From 6ef65389fd2f2bdcafe840e0cd0221bb9f26bdfc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 26 May 2009 12:31:39 +1000 Subject: Don't use crossRef records to find our own domain A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett --- source4/auth/auth.h | 8 ++- source4/auth/ntlm/auth_sam.c | 144 ++++++++----------------------------------- source4/auth/sam.c | 49 +++++---------- 3 files changed, 47 insertions(+), 154 deletions(-) (limited to 'source4/auth') diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 973102d842..f6d739325d 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -221,24 +221,26 @@ struct auth_critical_sizes { struct ldb_message; struct ldb_context; +struct ldb_dn; struct gensec_security; NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal); NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, uint32_t logon_parameters, + struct ldb_dn *domain_dn, struct ldb_message *msg, - struct ldb_message *msg_domain_ref, const char *logon_workstation, const char *name_for_logs, bool allow_domain_trust); struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, + const char *domain_name, + struct ldb_dn *domain_dn, struct ldb_message *msg, - struct ldb_message *msg_domain_ref, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, - struct auth_serversupplied_info **_server_info); + struct auth_serversupplied_info **_server_info); NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info) ; diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index e99d0e1f51..75ed3243d4 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -42,26 +42,12 @@ extern const char *domain_ref_attrs[]; static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *account_name, - const char *domain_name, - struct ldb_message ***ret_msgs, - struct ldb_message ***ret_msgs_domain_ref) + struct ldb_dn *domain_dn, + struct ldb_message ***ret_msgs) { - struct ldb_message **msgs_tmp; struct ldb_message **msgs; - struct ldb_message **msgs_domain_ref; - struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); int ret; - int ret_domain; - - struct ldb_dn *domain_dn = NULL; - - if (domain_name) { - domain_dn = samdb_domain_to_dn(sam_ctx, mem_ctx, domain_name); - if (!domain_dn) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - } /* pull the user attributes */ ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, user_attrs, @@ -72,8 +58,8 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * } if (ret == 0) { - DEBUG(3,("sam_search_user: Couldn't find user [%s\\%s] in samdb, under %s\n", - domain_name, account_name, ldb_dn_get_linearized(domain_dn))); + DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n", + account_name, ldb_dn_get_linearized(domain_dn))); return NT_STATUS_NO_SUCH_USER; } @@ -82,57 +68,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * return NT_STATUS_INTERNAL_DB_CORRUPTION; } - if (!domain_dn) { - struct dom_sid *domain_sid; - - domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); - if (!domain_sid) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* find the domain's DN */ - ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL, - "(&(objectSid=%s)(objectClass=domain))", - ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); - if (ret == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (ret == 0) { - DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n", - dom_sid_string(mem_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - - if (ret > 1) { - DEBUG(0,("Found %d records matching domain_sid [%s]\n", - ret, dom_sid_string(mem_ctx, domain_sid))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - domain_dn = msgs_tmp[0]->dn; - } - - ret_domain = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &msgs_domain_ref, domain_ref_attrs, - "(nCName=%s)", ldb_dn_get_linearized(domain_dn)); - if (ret_domain == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (ret_domain == 0) { - DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", - ldb_dn_get_linearized(msgs_tmp[0]->dn))); - return NT_STATUS_NO_SUCH_USER; - } - - if (ret_domain > 1) { - DEBUG(0,("Found %d records matching domain [%s]\n", - ret_domain, ldb_dn_get_linearized(msgs_tmp[0]->dn))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - *ret_msgs = msgs; - *ret_msgs_domain_ref = msgs_domain_ref; return NT_STATUS_OK; } @@ -210,14 +146,13 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context, static NTSTATUS authsam_authenticate(struct auth_context *auth_context, TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, + struct ldb_dn *domain_dn, struct ldb_message **msgs, - struct ldb_message **msgs_domain_ref, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) { struct samr_Password *lm_pwd, *nt_pwd; NTSTATUS nt_status; - struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msgs_domain_ref[0], "nCName", NULL); uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msgs[0], domain_dn); @@ -245,8 +180,8 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context, nt_status = authsam_account_ok(mem_ctx, sam_ctx, user_info->logon_parameters, + domain_dn, msgs[0], - msgs_domain_ref[0], user_info->workstation_name, user_info->mapped.account_name, false); @@ -258,15 +193,14 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context, static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, - const char *domain, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info) { NTSTATUS nt_status; const char *account_name = user_info->mapped.account_name; struct ldb_message **msgs; - struct ldb_message **domain_ref_msgs; struct ldb_context *sam_ctx; + struct ldb_dn *domain_dn; DATA_BLOB user_sess_key, lm_sess_key; TALLOC_CTX *tmp_ctx; @@ -286,13 +220,19 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_INVALID_SYSTEM_SERVICE; } - nt_status = authsam_search_account(tmp_ctx, sam_ctx, account_name, domain, &msgs, &domain_ref_msgs); + domain_dn = ldb_get_default_basedn(sam_ctx); + if (domain_dn == NULL) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_SUCH_DOMAIN; + } + + nt_status = authsam_search_account(tmp_ctx, sam_ctx, account_name, domain_dn, &msgs); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, sam_ctx, msgs, domain_ref_msgs, user_info, + nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, sam_ctx, domain_dn, msgs, user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -300,7 +240,9 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx } nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(ctx->auth_ctx->lp_ctx), - msgs[0], domain_ref_msgs[0], + lp_sam_name(ctx->auth_ctx->lp_ctx), + domain_dn, + msgs[0], user_sess_key, lm_sess_key, server_info); if (!NT_STATUS_IS_OK(nt_status)) { @@ -325,14 +267,6 @@ static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx, return NT_STATUS_OK; } -static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) -{ - return authsam_check_password_internals(ctx, mem_ctx, NULL, user_info, server_info); -} - /**************************************************************************** Check SAM security (above) but with a few extra checks. ****************************************************************************/ @@ -377,34 +311,6 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } -/**************************************************************************** -Check SAM security (above) but with a few extra checks. -****************************************************************************/ -static NTSTATUS authsam_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) -{ - const char *domain; - - /* check whether or not we service this domain/workgroup name */ - switch (lp_server_role(ctx->auth_ctx->lp_ctx)) { - case ROLE_STANDALONE: - case ROLE_DOMAIN_MEMBER: - domain = lp_netbios_name(ctx->auth_ctx->lp_ctx); - break; - - case ROLE_DOMAIN_CONTROLLER: - domain = lp_workgroup(ctx->auth_ctx->lp_ctx); - break; - - default: - return NT_STATUS_NO_SUCH_USER; - } - - return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info); -} - /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, @@ -417,9 +323,9 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, DATA_BLOB lm_sess_key = data_blob(NULL, 0); struct ldb_message **msgs; - struct ldb_message **msgs_domain_ref; struct ldb_context *sam_ctx; - + struct ldb_dn *domain_dn; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; @@ -433,14 +339,16 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, } nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, - &msgs, &msgs_domain_ref); + &domain_dn, &msgs); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(auth_context->lp_ctx), - msgs[0], msgs_domain_ref[0], + lp_workgroup(auth_context->lp_ctx), + domain_dn, + msgs[0], user_sess_key, lm_sess_key, server_info); if (NT_STATUS_IS_OK(nt_status)) { @@ -454,7 +362,7 @@ static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, .want_check = authsam_ignoredomain_want_check, - .check_password = authsam_ignoredomain_check_password, + .check_password = authsam_check_password_internals, .get_server_info_principal = authsam_get_server_info_principal }; @@ -462,7 +370,7 @@ static const struct auth_operations sam_ops = { .name = "sam", .get_challenge = auth_get_challenge_not_implemented, .want_check = authsam_want_check, - .check_password = authsam_check_password, + .check_password = authsam_check_password_internals, .get_server_info_principal = authsam_get_server_info_principal }; diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 819bca0db0..ebdf1932af 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -139,21 +139,19 @@ static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) (ie not disabled, expired and the like). ****************************************************************************/ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, - struct ldb_context *sam_ctx, - uint32_t logon_parameters, - struct ldb_message *msg, - struct ldb_message *msg_domain_ref, - const char *logon_workstation, - const char *name_for_logs, - bool allow_domain_trust) + struct ldb_context *sam_ctx, + uint32_t logon_parameters, + struct ldb_dn *domain_dn, + struct ldb_message *msg, + const char *logon_workstation, + const char *name_for_logs, + bool allow_domain_trust) { uint16_t acct_flags; const char *workstation_list; NTTIME acct_expiry; NTTIME must_change_time; - struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL)); - NTTIME now; DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs)); @@ -256,8 +254,9 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, + const char *domain_name, + struct ldb_dn *domain_dn, struct ldb_message *msg, - struct ldb_message *msg_domain_ref, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, struct auth_serversupplied_info **_server_info) { @@ -269,7 +268,6 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte struct dom_sid **groupSIDs = NULL; struct dom_sid *account_sid; struct dom_sid *primary_group_sid; - struct ldb_dn *domain_dn; const char *str; struct ldb_dn *ncname; int i; @@ -327,7 +325,8 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL)); - server_info->domain_name = talloc_steal(server_info, samdb_result_string(msg_domain_ref, "nETBIOSName", NULL)); + server_info->domain_name = talloc_strdup(server_info, domain_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); str = samdb_result_string(msg, "displayName", ""); server_info->full_name = talloc_strdup(server_info, str); @@ -357,10 +356,6 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->acct_expiry = samdb_result_account_expires(msg); server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); - ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL); - if (!ncname) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, ncname, msg, "pwdLastSet"); @@ -371,8 +366,6 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->logon_count = samdb_result_uint(msg, "logonCount", 0); server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0); - domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL); - server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); @@ -388,34 +381,24 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, const char *principal, - struct ldb_message ***msgs, - struct ldb_message ***msgs_domain_ref) + struct ldb_dn **domain_dn, + struct ldb_message ***msgs) { - struct ldb_dn *user_dn, *domain_dn; + struct ldb_dn *user_dn; NTSTATUS nt_status; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); int ret; - struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn); + nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, domain_dn); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - /* grab domain info from the reference */ - ret = gendb_search(sam_ctx, tmp_ctx, partitions_basedn, msgs_domain_ref, domain_ref_attrs, - "(ncName=%s)", ldb_dn_get_linearized(domain_dn)); - - if (ret != 1) { - talloc_free(tmp_ctx); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - /* pull the user attributes */ ret = gendb_search_dn(sam_ctx, tmp_ctx, user_dn, msgs, user_attrs); if (ret != 1) { @@ -423,7 +406,7 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, return NT_STATUS_INTERNAL_DB_CORRUPTION; } talloc_steal(mem_ctx, *msgs); - talloc_steal(mem_ctx, *msgs_domain_ref); + talloc_steal(mem_ctx, *domain_dn); talloc_free(tmp_ctx); return NT_STATUS_OK; -- cgit