sid_array_from_info3(result, info3, &result->sids, &result->num_sids, - False); + false, false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(result); return nt_status; -- cgit From a8124367b4fcfea165569e4ce1e3401deacb0142 Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Wed, 9 Apr 2008 16:14:04 +0200 Subject: Fix typos. Karolin (This used to be commit 6cee34703503fbf3629057345fe221b866560648) --- source3/auth/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 05bb6a5af0..754cb7a508 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -114,7 +114,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", auth_method->name)); } else { - DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); + DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name)); auth_context->challenge = challenge; challenge_set_by = auth_method->name; auth_context->challenge_set_method = auth_method; -- cgit From b64be89a6ddd1b9c62df98801f34f4d9116a06bf Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 15 Apr 2008 20:41:14 +0200 Subject: auth: add SeDiskOperatorsPrivilege to get_root_nt_token to fix registry shares. Michael (This used to be commit 6bb107b17d557c27d035ca518ab61296814a3cea) --- source3/auth/token_util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index fc93060fc6..6720a2cbd8 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -105,6 +105,8 @@ NT_USER_TOKEN *get_root_nt_token( void ) token = create_local_nt_token(NULL, &u_sid, False, 1, &global_sid_Builtin_Administrators); + token->privileges = se_disk_operators; + memcache_add_talloc( NULL, SINGLETON_CACHE_TALLOC, data_blob_string_const("root_nt_token"), token); -- cgit From d6aa45d29ced8c86b3b9cb100e01ab02ac149c28 Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Wed, 30 Apr 2008 09:43:00 -0500 Subject: BUG 5429: Clarify log msgs re: failure to create BUILTIN\{Administrators,Users} Raise the debug msgs from Lvl 0 in the create_builtin_XX() functions to prevent unnecessary panic from people reading the logs. (This used to be commit 2983b9dc790e0f90ec1e6add131438c6bfd361b4) --- source3/auth/token_util.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 6720a2cbd8..cd67c2a213 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -210,7 +210,7 @@ static NTSTATUS create_builtin_users( void ) status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_users: Failed to create Users\n")); + DEBUG(5,("create_builtin_users: Failed to create Users\n")); return status; } @@ -221,7 +221,7 @@ static NTSTATUS create_builtin_users( void ) sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + DEBUG(4,("create_builtin_administrators: Failed to add Domain Users to" " Users\n")); return status; } @@ -244,7 +244,7 @@ static NTSTATUS create_builtin_administrators( void ) status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); + DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n")); return status; } @@ -255,7 +255,7 @@ static NTSTATUS create_builtin_administrators( void ) sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" + DEBUG(4,("create_builtin_administrators: Failed to add Domain Admins" " Administrators\n")); return status; } @@ -273,7 +273,7 @@ static NTSTATUS create_builtin_administrators( void ) if ( ret ) { status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add root" + DEBUG(4,("create_builtin_administrators: Failed to add root" " Administrators\n")); return status; } @@ -381,7 +381,8 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("WARNING: Failed to create BUILTIN\\Administrators " + "group! Can Winbind allocate gids?\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -408,7 +409,8 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); + DEBUG(2,("WARNING: Failed to create BUILTIN\\Users group! " + "Can Winbind allocate gids?\n")); /* don't fail, just log the message */ } unbecome_root(); -- cgit From dd11f1d8a89a5d5f20395ca6aea0bf32b7f273c4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 30 Apr 2008 17:06:45 +0200 Subject: Remove unused set_current_user_guest() (This used to be commit a33e8d2ffa4daea1deba13b3571cb0b36d521476) --- source3/auth/auth_util.c | 33 --------------------------------- 1 file changed, 33 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7013285809..34d0048b4b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1246,39 +1246,6 @@ bool copy_current_user(struct current_user *dst, struct current_user *src) return True; } -bool set_current_user_guest(struct current_user *dst) -{ - gid_t *groups; - NT_USER_TOKEN *nt_token; - - groups = (gid_t *)memdup(guest_info->groups, - sizeof(gid_t) * guest_info->n_groups); - if (groups == NULL) { - return False; - } - - nt_token = dup_nt_token(NULL, guest_info->ptok); - if (nt_token == NULL) { - SAFE_FREE(groups); - return False; - } - - TALLOC_FREE(dst->nt_user_token); - SAFE_FREE(dst->ut.groups); - - /* dst->conn is never really dereferenced, it's only tested for - * equality in uid.c */ - dst->conn = NULL; - - dst->vuid = UID_FIELD_INVALID; - dst->ut.uid = guest_info->uid; - dst->ut.gid = guest_info->gid; - dst->ut.ngroups = guest_info->n_groups; - dst->ut.groups = groups; - dst->nt_user_token = nt_token; - return True; -} - /*************************************************************************** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam -- cgit From a683625d7fe0be58da23b98828b445478df1606f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 May 2008 09:52:24 +0200 Subject: Fix a typo (This used to be commit 964bd02220c04030d8cb0f97ca9b409400d1238c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 34d0048b4b..78f275d867 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -985,7 +985,7 @@ bool user_in_group(const char *username, const char *groupname) /*************************************************************************** - Make (and fill) a user_info struct from a 'struct passwd' by conversion + Make (and fill) a server_info struct from a 'struct passwd' by conversion to a struct samu ***************************************************************************/ -- cgit From bec1dfab27be3db888eeb451b4547f16e08e93c3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 30 Apr 2008 17:42:39 +0200 Subject: Remove "userdom_struct user" from "struct user_struct" (This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805) --- source3/auth/auth_util.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 78f275d867..5116425606 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1107,6 +1107,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf DOM_SID guest_sid; bool ret; char zeros[16]; + fstring tmp; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1145,6 +1146,9 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); + alpha_strcpy(tmp, pdb_get_username(sampass), ". _-$", sizeof(tmp)); + (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp); + return NT_STATUS_OK; } @@ -1200,6 +1204,12 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) return NULL; } + dst->sanitized_username = talloc_strdup(dst, src->sanitized_username); + if (!dst->sanitized_username) { + TALLOC_FREE(dst); + return NULL; + } + return dst; } -- cgit From 64ddd381b74ca94e8ff8ae62d8f019a9b5290a80 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:37:00 +0200 Subject: Rename server_info->was_mapped to server_info->nss_token "nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d) --- source3/auth/auth_domain.c | 4 +--- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_sam.c | 2 +- source3/auth/auth_util.c | 6 +++--- source3/auth/auth_winbind.c | 4 +--- 5 files changed, 7 insertions(+), 11 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f526677eca..f483718552 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -270,9 +270,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, info3); if (NT_STATUS_IS_OK(nt_status)) { - if (user_info->was_mapped) { - (*server_info)->was_mapped = user_info->was_mapped; - } + (*server_info)->nss_token |= user_info->was_mapped; if ( ! (*server_info)->guest) { /* if a real user check pam account restrictions */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index b6c26a1fc8..0d46b14f97 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -122,7 +122,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, return nt_status; } - auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped; + auth_ntlmssp_state->server_info->nss_token |= username_was_mapped; nt_status = create_local_token(auth_ntlmssp_state->server_info); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 4d25d31b56..5e393f7220 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -367,7 +367,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, lm_sess_key.length); data_blob_free(&lm_sess_key); - (*server_info)->was_mapped |= user_info->was_mapped; + (*server_info)->nss_token |= user_info->was_mapped; return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5116425606..5e9da4eaff 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -634,7 +634,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) */ if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - (server_info->was_mapped)) { + (server_info->nss_token)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, @@ -1626,7 +1626,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sizeof(info3->base.LMSessKey.key)); } - result->was_mapped = username_was_mapped; + result->nss_token |= username_was_mapped; *server_info = result; @@ -1859,7 +1859,7 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, sizeof(info->lm_session_key)); } - result->was_mapped = username_was_mapped; + result->nss_token |= username_was_mapped; *server_info = result; diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 20faa95b01..d1b00a3268 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -120,9 +120,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, return nt_status; } - if (user_info->was_mapped) { - (*server_info)->was_mapped = user_info->was_mapped; - } + (*server_info)->nss_token |= user_info->was_mapped; return nt_status; } -- cgit From 505205b1cba38eed14d6a2d4b9c80a82b5ae8b1f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 16:10:23 +0200 Subject: Make copy_serverinfo non-static, add mem_ctx (This used to be commit a3651ced9e0859578df8cc44da64e7a8066bde76) --- source3/auth/auth_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5e9da4eaff..038636f868 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1152,11 +1152,12 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf return NT_STATUS_OK; } -static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) +struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, + auth_serversupplied_info *src) { auth_serversupplied_info *dst; - dst = make_server_info(NULL); + dst = make_server_info(mem_ctx); if (dst == NULL) { return NULL; } @@ -1225,7 +1226,7 @@ bool init_guest_info(void) NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) { - *server_info = copy_serverinfo(guest_info); + *server_info = copy_serverinfo(NULL, guest_info); return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } -- cgit From 0283e95a7c20bb0aeedbdd0b657a1293e449a62d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:26:49 +0200 Subject: Add a mem_ctx argument to make_server_info_guest() (This used to be commit e4a9492967f3d2b64f27943f99414608e0c03d21) --- source3/auth/auth_builtin.c | 2 +- source3/auth/auth_util.c | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index ffc8b94962..3741f29779 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -42,7 +42,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, if (!(user_info->internal_username && *user_info->internal_username)) { - nt_status = make_server_info_guest(server_info); + nt_status = make_server_info_guest(NULL, server_info); } return nt_status; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 038636f868..bb3dc78e83 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1224,9 +1224,10 @@ bool init_guest_info(void) return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); } -NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, + auth_serversupplied_info **server_info) { - *server_info = copy_serverinfo(NULL, guest_info); + *server_info = copy_serverinfo(mem_ctx, guest_info); return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } @@ -1477,7 +1478,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( sam_account ); if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(server_info); + make_server_info_guest(NULL, server_info); return NT_STATUS_OK; } return nt_status; @@ -1729,7 +1730,7 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( result ); if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(server_info); + make_server_info_guest(NULL, server_info); return NT_STATUS_OK; } return nt_status; -- cgit From b446bb05d0438cd5f831a738c59cd37975e25b67 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:47:26 +0200 Subject: Add function make_serverinfo_from_username() This will be used for 'security=share' and 'force user' (This used to be commit 88e43097cafcd2849d9f1200a377357fde4cce99) --- source3/auth/auth_util.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bb3dc78e83..e07d687d35 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1152,6 +1152,44 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf return NT_STATUS_OK; } +/**************************************************************************** + Fake a auth_serversupplied_info just from a username +****************************************************************************/ + +NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, + const char *username, + bool is_guest, + struct auth_serversupplied_info **presult) +{ + struct auth_serversupplied_info *result; + NTSTATUS status; + + result = make_server_info(mem_ctx); + if (result == NULL) { + return NT_STATUS_NO_MEMORY; + } + + result->nss_token = true; + result->guest = is_guest; + + result->unix_name = talloc_strdup(result, username); + if (result->unix_name == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + status = create_local_token(result); + + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return status; + } + + *presult = result; + return NT_STATUS_OK; +} + + struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, auth_serversupplied_info *src) { -- cgit From 87803073ec78859e67d072c014dce98feee3b58f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 May 2008 00:25:55 +0200 Subject: Make sure we have serversupplied_info->sanitized_username everywhere (This used to be commit 88423a17b966652eba4085e88f7ddb5c86b463dd) --- source3/auth/auth_util.c | 63 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e07d687d35..790b2f0624 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -485,6 +485,14 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) return result; } +static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username) +{ + fstring tmp; + + alpha_strcpy(tmp, username, ". _-$", sizeof(tmp)); + return talloc_strdup(mem_ctx, tmp); +} + /*************************************************************************** Make (and fill) a user_info struct from a struct samu ***************************************************************************/ @@ -523,6 +531,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, TALLOC_FREE(pwd); + result->sanitized_username = sanitize_username(result, + result->unix_name); + if (result->sanitized_username == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, &result->num_sids); @@ -983,7 +998,6 @@ bool user_in_group(const char *username, const char *groupname) return user_in_group_sid(username, &group_sid); } - /*************************************************************************** Make (and fill) a server_info struct from a 'struct passwd' by conversion to a struct samu @@ -1018,7 +1032,17 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, } result->sam_account = sampass; + result->unix_name = talloc_strdup(result, unix_username); + result->sanitized_username = sanitize_username(result, unix_username); + + if ((result->unix_name == NULL) + || (result->sanitized_username == NULL)) { + TALLOC_FREE(sampass); + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + result->uid = pwd->pw_uid; result->gid = pwd->pw_gid; @@ -1162,22 +1186,25 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **presult) { struct auth_serversupplied_info *result; + struct passwd *pwd; NTSTATUS status; - result = make_server_info(mem_ctx); - if (result == NULL) { - return NT_STATUS_NO_MEMORY; + pwd = getpwnam_alloc(talloc_tos(), username); + if (pwd == NULL) { + return NT_STATUS_NO_SUCH_USER; } - result->nss_token = true; - result->guest = is_guest; + status = make_server_info_pw(&result, pwd->pw_name, pwd); - result->unix_name = talloc_strdup(result, username); - if (result->unix_name == NULL) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + TALLOC_FREE(pwd); + + if (!NT_STATUS_IS_OK(status)) { + return status; } + result->nss_token = true; + result->guest = is_guest; + status = create_local_token(result); if (!NT_STATUS_IS_OK(status)) { @@ -1624,6 +1651,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); + result->sanitized_username = sanitize_username(result, + result->unix_name); + if (result->sanitized_username == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* Fill in the unix info we found on the way */ result->uid = uid; @@ -1859,8 +1893,17 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); + result->sanitized_username = sanitize_username(result, + result->unix_name); result->login_server = talloc_strdup(result, info->logon_server); + if ((result->unix_name == NULL) + || (result->sanitized_username == NULL) + || (result->login_server == NULL)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* Fill in the unix info we found on the way */ result->uid = uid; -- cgit From 4f0626ee0945a79c484746b3ab4beae9e01348c9 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 30 May 2008 11:46:34 +0200 Subject: Fix security=server, bug 5502 This has brown paper bag quality and is definitely needed for 3.2.0. Thanks to Orion Poplawski for reporting this! Volker (This used to be commit 3b31f8cce3703645a57778bc752bc9b9e853df5d) --- source3/auth/auth_server.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index b07884c49b..31d1d37fbf 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -270,13 +270,15 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { + struct server_security_state *state = talloc_get_type_abort( + my_private_data, struct server_security_state); struct cli_state *cli; static bool tested_password_server = False; static bool bad_password_server = False; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; bool locally_made_cli = False; - cli = (struct cli_state *)my_private_data; + cli = state->cli; if (cli) { } else { @@ -285,7 +287,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context } if (!cli || !cli->initialised) { - DEBUG(1,("password server is not connected (cli not initilised)\n")); + DEBUG(1,("password server is not connected (cli not initialised)\n")); return NT_STATUS_LOGON_FAILURE; } -- cgit From 40f5eab5eb515937e1b23cf6762b77c194d29b9d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 19 Jun 2008 16:54:12 +0200 Subject: Wrap the unix token info in a unix_user_token in auth_serversupplied_info No functional change, this is a preparation for more current_user ref removal (This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445) --- source3/auth/auth_util.c | 48 +++++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 23 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 790b2f0624..f3fccb0a88 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -480,8 +480,8 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) which may save us from giving away root access if there is a bug in allocating these fields. */ - result->uid = -1; - result->gid = -1; + result->utok.uid = -1; + result->utok.gid = -1; return result; } @@ -526,8 +526,8 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, result->unix_name = pwd->pw_name; /* Ensure that we keep pwd->pw_name, because we will free pwd below */ talloc_steal(result, pwd->pw_name); - result->gid = pwd->pw_gid; - result->uid = pwd->pw_uid; + result->utok.gid = pwd->pw_gid; + result->utok.uid = pwd->pw_uid; TALLOC_FREE(pwd); @@ -653,8 +653,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, - &server_info->uid, - &server_info->gid, + &server_info->utok.uid, + &server_info->utok.gid, &server_info->unix_name, &server_info->ptok); @@ -675,8 +675,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) /* Convert the SIDs to gids. */ - server_info->n_groups = 0; - server_info->groups = NULL; + server_info->utok.ngroups = 0; + server_info->utok.groups = NULL; /* Start at index 1, where the groups start. */ @@ -689,8 +689,9 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) "ignoring it\n", sid_string_dbg(sid))); continue; } - add_gid_to_array_unique(server_info, gid, &server_info->groups, - &server_info->n_groups); + add_gid_to_array_unique(server_info, gid, + &server_info->utok.groups, + &server_info->utok.ngroups); } debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); @@ -1043,8 +1044,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - result->uid = pwd->pw_uid; - result->gid = pwd->pw_gid; + result->utok.uid = pwd->pw_uid; + result->utok.gid = pwd->pw_gid; status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, @@ -1228,14 +1229,15 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, } dst->guest = src->guest; - dst->uid = src->uid; - dst->gid = src->gid; - dst->n_groups = src->n_groups; - if (src->n_groups != 0) { - dst->groups = (gid_t *)TALLOC_MEMDUP( - dst, src->groups, sizeof(gid_t)*dst->n_groups); + dst->utok.uid = src->utok.uid; + dst->utok.gid = src->utok.gid; + dst->utok.ngroups = src->utok.ngroups; + if (src->utok.ngroups != 0) { + dst->utok.groups = (gid_t *)TALLOC_MEMDUP( + dst, src->utok.groups, + sizeof(gid_t)*dst->utok.ngroups); } else { - dst->groups = NULL; + dst->utok.groups = NULL; } if (src->ptok) { @@ -1660,8 +1662,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Fill in the unix info we found on the way */ - result->uid = uid; - result->gid = gid; + result->utok.uid = uid; + result->utok.gid = gid; /* Create a 'combined' list of all SIDs we might want in the SD */ @@ -1906,8 +1908,8 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, /* Fill in the unix info we found on the way */ - result->uid = uid; - result->gid = gid; + result->utok.uid = uid; + result->utok.gid = gid; /* Create a 'combined' list of all SIDs we might want in the SD */ -- cgit From ee6b168e6ea7ef0d7b498b5c881ac28d48e07c6f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 24 Jun 2008 16:37:15 -0700 Subject: Fix bug #5555. Don't return NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon. Jeremy. (This used to be commit 10da498a2349bf5944183adf5a9284eafa2b8b74) --- source3/auth/auth_sam.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 5e393f7220..50bf15318b 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -166,8 +166,9 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, time_t must_change_time = pdb_get_pass_must_change_time(sampass); time_t last_set_time = pdb_get_pass_last_set_time(sampass); - /* check for immediate expiry "must change at next logon" */ - if (last_set_time == 0) { + /* check for immediate expiry "must change at next logon" + * for a user account. */ + if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) { DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass))); return NT_STATUS_PASSWORD_MUST_CHANGE; } -- cgit From da70f8ab1ec840bbdcc73c22c4d4c54705c83980 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 24 Jun 2008 18:01:59 -0700 Subject: Fix for bug #5551, smbd recursing back into winbindd from a winbindd call. Jeremy. (This used to be commit a07fe72538e8e724b9736d5a85cc590864c5cab2) --- source3/auth/auth_util.c | 79 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 66 insertions(+), 13 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f3fccb0a88..b1558bceac 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -493,27 +493,51 @@ static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username) return talloc_strdup(mem_ctx, tmp); } +/*************************************************************************** + Is the incoming username our own machine account ? + If so, the connection is almost certainly from winbindd. +***************************************************************************/ + +static bool is_our_machine_account(const char *username) +{ + bool ret; + char *truncname = NULL; + size_t ulen = strlen(username); + + if (ulen == 0 || username[ulen-1] != '$') { + return false; + } + truncname = SMB_STRDUP(username); + if (!truncname) { + return false; + } + truncname[ulen-1] = '\0'; + ret = strequal(truncname, global_myname()); + SAFE_FREE(truncname); + return ret; +} + /*************************************************************************** Make (and fill) a user_info struct from a struct samu ***************************************************************************/ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, struct samu *sampass) { - NTSTATUS status; struct passwd *pwd; gid_t *gids; auth_serversupplied_info *result; int i; size_t num_gids; DOM_SID unix_group_sid; - + const char *username = pdb_get_username(sampass); + NTSTATUS status; if ( !(result = make_server_info(NULL)) ) { return NT_STATUS_NO_MEMORY; } - if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) { + if ( !(pwd = getpwnam_alloc(result, username)) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", pdb_get_username(sampass))); TALLOC_FREE(result); @@ -528,7 +552,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, talloc_steal(result, pwd->pw_name); result->utok.gid = pwd->pw_gid; result->utok.uid = pwd->pw_uid; - + TALLOC_FREE(pwd); result->sanitized_username = sanitize_username(result, @@ -538,18 +562,47 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - status = pdb_enum_group_memberships(result, sampass, + if (IS_DC && is_our_machine_account(username)) { + /* + * Ensure for a connection from our own + * machine account (from winbindd on a DC) + * there are no supplementary groups. + * Prevents loops in calling gid_to_sid(). + */ + result->sids = NULL; + gids = NULL; + result->num_sids = 0; + + /* + * This is a hack of monstrous proportions. + * If we know it's winbindd talking to us, + * we know we must never recurse into it, + * so turn off contacting winbindd for this + * entire process. This will get fixed when + * winbindd doesn't need to talk to smbd on + * a PDC. JRA. + */ + + winbind_off(); + + DEBUG(10, ("make_server_info_sam: our machine account %s " + "setting supplementary group list empty and " + "turning off winbindd requests.\n", + username)); + } else { + status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", - nt_errstr(status))); - result->sam_account = NULL; /* Don't free on error exit. */ - TALLOC_FREE(result); - return status; + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", + nt_errstr(status))); + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return status; + } } - + /* Add the "Unix Group" SID for each gid to catch mapped groups and their Unix equivalent. This is to solve the backwards compatibility problem of 'valid users = +ntadmin' where -- cgit From d331624fdfe9fc72f1da7fd01c59a1a20cf1c7d7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 24 Jun 2008 14:18:55 +0200 Subject: Add server_info to pipes_struct (This used to be commit d621867bb8767e1c4236d28dd9294a61db6cbb10) --- source3/auth/auth_util.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b1558bceac..998a81b61a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1334,6 +1334,22 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, return dst; } +/* + * Set a new session key. Used in the rpc server where we have to override the + * SMB level session key with SystemLibraryDTC + */ + +bool server_info_set_session_key(struct auth_serversupplied_info *info, + DATA_BLOB session_key) +{ + TALLOC_FREE(info->user_session_key.data); + + info->user_session_key = data_blob_talloc( + info, session_key.data, session_key.length); + + return (info->user_session_key.data != NULL); +} + static auth_serversupplied_info *guest_info = NULL; bool init_guest_info(void) -- cgit From 799252f635a4cf1790a24f9ba8765dba9fb7df86 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 26 Jun 2008 19:46:18 -0700 Subject: Fix the non-LDAP, non-krb5 build, fix gcc -O3 warnings. Jeremy. (This used to be commit 9e2ab30d3cf6950fc79152b2169e7aeae8d6a366) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 998a81b61a..a7fce46923 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -583,7 +583,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * a PDC. JRA. */ - winbind_off(); + (void)winbind_off(); DEBUG(10, ("make_server_info_sam: our machine account %s " "setting supplementary group list empty and " -- cgit From 1335da2a7cc639310e5d389e8e8dbe67c4e7ca25 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_noauth Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 9abc9dc4dc13bd3e42f98eff64eacf24b51f5779) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f483718552..2c67bf9f1c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -112,10 +112,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, &result); } else { - netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON, &result); + result = cli_rpc_pipe_open_noauth( + *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe); } - if(!netlogon_pipe) { + if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); -- cgit From 99526d391dc274eb87cfd0b393363d8ceafccda9 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_schannel Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 1fcfca007f33a2c4e979abf30c2ea0db65bac718) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2c67bf9f1c..c25e62ab80 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -109,8 +109,9 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* open the netlogon pipe. */ if (lp_client_schannel()) { /* We also setup the creds chain in the open_schannel call. */ - netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, - PIPE_AUTH_LEVEL_PRIVACY, domain, &result); + result = cli_rpc_pipe_open_schannel( + *cli, &ndr_table_netlogon.syntax_id, + PIPE_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe); } else { result = cli_rpc_pipe_open_noauth( *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe); -- cgit From 06d0790c0799112b89534a646e78d0cb38b06e20 Mon Sep 17 00:00:00 2001 From: Zach Loafman Date: Thu, 3 Jul 2008 22:53:42 -0700 Subject: Fix various build warnings This fixes various build warnings on our platform. I'm sure I haven't caught them all, but it's a start. (This used to be commit 6b73f259cb67d9dda9127907d706f9244a871fa3) --- source3/auth/auth_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 31d1d37fbf..696b42621e 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -37,7 +37,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) const char *p; char *pserver = NULL; bool connected_ok = False; - struct named_mutex *mutex; + struct named_mutex *mutex = NULL; if (!(cli = cli_initialise())) return NULL; -- cgit From f738f9f7c9803933d60a166f4101f5097baab719 Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Wed, 23 Jul 2008 20:24:39 -0700 Subject: Helper functions to enable domain groups to be added to builtin groups at domain join time Added two new helper functions which wrap the raw pdb alias functions so they can be more conveniently called while adding domain groups to builtin groups. (This used to be commit 668ef314559df40f1b8aa0991539adcd8d35ffe3) --- source3/auth/token_util.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index cd67c2a213..214930f8f7 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -200,6 +200,65 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) return NT_STATUS_OK; } +/** + * Create the requested BUILTIN if it doesn't already exist. This requires + * winbindd to be running. + * + * @param[in] rid BUILTIN rid to create + * @return Normal NTSTATUS return. + */ +static NTSTATUS create_builtin(uint32 rid) +{ + NTSTATUS status = NT_STATUS_OK; + DOM_SID sid; + gid_t gid; + + if (!sid_compose(&sid, &global_sid_Builtin, rid)) { + return NT_STATUS_NO_SUCH_ALIAS; + } + + if (!sid_to_gid(&sid, &gid)) { + if (!lp_winbind_nested_groups() || !winbind_ping()) { + return NT_STATUS_PROTOCOL_UNREACHABLE; + } + status = pdb_create_builtin_alias(rid); + } + return status; +} + +/** + * Add sid as a member of builtin_sid. + * + * @param[in] builtin_sid An existing builtin group. + * @param[in] dom_sid sid to add as a member of builtin_sid. + * @return Normal NTSTATUS return + */ +static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid, + const DOM_SID *dom_sid) +{ + NTSTATUS status = NT_STATUS_OK; + + if (!dom_sid || !builtin_sid) { + return NT_STATUS_INVALID_PARAMETER; + } + + status = pdb_add_aliasmem(builtin_sid, dom_sid); + + if (NT_STATUS_EQUAL(status, NT_STATUS_MEMBER_IN_ALIAS)) { + DEBUG(5, ("add_sid_to_builtin %s is already a member of %s\n", + sid_string_dbg(dom_sid), + sid_string_dbg(builtin_sid))); + return NT_STATUS_OK; + } + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("add_sid_to_builtin %s could not be added to %s: " + "%s\n", sid_string_dbg(dom_sid), + sid_string_dbg(builtin_sid), nt_errstr(status))); + } + return status; +} + /******************************************************************* *******************************************************************/ -- cgit From fb41bb762f1d9b1623c4fe6179bebbe4de2e2440 Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Wed, 23 Jul 2008 20:33:15 -0700 Subject: Refactored the code that adds Domain Users to BUILTIN\Users to use the new helper functions. - Modified create_builtin_users to take in the domain sid to reduce the number of times it needs to be looked up. - Changed create_builtin_users to call the new helper functions. - Changed create_local_nt_token to call the new version of create_builtin_users and handle the new error that can be returned. (This used to be commit 8d75d40b9f6d22bae7430211f8a1fe99051b756c) --- source3/auth/token_util.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 214930f8f7..e41df5d9ae 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -262,12 +262,12 @@ static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid, /******************************************************************* *******************************************************************/ -static NTSTATUS create_builtin_users( void ) +static NTSTATUS create_builtin_users(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_users; - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); + status = create_builtin(BUILTIN_ALIAS_RID_USERS); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(5,("create_builtin_users: Failed to create Users\n")); return status; @@ -275,10 +275,10 @@ static NTSTATUS create_builtin_users( void ) /* add domain users */ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) + && sid_compose(&dom_users, dom_sid, DOMAIN_GROUP_RID_USERS)) { - sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); - status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); + status = add_sid_to_builtin(&global_sid_Builtin_Users, + &dom_users); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(4,("create_builtin_administrators: Failed to add Domain Users to" " Users\n")); @@ -356,6 +356,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, int i; NTSTATUS status; gid_t gid; + DOM_SID dom_sid; DEBUG(10, ("Create local NT token for %s\n", sid_string_dbg(user_sid))); @@ -460,19 +461,23 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, be resolved then assume that the add_aliasmem( S-1-5-32 ) handled it. */ - if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ + if (!sid_to_gid(&global_sid_Builtin_Users, &gid)) { - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_users( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("WARNING: Failed to create BUILTIN\\Users group! " - "Can Winbind allocate gids?\n")); - /* don't fail, just log the message */ - } - unbecome_root(); + become_root(); + if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { + status = NT_STATUS_OK; + DEBUG(3, ("Failed to fetch domain sid for %s\n", + lp_workgroup())); + } else { + status = create_builtin_users(&dom_sid); + } + unbecome_root(); + + if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) && + !NT_STATUS_IS_OK(status)) + { + DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! " + "Can Winbind allocate gids?\n")); } } -- cgit From bbb02aa8e925774532376b6a6218a4cbbb708c38 Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Wed, 23 Jul 2008 20:42:32 -0700 Subject: Refactored the code that adds Domain Admins to BUILTIN\Administrators to use the new helper functions. - Modified create_builtin_administrators and add_builtin_administrators to take in the domain sid to reduce the number of times it needs to be looked up. - Changed create_builtin_administrators to call the new helper functions. - Changed create_local_nt_token to call the new version of create_builtin_administrators and handle the new error that can be returned. - Made it more explicit that add_builtin_administrators is only called when winbindd can't be pinged. (This used to be commit f6411ccb4a1530034e481e1c63b6114a93317b29) --- source3/auth/token_util.c | 56 +++++++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 26 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index e41df5d9ae..281741298a 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -165,7 +165,8 @@ done: /******************************************************************* *******************************************************************/ -static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) +static NTSTATUS add_builtin_administrators(struct nt_user_token *token, + const DOM_SID *dom_sid) { DOM_SID domadm; NTSTATUS status; @@ -181,8 +182,7 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) if ( IS_DC ) { sid_copy( &domadm, get_global_sam_sid() ); } else { - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + sid_copy(&domadm, dom_sid); } sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); @@ -292,7 +292,7 @@ static NTSTATUS create_builtin_users(const DOM_SID *dom_sid) /******************************************************************* *******************************************************************/ -static NTSTATUS create_builtin_administrators( void ) +static NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_admins, root_sid; @@ -301,7 +301,7 @@ static NTSTATUS create_builtin_administrators( void ) TALLOC_CTX *ctx; bool ret; - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); + status = create_builtin(BUILTIN_ALIAS_RID_ADMINS); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n")); return status; @@ -309,10 +309,10 @@ static NTSTATUS create_builtin_administrators( void ) /* add domain admins */ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) + && sid_compose(&dom_admins, dom_sid, DOMAIN_GROUP_RID_ADMINS)) { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); + status = add_sid_to_builtin(&global_sid_Builtin_Administrators, + &dom_admins); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(4,("create_builtin_administrators: Failed to add Domain Admins" " Administrators\n")); @@ -330,7 +330,8 @@ static NTSTATUS create_builtin_administrators( void ) TALLOC_FREE( ctx ); if ( ret ) { - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); + status = add_sid_to_builtin(&global_sid_Builtin_Administrators, + &root_sid); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(4,("create_builtin_administrators: Failed to add root" " Administrators\n")); @@ -433,27 +434,30 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, be resolved then assume that the add_aliasmem( S-1-5-32 ) handled it. */ - if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ + if (!sid_to_gid(&global_sid_Builtin_Administrators, &gid)) { - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_administrators( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("WARNING: Failed to create BUILTIN\\Administrators " - "group! Can Winbind allocate gids?\n")); - /* don't fail, just log the message */ - } - unbecome_root(); + become_root(); + if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { + status = NT_STATUS_OK; + DEBUG(3, ("Failed to fetch domain sid for %s\n", + lp_workgroup())); + } else { + status = create_builtin_administrators(&dom_sid); } - else { - status = add_builtin_administrators( result ); + unbecome_root(); + + if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { + /* Add BUILTIN\Administrators directly to token. */ + status = add_builtin_administrators(result, &dom_sid); if ( !NT_STATUS_IS_OK(status) ) { - /* just log a complaint but do not fail */ - DEBUG(3,("create_local_nt_token: failed to check for local Administrators" - " membership (%s)\n", nt_errstr(status))); + DEBUG(3, ("Failed to check for local " + "Administrators membership (%s)\n", + nt_errstr(status))); } + } else if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("WARNING: Failed to create " + "BUILTIN\\Administrators group! Can " + "Winbind allocate gids?\n")); } } -- cgit From 097b27dbcc1339db174c50e69767d171794d3603 Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Wed, 23 Jul 2008 20:50:21 -0700 Subject: Enabled domain groups to be added to builtin groups at domain join time Previously this was done at token creation time if the Administrators and Users builtins hadn't been created yet. A major drawback to this approach is that if a customer is joined to a domain and decides they want to join a different domain, the domain groups from this new domain will not be added to the builtins. It would be ideal if these groups could be added exclusively at domain join time, but we can't rely solely on that because there are cases where winbindd must be running to allocate new gids for the builtins. In the future if there is a way to allocate gids for builtins without running winbindd, this code can be removed from create_local_nt_token. - Made create_builtin_users and create_builtin_administrators non-static so they can be called from libnet - Added a new function to libnet_join that will make a best effort to add domain administrators and domain users to BUILTIN\Administrators and BUILTIN\Users, respectively. If the builtins don't exist yet, winbindd must be running to allocate new gids, but if the builtins already exist, the domain groups will be added even if winbindd is not running. In the case of a failure the error will be logged, but the join will not be failed. - Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing. (This used to be commit e92faf5996cadac480deb60a4f6232eea90b00f6) --- source3/auth/token_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 281741298a..e5b9e1b531 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -262,7 +262,7 @@ static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid, /******************************************************************* *******************************************************************/ -static NTSTATUS create_builtin_users(const DOM_SID *dom_sid) +NTSTATUS create_builtin_users(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_users; @@ -292,7 +292,7 @@ static NTSTATUS create_builtin_users(const DOM_SID *dom_sid) /******************************************************************* *******************************************************************/ -static NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) +NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_admins, root_sid; -- cgit From f18076cb32526735d6a79f341bb5e5522b480400 Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Wed, 30 Jul 2008 09:35:13 -0700 Subject: Removed redundant logging from create_builtin_users and create_builtin_administrators The Debug messages in create_builtin_users and create_builtin_users have now been encapsulated in add_sid_to_builtin. (This used to be commit ca153139b1dced07c196aac93dbc9d9428d98124) --- source3/auth/token_util.c | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index e5b9e1b531..d6cd2ea3a8 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -252,7 +252,7 @@ static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid, } if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("add_sid_to_builtin %s could not be added to %s: " + DEBUG(4, ("add_sid_to_builtin %s could not be added to %s: " "%s\n", sid_string_dbg(dom_sid), sid_string_dbg(builtin_sid), nt_errstr(status))); } @@ -279,14 +279,9 @@ NTSTATUS create_builtin_users(const DOM_SID *dom_sid) { status = add_sid_to_builtin(&global_sid_Builtin_Users, &dom_users); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(4,("create_builtin_administrators: Failed to add Domain Users to" - " Users\n")); - return status; - } } - return NT_STATUS_OK; + return status; } /******************************************************************* @@ -313,9 +308,7 @@ NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) { status = add_sid_to_builtin(&global_sid_Builtin_Administrators, &dom_admins); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(4,("create_builtin_administrators: Failed to add Domain Admins" - " Administrators\n")); + if (!NT_STATUS_IS_OK(status)) { return status; } } @@ -332,14 +325,9 @@ NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) if ( ret ) { status = add_sid_to_builtin(&global_sid_Builtin_Administrators, &root_sid); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(4,("create_builtin_administrators: Failed to add root" - " Administrators\n")); - return status; - } } - return NT_STATUS_OK; + return status; } -- cgit From 9ab5cffcfa3320ec298e8759e96efa1670ebd770 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 14 Aug 2008 14:36:02 -0700 Subject: Make it clear that this is a temporary context byusing a talloc stackframe instead. Jeremy (This used to be commit 7f7dd5e8883e23d7fe3f9cb804905c5b23a5a41c) --- source3/auth/auth_util.c | 38 ++++++++++++++++---------------------- 1 file changed, 16 insertions(+), 22 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a7fce46923..98884eaddb 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -641,39 +641,44 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_OK; } -static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) +static NTSTATUS log_nt_token(NT_USER_TOKEN *token) { + TALLOC_CTX *frame = talloc_stackframe(); char *command; char *group_sidstr; size_t i; if ((lp_log_nt_token_command() == NULL) || (strlen(lp_log_nt_token_command()) == 0)) { + TALLOC_FREE(frame); return NT_STATUS_OK; } - group_sidstr = talloc_strdup(tmp_ctx, ""); + group_sidstr = talloc_strdup(frame, ""); for (i=1; inum_sids; i++) { group_sidstr = talloc_asprintf( - tmp_ctx, "%s %s", group_sidstr, - sid_string_talloc(tmp_ctx, &token->user_sids[i])); + frame, "%s %s", group_sidstr, + sid_string_talloc(frame, &token->user_sids[i])); } command = talloc_string_sub( - tmp_ctx, lp_log_nt_token_command(), - "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0])); - command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr); + frame, lp_log_nt_token_command(), + "%s", sid_string_talloc(frame, &token->user_sids[0])); + command = talloc_string_sub(frame, command, "%t", group_sidstr); if (command == NULL) { + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } DEBUG(8, ("running command: [%s]\n", command)); if (smbrun(command, NULL) != 0) { DEBUG(0, ("Could not log NT token\n")); + TALLOC_FREE(frame); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(frame); return NT_STATUS_OK; } @@ -684,16 +689,8 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) NTSTATUS create_local_token(auth_serversupplied_info *server_info) { - TALLOC_CTX *mem_ctx; NTSTATUS status; size_t i; - - - mem_ctx = talloc_new(NULL); - if (mem_ctx == NULL) { - DEBUG(0, ("talloc_new failed\n")); - return NT_STATUS_NO_MEMORY; - } /* * If winbind is not around, we can not make much use of the SIDs the @@ -710,7 +707,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->utok.gid, &server_info->unix_name, &server_info->ptok); - + } else { server_info->ptok = create_local_nt_token( server_info, @@ -722,10 +719,9 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) } if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(mem_ctx); return status; } - + /* Convert the SIDs to gids. */ server_info->utok.ngroups = 0; @@ -746,12 +742,10 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->utok.groups, &server_info->utok.ngroups); } - - debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); - status = log_nt_token(mem_ctx, server_info->ptok); + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); - TALLOC_FREE(mem_ctx); + status = log_nt_token(server_info->ptok); return status; } -- cgit From 8bda4e059edba4807feeafa88cb90e16ca7a1d91 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 14 Aug 2008 21:52:11 -0700 Subject: Fix show-stopper for 3.2. Smbd depends on group SID position zero being the primary group sid. Authenicating via winbindd call returned a non-sorted sid list. This fixes is for both a winbindd call and a pac list from an info3 struct. Without this we mess up the primary group associated with created files. Found by Herb. Jeremy. (This used to be commit cb925dec85cfc4cfc194c3ff76dbeba2bd2178d7) --- source3/auth/auth_util.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98884eaddb..9220df01c0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,6 +26,34 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +/**************************************************************************** + Ensure primary group SID is always at position 0 in a + auth_serversupplied_info struct. +****************************************************************************/ + +static void sort_sid_array_for_smbd(auth_serversupplied_info *result, + const DOM_SID *pgroup_sid) +{ + unsigned int i; + + if (!result->sids) { + return; + } + + if (sid_compare(&result->sids[0], pgroup_sid)==0) { + return; + } + + for (i = 1; i < result->num_sids; i++) { + if (sid_compare(pgroup_sid, + &result->sids[i]) == 0) { + sid_copy(&result->sids[i], &result->sids[0]); + sid_copy(&result->sids[0], pgroup_sid); + return; + } + } +} + /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -1742,6 +1770,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } + /* Ensure the primary group sid is at position 0. */ + sort_sid_array_for_smbd(result, &group_sid); + result->login_server = talloc_strdup(result, info3->base.logon_server.string); @@ -1987,6 +2018,9 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i])); } + /* Ensure the primary group sid is at position 0. */ + sort_sid_array_for_smbd(result, &group_sid); + /* ensure we are never given NULL session keys */ ZERO_STRUCT(zeros); -- cgit From 5e7655fa27f7b2c9c54edfc25f86974dbdb23ea4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 17 Aug 2008 19:54:41 -0400 Subject: Split lookup_name() and create a new functiong called lookup_domain_name(). This new function accept separated strings for domain and name. (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6) --- source3/auth/auth_util.c | 17 ++++------------- source3/auth/token_util.c | 7 +++---- 2 files changed, 7 insertions(+), 17 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9220df01c0..5b2c3045c3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1086,7 +1086,6 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; - char *qualified_name = NULL; TALLOC_CTX *mem_ctx = NULL; DOM_SID u_sid; enum lsa_SidType type; @@ -1152,18 +1151,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", - unix_users_domain_name(), - unix_username ); - if (!qualified_name) { - TALLOC_FREE(result); - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, - NULL, NULL, - &u_sid, &type)) { + if (!lookup_domain_name(mem_ctx, + unix_users_domain_name(), unix_username, + LOOKUP_NAME_ALL, + NULL, NULL, &u_sid, &type)) { TALLOC_FREE(result); TALLOC_FREE(mem_ctx); return NT_STATUS_NO_SUCH_USER; diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index d6cd2ea3a8..2b55af779e 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -291,7 +291,6 @@ NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_admins, root_sid; - fstring root_name; enum lsa_SidType type; TALLOC_CTX *ctx; bool ret; @@ -317,9 +316,9 @@ NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { return NT_STATUS_NO_MEMORY; } - fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); - ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL, - &root_sid, &type); + ret = lookup_domain_name(ctx, get_global_sam_name(), "root", + LOOKUP_NAME_DOMAIN, + NULL, NULL, &root_sid, &type); TALLOC_FREE( ctx ); if ( ret ) { -- cgit From ab5076d9fdd83cffe9a88f389bb8a49750f322e0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 25 Aug 2008 11:36:56 +0200 Subject: auth: Fix build warning. Guenther (This used to be commit 4661ef625a6522d6f859b83e3e3702f01d0b952f) --- source3/auth/pampass.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 58921bdf15..9345eed27a 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -63,6 +63,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp * Macros to help make life easy */ #define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL +#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL /******************************************************************* PAM error handler. @@ -327,7 +328,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply)); #endif reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(current_reply); + reply[replies].resp = COPY_FSTRING(current_reply); found = True; break; } @@ -355,7 +356,7 @@ static int smb_pam_passchange_conv(int num_msg, DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply)); pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword); reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies].resp = COPY_STRING(current_reply); + reply[replies].resp = COPY_FSTRING(current_reply); #ifdef DEBUG_PASSWORD DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply)); #endif -- cgit From 3fa16da8c70af9c54e03ea2a497d18009d2126e9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 3 Sep 2008 14:36:43 -0400 Subject: Revert "Split lookup_name() and create a new functiong called" This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b) --- source3/auth/auth_util.c | 17 +++++++++++++---- source3/auth/token_util.c | 7 ++++--- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b2c3045c3..9220df01c0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1086,6 +1086,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; + char *qualified_name = NULL; TALLOC_CTX *mem_ctx = NULL; DOM_SID u_sid; enum lsa_SidType type; @@ -1151,10 +1152,18 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - if (!lookup_domain_name(mem_ctx, - unix_users_domain_name(), unix_username, - LOOKUP_NAME_ALL, - NULL, NULL, &u_sid, &type)) { + qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", + unix_users_domain_name(), + unix_username ); + if (!qualified_name) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, + NULL, NULL, + &u_sid, &type)) { TALLOC_FREE(result); TALLOC_FREE(mem_ctx); return NT_STATUS_NO_SUCH_USER; diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 2b55af779e..d6cd2ea3a8 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -291,6 +291,7 @@ NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_admins, root_sid; + fstring root_name; enum lsa_SidType type; TALLOC_CTX *ctx; bool ret; @@ -316,9 +317,9 @@ NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { return NT_STATUS_NO_MEMORY; } - ret = lookup_domain_name(ctx, get_global_sam_name(), "root", - LOOKUP_NAME_DOMAIN, - NULL, NULL, &root_sid, &type); + fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); + ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL, + &root_sid, &type); TALLOC_FREE( ctx ); if ( ret ) { -- cgit