From 2d27d8c720b705e8ca9575682948c0750c1bb080 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 17 May 2001 06:08:49 +0000 Subject: Fixes to get pam_auth() functionality working again. (This used to be commit 083b74c743f0026693fa0fbe665ed08a3ac706b8) --- source3/Makefile.in | 11 ++++++++- source3/nsswitch/winbindd_pam.c | 49 +++++++++++------------------------------ source3/smbd/password.c | 21 +++++++++--------- source3/smbd/reply.c | 2 +- 4 files changed, 35 insertions(+), 48 deletions(-) (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index dbbf4b717d..89ea6d4282 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -368,10 +368,17 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_sid.o \ nsswitch/winbindd_misc.o +UNECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ = \ + smbd/password.o smbd/session.o smbd/uid.o smbd/sec_ctx.o \ + rpc_client/cli_netlogon.o rpc_client/cli_login.o \ + smbd/chgpasswd.o + WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(NOPROTO_OBJ) $(PASSDB_OBJ) \ $(LIBNMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ - $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(GROUPDB_OBJ) + $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ + $(GROUPDB_OBJ) \ + $(UNECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ) WBINFO_OBJ = nsswitch/wbinfo.o @@ -407,6 +414,8 @@ debug2html : CHECK bin/debug2html smbfilter : CHECK bin/smbfilter +nsswitch : CHECK $(WINBIND_PROGS) + .SUFFIXES: .SUFFIXES: .c .o .po .po32 .lo diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 57b2394799..d9197bcb0e 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c 
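Review bot: The new `UNECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ` list in the first Makefile.in hunk links smbd/password.o, smbd/uid.o, smbd/sec_ctx.o and smbd/chgpasswd.o into winbindd, so the daemon now carries smbd code well beyond what it needs. The only visible reason is the `domain_client_validate` call this commit adds to winbindd_pam.c. I would put a comment above the variable recording why each object is pulled in, e.g. `# only needed for domain_client_validate(); remove once it lives in a shared object`, so the list can shrink later instead of growing. The variable name also misspells UNNECESSARY, which is worth fixing before other rules refer to it.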
@@ -50,56 +50,33 @@ static void parse_domain_user(char *domuser, fstring domain, fstring user) enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) { - NET_USER_INFO_3 info3; - uchar ntpw[16]; - uchar lmpw[16]; - uchar trust_passwd[16]; - uint32 status; - fstring server; + BOOL result, user_exists; fstring name_domain, name_user; - extern pstring global_myname; + int passlen; DEBUG(3, ("[%5d]: pam auth %s\n", state->pid, state->request.data.auth.user)); /* Parse domain and username */ + parse_domain_user(state->request.data.auth.user, name_domain, name_user); /* don't allow the null domain */ - if (strcmp(name_domain,"") == 0) return WINBINDD_ERROR; - - ZERO_STRUCT(info3); - - if (!_get_trust_account_password(lp_workgroup(), trust_passwd, NULL)) { - DEBUG(1, ("could not get trust password for domain %s\n", - name_domain)); - return WINBINDD_ERROR; - } - nt_lm_owf_gen(state->request.data.auth.pass, ntpw, lmpw); + if (strcmp(name_domain,"") == 0) + return WINBINDD_ERROR; - slprintf(server, sizeof(server), "\\\\%s", server_state.controller); - -#if 0 - - /* XXX */ - - status = domain_client_validate_backend(server, - name_user, name_domain, - global_myname, SEC_CHAN_WKSTA, - trust_passwd, - NULL, - lmpw, sizeof(lmpw), - ntpw, sizeof(ntpw), &info3); -#else - status = NT_STATUS_UNSUCCESSFUL; -#endif - + passlen = strlen(state->request.data.auth.pass); - if (status != NT_STATUS_NOPROBLEMO) return WINBINDD_ERROR; + result = domain_client_validate(name_user, name_domain, + state->request.data.auth.pass, + passlen, + state->request.data.auth.pass, + passlen, &user_exists, + server_state.controller); - return WINBINDD_OK; + return result ? WINBINDD_OK : WINBINDD_ERROR; } /* Change a user password */ diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 01fc9cdd53..303ed783e9 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c 
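Review bot: `strlen(state->request.data.auth.pass)` and `parse_domain_user(state->request.data.auth.user, ...)` in the new winbindd_pam_auth body run directly on fields of the client's request, and nothing in the function guarantees they are NUL-terminated. If these are fixed-size arrays filled from the winbindd socket (the struct definition is not shown here), a request without a terminator makes both calls, and the `%s` in the DEBUG line, read past the end of the field. Terminate them at the top of the function, before the DEBUG: `state->request.data.auth.user[sizeof(state->request.data.auth.user)-1] = '\0';` and the same line for `.pass`. `user_exists` is filled in by the call but never read, so a one-line comment saying it is ignored on purpose would help the next reader.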
@@ -1416,8 +1416,6 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, un return connect_to_domain_password_server(pcli, dc_name, trust_passwd); } - - /*********************************************************************** We have been asked to dynamcially determine the IP addresses of the PDC and BDC's for this DOMAIN, and query them in turn. @@ -1491,17 +1489,16 @@ static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd return connected_ok; } - - /*********************************************************************** Do the same as security=server, but using NT Domain calls and a session - key from the machine password. + key from the machine password. If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. ************************************************************************/ BOOL domain_client_validate( char *user, char *domain, char *smb_apasswd, int smb_apasslen, char *smb_ntpasswd, int smb_ntpasslen, - BOOL *user_exists) + BOOL *user_exists, char *server) { unsigned char local_challenge[8]; unsigned char local_lm_response[24]; @@ -1541,7 +1538,7 @@ BOOL domain_client_validate( char *user, char *domain, * Not encrypted - do so. */ - DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); + DEBUG(5,("domain_client_validate: User passwords not in encrypted format.\n")); generate_random_buffer( local_challenge, 8, False); SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response); 
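Review bot: The updated header comment for `domain_client_validate` says when `server` is used, but not what it may contain or who may supply it. The later hunk assigns it to `p` and feeds it to `next_token(&p, remote_machine, LIST_SEP, ...)`, so it is parsed as a list exactly like 'password server', and NULL is the only value that selects the configured servers. Since this argument chooses the machine whose answer decides the authentication, I would extend the comment with something like `server: NULL to use 'password server'; otherwise a LIST_SEP-separated list of DC names taken from trusted configuration or daemon state, never from client-supplied data`. The function body continues outside this hunk.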
@@ -1586,9 +1583,13 @@ BOOL domain_client_validate( char *user, char *domain, * PDC/BDC. Contact each in turn and try and authenticate. */ - pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; - p = pserver; + if (server) { + p = server; + } else { + pserver = lp_passwordserver(); + if (! *pserver) pserver = "*"; + p = pserver; + } while (!connected_ok && next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 41970c4040..2e4837013e 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -616,7 +616,7 @@ static BOOL check_domain_security(char *orig_user, char *domain, char *unix_user ret = domain_client_validate(orig_user, domain, smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen, - &user_exists); + &user_exists, NULL); if(ret) { /* -- cgit
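Review bot: `if (server)` in the password.c hunk treats an empty string as a specified server. In that case `p` points at an empty list, `next_token` yields nothing, the loop never runs, and the 'password server' setting is never tried. The winbindd caller passes `server_state.controller`; if that is an array, or is still empty before a controller has been located (not visible here), every PAM authentication takes this path. `if (server && *server) {` keeps the fallback the header comment promises. `pserver` is also left unset on the `server` branch, so any use of it later in the function, which continues outside this hunk, should be checked.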