From a85f5bc268a1c13334b86ac3a44a026359c09371 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 23 Apr 1998 18:54:57 +0000 Subject: genrand.c: Changed SMB_PASSWD_FILE to lp_smb_passwd_file(). password.c: Started the initial code for domain_client_validate(). All bracketed with #ifdef DOMAIN_CLIENT for now. reply.c: Call to domain_client_validate(). All bracketed with #ifdef DOMAIN_CLIENT for now. smbpass.c: New code to get/set machine passwords. Tidied up nesting of lock calls. Jeremy. (This used to be commit 89fe059a6816f32d2cc5c4c04c4089b60590e7e6) --- source3/include/proto.h | 10 +- source3/lib/genrand.c | 2 +- source3/passdb/smbpass.c | 255 +++++++++++++++++++++++++++++++++++++++++------ source3/smbd/password.c | 73 ++++++++++++++ source3/smbd/reply.c | 109 ++++++++++---------- 5 files changed, 359 insertions(+), 90 deletions(-) (limited to 'source3') diff --git a/source3/include/proto.h b/source3/include/proto.h index da1293fa69..9bba68df48 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1525,6 +1525,9 @@ struct cli_state *server_cryptkey(void); BOOL server_validate(char *user, char *domain, char *pass, int passlen, char *ntpass, int ntpasslen); +BOOL domain_client_validate( char *user, char *domain, + char *smb_apasswd, int smb_apasslen, + char *smb_ntpasswd, int smb_ntpasslen); /*The following definitions come from pcap.c */ @@ -1713,8 +1716,6 @@ char *smb_errstr(char *inbuf); /*The following definitions come from smbpass.c */ -int pw_file_lock(int fd, int type, int secs); -int pw_file_unlock(int fd); void *startsmbpwent(BOOL update); void endsmbpwent(void *vp); struct smb_passwd *getsmbpwent(void *vp); @@ -1725,6 +1726,11 @@ struct smb_passwd *getsmbpwuid(unsigned int uid); char *encode_acct_ctrl(uint16 acct_ctrl); BOOL add_smbpwd_entry(struct smb_passwd *newpwd); BOOL mod_smbpwd_entry(struct smb_passwd* pwd); +void *machine_password_lock( char *doman, char *name, BOOL update); +BOOL machine_password_unlock( void *token ); +BOOL get_machine_account_password( void *mach_tok, unsigned char *ret_pwd, + time_t *last_change_time); +BOOL set_machine_account_password( void *mach_tok, unsigned char *md4_new_pwd); /*The following definitions come from status.c */ diff --git a/source3/lib/genrand.c b/source3/lib/genrand.c index e20f054504..3eae47486f 100644 --- a/source3/lib/genrand.c +++ b/source3/lib/genrand.c @@ -143,7 +143,7 @@ static uint32 do_reseed(unsigned char *md4_outbuf) /* possibly add in some secret file contents */ do_filehash("/etc/shadow", &md4_inbuf[0]); - do_filehash(SMB_PASSWD_FILE, &md4_inbuf[16]); + do_filehash(lp_smb_passwd_file(), &md4_inbuf[16]); /* add in the root encrypted password. On any system where security is taken seriously this will be secret */ diff --git a/source3/passdb/smbpass.c b/source3/passdb/smbpass.c index f247cc100e..f3b38c43e7 100644 --- a/source3/passdb/smbpass.c +++ b/source3/passdb/smbpass.c @@ -38,7 +38,7 @@ static void gotalarm_sig(void) seconds. ****************************************************************/ -static int do_pw_lock(int fd, int waitsecs, int type) +static BOOL do_pw_lock(int fd, int waitsecs, int type) { struct flock lock; int ret; @@ -60,9 +60,10 @@ static int do_pw_lock(int fd, int waitsecs, int type) if (gotalarm) { DEBUG(0, ("do_pw_lock: failed to %s SMB passwd file.\n", type == F_UNLCK ? "unlock" : "lock")); - return -1; + return False; } - return ret; + + return ((ret == 0) ? True : False); } static int pw_file_lock_depth; @@ -71,35 +72,41 @@ static int pw_file_lock_depth; Lock an fd. Abandon after waitsecs seconds. ****************************************************************/ -int pw_file_lock(int fd, int type, int secs) +static BOOL pw_file_lock(int fd, int type, int secs, int *plock_depth) { if (fd < 0) - return (-1); + return False; + + (*plock_depth)++; + if(pw_file_lock_depth == 0) { if (do_pw_lock(fd, secs, type)) { - return -1; + DEBUG(10,("pw_file_lock: locking file failed, error = %s.\n", + strerror(errno))); + return False; } } - pw_file_lock_depth++; - - return fd; + return True; } /*************************************************************** Unlock an fd. Abandon after waitsecs seconds. ****************************************************************/ -int pw_file_unlock(int fd) +static BOOL pw_file_unlock(int fd, int *plock_depth) { - int ret = 0; + BOOL ret; - if(pw_file_lock_depth == 1) - ret = do_pw_lock(fd, 5, F_UNLCK); + if(*plock_depth == 1) + ret = do_pw_lock(fd, 5, F_UNLCK); - pw_file_lock_depth--; + (*plock_depth)--; - return ret; + if(ret == False) + DEBUG(10,("pw_file_unlock: unlocking file failed, error = %s.\n", + strerror(errno))); + return ret; } /*************************************************************** @@ -128,7 +135,7 @@ void *startsmbpwent(BOOL update) /* Set a 16k buffer to do more efficient reads */ setvbuf(fp, s_readbuf, _IOFBF, sizeof(s_readbuf)); - if ((pw_file_lock(fileno(fp), F_RDLCK | (update ? F_WRLCK : 0), 5)) < 0) { + if ((pw_file_lock(fileno(fp), F_RDLCK | (update ? F_WRLCK : 0), 5, &pw_file_lock_depth)) == False) { DEBUG(0, ("startsmbpwent: unable to lock file %s\n", pfile)); fclose(fp); return NULL; @@ -149,7 +156,7 @@ void endsmbpwent(void *vp) { FILE *fp = (FILE *)vp; - pw_file_unlock(fileno(fp)); + pw_file_unlock(fileno(fp), &pw_file_lock_depth); fclose(fp); DEBUG(7, ("endsmbpwent: closed password file.\n")); } @@ -764,7 +771,9 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) /* Set a 16k buffer to do more efficient reads */ setvbuf(fp, readbuf, _IOFBF, sizeof(readbuf)); - if ((lockfd = pw_file_lock(fileno(fp), F_RDLCK | F_WRLCK, 5)) < 0) { + lockfd = fileno(fp); + + if (pw_file_lock(lockfd, F_RDLCK | F_WRLCK, 5, &pw_file_lock_depth) == False) { DEBUG(0, ("mod_smbpwd_entry: unable to lock file %s\n", pfile)); fclose(fp); return False; @@ -782,10 +791,10 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) linebuf[0] = '\0'; - fgets(linebuf, 256, fp); + fgets(linebuf, sizeof(linebuf), fp); if (ferror(fp)) { + pw_file_unlock(lockfd, &pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } @@ -861,8 +870,8 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) if (!isdigit(*p)) { DEBUG(0, ("mod_smbpwd_entry: malformed password entry (uid not number)\n")); + pw_file_unlock(lockfd, &pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } @@ -870,8 +879,8 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) p++; if (*p != ':') { DEBUG(0, ("mod_smbpwd_entry: malformed password entry (no : after uid)\n")); + pw_file_unlock(lockfd, &pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } @@ -888,28 +897,28 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) if (*p == '*' || *p == 'X') { /* Password deliberately invalid - end here. */ DEBUG(10, ("get_smbpwd_entry: entry invalidated for user %s\n", user_name)); + pw_file_unlock(lockfd, &pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) { DEBUG(0, ("mod_smbpwd_entry: malformed password entry (passwd too short)\n")); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return (False); } if (p[32] != ':') { DEBUG(0, ("mod_smbpwd_entry: malformed password entry (no terminating :)\n")); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } if (*p == '*' || *p == 'X') { + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } @@ -919,15 +928,15 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) the lanman password. */ if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) { DEBUG(0, ("mod_smbpwd_entry: malformed password entry (passwd too short)\n")); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return (False); } if (p[32] != ':') { DEBUG(0, ("mod_smbpwd_entry: malformed password entry (no terminating :)\n")); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } @@ -989,23 +998,23 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) if (lseek(fd, pwd_seekpos - 1, SEEK_SET) != pwd_seekpos - 1) { DEBUG(0, ("mod_smbpwd_entry: seek fail on file %s.\n", pfile)); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } /* Sanity check - ensure the character is a ':' */ if (read(fd, &c, 1) != 1) { DEBUG(0, ("mod_smbpwd_entry: read fail on file %s.\n", pfile)); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } if (c != ':') { DEBUG(0, ("mod_smbpwd_entry: check on passwd file %s failed.\n", pfile)); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } @@ -1053,12 +1062,192 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd) if (write(fd, ascii_p16, wr_len) != wr_len) { DEBUG(0, ("mod_smbpwd_entry: write failed in passwd file %s\n", pfile)); + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return False; } + pw_file_unlock(lockfd,&pw_file_lock_depth); fclose(fp); - pw_file_unlock(lockfd); return True; } + +#ifdef DOMAIN_CLIENT + +static int mach_passwd_lock_depth; + +/************************************************************************ + Routine to lock the machine account password file for a domain. +************************************************************************/ + +void *machine_password_lock( char *domain, char *name, BOOL update) +{ + FILE *fp; + pstring mac_file; + unsigned int mac_file_len; + char *p; + + if(mach_passwd_lock_depth == 0) { + pstrcpy(mac_file, lp_smb_passwd_file()); + p = strrchr(mac_file, '/'); + if(p != NULL) + *++p = '\0'; + mac_file_len = strlen(mac_file); + if(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) { + DEBUG(0,("machine_password_lock: path %s too long to add machine details.\n", + mac_file)); + return NULL; + } + + strcat(mac_file, domain); + strcat(mac_file, "."); + strcat(mac_file, name); + strcat(mac_file, ".mac"); + + if((fp = fopen(mac_file, "r+b")) == 0) { + DEBUG(0,("machine_password_lock: cannot open file %s. Error was %s.\n", + mac_file, strerror(errno) )); + return NULL; + } + + chmod(mac_file, 0600); + } + + if(pw_file_lock(fileno(fp), F_RDLCK | (update ? F_WRLCK : 0), + 60, &mach_passwd_lock_depth) == False) { + DEBUG(0,("machine_password_lock: cannot lock file %s.\n", mac_file)); + fclose(fp); + return NULL; + } + + return (void *)fp; +} + +/************************************************************************ + Routine to unlock the machine account password file for a domain. +************************************************************************/ + +BOOL machine_password_unlock( void *token ) +{ + FILE *fp = (FILE *)token; + BOOL ret = pw_file_unlock(fileno(fp), &mach_passwd_lock_depth); + if(mach_passwd_lock_depth == 0) + fclose(fp); + return ret; +} + +/************************************************************************ + Routine to get the machine account password for a domain. + The user of this function must have locked the machine password file. +************************************************************************/ + +BOOL get_machine_account_password( void *mach_tok, unsigned char *ret_pwd, + time_t *last_change_time) +{ + FILE *fp = (FILE *)mach_tok; + char linebuf[256]; + char *p; + int i; + + linebuf[0] = '\0'; + + *last_change_time = (time_t)0; + memset(ret_pwd, '\0', 16); + + if(fseek( fp, 0L, SEEK_SET) == -1) { + DEBUG(0,("get_machine_account_password: Failed to seek to start of file. Error was %s.\n", + strerror(errno) )); + return False; + } + + fgets(linebuf, sizeof(linebuf), fp); + if(ferror(fp)) { + DEBUG(0,("get_machine_account_password: Failed to read password. Error was %s.\n", + strerror(errno) )); + return False; + } + + /* + * The length of the line read + * must be 45 bytes ( <---XXXX 32 bytes-->:TLC-12345678 + */ + + if(strlen(linebuf) != 45) { + DEBUG(0,("get_machine_account_password: Malformed machine password file (wrong length).\n")); +#ifdef DEBUG_PASSWORD + DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf)); +#endif + return False; + } + + /* + * Get the hex password. + */ + + if (!gethexpwd((char *)linebuf, (char *)ret_pwd) || linebuf[32] != ':' || + strncmp(&linebuf[33], "TLC-", 4)) { + DEBUG(0,("get_machine_account_password: Malformed machine password file (incorrect format).\n")); +#ifdef DEBUG_PASSWORD + DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf)); +#endif + return False; + } + + /* + * Get the last changed time. + */ + p = &linebuf[37]; + + for(i = 0; i < 8; i++) { + if(p[i] == '\0' || !isxdigit(p[i])) { + DEBUG(0,("get_machine_account_password: Malformed machine password file (no timestamp).\n")); +#ifdef DEBUG_PASSWORD + DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf)); +#endif + return False; + } + } + + /* + * p points at 8 characters of hex digits - + * read into a time_t as the seconds since + * 1970 that the password was last changed. + */ + + *last_change_time = (time_t)strtol(p, NULL, 16); + + return True; +} + +/************************************************************************ + Routine to get the machine account password for a domain. + The user of this function must have locked the machine password file. +************************************************************************/ + +BOOL set_machine_account_password( void *mach_tok, unsigned char *md4_new_pwd) +{ + char linebuf[64]; + int i; + FILE *fp = (FILE *)mach_tok; + + if(fseek( fp, 0L, SEEK_SET) == -1) { + DEBUG(0,("set_machine_account_password: Failed to seek to start of file. Error was %s.\n", + strerror(errno) )); + return False; + } + + for (i = 0; i < 16; i++) + sprintf(&linebuf[(i*2)], "%02X", md4_new_pwd[i]); + + sprintf(&linebuf[32], ":TLC-%08X\n", (unsigned)time(NULL)); + + if(fwrite( linebuf, 1, 45, fp)!= 45) { + DEBUG(0,("set_machine_account_password: Failed to write file. Warning - the machine \ +machine account is now invalid. Please recreate. Error was %s.\n", strerror(errno) )); + return False; + } + + fflush(fp); + return True; +} +#endif /* DOMAIN_CLIENT */ diff --git a/source3/smbd/password.c b/source3/smbd/password.c index c347f2de0d..04a1795e7f 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -31,6 +31,8 @@ extern int Protocol; /* users from session setup */ static pstring session_users=""; +extern pstring myname; + /* these are kept here to keep the string_combinations function simple */ static char this_user[100]=""; static char this_salt[100]=""; @@ -1860,3 +1862,74 @@ use this machine as the password server.\n")); return(True); } + +#ifdef DOMAIN_CLIENT +BOOL domain_client_validate( char *user, char *domain, + char *smb_apasswd, int smb_apasslen, + char *smb_ntpasswd, int smb_ntpasslen) +{ + unsigned char local_lm_hash[21]; + unsigned char local_nt_hash[21]; + unsigned char local_challenge[8]; + unsigned char local_lm_response[24]; + unsigned char local_nt_reponse[24]; + BOOL encrypted = True; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal( domain, myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return False; + } + + /* + * Next, check that the passwords given were encrypted. + */ + + if(smb_apasslen != 24 || smb_ntpasslen != 24) { + + /* + * Not encrypted - do so. + */ + + DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); + encrypted = False; + memset(local_lm_hash, '\0', sizeof(local_lm_hash)); + E_P16((uchar *) smb_apasswd, local_lm_hash); + memset(local_nt_hash, '\0', sizeof(local_nt_hash)); + E_md4hash((uchar *) smb_ntpasswd, local_nt_hash); + generate_random_buffer( local_challenge, 8, False); + E_P24(local_lm_hash, local_challenge, local_lm_response); + E_P24(local_nt_hash, local_challenge, local_nt_reponse); + smb_apasslen = 24; + smb_ntpasslen = 24; + smb_apasswd = (char *)local_lm_response; + smb_ntpasswd = (char *)local_nt_reponse; + } else { + + /* + * Encrypted - get the challenge we sent for these + * responses. + */ + + if (!last_challenge(local_challenge)) { + DEBUG(0,("domain_client_validate: no challenge done - password failed\n")); + return False; + } + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + return False; +} +#endif /* DOMAIN_CLIENT */ diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 2f3b3660fc..4472aa16e6 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -377,65 +377,66 @@ static int session_trust_account(char *inbuf, char *outbuf, char *user, char *smb_passwd, int smb_passlen, char *smb_nt_passwd, int smb_nt_passlen) { - struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */ - if (lp_security() == SEC_USER) - { - smb_trust_acct = getsmbpwnam(user); - } - else - { - DEBUG(3,("Trust account %s only supported with security = user\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); - } + struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */ + if (lp_security() == SEC_USER) + { + smb_trust_acct = getsmbpwnam(user); + } + else + { + DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + } - if (smb_trust_acct == NULL) - { - /* lkclXXXX: workstation entry doesn't exist */ - DEBUG(4,("Trust account %s user doesn't exist\n",user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER)); - } - else - { - if ((smb_passlen != 24) || (smb_nt_passlen != 24)) - { - DEBUG(4,("Trust account %s - password length wrong.\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); - } + if (smb_trust_acct == NULL) + { + /* lkclXXXX: workstation entry doesn't exist */ + DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER)); + } + else + { + if ((smb_passlen != 24) || (smb_nt_passlen != 24)) + { + DEBUG(0,("session_trust_account: Trust account %s - password length wrong.\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + } - if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd)) - { - DEBUG(4,("Trust Account %s - password failed\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); - } + if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd)) + { + DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + } - if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST)) - { - DEBUG(4,("Domain trust account %s denied by server\n",user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)); - } + if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST)) + { + DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)); + } - if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST)) - { - DEBUG(4,("Server trust account %s denied by server\n",user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)); - } - if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST)) - { - DEBUG(4,("Wksta trust account %s denied by server\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)); - } - } + if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST)) + { + DEBUG(0,("session_trust_account: Server trust account %s denied by server\n",user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)); + } + + if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST)) + { + DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)); + } + } - /* don't know what to do: indicate logon failure */ - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + /* don't know what to do: indicate logon failure */ + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); } -- cgit