From 548b417d404a2653ebb5918b0c169ccdfafe856f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Sat, 7 Nov 1998 05:32:37 +0000
Subject: codepages/codepage_def.936: Updated comment. param/loadparm.c:
 Removed "networkstation user login", "domain controller", and "domain sid"
 parameters. passdb/passdb.c: Removed "networkstation user login" code and
 changed bug test code                  to only check once for a bad password
 server. This will stop the                  complaints of many "bad login"
 audit records in NT PDC logs. utils/smbpasswd.c: Removed check for "domain
 controller". Jeremy. (This used to be commit
 d6e6e936b5dd90dd8fc38d9404efbe5c546c15e5)

---
 source3/codepages/codepage_def.936 |   2 +-
 source3/param/loadparm.c           |  11 ---
 source3/passdb/passdb.c            |   8 +-
 source3/smbd/password.c            | 162 +++++++++++++++++--------------------
 source3/utils/smbpasswd.c          |   6 +-
 5 files changed, 80 insertions(+), 109 deletions(-)

(limited to 'source3')

diff --git a/source3/codepages/codepage_def.936 b/source3/codepages/codepage_def.936
index 25a317ffea..400b60a633 100644
--- a/source3/codepages/codepage_def.936
+++ b/source3/codepages/codepage_def.936
@@ -14,7 +14,7 @@
 #   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 #
 
-# Codepage definition file for IBM Code Page 949 - MS-DOS Simplified Chinese.
+# Codepage definition file for IBM Code Page 936 - MS-DOS Simplified Chinese.
 # defines lower->upper mapping.
 # Written by Jeremy Allison <jallison@whistle.com>
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 37e53f437e..fcdc2ae68d 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -145,7 +145,6 @@ typedef struct
   char *szNISHomeMapName;
   char *szAnnounceVersion; /* This is initialised in init_globals */
   char *szNetbiosAliases;
-  char *szDomainSID;
   char *szDomainOtherSIDs;
   char *szDomainGroups;
   char *szDriverFile;
@@ -207,7 +206,6 @@ typedef struct
   BOOL bWINSproxy;
   BOOL bLocalMaster;
   BOOL bPreferredMaster;
-  BOOL bDomainController;
   BOOL bDomainMaster;
   BOOL bDomainLogons;
   BOOL bEncryptPasswords;
@@ -226,7 +224,6 @@ typedef struct
   BOOL bNISHomeMap;
   BOOL bTimeServer;
   BOOL bBindInterfacesOnly;
-  BOOL bNetWkstaUserLogon;
   BOOL bUnixPasswdSync;
   BOOL bPasswdChatDebug;
   BOOL bOleLockingCompat;
@@ -577,7 +574,6 @@ static struct parm_struct parm_table[] =
   {"read bmpx",        P_BOOL,    P_GLOBAL, &Globals.bReadbmpx,         NULL,   NULL,  0},
   {"read raw",         P_BOOL,    P_GLOBAL, &Globals.bReadRaw,          NULL,   NULL,  0},
   {"write raw",        P_BOOL,    P_GLOBAL, &Globals.bWriteRaw,         NULL,   NULL,  0},
-  {"networkstation user login", P_BOOL,P_GLOBAL, &Globals.bNetWkstaUserLogon,NULL,   NULL,  0},
   {"nt smb support",   P_BOOL,    P_GLOBAL, &Globals.bNTSmbSupport,    NULL,   NULL,  0},
   {"nt pipe support",   P_BOOL,    P_GLOBAL, &Globals.bNTPipeSupport,    NULL,   NULL,  0},
   {"announce version", P_STRING,  P_GLOBAL, &Globals.szAnnounceVersion, NULL,   NULL,  0},
@@ -659,9 +655,7 @@ static struct parm_struct parm_table[] =
   {"stat cache",       P_BOOL,    P_GLOBAL, &Globals.bStatCache,        NULL,   NULL,  0},
 
   {"Domain Options", P_SEP, P_SEPARATOR},
-  {"domain sid",       P_USTRING, P_GLOBAL, &Globals.szDomainSID,       NULL,   NULL,  0},
   {"domain groups",    P_STRING,  P_GLOBAL, &Globals.szDomainGroups,    NULL,   NULL,  0},
-  {"domain controller",P_BOOL  ,  P_GLOBAL, &Globals.bDomainController,NULL,   NULL,  0},
   {"domain admin group",P_STRING, P_GLOBAL, &Globals.szDomainAdminGroup, NULL,   NULL,  0},
   {"domain guest group",P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL,   NULL,  0},
   {"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL,   NULL,  0},
@@ -866,8 +860,6 @@ static void init_globals(void)
   Globals.client_code_page = DEFAULT_CLIENT_CODE_PAGE;
   Globals.bTimeServer = False;
   Globals.bBindInterfacesOnly = False;
-  Globals.bNetWkstaUserLogon = False; /* This is now set to false by default as
-                                         the code in password.c protects us from this bug. */
   Globals.bUnixPasswdSync = False;
   Globals.bPasswdChatDebug = False;
   Globals.bOleLockingCompat = True;
@@ -1105,7 +1097,6 @@ FN_GLOBAL_STRING(lp_netbios_aliases,&Globals.szNetbiosAliases)
 FN_GLOBAL_STRING(lp_driverfile,&Globals.szDriverFile)
 FN_GLOBAL_STRING(lp_panic_action,&Globals.szPanicAction)
 
-FN_GLOBAL_STRING(lp_domain_sid,&Globals.szDomainSID)
 FN_GLOBAL_STRING(lp_domain_groups,&Globals.szDomainGroups)
 FN_GLOBAL_STRING(lp_domain_admin_group,&Globals.szDomainAdminGroup)
 FN_GLOBAL_STRING(lp_domain_guest_group,&Globals.szDomainGuestGroup)
@@ -1142,7 +1133,6 @@ FN_GLOBAL_BOOL(lp_wins_support,&Globals.bWINSsupport)
 FN_GLOBAL_BOOL(lp_we_are_a_wins_server,&Globals.bWINSsupport)
 FN_GLOBAL_BOOL(lp_wins_proxy,&Globals.bWINSproxy)
 FN_GLOBAL_BOOL(lp_local_master,&Globals.bLocalMaster)
-FN_GLOBAL_BOOL(lp_domain_controller,&Globals.bDomainController)
 FN_GLOBAL_BOOL(lp_domain_master,&Globals.bDomainMaster)
 FN_GLOBAL_BOOL(lp_domain_logons,&Globals.bDomainLogons)
 FN_GLOBAL_BOOL(lp_preferred_master,&Globals.bPreferredMaster)
@@ -1163,7 +1153,6 @@ FN_GLOBAL_BOOL(lp_unix_realname,&Globals.bUnixRealname)
 FN_GLOBAL_BOOL(lp_nis_home_map,&Globals.bNISHomeMap)
 static FN_GLOBAL_BOOL(lp_time_server,&Globals.bTimeServer)
 FN_GLOBAL_BOOL(lp_bind_interfaces_only,&Globals.bBindInterfacesOnly)
-FN_GLOBAL_BOOL(lp_net_wksta_user_logon,&Globals.bNetWkstaUserLogon)
 FN_GLOBAL_BOOL(lp_unix_password_sync,&Globals.bUnixPasswdSync)
 FN_GLOBAL_BOOL(lp_passwd_chat_debug,&Globals.bPasswdChatDebug)
 FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat)
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index aae59b32f6..f29a9ff570 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -875,13 +875,11 @@ BOOL pdb_generate_sam_sid(void)
 	} 
   
 	/*
-	 * The file contains no data - we may need to generate our
-	 * own sid. Try the lp_domain_sid() first.
+	 * The file contains no data - we need to generate our
+	 * own sid.
 	 */
 	
-	if(*lp_domain_sid())
-		fstrcpy( sid_string, lp_domain_sid());
-	else {
+	{
 		/*
 		 * Generate the new sid data & turn it into a string.
 		 */
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 95560df66b..d49ea7c562 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1036,114 +1036,98 @@ BOOL server_validate(char *user, char *domain,
 		     char *pass, int passlen,
 		     char *ntpass, int ntpasslen)
 {
-	struct cli_state *cli;
-	extern fstring local_machine;
-        static unsigned char badpass[24];
-	cli = server_client();
+  struct cli_state *cli;
+  extern fstring local_machine;
+  static unsigned char badpass[24];
+  static BOOL tested_password_server = False;
+  static BOOL bad_password_server = False;
 
-	if (!cli->initialised) {
-		DEBUG(1,("password server %s is not connected\n", cli->desthost));
-		return(False);
-	}  
+  cli = server_client();
 
-        if(badpass[0] == 0) {
-          memset(badpass, 0x1f, sizeof(badpass));
-        }
+  if (!cli->initialised) {
+    DEBUG(1,("password server %s is not connected\n", cli->desthost));
+    return(False);
+  }  
 
-        if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
-          /* Very unlikely, our random bad password is the same as the users
-             password. */
-          memset(badpass, badpass[0]+1, sizeof(badpass));
-        }
+  if(badpass[0] == 0)
+    memset(badpass, 0x1f, sizeof(badpass));
 
-        /*
-         * Attempt a session setup with a totally incorrect password.
-         * If this succeeds with the guest bit *NOT* set then the password
-         * server is broken and is not correctly setting the guest bit. We
-         * need to detect this as some versions of NT4.x are broken. JRA.
-         */
+  if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
+    /* 
+     * Very unlikely, our random bad password is the same as the users
+     * password. */
+    memset(badpass, badpass[0]+1, sizeof(badpass));
+  }
 
-        if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass), 
-                              (char *)badpass, sizeof(badpass), domain)) {
-	  if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
-            DEBUG(0,("server_validate: password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
-            DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
-            cli_ulogoff(cli);
-            return False;
-          }
-          cli_ulogoff(cli);
-        }
+  /*
+   * Attempt a session setup with a totally incorrect password.
+   * If this succeeds with the guest bit *NOT* set then the password
+   * server is broken and is not correctly setting the guest bit. We
+   * need to detect this as some versions of NT4.x are broken. JRA.
+   */
 
-        /*
-         * Now we know the password server will correctly set the guest bit, or is
-         * not guest enabled, we can try with the real password.
-         */
+  if(!tested_password_server) {
+    if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass), 
+                              (char *)badpass, sizeof(badpass), domain)) {
 
-	if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
-		DEBUG(1,("password server %s rejected the password\n", cli->desthost));
-		return False;
-	}
+      /*
+       * We connected to the password server so we
+       * can say we've tested it.
+       */
+      tested_password_server = True;
 
-	/* if logged in as guest then reject */
-	if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
-		DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
-                cli_ulogoff(cli);
-		return(False);
-	}
+      if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
+        DEBUG(0,("server_validate: password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+        DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+        cli_ulogoff(cli);
 
         /*
-         * This patch from Rob Nielsen <ran@adc.com> makes doing
-         * the NetWksaUserLogon a dynamic, rather than compile-time
-         * parameter, defaulting to on. This is somewhat dangerous
-         * as it allows people to turn off this neccessary check,
-         * but so many people have had problems with this that I
-         * think it is a neccessary change. JRA.
+         * Password server has the bug.
          */
+        bad_password_server = True;
+        return False;
+      }
+      cli_ulogoff(cli);
+    }
+  } else {
 
-	if (lp_net_wksta_user_logon()) {
-		DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", cli->desthost));
+    /*
+     * We have already tested the password server.
+     * Fail immediately if it has the bug.
+     */
 
-                if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
-                        DEBUG(0,("password server %s refused IPC$ connect\n", cli->desthost));
-                        cli_ulogoff(cli);
-                        return False;
-                }
+    if(bad_password_server) {
+      DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+      DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+      return False;
+    }
+  }
 
-		if (!cli_NetWkstaUserLogon(cli,user,local_machine)) {
-			DEBUG(0,("password server %s failed NetWkstaUserLogon\n", cli->desthost));
-			cli_tdis(cli);
-                        cli_ulogoff(cli);
-			return False;
-		}
+  /*
+   * Now we know the password server will correctly set the guest bit, or is
+   * not guest enabled, we can try with the real password.
+   */
 
-		if (cli->privilages == 0) {
-			DEBUG(0,("password server %s gave guest privilages\n", cli->desthost));
-			cli_tdis(cli);
-                        cli_ulogoff(cli);
-			return False;
-		}
+  if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
+    DEBUG(1,("password server %s rejected the password\n", cli->desthost));
+    return False;
+  }
 
-		if (!strequal(cli->eff_name, user)) {
-			DEBUG(0,("password server %s gave different username %s\n", 
-			 	cli->desthost,
-			 	cli->eff_name));
-			cli_tdis(cli);
-                        cli_ulogoff(cli);
-			return False;
-		}
-                cli_tdis(cli);
-	}
-        else {
-		DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", cli->desthost));
-        }
+  /* if logged in as guest then reject */
+  if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
+    DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
+    cli_ulogoff(cli);
+    return(False);
+  }
 
-	DEBUG(3,("password server %s accepted the password\n", cli->desthost));
 
-        cli_ulogoff(cli);
+  cli_ulogoff(cli);
 
-	return(True);
+  return(True);
 }
 
 /***********************************************************************
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 147e3492af..b27bbbbd3b 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -60,9 +60,9 @@ static int join_domain( char *domain, char *remote)
      domain if we are locally set up as a domain
      controller. */
 
-  if(lp_domain_controller() && strequal(lp_workgroup(), domain)) {
-    fprintf(stderr, "%s: Cannot join domain %s as we already configured as \
-domain controller for that domain.\n", prog_name, domain);
+  if(strequal(remote, global_myname)) {
+    fprintf(stderr, "%s: Cannot join domain %s as the domain controller name is our own. \
+We cannot be a domain controller for a domain and also be a domain member.\n", prog_name, domain);
     return 1;
   }
 
-- 
cgit