From 93fb9f76e2a78d131901c4f11c4a6ed30a4afa9d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 5 Nov 2001 00:21:17 +0000 Subject: Use cli_nt_login_network() instead of domain_client_validate() to perform pam authentication. This allows us to link in less other crap. Authenticating with a challenge/response doesn't seem to work though - we always get back NT_STATUS_WRONG_PASSWORD. (This used to be commit d85aa1ce83327dda6aa3dcd9bbab9cf6979dda1e) --- source3/Makefile.in | 4 +- source3/nsswitch/winbindd_cm.c | 30 ++++++++++++ source3/nsswitch/winbindd_pam.c | 96 ++++++++++++++++++++++----------------- source3/nsswitch/winbindd_proto.h | 1 + 4 files changed, 88 insertions(+), 43 deletions(-) (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 4bced02721..615887389c 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -398,8 +398,8 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_cm.o NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ = \ - libsmb/domain_client_validate.o smbd/auth_util.o \ - rpc_client/cli_netlogon.o rpc_client/cli_login.o + rpc_client/cli_netlogon.o rpc_client/cli_login.o \ + smbd/auth_util.o WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(NOPROTO_OBJ) $(PASSDB_OBJ) \ diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 4f0974fe06..c41ed5ac62 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -513,3 +513,33 @@ CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid, return &hnd; } + +/* Get a handle on a netlogon pipe */ + +struct cli_state *cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd) +{ + struct winbindd_cm_conn conn; + NTSTATUS result; + + /* Open an initial conection */ + + ZERO_STRUCT(conn); + + if (!cm_open_connection(domain, PIPE_NETLOGON, &conn)) { + DEBUG(3, ("Could not open a connection to %s\n", domain)); + return NULL; + } + + result = cli_nt_setup_creds(conn.cli, trust_passwd); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0, ("error connecting to domain password server: %s\n", + get_nt_error_msg(result))); + cli_shutdown(conn.cli); + return NULL; + } + + /* We only want the client handle from this structure */ + + return conn.cli; +} diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 22f102269d..aa248aadaf 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -53,13 +53,15 @@ static void parse_domain_user(char *domuser, fstring domain, fstring user) enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) { NTSTATUS result; - fstring name_domain, name_user, auth_dc; + fstring name_domain, name_user; int passlen; unsigned char trust_passwd[16]; time_t last_change_time; - auth_usersupplied_info *user_info; - auth_serversupplied_info *server_info; + uint32 smb_uid_low; + NET_USER_INFO_3 info3; + NET_ID_INFO_CTR ctr; + struct cli_state *cli; DEBUG(3, ("[%5d]: pam auth %s\n", state->pid, state->request.data.auth.user)); @@ -76,39 +78,41 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) passlen = strlen(state->request.data.auth.pass); - if (state->request.data.auth.pass[0]) { - make_user_info_for_winbind(&user_info, - name_user, name_domain, - state->request.data.auth.pass); - } else { + if (state->request.data.auth.pass[0]) + make_user_info_winbind(&user_info, + name_user, name_domain, + state->request.data.auth.pass); + else return WINBINDD_ERROR; - } /* * Get the machine account password for our primary domain */ - if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) - { - DEBUG(0, ("winbindd_pam_auth: could not fetch trust account password for domain %s\n", lp_workgroup())); + if (!secrets_fetch_trust_account_password( + lp_workgroup(), trust_passwd, &last_change_time)) { + DEBUG(0, ("winbindd_pam_auth: could not fetch trust account " + "password for domain %s\n", lp_workgroup())); return WINBINDD_ERROR; } - if (!cm_get_dc_name(lp_workgroup(), auth_dc)) { - DEBUG(3, ("Could not find dc for workgroup %s\n", - lp_workgroup())); + /* We really don't care what LUID we give the user. */ + + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + if (!(cli = cm_get_netlogon_cli(lp_workgroup(), trust_passwd))) { + DEBUG(3, ("could not open handle to NETLOGON pipe\n")); return WINBINDD_ERROR; } - /* So domain_client_validate() actually opens a new connection - for each authentication performed. This can theoretically - be optimised to use an already open IPC$ connection. */ + result = cli_nt_login_network(cli, user_info, smb_uid_low, + &ctr, &info3); - result = domain_client_validate(user_info, &server_info, - auth_dc, trust_passwd, - last_change_time); + free_user_info(&user_info); - free_server_info(&server_info); /* No info needed */ + cli_shutdown(cli); return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } @@ -118,11 +122,15 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) { NTSTATUS result; - fstring name_domain, name_user, auth_dc; + fstring name_domain, name_user; unsigned char trust_passwd[16]; time_t last_change_time; + auth_usersupplied_info *user_info; - auth_serversupplied_info *server_info; + uint32 smb_uid_low; + NET_USER_INFO_3 info3; + NET_ID_INFO_CTR ctr; + struct cli_state *cli; DEBUG(3, ("[%5d]: pam auth crap %s\n", state->pid, state->request.data.auth_crap.user)); @@ -132,36 +140,42 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) parse_domain_user(state->request.data.auth_crap.user, name_domain, name_user); - make_user_info_winbind_crap(&user_info, name_user, - name_domain, state->request.data.auth_crap.chal, - (uchar *)state->request.data.auth_crap.lm_resp, 24, - (uchar *)state->request.data.auth_crap.nt_resp, 24); + make_user_info_winbind_crap( + &user_info, name_user, + name_domain, state->request.data.auth_crap.chal, + (uchar *)state->request.data.auth_crap.lm_resp, + state->request.data.auth_crap.lm_resp_len, + (uchar *)state->request.data.auth_crap.nt_resp, + state->request.data.auth_crap.nt_resp_len); /* * Get the machine account password for our primary domain */ - if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) - { - DEBUG(0, ("winbindd_pam_auth: could not fetch trust account password for domain %s\n", lp_workgroup())); + if (!secrets_fetch_trust_account_password( + lp_workgroup(), trust_passwd, &last_change_time)) { + DEBUG(0, ("winbindd_pam_auth: could not fetch trust account " + "password for domain %s\n", lp_workgroup())); return WINBINDD_ERROR; } - if (!cm_get_dc_name(lp_workgroup(), auth_dc)) { - DEBUG(3, ("Could not find dc for workgroup %s\n", - lp_workgroup())); + /* We really don't care what LUID we give the user. */ + + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + if (!(cli = cm_get_netlogon_cli(lp_workgroup(), trust_passwd))) { + DEBUG(3, ("could not open handle to NETLOGON pipe\n")); return WINBINDD_ERROR; } - /* So domain_client_validate() actually opens a new connection - for each authentication performed. This can theoretically - be optimised to use an already open IPC$ connection. */ + result = cli_nt_login_network(cli, user_info, smb_uid_low, + &ctr, &info3); - result = domain_client_validate(user_info, &server_info, - auth_dc, trust_passwd, - last_change_time); + free_user_info(&user_info); - free_server_info(&server_info); /* No info needed */ + cli_shutdown(cli); return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } diff --git a/source3/nsswitch/winbindd_proto.h b/source3/nsswitch/winbindd_proto.h index 8e80b1da71..682bf81a54 100644 --- a/source3/nsswitch/winbindd_proto.h +++ b/source3/nsswitch/winbindd_proto.h @@ -55,6 +55,7 @@ CLI_POLICY_HND *cm_get_sam_user_handle(char *domain, DOM_SID *domain_sid, uint32 user_rid); CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid, uint32 group_rid); +struct cli_state *cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd); /* The following definitions come from nsswitch/winbindd_group.c */ -- cgit