From e357d9106895b165bfa3f8331b9f186004c9a6cd Mon Sep 17 00:00:00 2001
From: Luke Leighton <lkcl@samba.org>
Date: Sun, 9 Nov 1997 17:30:10 +0000
Subject: attempting to mark up 32 bit error codes, needed for NT domains.
 separated out smb server-mode password validation into a separate file. added
 called and calling netbios names to client gen state: referenced section in
 rfc1002.txt. created workstation trust account checking code in ntclient.c

there might be a bug in reply_session_setup_andX.  i indented and added { }
around single-line if statements: the lm password checking code now doesn't
look right (around the GUEST_SESSSETUP bits).  *no code semantics have been
changed by the indentation process*.
(This used to be commit f27966957fa7f16d337a4a58719239d036deab4c)
---
 source3/pwd_validate.c | 276 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 276 insertions(+)
 create mode 100644 source3/pwd_validate.c

(limited to 'source3/pwd_validate.c')

diff --git a/source3/pwd_validate.c b/source3/pwd_validate.c
new file mode 100644
index 0000000000..2eefa1e5f0
--- /dev/null
+++ b/source3/pwd_validate.c
@@ -0,0 +1,276 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   Password and authentication handling
+   Copyright (C) Andrew Tridgell 1992-1997
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+extern int Protocol;
+
+
+/****************************************************************************
+initiates a connection to a user-level server.
+****************************************************************************/
+BOOL server_connect_init(struct cli_state *clnt, char my_netbios_name[16],
+				struct in_addr dest_ip, char *desthost)
+{
+	DEBUG(5,("password server connection requested: %s [%s]\n",
+		desthost, inet_ntoa(dest_ip)));
+
+	if (clnt == NULL || !clnt->initialised)
+	{
+		DEBUG(1,("password server client state not initialised\n", desthost));
+		return(False);
+	}  
+
+	if (!cli_connect(clnt, desthost, &dest_ip))
+	{
+		DEBUG(3,("connected to password server %s\n", desthost));
+		return False;
+	}
+
+	if (!cli_session_request(clnt, desthost, 0x20, my_netbios_name, 0x0))
+	{
+		DEBUG(1,("%s rejected the session\n", desthost));
+		return False;
+	}
+
+	DEBUG(3,("got session\n"));
+
+	if (!cli_negprot(clnt))
+	{
+		DEBUG(1,("%s rejected the negprot\n", desthost));
+		return False;
+	}
+
+	if (clnt->protocol < PROTOCOL_LANMAN2 || !(clnt->sec_mode & 1))
+	{
+		DEBUG(1,("%s isn't in user level security mode\n", desthost));
+		return False;
+	}
+
+	DEBUG(3,("password server OK\n"));
+
+	return True;
+}
+
+/****************************************************************************
+support for server level security 
+****************************************************************************/
+BOOL server_cryptkey(struct cli_state *clnt, char my_netbios_name[16])
+{
+	fstring desthost;
+	struct in_addr dest_ip;
+	char *p;
+	BOOL connection_found = False;
+
+	if (clnt == NULL || !cli_initialise(clnt))
+	{
+		DEBUG(1,("server_cryptkey: failed to initialise client state\n"));
+		return False;
+	}
+	    
+	for (p = strtok(lp_passwordserver(),LIST_SEP); p && !connection_found; p = strtok(NULL,LIST_SEP))
+	{
+		fstrcpy(desthost,p);
+		standard_sub_basic(desthost);
+		strupper(desthost);
+
+		dest_ip = *interpret_addr2(desthost);
+
+		if (zero_ip(dest_ip))
+		{
+			DEBUG(1,("Can't resolve address for %s\n",p));
+			continue;
+		}
+
+		if (ismyip(dest_ip))
+		{
+			DEBUG(1,("Password server loop - disabling password server %s\n", p));
+			continue;
+		}
+
+		connection_found = server_connect_init(clnt, my_netbios_name, dest_ip, desthost);
+	}
+
+	if (!p && !connection_found)
+	{
+		DEBUG(1,("password server not available\n"));
+		cli_shutdown(clnt);
+		return False;
+	}
+
+	DEBUG(3,("password server OK\n"));
+
+	return True;
+}
+
+/****************************************************************************
+validate a password
+****************************************************************************/
+BOOL server_validate2(struct cli_state *clnt, char *user, char *domain, 
+		     char *pass, int passlen,
+		     char *ntpass, int ntpasslen)
+{
+	BOOL pwd_ok = False;
+
+	DEBUG(4,("server_validate2: user:[%s] domain:[%s]\n", user, domain));
+
+	if (clnt == NULL)
+	{
+		DEBUG(1,("server_validate2: NULL client_state. cannot validate\n"));
+		return(False);
+	}  
+
+	if (pass == NULL && ntpass == NULL)
+	{
+		DEBUG(1,("server_validate2: both lm and nt passwords are NULL.  cannot validate\n"));
+		return(False);
+	}  
+	
+	if (!clnt->initialised)
+	{
+		DEBUG(1,("server %s is not connected\n", clnt->full_dest_host_name));
+		return(False);
+	}  
+
+	if (!cli_session_setup(clnt, user, pass, passlen, ntpass, ntpasslen, domain)) {
+		DEBUG(1,("server %s rejected the password\n", clnt->full_dest_host_name));
+		return False;
+	}
+
+	/* if logged in as guest then reject */
+	if ((SVAL(clnt->inbuf,smb_vwv2) & 1) != 0) {
+		DEBUG(1,("server %s gave us guest only\n", clnt->full_dest_host_name));
+		return(False);
+	}
+
+	pwd_ok = False;
+
+	if (!pwd_ok)
+	{
+		pwd_ok = pass != NULL && !cli_send_tconX(clnt, "IPC$", "IPC", pass, passlen);
+	}
+
+	if (!pwd_ok)
+	{
+		DEBUG(1,("server %s refused IPC$ connect with LM password\n", clnt->full_dest_host_name));
+	}
+
+	if (!pwd_ok)
+	{
+		pwd_ok = ntpass != NULL && !cli_send_tconX(clnt, "IPC$", "IPC", ntpass, ntpasslen);
+	}
+
+	if (!pwd_ok)
+	{
+		DEBUG(1,("server %s refused IPC$ connect with NT password\n", clnt->full_dest_host_name));
+		return False;
+	}
+
+	if (!pwd_ok)
+	{
+		DEBUG(3,("server %s rejected the password\n", clnt->full_dest_host_name));
+	}
+	else
+	{
+		DEBUG(3,("server %s accepted the password\n", clnt->full_dest_host_name));
+	}
+
+	cli_tdis(clnt);
+
+	return(True);
+}
+
+
+/****************************************************************************
+validate a password with the password server.  here's some good code to go
+into an SMB pam, by the way...
+****************************************************************************/
+BOOL server_validate(struct cli_state *clnt, char *user, char *domain, 
+		     char *pass, int passlen,
+		     char *ntpass, int ntpasslen)
+{
+	if (clnt == NULL)
+	{
+		DEBUG(1,("server_validate: NULL client_state. cannot validate\n"));
+		return(False);
+	}  
+
+	if (!clnt->initialised) {
+		DEBUG(1,("password server %s is not connected\n", clnt->full_dest_host_name));
+		return(False);
+	}  
+
+	if (!cli_session_setup(clnt, user, pass, passlen, ntpass, ntpasslen, domain)) {
+		DEBUG(1,("password server %s rejected the password\n", clnt->full_dest_host_name));
+		return False;
+	}
+
+	/* if logged in as guest then reject */
+	if ((SVAL(clnt->inbuf,smb_vwv2) & 1) != 0) {
+		DEBUG(1,("password server %s gave us guest only\n", clnt->full_dest_host_name));
+		return(False);
+	}
+
+
+	if (!cli_send_tconX(clnt, "IPC$", "IPC", "", 1))
+    {
+		DEBUG(1,("password server %s refused IPC$ connect\n", clnt->full_dest_host_name));
+		return False;
+	}
+
+
+	if (!cli_send_tconX(clnt, "IPC$", "IPC", "", 1)) {
+		DEBUG(1,("password server %s refused IPC$ connect\n", clnt->full_dest_host_name));
+		return False;
+	}
+
+
+	if (!cli_NetWkstaUserLogon(clnt, user, clnt->called_netbios_name))
+	{
+		DEBUG(1,("password server %s failed NetWkstaUserLogon\n", clnt->full_dest_host_name));
+		cli_tdis(clnt);
+		return False;
+	}
+
+	if (clnt->privileges == 0)
+	{
+		DEBUG(1,("password server %s gave guest privilages\n", clnt->full_dest_host_name));
+		cli_tdis(clnt);
+		return False;
+	}
+
+	if (!strequal(clnt->eff_name, user)) {
+		DEBUG(1,("password server %s gave different username %s\n", 
+			 clnt->full_dest_host_name,
+			 clnt->eff_name));
+		cli_tdis(clnt);
+		return False;
+	}
+
+	DEBUG(3,("password server %s accepted the password\n", clnt->full_dest_host_name));
+
+	cli_tdis(clnt);
+
+	return(True);
+}
+
+
-- 
cgit