From d0a2faf78d316fec200497f5f7997df4c477a1e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:12:38 +0000 Subject: This is another rather major change to the samba authenticaion subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99) --- source3/rpc_server/srv_netlog_nt.c | 26 ++++++++++++++++++++++---- source3/rpc_server/srv_pipe.c | 8 ++++++-- 2 files changed, 28 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server') diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 1aa58f5274..6f0d2384d5 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -566,26 +566,46 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * switch (ctr->switch_value) { case NET_LOGON_TYPE: + { + auth_authsupplied_info *auth_info = NULL; + make_auth_info_fixed(&auth_info, ctr->auth.id2.lm_chal); /* Standard challange/response authenticaion */ make_user_info_netlogon_network(&user_info, nt_username, nt_domain, - nt_workstation, ctr->auth.id2.lm_chal, + nt_workstation, ctr->auth.id2.lm_chal_resp.buffer, ctr->auth.id2.lm_chal_resp.str_str_len, ctr->auth.id2.nt_chal_resp.buffer, ctr->auth.id2.nt_chal_resp.str_str_len); + + status = check_password(user_info, auth_info, &server_info); + free_auth_info(&auth_info); + break; + } case INTERACTIVE_LOGON_TYPE: /* 'Interactive' autheticaion, supplies the password in its MD4 form, encrypted with the session key. We will convert this to challange/responce for the auth subsystem to chew on */ { + auth_authsupplied_info *auth_info = NULL; + DATA_BLOB chal; + if (!make_auth_info_subsystem(&auth_info)) { + return NT_STATUS_NO_MEMORY; + } + + chal = auth_get_challange(auth_info); + make_user_info_netlogon_interactive(&user_info, nt_username, nt_domain, - nt_workstation, + nt_workstation, chal.data, ctr->auth.id1.lm_owf.data, ctr->auth.id1.nt_owf.data, p->dc.sess_key); + status = check_password(user_info, auth_info, &server_info); + data_blob_free(&chal); + free_auth_info(&auth_info); + break; } default: @@ -593,8 +613,6 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * return NT_STATUS_INVALID_INFO_CLASS; } /* end switch */ - status = check_password(user_info, &server_info); - free_user_info(&user_info); DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index b9c40e719b..4b3140b350 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -271,6 +271,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm NTSTATUS nt_status; auth_usersupplied_info *user_info = NULL; + auth_authsupplied_info *auth_info = NULL; auth_serversupplied_info *server_info = NULL; uid_t *puid; @@ -343,17 +344,20 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm return False; } + + make_auth_info_fixed(&auth_info, (uchar*)p->challenge); if (!make_user_info_netlogon_network(&user_info, - user_name, domain, wks, (uchar*)p->challenge, + user_name, domain, wks, lm_owf, lm_pw_len, nt_owf, nt_pw_len)) { DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); return False; } - nt_status = check_password(user_info, &server_info); + nt_status = check_password(user_info, auth_info, &server_info); + free_auth_info(&auth_info); free_user_info(&user_info); p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); -- cgit