From a0ba234cf9b40adf6b5390e4e67730163a42883f Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 6 Dec 1999 00:44:32 +0000 Subject: the first independent msrpc daemon - lsarpcd. one horrible cut / paste job from smbd, plus a code split of shared components between the two. the job is not _yet_ complete, as i need to be able to do a become_user() call for security reasons. i picked lsarpcd first because you don't _need_ security on it (microsoft botched so badly on this one, it's not real. at least they fixed this in nt5 with restrictanonymous=0x2). fixing this involves sending the current smb and unix credentials down the unix pipe so that the daemon it eventually goes to can pick them up at the other end. i can't believe this all worked!!! (This used to be commit 2245b0c6d13c7c5886e81f9137b05df883598c26) --- source3/smbd/password.c | 501 ------------------------------------------------ 1 file changed, 501 deletions(-) (limited to 'source3/smbd/password.c') diff --git a/source3/smbd/password.c b/source3/smbd/password.c index c14b50d3a6..240ec30c3f 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -31,209 +31,6 @@ extern pstring scope; extern pstring global_myname; extern fstring global_myworkgroup; -/* Data to do lanman1/2 password challenge. */ -static unsigned char saved_challenge[8]; -static BOOL challenge_sent=False; - -/******************************************************************* -Get the next challenge value - no repeats. -********************************************************************/ -void generate_next_challenge(char *challenge) -{ -#if 0 - /* - * Leave this ifdef'd out while we test - * the new crypto random number generator. - * JRA. - */ - unsigned char buf[16]; - static int counter = 0; - struct timeval tval; - int v1,v2; - - /* get a sort-of random number */ - GetTimeOfDay(&tval); - v1 = (counter++) + getpid() + tval.tv_sec; - v2 = (counter++) * getpid() + tval.tv_usec; - SIVAL(challenge,0,v1); - SIVAL(challenge,4,v2); - - /* mash it up with md4 */ - mdfour(buf, (unsigned char *)challenge, 8); -#else - unsigned char buf[8]; - - generate_random_buffer(buf,8,False); -#endif - memcpy(saved_challenge, buf, 8); - memcpy(challenge,buf,8); - challenge_sent = True; -} - -/******************************************************************* -set the last challenge sent, usually from a password server -********************************************************************/ -BOOL set_challenge(unsigned char *challenge) -{ - memcpy(saved_challenge,challenge,8); - challenge_sent = True; - return(True); -} - -/******************************************************************* -get the last challenge sent -********************************************************************/ -static BOOL last_challenge(unsigned char *challenge) -{ - if (!challenge_sent) return False; - memcpy(challenge,saved_challenge,8); - return(True); -} - -/* this holds info on user ids that are already validated for this VC */ -static user_struct *validated_users = NULL; -static int num_validated_users = 0; - -/**************************************************************************** -check if a uid has been validated, and return an pointer to the user_struct -if it has. NULL if not. vuid is biased by an offset. This allows us to -tell random client vuid's (normally zero) from valid vuids. -****************************************************************************/ -user_struct *get_valid_user_struct(uint16 vuid) -{ - if (vuid == UID_FIELD_INVALID) - return NULL; - vuid -= VUID_OFFSET; - if ((vuid >= (uint16)num_validated_users) || - (validated_users[vuid].uid == (uid_t)-1) || (validated_users[vuid].gid == (gid_t)-1)) - return NULL; - return &validated_users[vuid]; -} - -/**************************************************************************** -invalidate a uid -****************************************************************************/ -void invalidate_vuid(uint16 vuid) -{ - user_struct *vuser = get_valid_user_struct(vuid); - - if (vuser == NULL) return; - - vuser->uid = (uid_t)-1; - vuser->gid = (gid_t)-1; - - vuser->n_sids = 0; - - /* same number of igroups as groups */ - vuser->n_groups = 0; - - if (vuser->groups) - free((char *)vuser->groups); - - if (vuser->sids) - free((char *)vuser->sids); - - vuser->sids = NULL; - vuser->groups = NULL; -} - - -/**************************************************************************** -return a validated username -****************************************************************************/ -char *validated_username(uint16 vuid) -{ - user_struct *vuser = get_valid_user_struct(vuid); - if (vuser == NULL) - return 0; - return(vuser->name); -} - - - -/**************************************************************************** -register a uid/name pair as being valid and that a valid password -has been given. vuid is biased by an offset. This allows us to -tell random client vuid's (normally zero) from valid vuids. -****************************************************************************/ -uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name, BOOL guest, uchar user_sess_key[16]) -{ - user_struct *vuser; - struct passwd *pwfile; /* for getting real name from passwd file */ - - /* Ensure no vuid gets registered in share level security. */ - if(lp_security() == SEC_SHARE) - return UID_FIELD_INVALID; - -#if 0 - /* - * After observing MS-Exchange services writing to a Samba share - * I belive this code is incorrect. Each service does its own - * sessionsetup_and_X for the same user, and as each service shuts - * down, it does a user_logoff_and_X. As we are consolidating multiple - * sessionsetup_and_X's onto the same vuid here, when the first service - * shuts down, it invalidates all the open files for the other services. - * Hence I am removing this code and forcing each sessionsetup_and_X - * to get a new vuid. - * Jeremy Allison. (jallison@whistle.com). - */ - - int i; - for(i = 0; i < num_validated_users; i++) { - vuser = &validated_users[i]; - if ( vuser->uid == uid ) - return (uint16)(i + VUID_OFFSET); /* User already validated */ - } -#endif - - validated_users = (user_struct *)Realloc(validated_users, - sizeof(user_struct)* - (num_validated_users+1)); - - if (!validated_users) - { - DEBUG(0,("Failed to realloc users struct!\n")); - num_validated_users = 0; - return UID_FIELD_INVALID; - } - - vuser = &validated_users[num_validated_users]; - num_validated_users++; - - vuser->uid = uid; - vuser->gid = gid; - vuser->guest = guest; - fstrcpy(vuser->name,unix_name); - fstrcpy(vuser->requested_name,requested_name); - memcpy(vuser->dc.user_sess_key, user_sess_key, sizeof(vuser->dc.user_sess_key)); - - vuser->n_sids = 0; - vuser->sids = NULL; - - vuser->n_groups = 0; - vuser->groups = NULL; - - /* Find all the groups this uid is in and store them. - Used by become_user() */ - get_unixgroups(unix_name,uid,gid, - &vuser->n_groups, - &vuser->groups); - - DEBUG(3,("uid %d registered to name %s\n",(int)uid,unix_name)); - - DEBUG(3, ("Clearing default real name\n")); - fstrcpy(vuser->real_name, "\0"); - if (lp_unix_realname()) { - if ((pwfile=hashed_getpwnam(vuser->name))!= NULL) - { - DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->name,pwfile->pw_gecos)); - fstrcpy(vuser->real_name, pwfile->pw_gecos); - } - } - - return (uint16)((num_validated_users - 1) + VUID_OFFSET); -} - /**************************************************************************** add a name to the session users list @@ -290,275 +87,6 @@ static BOOL update_smbpassword_file(char *user, char *password) -/**************************************************************************** -core of smb password checking routine. -****************************************************************************/ -static BOOL smb_pwd_check_ntlmv1(char *password, unsigned char *part_passwd, - unsigned char *c8, - uchar sess_key[16]) -{ - /* Finish the encryption of part_passwd. */ - unsigned char p24[24]; - - if (part_passwd == NULL) - DEBUG(10,("No password set - allowing access\n")); - /* No password set - always true ! */ - if (part_passwd == NULL) - return True; - - SMBOWFencrypt(part_passwd, c8, p24); - if (sess_key != NULL) - { - SMBsesskeygen_ntv1(part_passwd, NULL, sess_key); - } - -#if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |")); - dump_data(100, part_passwd, 16); - DEBUG(100,("Password from client was |")); - dump_data(100, password, 24); - DEBUG(100,("Given challenge was |")); - dump_data(100, c8, 8); - DEBUG(100,("Value from encryption was |")); - dump_data(100, p24, 24); -#endif - return (memcmp(p24, password, 24) == 0); -} - -/**************************************************************************** -core of smb password checking routine. -****************************************************************************/ -static BOOL smb_pwd_check_ntlmv2(char *password, size_t pwd_len, - unsigned char *part_passwd, - unsigned char const *c8, - const char *user, const char *domain, - char *sess_key) -{ - /* Finish the encryption of part_passwd. */ - unsigned char kr[16]; - unsigned char resp[16]; - - if (part_passwd == NULL) - { - DEBUG(10,("No password set - allowing access\n")); - } - /* No password set - always true ! */ - if (part_passwd == NULL) - { - return True; - } - - ntv2_owf_gen(part_passwd, user, domain, kr); - SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp); - if (sess_key != NULL) - { - SMBsesskeygen_ntv2(kr, resp, sess_key); - } - -#if DEBUG_PASSWORD - DEBUG(100,("Part password (P16) was |")); - dump_data(100, part_passwd, 16); - DEBUG(100,("Password from client was |")); - dump_data(100, password, pwd_len); - DEBUG(100,("Given challenge was |")); - dump_data(100, c8, 8); - DEBUG(100,("Value from encryption was |")); - dump_data(100, resp, 16); -#endif - - return (memcmp(resp, password, 16) == 0); -} - -/**************************************************************************** - Do a specific test for an smb password being correct, given a smb_password and - the lanman and NT responses. -****************************************************************************/ -BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar chal[8], - const char *user, const char *domain, - uchar *lm_pass, size_t lm_pwd_len, - uchar *nt_pass, size_t nt_pwd_len, - uchar sess_key[16]) -{ - uchar challenge[8]; - - if (smb_pass == NULL) - { - return False; - } - - DEBUG(4,("Checking SMB password for user %s\n", - smb_pass->unix_name)); - - if (smb_pass->acct_ctrl & ACB_DISABLED) - { - DEBUG(3,("account for user %s was disabled.\n", - smb_pass->unix_name)); - return False; - } - - if (chal == NULL) - { - DEBUG(5,("use last SMBnegprot challenge\n")); - if (!last_challenge(challenge)) - { - DEBUG(1,("no challenge done - password failed\n")); - return False; - } - } - else - { - DEBUG(5,("challenge received\n")); - memcpy(challenge, chal, 8); - } - - if ((Protocol >= PROTOCOL_NT1) && (smb_pass->smb_nt_passwd != NULL)) - { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - if (lp_server_ntlmv2() != False && nt_pwd_len > 24) - { - DEBUG(4,("smb_password_ok: Check NTLMv2 password\n")); - if (smb_pwd_check_ntlmv2(nt_pass, nt_pwd_len, - (uchar *)smb_pass->smb_nt_passwd, - challenge, user, domain, - sess_key)) - { - return True; - } - } - if (lp_server_ntlmv2() != True && nt_pwd_len == 24) - { - DEBUG(4,("smb_password_ok: Check NT MD4 password\n")); - if (smb_pwd_check_ntlmv1((char *)nt_pass, - (uchar *)smb_pass->smb_nt_passwd, - challenge, - sess_key)) - { - DEBUG(4,("NT MD4 password check succeeded\n")); - return True; - } - } - DEBUG(4,("NT MD4 password check failed\n")); - } - - if (lp_server_ntlmv2() == True) - { - DEBUG(4,("Not checking LM MD4 password\n")); - return False; - } - - /* Try against the lanman password. smb_pass->smb_passwd == NULL means - no password, allow access. */ - - DEBUG(4,("Checking LM MD4 password\n")); - - if ((smb_pass->smb_passwd == NULL) && - (smb_pass->acct_ctrl & ACB_PWNOTREQ)) - { - DEBUG(4,("no password required for user %s\n", - smb_pass->unix_name)); - return True; - } - - if ((smb_pass->smb_passwd != NULL) && - smb_pwd_check_ntlmv1((char *)lm_pass, - (uchar *)smb_pass->smb_passwd, - challenge, NULL)) - { - DEBUG(4,("LM MD4 password check succeeded\n")); - return(True); - } - - DEBUG(4,("LM MD4 password check failed\n")); - - return False; -} - - -/**************************************************************************** -check if a username/password is OK assuming the password is a 24 byte -SMB hash -return True if the password is correct, False otherwise -****************************************************************************/ - -BOOL pass_check_smb(struct smb_passwd *smb_pass, char *domain, uchar *chal, - uchar *lm_pwd, size_t lm_pwd_len, - uchar *nt_pwd, size_t nt_pwd_len, - struct passwd *pwd, uchar user_sess_key[16]) -{ - const struct passwd *pass; - struct passwd pw; - char *user = NULL; - - if (smb_pass == NULL) - { - DEBUG(3,("Couldn't find user %s in smb_passwd file.\n", user)); - return False; - } - - user = smb_pass->unix_name; - - if (lm_pwd == NULL || nt_pwd == NULL) - { - return False; - } - - if (pwd != NULL && user == NULL) - { - pass = (struct passwd *) pwd; - user = pass->pw_name; - } - else - { - pass = Get_Pwnam(user,True); - if (pass == NULL) - { - DEBUG(3,("Couldn't find user %s\n",user)); - return False; - } - memcpy(&pw, pass, sizeof(struct passwd)); - pass = &pw; - } - - /* Quit if the account was disabled. */ - if (smb_pass->acct_ctrl & ACB_DISABLED) { - DEBUG(3,("account for user %s was disabled.\n", user)); - return False; - } - - /* Ensure the uid's match */ - if (smb_pass->unix_uid != pass->pw_uid) - { - DEBUG(3,("Error : UNIX (%d) and SMB (%d) uids in password files do not match !\n", pass->pw_uid, smb_pass->unix_uid)); - return False; - } - - if (lm_pwd[0] == '\0' && IS_BITS_SET_ALL(smb_pass->acct_ctrl, ACB_PWNOTREQ) && lp_null_passwords()) - { - DEBUG(3,("account for user %s has no password and null passwords are allowed.\n", smb_pass->unix_name)); - return(True); - } - - if (smb_password_ok(smb_pass, chal, user, domain, - lm_pwd, lm_pwd_len, - nt_pwd, nt_pwd_len, - user_sess_key)) - { - if (user_sess_key != NULL) - { -#ifdef DEBUG_PASSWORD - DEBUG(100,("user session key: ")); - dump_data(100, user_sess_key, 16); -#endif - } - return(True); - } - - DEBUG(3,("Error pass_check_smb failed\n")); - return False; -} - /**************************************************************************** check if a username/password pair is OK either via the system password database or the encrypted SMB password database @@ -589,35 +117,6 @@ BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd, update_smbpassword_file : NULL); } -/**************************************************************************** -check if a username is valid -****************************************************************************/ -BOOL user_ok(char *user,int snum) -{ - pstring valid, invalid; - BOOL ret; - - StrnCpy(valid, lp_valid_users(snum), sizeof(pstring)); - StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring)); - - string_sub(valid,"%S",lp_servicename(snum)); - string_sub(invalid,"%S",lp_servicename(snum)); - - ret = !user_in_list(user,invalid); - - if (ret && valid && *valid) { - ret = user_in_list(user,valid); - } - - if (ret && lp_onlyuser(snum)) { - char *user_list = lp_username(snum); - string_sub(user_list,"%S",lp_servicename(snum)); - ret = user_in_list(user,user_list); - } - - return(ret); -} - -- cgit