From ef2e26c91b80556af033d3335e55f5dfa6fff31d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 13 Aug 2003 01:53:07 +0000 Subject: first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f) --- source4/utils/ntlm_auth.c | 551 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 551 insertions(+) create mode 100644 source4/utils/ntlm_auth.c (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c new file mode 100644 index 0000000000..b76308c55f --- /dev/null +++ b/source4/utils/ntlm_auth.c 
@@ -0,0 +1,551 @@ +/* + Unix SMB/CIFS implementation. + + Winbind status program. + + Copyright (C) Tim Potter 2000-2002 + Copyright (C) Andrew Bartlett 2003 + Copyright (C) Francesco Chemolli 2000 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_WINBIND + +#define SQUID_BUFFER_SIZE 2010 + +enum squid_mode { + SQUID_2_4_BASIC, + SQUID_2_5_BASIC, + SQUID_2_5_NTLMSSP +}; + + +extern int winbindd_fd; + +static const char *helper_protocol; +static const char *username; +static const char *domain; +static const char *workstation; +static const char *hex_challenge; +static const char *hex_lm_response; +static const char *hex_nt_response; +static unsigned char *challenge; +static size_t challenge_len; +static unsigned char *lm_response; +static size_t lm_response_len; +static unsigned char *nt_response; +static size_t nt_response_len; + +static char *password; + +static char winbind_separator(void) +{ + struct winbindd_response response; + static BOOL got_sep; + static char sep; + + if (got_sep) + return sep; + + ZERO_STRUCT(response); + + /* Send off request */ + + if (winbindd_request(WINBINDD_INFO, NULL, &response) != + NSS_STATUS_SUCCESS) { + d_printf("could not obtain winbind separator!\n"); + return '\\'; + } + + sep = response.data.info.winbind_separator; + got_sep = 
True; + + if (!sep) { + d_printf("winbind separator was NULL!\n"); + return '\\'; + } + + return sep; +} + +static const char *get_winbind_domain(void) +{ + struct winbindd_response response; + + static fstring winbind_domain; + if (*winbind_domain) { + return winbind_domain; + } + + ZERO_STRUCT(response); + + /* Send off request */ + + if (winbindd_request(WINBINDD_DOMAIN_NAME, NULL, &response) != + NSS_STATUS_SUCCESS) { + d_printf("could not obtain winbind domain name!\n"); + return NULL; + } + + fstrcpy(winbind_domain, response.data.domain_name); + + return winbind_domain; + +} + +static const char *get_winbind_netbios_name(void) +{ + struct winbindd_response response; + + static fstring winbind_netbios_name; + + if (*winbind_netbios_name) { + return winbind_netbios_name; + } + + ZERO_STRUCT(response); + + /* Send off request */ + + if (winbindd_request(WINBINDD_NETBIOS_NAME, NULL, &response) != + NSS_STATUS_SUCCESS) { + d_printf("could not obtain winbind netbios name!\n"); + return NULL; + } + + fstrcpy(winbind_netbios_name, response.data.netbios_name); + + return winbind_netbios_name; + +} + +/* Authenticate a user with a plaintext password */ + +static BOOL check_plaintext_auth(const char *user, const char *pass, BOOL stdout_diagnostics) +{ + struct winbindd_request request; + struct winbindd_response response; + NSS_STATUS result; + + /* Send off request */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + fstrcpy(request.data.auth.user, user); + fstrcpy(request.data.auth.pass, pass); + + result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response); + + /* Display response */ + + if (stdout_diagnostics) { + if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { + d_printf("Reading winbind reply failed! 
(0x01)\n"); + } + + d_printf("%s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); + } else { + if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { + DEBUG(1, ("Reading winbind reply failed! (0x01)\n")); + } + + DEBUG(3, ("%s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status)); + } + + return (result == NSS_STATUS_SUCCESS); +} + +static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state) +{ + struct winbindd_request request; + struct winbindd_response response; + NSS_STATUS result; + /* Send off request */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + fstrcpy(request.data.auth_crap.user, ntlmssp_state->user); + + fstrcpy(request.data.auth_crap.domain, ntlmssp_state->domain); + fstrcpy(request.data.auth_crap.workstation, ntlmssp_state->workstation); + + memcpy(request.data.auth_crap.chal, ntlmssp_state->chal.data, + MIN(ntlmssp_state->chal.length, 8)); + + memcpy(request.data.auth_crap.lm_resp, ntlmssp_state->lm_resp.data, + MIN(ntlmssp_state->lm_resp.length, sizeof(request.data.auth_crap.lm_resp))); + + memcpy(request.data.auth_crap.nt_resp, ntlmssp_state->lm_resp.data, + MIN(ntlmssp_state->nt_resp.length, sizeof(request.data.auth_crap.nt_resp))); + + request.data.auth_crap.lm_resp_len = ntlmssp_state->lm_resp.length; + request.data.auth_crap.nt_resp_len = ntlmssp_state->nt_resp.length; + + result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + + /* Display response */ + + if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS(response.data.auth.nt_status); +} + +static void manage_squid_ntlmssp_request(enum squid_mode squid_mode, + char *buf, int length) +{ + static NTLMSSP_STATE *ntlmssp_state; + DATA_BLOB request, reply; + NTSTATUS nt_status; + + if (!ntlmssp_state) { + ntlmssp_server_start(&ntlmssp_state); + ntlmssp_state->check_password = winbind_pw_check; 
+ ntlmssp_state->get_domain = get_winbind_domain; + ntlmssp_state->get_global_myname = get_winbind_netbios_name; + } + + if (strlen(buf) < 3) { + x_fprintf(x_stdout, "BH\n"); + return; + } + + request = base64_decode_data_blob(buf + 3); + + DEBUG(0, ("got NTLMSSP packet:\n")); + dump_data(0, request.data, request.length); + + nt_status = ntlmssp_server_update(ntlmssp_state, request, &reply); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + char *reply_base64 = base64_encode_data_blob(reply); + x_fprintf(x_stdout, "TT %s\n", reply_base64); + SAFE_FREE(reply_base64); + data_blob_free(&reply); + } else if (!NT_STATUS_IS_OK(nt_status)) { + x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); + } else { + x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user); + } + + data_blob_free(&request); +} + +static void manage_squid_basic_request(enum squid_mode squid_mode, + char *buf, int length) +{ + char *user, *pass; + user=buf; + + pass=memchr(buf,' ',length); + if (!pass) { + DEBUG(2, ("Password not found. Denying access\n")); + x_fprintf(x_stderr, "ERR\n"); + return; + } + *pass='\0'; + pass++; + + if (squid_mode == SQUID_2_5_BASIC) { + rfc1738_unescape(user); + rfc1738_unescape(pass); + } + + if (check_plaintext_auth(user, pass, False)) { + x_fprintf(x_stdout, "OK\n"); + } else { + x_fprintf(x_stdout, "ERR\n"); + } +} + +static void manage_squid_request(enum squid_mode squid_mode) +{ + char buf[SQUID_BUFFER_SIZE+1]; + int length; + char *c; + static BOOL err; + + if (x_fgets(buf, sizeof(buf)-1, x_stdin) == NULL) { + DEBUG(1, ("fgets() failed! dying..... 
errno=%d (%s)\n", errno, + strerror(errno))); + exit(1); /* BIIG buffer */ + } + + c=memchr(buf,'\n',sizeof(buf)-1); + if (c) { + *c = '\0'; + length = c-buf; + } else { + err = 1; + return; + } + if (err) { + DEBUG(2, ("Oversized message\n")); + x_fprintf(x_stderr, "ERR\n"); + err = 0; + return; + } + + DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length)); + + if (buf[0] == '\0') { + DEBUG(2, ("Invalid Request\n")); + x_fprintf(x_stderr, "ERR\n"); + return; + } + + if (squid_mode == SQUID_2_5_BASIC || squid_mode == SQUID_2_4_BASIC) { + manage_squid_basic_request(squid_mode, buf, length); + } else if (squid_mode == SQUID_2_5_NTLMSSP) { + manage_squid_ntlmssp_request(squid_mode, buf, length); + } +} + + +static void squid_stream(enum squid_mode squid_mode) { + /* initialize FDescs */ + x_setbuf(x_stdout, NULL); + x_setbuf(x_stderr, NULL); + while(1) { + manage_squid_request(squid_mode); + } +} + + +/* Authenticate a user with a challenge/response */ + +static BOOL check_auth_crap(void) +{ + struct winbindd_request request; + struct winbindd_response response; + NSS_STATUS result; + /* Send off request */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + fstrcpy(request.data.auth_crap.user, username); + + fstrcpy(request.data.auth_crap.domain, domain); + fstrcpy(request.data.auth_crap.workstation, workstation); + + memcpy(request.data.auth_crap.chal, challenge, MIN(challenge_len, 8)); + + memcpy(request.data.auth_crap.lm_resp, lm_response, MIN(lm_response_len, sizeof(request.data.auth_crap.lm_resp))); + + memcpy(request.data.auth_crap.nt_resp, nt_response, MIN(nt_response_len, sizeof(request.data.auth_crap.nt_resp))); + + request.data.auth_crap.lm_resp_len = lm_response_len; + request.data.auth_crap.nt_resp_len = nt_response_len; + + result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + + /* Display response */ + + if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { + d_printf("Reading winbind reply failed! 
(0x01)\n"); + } + + d_printf("%s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); + + return result == NSS_STATUS_SUCCESS; +} + +/* Main program */ + +enum { + OPT_USERNAME = 1000, + OPT_DOMAIN, + OPT_WORKSTATION, + OPT_CHALLENGE, + OPT_RESPONSE, + OPT_LM, + OPT_NT, + OPT_PASSWORD +}; + +/************************************************************* + Routine to set hex password characters into an allocated array. +**************************************************************/ + +static void hex_encode(const unsigned char *buff_in, size_t len, char **out_hex_buffer) +{ + int i; + char *hex_buffer; + + *out_hex_buffer = smb_xmalloc((len*2)+1); + hex_buffer = *out_hex_buffer; + + for (i = 0; i < len; i++) + slprintf(&hex_buffer[i*2], 3, "%02X", buff_in[i]); +} + +/************************************************************* + Routine to get the 32 hex characters and turn them + into a 16 byte array. +**************************************************************/ + +static BOOL hex_decode(const char *hex_buf_in, unsigned char **out_buffer, size_t *size) +{ + int i; + size_t hex_buf_in_len = strlen(hex_buf_in); + unsigned char partial_byte_hex; + unsigned char partial_byte; + const char *hexchars = "0123456789ABCDEF"; + char *p; + BOOL high = True; + + if (!hex_buf_in) + return (False); + + *size = (hex_buf_in_len + 1) / 2; + + *out_buffer = smb_xmalloc(*size); + + for (i = 0; i < hex_buf_in_len; i++) { + partial_byte_hex = toupper(hex_buf_in[i]); + + p = strchr(hexchars, partial_byte_hex); + + if (!p) + return (False); + + partial_byte = PTR_DIFF(p, hexchars); + + if (high) { + (*out_buffer)[i / 2] = (partial_byte << 4); + } else { + (*out_buffer)[i / 2] |= partial_byte; + } + high = !high; + } + return (True); +} + + +int main(int argc, const char **argv) +{ + int opt; + + poptContext pc; + struct poptOption long_options[] = { + POPT_AUTOHELP + + { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a 
stdio-based helper", "helper protocol to use"}, + { "username", 0, POPT_ARG_STRING, &username, OPT_USERNAME, "username"}, + { "domain", 0, POPT_ARG_STRING, &domain, OPT_DOMAIN, "domain name"}, + { "workstation", 0, POPT_ARG_STRING, &domain, OPT_WORKSTATION, "workstation"}, + { "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"}, + { "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"}, + { "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"}, + { "password", 0, POPT_ARG_STRING, &password, OPT_PASSWORD, "User's plaintext password"}, + { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debug }, + { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile }, + { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version}, + { 0, 0, 0, 0 } + }; + + /* Samba client initialisation */ + + dbf = x_stderr; + + /* Parse options */ + + pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0); + + /* Parse command line options */ + + if (argc == 1) { + poptPrintHelp(pc, stderr, 0); + return 1; + } + + pc = poptGetContext(NULL, argc, (const char **)argv, long_options, + POPT_CONTEXT_KEEP_FIRST); + + while((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + case OPT_CHALLENGE: + if (!hex_decode(hex_challenge, &challenge, &challenge_len)) { + fprintf(stderr, "hex decode of %s failed!\n", hex_challenge); + exit(1); + } + break; + case OPT_LM: + if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) { + fprintf(stderr, "hex decode of %s failed!\n", lm_response); + exit(1); + } + break; + case OPT_NT: + if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) { + fprintf(stderr, "hex decode of %s failed!\n", lm_response); + exit(1); + } + break; + } + } + + if (helper_protocol) { + if (strcmp(helper_protocol, "squid-2.5-ntlmssp")== 0) { + squid_stream(SQUID_2_5_NTLMSSP); + } else if (strcmp(helper_protocol, 
"squid-2.5-basic")== 0) {
+ squid_stream(SQUID_2_5_BASIC);
+ } else if (strcmp(helper_protocol, "squid-2.4-basic")== 0) {
+ squid_stream(SQUID_2_4_BASIC);
+ } else {
+ fprintf(stderr, "unknown helper protocol [%s]\n", helper_protocol);
+ exit(1);
+ }
+ }
+
+ if (domain == NULL) {
+ domain = get_winbind_domain();
+ }
+
+ if (workstation == NULL) {
+ workstation = "";
+ }
+
+ if (challenge) {
+ if (!check_auth_crap()) {
+ exit(1);
+ }
+ } else if (password) {
+ fstring user;
+ snprintf(user, sizeof(user)-1, "%s%c%s", domain, winbind_separator(), username);
+ if (!check_plaintext_auth(user, password, True)) {
+ exit(1);
+ }
+ }
+
+ /* Exit code */
+
+ poptFreeContext(pc);
+ return 0;
+}
-- cgit From 45e93c19ef95978f908f5b14962770510634cd3b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 29 May 2004 08:11:46 +0000 Subject: r943: change samba4 to use 'uint8_t' instead of 'unsigned char' metze (This used to be commit b5378803fdcb3b3afe7c2932a38828e83470f61a) --- source4/utils/ntlm_auth.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source4/utils/ntlm_auth.c')
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index b76308c55f..a966a0461d 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -45,11 +45,11 @@ static const char *workstation;
 static const char *hex_challenge;
 static const char *hex_lm_response;
 static const char *hex_nt_response;
-static unsigned char *challenge;
+static uint8_t *challenge;
 static size_t challenge_len;
-static unsigned char *lm_response;
+static uint8_t *lm_response;
 static size_t lm_response_len;
-static unsigned char *nt_response;
+static uint8_t *nt_response;
 static size_t nt_response_len;
 
 static char *password;
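Review bot: In `winbind_pw_check` the NT response is filled from the wrong blob: the third memcpy reads `ntlmssp_state->lm_resp.data` for `MIN(ntlmssp_state->nt_resp.length, sizeof(request.data.auth_crap.nt_resp))` bytes, so an NTLMv2 response longer than the LM response over-reads `lm_resp.data` and winbindd never sees the client's actual NT response; the line should be `memcpy(request.data.auth_crap.nt_resp, ntlmssp_state->nt_resp.data, MIN(ntlmssp_state->nt_resp.length, sizeof(request.data.auth_crap.nt_resp)));`. The same copy-paste pattern appears in `main`: the `--workstation` popt entry stores into `&domain` rather than `&workstation`, and `case OPT_NT:` decodes `hex_lm_response` into `lm_response`, leaving `nt_response` NULL while its error path prints the binary `lm_response` buffer with `%s`. `hex_decode` also evaluates `strlen(hex_buf_in)` in the declaration before the `if (!hex_buf_in)` guard and returns False on a bad digit without freeing the `*out_buffer` it allocated. `main` additionally calls `poptGetContext` twice and only frees the second context.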
@@ -393,7 +393,7 @@ enum {
 Routine to set hex password characters into an allocated array.
 **************************************************************/
 
-static void hex_encode(const unsigned char *buff_in, size_t len, char **out_hex_buffer)
+static void hex_encode(const uint8_t *buff_in, size_t len, char **out_hex_buffer)
 {
 int i;
 char *hex_buffer;
@@ -410,12 +410,12 @@ static void hex_encode(const unsigned char *buff_in, size_t len, char **out_hex_
 into a 16 byte array.
 **************************************************************/
 
-static BOOL hex_decode(const char *hex_buf_in, unsigned char **out_buffer, size_t *size)
+static BOOL hex_decode(const char *hex_buf_in, uint8_t **out_buffer, size_t *size)
 {
 int i;
 size_t hex_buf_in_len = strlen(hex_buf_in);
- unsigned char partial_byte_hex;
- unsigned char partial_byte;
+ uint8_t partial_byte_hex;
+ uint8_t partial_byte;
 const char *hexchars = "0123456789ABCDEF";
 char *p;
 BOOL high = True;
-- cgit From bf598954f75bfd924b9aa22649975b372c74a49e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 19 Jun 2004 08:15:41 +0000 Subject: r1198: Merge the Samba 3.0 ntlm_auth, including the kerberos and SPENGO parts. I have moved the SPNEGO and Kerberos code into libcli/auth, and intend to refactor them into the same format as NTLMSSP. Andrew Bartlett (This used to be commit 58da78a7460d5d0a4abee7d7b84799c228e6bc0b) --- source4/utils/ntlm_auth.c | 1611 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 1290 insertions(+), 321 deletions(-) (limited to 'source4/utils/ntlm_auth.c')
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index a966a0461d..d70b0b5d2b 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -3,8 +3,8 @@
 
 Winbind status program.
 
- Copyright (C) Tim Potter 2000-2002
- Copyright (C) Andrew Bartlett 2003
+ Copyright (C) Tim Potter 2000-2003
+ Copyright (C) Andrew Bartlett 2003-2004
 Copyright (C) Francesco Chemolli 2000
 
 This program is free software; you can redistribute it and/or modify
@@ -29,232 +29,441 @@ #define SQUID_BUFFER_SIZE 2010 -enum squid_mode { +enum stdio_helper_mode { SQUID_2_4_BASIC, SQUID_2_5_BASIC, - SQUID_2_5_NTLMSSP + SQUID_2_5_NTLMSSP, + NTLMSSP_CLIENT_1, + GSS_SPNEGO, + GSS_SPNEGO_CLIENT, + NTLM_SERVER_1, + NUM_HELPER_MODES }; - -extern int winbindd_fd; +#define NTLM_AUTH_FLAG_USER_SESSION_KEY 0x0004 +#define NTLM_AUTH_FLAG_LMKEY 0x0008 -static const char *helper_protocol; -static const char *username; -static const char *domain; -static const char *workstation; -static const char *hex_challenge; -static const char *hex_lm_response; -static const char *hex_nt_response; -static uint8_t *challenge; -static size_t challenge_len; -static uint8_t *lm_response; -static size_t lm_response_len; -static uint8_t *nt_response; -static size_t nt_response_len; - -static char *password; - -static char winbind_separator(void) -{ - struct winbindd_response response; - static BOOL got_sep; - static char sep; - if (got_sep) - return sep; +typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); - ZERO_STRUCT(response); +static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); - /* Send off request */ +static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); - if (winbindd_request(WINBINDD_INFO, NULL, &response) != - NSS_STATUS_SUCCESS) { - d_printf("could not obtain winbind separator!\n"); - return '\\'; - } +static void manage_client_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); - sep = response.data.info.winbind_separator; - got_sep = True; +static void manage_gss_spnego_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); - if (!sep) { - d_printf("winbind separator was NULL!\n"); - return '\\'; - } - - return sep; -} +static void manage_gss_spnego_client_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int 
length); -static const char *get_winbind_domain(void) -{ - struct winbindd_response response; +static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); - static fstring winbind_domain; - if (*winbind_domain) { - return winbind_domain; - } +static const struct { + enum stdio_helper_mode mode; + const char *name; + stdio_helper_function fn; +} stdio_helper_protocols[] = { + { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request}, + { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request}, + { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request}, + { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_client_ntlmssp_request}, + { GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request}, + { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request}, + { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request}, + { NUM_HELPER_MODES, NULL, NULL} +}; + +extern int winbindd_fd; - ZERO_STRUCT(response); +const char *opt_username; +const char *opt_domain; +const char *opt_workstation; +const char *opt_password; - /* Send off request */ - if (winbindd_request(WINBINDD_DOMAIN_NAME, NULL, &response) != - NSS_STATUS_SUCCESS) { - d_printf("could not obtain winbind domain name!\n"); - return NULL; +/* Copy of parse_domain_user from winbindd_util.c. 
Parse a string of the + form DOMAIN/user into a domain and a user */ + +static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain, + fstring user) +{ + + char *p = strchr(domuser,*lp_winbind_separator()); + + if (!p) { + return False; } + + fstrcpy(user, p+1); + fstrcpy(domain, domuser); + domain[PTR_DIFF(p, domuser)] = 0; + strupper_m(domain); - fstrcpy(winbind_domain, response.data.domain_name); + return True; +} - return winbind_domain; +/* Authenticate a user with a plaintext password */ + +static BOOL check_plaintext_auth(const char *user, const char *pass, + BOOL stdout_diagnostics) +{ + return (strcmp(pass, opt_password) == 0); +} +/* authenticate a user with an encrypted username/password */ + +static NTSTATUS local_pw_check_specified(const char *username, + const char *domain, + const char *workstation, + const DATA_BLOB *challenge, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + uint32 flags, + DATA_BLOB *lm_session_key, + DATA_BLOB *user_session_key, + char **error_string, + char **unix_name) +{ + NTSTATUS nt_status; + uint8_t lm_pw[16], nt_pw[16]; + uint8_t *lm_pwd, *nt_pwd; + TALLOC_CTX *mem_ctx = talloc_init("local_pw_check_specified"); + if (!mem_ctx) { + nt_status = NT_STATUS_NO_MEMORY; + } else { + + E_md4hash(opt_password, nt_pw); + if (E_deshash(opt_password, lm_pw)) { + lm_pwd = lm_pw; + } else { + lm_pwd = NULL; + } + nt_pwd = nt_pw; + + + nt_status = ntlm_password_check(mem_ctx, + challenge, + lm_response, + nt_response, + NULL, NULL, + username, + username, + domain, + lm_pwd, nt_pwd, user_session_key, lm_session_key); + + if (NT_STATUS_IS_OK(nt_status)) { + if (unix_name) { + asprintf(unix_name, + "%s%c%s", domain, + *lp_winbind_separator(), + username); + } + } else { + DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", + domain, username, workstation, + nt_errstr(nt_status))); + } + talloc_destroy(mem_ctx); + } + if (error_string) { + *error_string = strdup(nt_errstr(nt_status)); + } + 
return nt_status; + + } -static const char *get_winbind_netbios_name(void) +static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { - struct winbindd_response response; + NTSTATUS nt_status; + uint8 lm_pw[16], nt_pw[16]; + uint8_t *lm_pwd, *nt_pwd; - static fstring winbind_netbios_name; + E_md4hash(opt_password, nt_pw); + if (E_deshash(opt_password, lm_pw)) { + lm_pwd = lm_pw; + } else { + lm_pwd = NULL; + } + nt_pwd = nt_pw; + + nt_status = ntlm_password_check(ntlmssp_state->mem_ctx, + &ntlmssp_state->chal, + &ntlmssp_state->lm_resp, + &ntlmssp_state->nt_resp, + NULL, NULL, + ntlmssp_state->user, + ntlmssp_state->user, + ntlmssp_state->domain, + lm_pwd, nt_pwd, user_session_key, lm_session_key); + + if (NT_STATUS_IS_OK(nt_status)) { + ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, + "%s%c%s", ntlmssp_state->domain, + *lp_winbind_separator(), + ntlmssp_state->user); + } else { + DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", + ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, + nt_errstr(nt_status))); + ntlmssp_state->auth_context = NULL; + } + return nt_status; +} - if (*winbind_netbios_name) { - return winbind_netbios_name; +static NTSTATUS ntlm_auth_start_ntlmssp_client(struct ntlmssp_state **client_ntlmssp_state) +{ + NTSTATUS status; + if ( (opt_username == NULL) || (opt_domain == NULL) ) { + DEBUG(1, ("Need username and domain for NTLMSSP\n")); + return status; } - ZERO_STRUCT(response); + status = ntlmssp_client_start(client_ntlmssp_state); - /* Send off request */ + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not start NTLMSSP client: %s\n", + nt_errstr(status))); + ntlmssp_end(client_ntlmssp_state); + return status; + } - if (winbindd_request(WINBINDD_NETBIOS_NAME, NULL, &response) != - NSS_STATUS_SUCCESS) { - d_printf("could not obtain winbind netbios name!\n"); - return NULL; + status = 
ntlmssp_set_username(*client_ntlmssp_state, opt_username); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not set username: %s\n", + nt_errstr(status))); + ntlmssp_end(client_ntlmssp_state); + return status; } - fstrcpy(winbind_netbios_name, response.data.netbios_name); + status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain); - return winbind_netbios_name; + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not set domain: %s\n", + nt_errstr(status))); + ntlmssp_end(client_ntlmssp_state); + return status; + } + status = ntlmssp_set_password(*client_ntlmssp_state, opt_password); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not set password: %s\n", + nt_errstr(status))); + ntlmssp_end(client_ntlmssp_state); + return status; + } + return NT_STATUS_OK; } -/* Authenticate a user with a plaintext password */ +static NTSTATUS ntlm_auth_start_ntlmssp_server(struct ntlmssp_state **ntlmssp_state) +{ + NTSTATUS status = ntlmssp_server_start(ntlmssp_state); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not start NTLMSSP client: %s\n", + nt_errstr(status))); + return status; + } + + /* Have we been given a local password, or should we ask winbind? 
*/ + if (opt_password) { + (*ntlmssp_state)->check_password = local_pw_check; + (*ntlmssp_state)->get_domain = lp_workgroup; + (*ntlmssp_state)->get_global_myname = global_myname; + } else { + DEBUG(0, ("Winbind not supported in Samba4 ntlm_auth yet, specify --password\n")); + exit(1); + } + return NT_STATUS_OK; +} -static BOOL check_plaintext_auth(const char *user, const char *pass, BOOL stdout_diagnostics) +static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length) { - struct winbindd_request request; - struct winbindd_response response; - NSS_STATUS result; + static struct ntlmssp_state *ntlmssp_state = NULL; + DATA_BLOB request, reply; + NTSTATUS nt_status; - /* Send off request */ + if (strlen(buf) < 2) { + DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } - ZERO_STRUCT(request); - ZERO_STRUCT(response); + if (strlen(buf) > 3) { + request = base64_decode_data_blob(buf + 3); + } else { + request = data_blob(NULL, 0); + } - fstrcpy(request.data.auth.user, user); - fstrcpy(request.data.auth.pass, pass); + if ((strncmp(buf, "PW ", 3) == 0)) { + /* The calling application wants us to use a local password (rather than winbindd) */ - result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response); + opt_password = strndup((const char *)request.data, request.length); - /* Display response */ - - if (stdout_diagnostics) { - if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { - d_printf("Reading winbind reply failed! 
(0x01)\n"); + if (opt_password == NULL) { + DEBUG(1, ("Out of memory\n")); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&request); + return; } + + x_fprintf(x_stdout, "OK\n"); + data_blob_free(&request); + return; + } + + if (strncmp(buf, "YR", 2) == 0) { + if (ntlmssp_state) + ntlmssp_end(&ntlmssp_state); + } else if (strncmp(buf, "KK", 2) == 0) { - d_printf("%s (0x%x)\n", - response.data.auth.nt_status_string, - response.data.auth.nt_status); } else { - if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { - DEBUG(1, ("Reading winbind reply failed! (0x01)\n")); - } - - DEBUG(3, ("%s (0x%x)\n", - response.data.auth.nt_status_string, - response.data.auth.nt_status)); + DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; } - - return (result == NSS_STATUS_SUCCESS); -} -static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state) -{ - struct winbindd_request request; - struct winbindd_response response; - NSS_STATUS result; - /* Send off request */ - - ZERO_STRUCT(request); - ZERO_STRUCT(response); + if (!ntlmssp_state) { + if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { + x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); + return; + } + } - fstrcpy(request.data.auth_crap.user, ntlmssp_state->user); + DEBUG(10, ("got NTLMSSP packet:\n")); + dump_data(10, (const char *)request.data, request.length); - fstrcpy(request.data.auth_crap.domain, ntlmssp_state->domain); - fstrcpy(request.data.auth_crap.workstation, ntlmssp_state->workstation); + nt_status = ntlmssp_update(ntlmssp_state, NULL, request, &reply); - memcpy(request.data.auth_crap.chal, ntlmssp_state->chal.data, - MIN(ntlmssp_state->chal.length, 8)); - - memcpy(request.data.auth_crap.lm_resp, ntlmssp_state->lm_resp.data, - MIN(ntlmssp_state->lm_resp.length, sizeof(request.data.auth_crap.lm_resp))); - - memcpy(request.data.auth_crap.nt_resp, ntlmssp_state->lm_resp.data, - MIN(ntlmssp_state->nt_resp.length, 
sizeof(request.data.auth_crap.nt_resp))); - - request.data.auth_crap.lm_resp_len = ntlmssp_state->lm_resp.length; - request.data.auth_crap.nt_resp_len = ntlmssp_state->nt_resp.length; - - result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); - - /* Display response */ + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + char *reply_base64 = base64_encode_data_blob(reply); + x_fprintf(x_stdout, "TT %s\n", reply_base64); + SAFE_FREE(reply_base64); + data_blob_free(&reply); + DEBUG(10, ("NTLMSSP challenge\n")); + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { + x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); + DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status))); - if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) { - return NT_STATUS_UNSUCCESSFUL; + ntlmssp_end(&ntlmssp_state); + } else if (!NT_STATUS_IS_OK(nt_status)) { + x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); + DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status))); + } else { + x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context); + DEBUG(10, ("NTLMSSP OK!\n")); } - return NT_STATUS(response.data.auth.nt_status); + data_blob_free(&request); } -static void manage_squid_ntlmssp_request(enum squid_mode squid_mode, +static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { - static NTLMSSP_STATE *ntlmssp_state; + static struct ntlmssp_state *ntlmssp_state = NULL; DATA_BLOB request, reply; NTSTATUS nt_status; + BOOL first = False; + + if (strlen(buf) < 2) { + DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } - if (!ntlmssp_state) { - ntlmssp_server_start(&ntlmssp_state); - ntlmssp_state->check_password = winbind_pw_check; - ntlmssp_state->get_domain = get_winbind_domain; - ntlmssp_state->get_global_myname = get_winbind_netbios_name; + if (strlen(buf) > 3) { + request = base64_decode_data_blob(buf + 3); + } else { + 
request = data_blob(NULL, 0); + } + + if (strncmp(buf, "PW ", 3) == 0) { + /* We asked for a password and obviously got it :-) */ + + opt_password = strndup((const char *)request.data, request.length); + + if (opt_password == NULL) { + DEBUG(1, ("Out of memory\n")); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&request); + return; + } + + x_fprintf(x_stdout, "OK\n"); + data_blob_free(&request); + return; + } + + if (opt_password == NULL) { + + /* Request a password from the calling process. After + sending it, the calling process should retry asking for the negotiate. */ + + DEBUG(10, ("Requesting password\n")); + x_fprintf(x_stdout, "PW\n"); + return; } - if (strlen(buf) < 3) { + if (strncmp(buf, "YR", 2) == 0) { + if (ntlmssp_state) + ntlmssp_end(&ntlmssp_state); + } else if (strncmp(buf, "TT", 2) == 0) { + + } else { + DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } - - request = base64_decode_data_blob(buf + 3); - - DEBUG(0, ("got NTLMSSP packet:\n")); - dump_data(0, request.data, request.length); - nt_status = ntlmssp_server_update(ntlmssp_state, request, &reply); + if (!ntlmssp_state) { + if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) { + x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); + return; + } + first = True; + } + + DEBUG(10, ("got NTLMSSP packet:\n")); + dump_data(10, (const char *)request.data, request.length); + + nt_status = ntlmssp_update(ntlmssp_state, NULL, request, &reply); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { char *reply_base64 = base64_encode_data_blob(reply); - x_fprintf(x_stdout, "TT %s\n", reply_base64); + if (first) { + x_fprintf(x_stdout, "YR %s\n", reply_base64); + } else { + x_fprintf(x_stdout, "KK %s\n", reply_base64); + } SAFE_FREE(reply_base64); data_blob_free(&reply); - } else if (!NT_STATUS_IS_OK(nt_status)) { - x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); + DEBUG(10, ("NTLMSSP challenge\n")); + } else if 
(NT_STATUS_IS_OK(nt_status)) {
+ x_fprintf(x_stdout, "AF\n");
+ DEBUG(10, ("NTLMSSP OK!\n"));
+ if (ntlmssp_state)
+ ntlmssp_end(&ntlmssp_state);
 } else {
- x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user);
+ x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+ DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
+ if (ntlmssp_state)
+ ntlmssp_end(&ntlmssp_state);
 }
 
 data_blob_free(&request);
 }
 
-static void manage_squid_basic_request(enum squid_mode squid_mode,
+static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
 char *buf, int length)
 {
 char *user, *pass;
@@ -263,13 +472,13 @@ static void manage_squid_basic_request(enum squid_mode squid_mode,
 pass=memchr(buf,' ',length);
 if (!pass) {
 DEBUG(2, ("Password not found. Denying access\n"));
- x_fprintf(x_stderr, "ERR\n");
+ x_fprintf(x_stdout, "ERR\n");
 return;
 }
 *pass='\0';
 pass++;
 
- if (squid_mode == SQUID_2_5_BASIC) {
+ if (stdio_helper_mode == SQUID_2_5_BASIC) {
 rfc1738_unescape(user);
 rfc1738_unescape(pass);
 }
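Review bot: `ntlm_auth_start_ntlmssp_client` returns the uninitialized `status` from its first early exit (`if ( (opt_username == NULL) || (opt_domain == NULL) )`), so the caller tests an indeterminate NTSTATUS; it should be `return NT_STATUS_INVALID_PARAMETER;`. The rewritten `check_plaintext_auth` reduces to `strcmp(pass, opt_password) == 0`, which dereferences NULL from the squid basic modes whenever `opt_password` has not been set and, when it has, accepts any `user` that presents that password — `return (opt_password != NULL && strcmp(pass, opt_password) == 0);` together with a comment stating that the username is not verified would make the contract explicit. In `parse_ntlm_auth_domain_user` the index `PTR_DIFF(p, domuser)` is taken from the untruncated input while `fstrcpy` bounded the copy, so a separator located at or beyond `sizeof(fstring)` writes the terminator outside `domain`; return False when `PTR_DIFF(p, domuser) >= sizeof(fstring)`. The `PW ` handlers in `manage_squid_ntlmssp_request` and `manage_client_ntlmssp_request` overwrite `opt_password` via `strndup` without releasing the previous value, and the invalid-verb and `BH` early returns that follow `base64_decode_data_blob` skip `data_blob_free(&request)`.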
@@ -281,17 +490,868 @@ static void manage_squid_basic_request(enum squid_mode squid_mode, } } -static void manage_squid_request(enum squid_mode squid_mode) +static void offer_gss_spnego_mechs(void) { + + DATA_BLOB token; + struct spnego_data spnego; + ssize_t len; + char *reply_base64; + + pstring principal; + pstring myname_lower; + + ZERO_STRUCT(spnego); + + pstrcpy(myname_lower, global_myname()); + strlower_m(myname_lower); + + pstr_sprintf(principal, "%s$@%s", myname_lower, lp_realm()); + + /* Server negTokenInit (mech offerings) */ + spnego.type = SPNEGO_NEG_TOKEN_INIT; + spnego.negTokenInit.mechTypes = smb_xmalloc(sizeof(char *) * 3); +#ifdef HAVE_KRB5 + spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_KERBEROS5_OLD); + spnego.negTokenInit.mechTypes[1] = smb_xstrdup(OID_NTLMSSP); + spnego.negTokenInit.mechTypes[2] = NULL; +#else + spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_NTLMSSP); + spnego.negTokenInit.mechTypes[1] = NULL; +#endif + + + spnego.negTokenInit.mechListMIC = data_blob(principal, + strlen(principal)); + + len = write_spnego_data(&token, &spnego); + free_spnego_data(&spnego); + + if (len == -1) { + DEBUG(1, ("Could not write SPNEGO data blob\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + reply_base64 = base64_encode_data_blob(token); + x_fprintf(x_stdout, "TT %s *\n", reply_base64); + + SAFE_FREE(reply_base64); + data_blob_free(&token); + DEBUG(10, ("sent SPNEGO negTokenInit\n")); + return; +} + +static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length) +{ + static struct ntlmssp_state *ntlmssp_state = NULL; + struct spnego_data request, response; + DATA_BLOB token; + NTSTATUS status; + ssize_t len; + + char *user = NULL; + char *domain = NULL; + + const char *reply_code; + char *reply_base64; + pstring reply_argument; + + if (strlen(buf) < 2) { + DEBUG(1, ("SPENGO query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (strncmp(buf, "YR", 2) == 0) { + if 
(ntlmssp_state) + ntlmssp_end(&ntlmssp_state); + } else if (strncmp(buf, "KK", 2) == 0) { + + } else { + DEBUG(1, ("SPENGO query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if ( (strlen(buf) == 2)) { + + /* no client data, get the negTokenInit offering + mechanisms */ + + offer_gss_spnego_mechs(); + return; + } + + /* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */ + + if (strlen(buf) <= 3) { + DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + token = base64_decode_data_blob(buf + 3); + len = read_spnego_data(token, &request); + data_blob_free(&token); + + if (len == -1) { + DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (request.type == SPNEGO_NEG_TOKEN_INIT) { + + /* Second request from Client. This is where the + client offers its mechanism to use. */ + + if ( (request.negTokenInit.mechTypes == NULL) || + (request.negTokenInit.mechTypes[0] == NULL) ) { + DEBUG(1, ("Client did not offer any mechanism")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) { + + if ( request.negTokenInit.mechToken.data == NULL ) { + DEBUG(1, ("Client did not provide NTLMSSP data\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if ( ntlmssp_state != NULL ) { + DEBUG(1, ("Client wants a new NTLMSSP challenge, but " + "already got one\n")); + x_fprintf(x_stdout, "BH\n"); + ntlmssp_end(&ntlmssp_state); + return; + } + + if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { + x_fprintf(x_stdout, "BH %s\n", nt_errstr(status)); + return; + } + + DEBUG(10, ("got NTLMSSP packet:\n")); + dump_data(10, (const char *)request.negTokenInit.mechToken.data, + request.negTokenInit.mechToken.length); + + response.type = SPNEGO_NEG_TOKEN_TARG; + response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); + response.negTokenTarg.mechListMIC = 
data_blob(NULL, 0); + + status = ntlmssp_update(ntlmssp_state, + NULL, + request.negTokenInit.mechToken, + &response.negTokenTarg.responseToken); + } + +#ifdef HAVE_KRB5 + if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) { + + char *principal; + DATA_BLOB auth_data; + DATA_BLOB ap_rep; + DATA_BLOB session_key; + + if ( request.negTokenInit.mechToken.data == NULL ) { + DEBUG(1, ("Client did not provide Kerberos data\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + response.type = SPNEGO_NEG_TOKEN_TARG; + response.negTokenTarg.supportedMech = strdup(OID_KERBEROS5_OLD); + response.negTokenTarg.mechListMIC = data_blob(NULL, 0); + response.negTokenTarg.responseToken = data_blob(NULL, 0); + + status = ads_verify_ticket(lp_realm(), + &request.negTokenInit.mechToken, + &principal, &auth_data, &ap_rep, + &session_key); + + /* Now in "principal" we have the name we are + authenticated as. */ + + if (NT_STATUS_IS_OK(status)) { + + domain = strchr(principal, '@'); + + if (domain == NULL) { + DEBUG(1, ("Did not get a valid principal " + "from ads_verify_ticket\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + *domain++ = '\0'; + domain = strdup(domain); + user = strdup(principal); + + data_blob_free(&ap_rep); + data_blob_free(&auth_data); + + SAFE_FREE(principal); + } + } +#endif + + } else { + + if ( (request.negTokenTarg.supportedMech == NULL) || + ( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) { + /* Kerberos should never send a negTokenTarg, OID_NTLMSSP + is the only one we support that sends this stuff */ + DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n", + request.negTokenTarg.supportedMech)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (request.negTokenTarg.responseToken.data == NULL) { + DEBUG(1, ("Got a negTokenTarg without a responseToken!\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + status = ntlmssp_update(ntlmssp_state, + NULL, + request.negTokenTarg.responseToken, + 
&response.negTokenTarg.responseToken); + + response.type = SPNEGO_NEG_TOKEN_TARG; + response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); + response.negTokenTarg.mechListMIC = data_blob(NULL, 0); + + if (NT_STATUS_IS_OK(status)) { + user = strdup(ntlmssp_state->user); + domain = strdup(ntlmssp_state->domain); + ntlmssp_end(&ntlmssp_state); + } + } + + free_spnego_data(&request); + + if (NT_STATUS_IS_OK(status)) { + response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; + reply_code = "AF"; + pstr_sprintf(reply_argument, "%s\\%s", domain, user); + } else if (NT_STATUS_EQUAL(status, + NT_STATUS_MORE_PROCESSING_REQUIRED)) { + response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; + reply_code = "TT"; + pstr_sprintf(reply_argument, "*"); + } else { + response.negTokenTarg.negResult = SPNEGO_REJECT; + reply_code = "NA"; + pstrcpy(reply_argument, nt_errstr(status)); + } + + SAFE_FREE(user); + SAFE_FREE(domain); + + len = write_spnego_data(&token, &response); + free_spnego_data(&response); + + if (len == -1) { + DEBUG(1, ("Could not write SPNEGO data blob\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + reply_base64 = base64_encode_data_blob(token); + + x_fprintf(x_stdout, "%s %s %s\n", + reply_code, reply_base64, reply_argument); + + SAFE_FREE(reply_base64); + data_blob_free(&token); + + return; +} + +static struct ntlmssp_state *client_ntlmssp_state = NULL; + +static BOOL manage_client_ntlmssp_init(struct spnego_data spnego) +{ + NTSTATUS status; + DATA_BLOB null_blob = data_blob(NULL, 0); + DATA_BLOB to_server; + char *to_server_base64; + const char *my_mechs[] = {OID_NTLMSSP, NULL}; + + DEBUG(10, ("Got spnego negTokenInit with NTLMSSP\n")); + + if (client_ntlmssp_state != NULL) { + DEBUG(1, ("Request for initial SPNEGO request where " + "we already have a state\n")); + return False; + } + + if (!client_ntlmssp_state) { + if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) { + x_fprintf(x_stdout, "BH %s\n", 
nt_errstr(status)); + return False; + } + } + + + if (opt_password == NULL) { + + /* Request a password from the calling process. After + sending it, the calling process should retry with + the negTokenInit. */ + + DEBUG(10, ("Requesting password\n")); + x_fprintf(x_stdout, "PW\n"); + return True; + } + + spnego.type = SPNEGO_NEG_TOKEN_INIT; + spnego.negTokenInit.mechTypes = my_mechs; + spnego.negTokenInit.reqFlags = 0; + spnego.negTokenInit.mechListMIC = null_blob; + + status = ntlmssp_update(client_ntlmssp_state, + NULL, + null_blob, + &spnego.negTokenInit.mechToken); + + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED, got: %s\n", + nt_errstr(status))); + ntlmssp_end(&client_ntlmssp_state); + return False; + } + + write_spnego_data(&to_server, &spnego); + data_blob_free(&spnego.negTokenInit.mechToken); + + to_server_base64 = base64_encode_data_blob(to_server); + data_blob_free(&to_server); + x_fprintf(x_stdout, "KK %s\n", to_server_base64); + SAFE_FREE(to_server_base64); + return True; +} + +static void manage_client_ntlmssp_targ(struct spnego_data spnego) +{ + NTSTATUS status; + DATA_BLOB null_blob = data_blob(NULL, 0); + DATA_BLOB request; + DATA_BLOB to_server; + char *to_server_base64; + + DEBUG(10, ("Got spnego negTokenTarg with NTLMSSP\n")); + + if (client_ntlmssp_state == NULL) { + DEBUG(1, ("Got NTLMSSP tArg without a client state\n")); + x_fprintf(x_stdout, "BH\n"); + ntlmssp_end(&client_ntlmssp_state); + return; + } + + if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) { + x_fprintf(x_stdout, "NA\n"); + ntlmssp_end(&client_ntlmssp_state); + return; + } + + if (spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) { + x_fprintf(x_stdout, "AF\n"); + ntlmssp_end(&client_ntlmssp_state); + return; + } + + status = ntlmssp_update(client_ntlmssp_state, + NULL, + spnego.negTokenTarg.responseToken, + &request); + + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + 
DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED from " + "ntlmssp_update, got: %s\n", + nt_errstr(status))); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&request); + ntlmssp_end(&client_ntlmssp_state); + return; + } + + spnego.type = SPNEGO_NEG_TOKEN_TARG; + spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; + spnego.negTokenTarg.supportedMech = OID_NTLMSSP; + spnego.negTokenTarg.responseToken = request; + spnego.negTokenTarg.mechListMIC = null_blob; + + write_spnego_data(&to_server, &spnego); + data_blob_free(&request); + + to_server_base64 = base64_encode_data_blob(to_server); + data_blob_free(&to_server); + x_fprintf(x_stdout, "KK %s\n", to_server_base64); + SAFE_FREE(to_server_base64); + return; +} + +#ifdef HAVE_KRB5 + +static BOOL manage_client_krb5_init(struct spnego_data spnego) +{ + char *principal; + DATA_BLOB tkt, to_server; + DATA_BLOB session_key_krb5 = data_blob(NULL, 0); + struct spnego_data reply; + char *reply_base64; + int retval; + + const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL}; + ssize_t len; + + if ( (spnego.negTokenInit.mechListMIC.data == NULL) || + (spnego.negTokenInit.mechListMIC.length == 0) ) { + DEBUG(1, ("Did not get a principal for krb5\n")); + return False; + } + + principal = malloc(spnego.negTokenInit.mechListMIC.length+1); + + if (principal == NULL) { + DEBUG(1, ("Could not malloc principal\n")); + return False; + } + + memcpy(principal, spnego.negTokenInit.mechListMIC.data, + spnego.negTokenInit.mechListMIC.length); + principal[spnego.negTokenInit.mechListMIC.length] = '\0'; + + retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); + + if (retval) { + + pstring user; + + /* Let's try to first get the TGT, for that we need a + password. 
*/ + + if (opt_password == NULL) { + DEBUG(10, ("Requesting password\n")); + x_fprintf(x_stdout, "PW\n"); + return True; + } + + pstr_sprintf(user, "%s@%s", opt_username, opt_domain); + + if ((retval = kerberos_kinit_password(user, opt_password, + 0, NULL))) { + DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval))); + return False; + } + + retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); + + if (retval) { + DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); + return False; + } + } + + data_blob_free(&session_key_krb5); + + ZERO_STRUCT(reply); + + reply.type = SPNEGO_NEG_TOKEN_INIT; + reply.negTokenInit.mechTypes = my_mechs; + reply.negTokenInit.reqFlags = 0; + reply.negTokenInit.mechToken = tkt; + reply.negTokenInit.mechListMIC = data_blob(NULL, 0); + + len = write_spnego_data(&to_server, &reply); + data_blob_free(&tkt); + + if (len == -1) { + DEBUG(1, ("Could not write SPNEGO data blob\n")); + return False; + } + + reply_base64 = base64_encode_data_blob(to_server); + x_fprintf(x_stdout, "KK %s *\n", reply_base64); + + SAFE_FREE(reply_base64); + data_blob_free(&to_server); + DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n")); + return True; +} + +static void manage_client_krb5_targ(struct spnego_data spnego) +{ + switch (spnego.negTokenTarg.negResult) { + case SPNEGO_ACCEPT_INCOMPLETE: + DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n")); + x_fprintf(x_stdout, "BH\n"); + break; + case SPNEGO_ACCEPT_COMPLETED: + DEBUG(10, ("Accept completed\n")); + x_fprintf(x_stdout, "AF\n"); + break; + case SPNEGO_REJECT: + DEBUG(10, ("Rejected\n")); + x_fprintf(x_stdout, "NA\n"); + break; + default: + DEBUG(1, ("Got an invalid negTokenTarg\n")); + x_fprintf(x_stdout, "AF\n"); + } +} + +#endif + +static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length) +{ + DATA_BLOB request; + struct spnego_data spnego; + ssize_t len; + + if 
(strlen(buf) <= 3) { + DEBUG(1, ("SPNEGO query [%s] too short\n", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + request = base64_decode_data_blob(buf+3); + + if (strncmp(buf, "PW ", 3) == 0) { + + /* We asked for a password and obviously got it :-) */ + + opt_password = strndup((const char *)request.data, request.length); + + if (opt_password == NULL) { + DEBUG(1, ("Out of memory\n")); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&request); + return; + } + + x_fprintf(x_stdout, "OK\n"); + data_blob_free(&request); + return; + } + + if ( (strncmp(buf, "TT ", 3) != 0) && + (strncmp(buf, "AF ", 3) != 0) && + (strncmp(buf, "NA ", 3) != 0) ) { + DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&request); + return; + } + + /* So we got a server challenge to generate a SPNEGO + client-to-server request... */ + + len = read_spnego_data(request, &spnego); + data_blob_free(&request); + + if (len == -1) { + DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (spnego.type == SPNEGO_NEG_TOKEN_INIT) { + + /* The server offers a list of mechanisms */ + + char **mechType = spnego.negTokenInit.mechTypes; + + while (*mechType != NULL) { + +#ifdef HAVE_KRB5 + if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) || + (strcmp(*mechType, OID_KERBEROS5) == 0) ) { + if (manage_client_krb5_init(spnego)) + goto out; + } +#endif + + if (strcmp(*mechType, OID_NTLMSSP) == 0) { + if (manage_client_ntlmssp_init(spnego)) + goto out; + } + + mechType++; + } + + DEBUG(1, ("Server offered no compatible mechanism\n")); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (spnego.type == SPNEGO_NEG_TOKEN_TARG) { + + if (spnego.negTokenTarg.supportedMech == NULL) { + /* On accept/reject Windows does not send the + mechanism anymore. Handle that here and + shut down the mechanisms. 
*/ + + switch (spnego.negTokenTarg.negResult) { + case SPNEGO_ACCEPT_COMPLETED: + x_fprintf(x_stdout, "AF\n"); + break; + case SPNEGO_REJECT: + x_fprintf(x_stdout, "NA\n"); + break; + default: + DEBUG(1, ("Got a negTokenTarg with no mech and an " + "unknown negResult: %d\n", + spnego.negTokenTarg.negResult)); + x_fprintf(x_stdout, "BH\n"); + } + + ntlmssp_end(&client_ntlmssp_state); + goto out; + } + + if (strcmp(spnego.negTokenTarg.supportedMech, + OID_NTLMSSP) == 0) { + manage_client_ntlmssp_targ(spnego); + goto out; + } + +#if HAVE_KRB5 + if (strcmp(spnego.negTokenTarg.supportedMech, + OID_KERBEROS5_OLD) == 0) { + manage_client_krb5_targ(spnego); + goto out; + } +#endif + + } + + DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + + out: + free_spnego_data(&spnego); + return; +} + +static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length) +{ + char *request, *parameter; + static DATA_BLOB challenge; + static DATA_BLOB lm_response; + static DATA_BLOB nt_response; + static char *full_username; + static char *username; + static char *domain; + static char *plaintext_password; + static BOOL ntlm_server_1_user_session_key; + static BOOL ntlm_server_1_lm_session_key; + + if (strequal(buf, ".")) { + if (!full_username && !username) { + x_fprintf(x_stdout, "Error: No username supplied!\n"); + } else if (plaintext_password) { + /* handle this request as plaintext */ + if (!full_username) { + if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(), username) == -1) { + x_fprintf(x_stdout, "Error: Out of memory in asprintf!\n.\n"); + return; + } + } + if (check_plaintext_auth(full_username, plaintext_password, False)) { + x_fprintf(x_stdout, "Authenticated: Yes\n"); + } else { + x_fprintf(x_stdout, "Authenticated: No\n"); + } + } else if (!lm_response.data && !nt_response.data) { + x_fprintf(x_stdout, "Error: No password supplied!\n"); + } else if 
(!challenge.data) { + x_fprintf(x_stdout, "Error: No lanman-challenge supplied!\n"); + } else { + char *error_string = NULL; + DATA_BLOB lm_key; + DATA_BLOB user_session_key; + uint32 flags = 0; + + if (full_username && !username) { + fstring fstr_user; + fstring fstr_domain; + + if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) { + /* username might be 'tainted', don't print into our new-line deleimianted stream */ + x_fprintf(x_stdout, "Error: Could not parse into domain and username\n"); + } + SAFE_FREE(username); + SAFE_FREE(domain); + username = smb_xstrdup(fstr_user); + domain = smb_xstrdup(fstr_domain); + } + + if (!domain) { + domain = smb_xstrdup(lp_workgroup()); + } + + if (ntlm_server_1_lm_session_key) + flags |= NTLM_AUTH_FLAG_LMKEY; + + if (ntlm_server_1_user_session_key) + flags |= NTLM_AUTH_FLAG_USER_SESSION_KEY; + + if (!NT_STATUS_IS_OK( + local_pw_check_specified(username, + domain, + global_myname(), + &challenge, + &lm_response, + &nt_response, + flags, + &lm_key, + &user_session_key, + &error_string, + NULL))) { + + x_fprintf(x_stdout, "Authenticated: No\n"); + x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string); + SAFE_FREE(error_string); + } else { + static char zeros[16]; + char *hex_lm_key; + char *hex_user_session_key; + + x_fprintf(x_stdout, "Authenticated: Yes\n"); + + if (ntlm_server_1_lm_session_key + && lm_key.length + && (memcmp(zeros, lm_key.data, + lm_key.length) != 0)) { + hex_encode(lm_key.data, + lm_key.length, + &hex_lm_key); + x_fprintf(x_stdout, "LANMAN-Session-Key: %s\n", hex_lm_key); + SAFE_FREE(hex_lm_key); + } + + if (ntlm_server_1_user_session_key + && user_session_key.length + && (memcmp(zeros, user_session_key.data, + user_session_key.length) != 0)) { + hex_encode(user_session_key.data, + user_session_key.length, + &hex_user_session_key); + x_fprintf(x_stdout, "User-Session-Key: %s\n", hex_user_session_key); + SAFE_FREE(hex_user_session_key); + } + } + } + /* clear out the state */ 
+ challenge = data_blob(NULL, 0); + nt_response = data_blob(NULL, 0); + lm_response = data_blob(NULL, 0); + SAFE_FREE(full_username); + SAFE_FREE(username); + SAFE_FREE(domain); + SAFE_FREE(plaintext_password); + ntlm_server_1_user_session_key = False; + ntlm_server_1_lm_session_key = False; + x_fprintf(x_stdout, ".\n"); + + return; + } + + request = buf; + + /* Indicates a base64 encoded structure */ + parameter = strstr(request, ":: "); + if (!parameter) { + parameter = strstr(request, ": "); + + if (!parameter) { + DEBUG(0, ("Parameter not found!\n")); + x_fprintf(x_stdout, "Error: Parameter not found!\n.\n"); + return; + } + + parameter[0] ='\0'; + parameter++; + parameter[0] ='\0'; + parameter++; + + } else { + parameter[0] ='\0'; + parameter++; + parameter[0] ='\0'; + parameter++; + parameter[0] ='\0'; + parameter++; + + base64_decode_inplace(parameter); + } + + if (strequal(request, "LANMAN-Challenge")) { + challenge = strhex_to_data_blob(parameter); + if (challenge.length != 8) { + x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", + parameter, + (int)challenge.length); + challenge = data_blob(NULL, 0); + } + } else if (strequal(request, "NT-Response")) { + nt_response = strhex_to_data_blob(parameter); + if (nt_response.length < 24) { + x_fprintf(x_stdout, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", + parameter, + (int)nt_response.length); + nt_response = data_blob(NULL, 0); + } + } else if (strequal(request, "LANMAN-Response")) { + lm_response = strhex_to_data_blob(parameter); + if (lm_response.length != 24) { + x_fprintf(x_stdout, "Error: hex decode of %s failed! 
(got %d bytes, expected 24)\n.\n", + parameter, + (int)lm_response.length); + lm_response = data_blob(NULL, 0); + } + } else if (strequal(request, "Password")) { + plaintext_password = smb_xstrdup(parameter); + } else if (strequal(request, "NT-Domain")) { + domain = smb_xstrdup(parameter); + } else if (strequal(request, "Username")) { + username = smb_xstrdup(parameter); + } else if (strequal(request, "Full-Username")) { + full_username = smb_xstrdup(parameter); + } else if (strequal(request, "Request-User-Session-Key")) { + ntlm_server_1_user_session_key = strequal(parameter, "Yes"); + } else if (strequal(request, "Request-LanMan-Session-Key")) { + ntlm_server_1_lm_session_key = strequal(parameter, "Yes"); + } else { + x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request); + } +} + +static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn) { char buf[SQUID_BUFFER_SIZE+1]; int length; char *c; static BOOL err; - - if (x_fgets(buf, sizeof(buf)-1, x_stdin) == NULL) { - DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", errno, - strerror(errno))); - exit(1); /* BIIG buffer */ + + /* this is not a typo - x_fgets doesn't work too well under squid */ + if (fgets(buf, sizeof(buf)-1, stdin) == NULL) { + if (ferror(stdin)) { + DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", ferror(stdin), + strerror(ferror(stdin)))); + + exit(1); /* BIIG buffer */ + } + exit(0); } c=memchr(buf,'\n',sizeof(buf)-1); 
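Review bot: In manage_gss_spnego_request, a negTokenInit whose first mechType is neither OID_NTLMSSP nor (under HAVE_KRB5) OID_KERBEROS5_OLD leaves `status` and `response` unassigned, yet the code still reaches `free_spnego_data(&request)` and picks AF/TT/NA from `NT_STATUS_IS_OK(status)` on an indeterminate value; a `handled` flag that answers BH before the reply is built closes that gap (sketched below). The negTokenTarg branch of the same function hands `ntlmssp_state` to `ntlmssp_update` without checking it, so a negTokenTarg received before any negTokenInit passes the static NULL state through, and `ntlmssp_state->user` is dereferenced afterwards on success — a `if (ntlmssp_state == NULL) { x_fprintf(x_stdout, "BH\n"); return; }` guard belongs next to the supportedMech check. In manage_client_krb5_targ the `default:` arm logs an invalid negTokenTarg but answers `AF`, which the caller reads as completed authentication; it should be `x_fprintf(x_stdout, "BH\n");`. In manage_ntlm_server_1_request, when parse_ntlm_auth_domain_user fails the error line is printed but the code still smb_xstrdup's the unfilled fstr_user/fstr_domain buffers and carries on to local_pw_check_specified; the failure path should skip to the state-clearing block at the end of the "." handler instead of continuing.
```c
	BOOL handled = False;
	/* … unchanged: request parsing … */
	if (request.type == SPNEGO_NEG_TOKEN_INIT) {
		/* … unchanged: mechTypes presence checks … */
		if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) {
			handled = True;
			/* … unchanged: NTLMSSP handling … */
		}
#ifdef HAVE_KRB5
		if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) {
			handled = True;
			/* … unchanged: Kerberos handling … */
		}
#endif
		if (!handled) {
			DEBUG(1, ("Client offered an unsupported mechanism: %s\n",
				  request.negTokenInit.mechTypes[0]));
			x_fprintf(x_stdout, "BH\n");
			free_spnego_data(&request);
			return;
		}
	} else {
		/* … unchanged: negTokenTarg handling … */
	}
```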
@@ -317,65 +1377,20 @@ static void manage_squid_request(enum squid_mode squid_mode)
 return;
 }
- if (squid_mode == SQUID_2_5_BASIC || squid_mode == SQUID_2_4_BASIC) {
- manage_squid_basic_request(squid_mode, buf, length);
- } else if (squid_mode == SQUID_2_5_NTLMSSP) {
- manage_squid_ntlmssp_request(squid_mode, buf, length);
- }
+ fn(helper_mode, buf, length);
 }
-static void squid_stream(enum squid_mode squid_mode) {
+static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) {
 /* initialize FDescs */
 x_setbuf(x_stdout, NULL);
 x_setbuf(x_stderr, NULL);
 while(1) {
- manage_squid_request(squid_mode);
+ manage_squid_request(stdio_mode, fn);
 }
 }
-/* Authenticate a user with a challenge/response */
-
-static BOOL check_auth_crap(void)
-{
- struct winbindd_request request;
- struct winbindd_response response;
- NSS_STATUS result;
- /* Send off request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
-
- fstrcpy(request.data.auth_crap.user, username);
-
- fstrcpy(request.data.auth_crap.domain, domain);
- fstrcpy(request.data.auth_crap.workstation, workstation);
-
- memcpy(request.data.auth_crap.chal, challenge, MIN(challenge_len, 8));
-
- memcpy(request.data.auth_crap.lm_resp, lm_response, MIN(lm_response_len, sizeof(request.data.auth_crap.lm_resp)));
-
- memcpy(request.data.auth_crap.nt_resp, nt_response, MIN(nt_response_len, sizeof(request.data.auth_crap.nt_resp)));
-
- request.data.auth_crap.lm_resp_len = lm_response_len;
- request.data.auth_crap.nt_resp_len = nt_response_len;
-
- result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
-
- /* Display response */
-
- if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
- d_printf("Reading winbind reply failed! (0x01)\n");
- }
-
- d_printf("%s (0x%x)\n",
- response.data.auth.nt_status_string,
- response.data.auth.nt_status);
-
- return result == NSS_STATUS_SUCCESS;
-}
-
 /* Main program */
 enum {
@@ -386,94 +1401,48 @@ enum {
 OPT_RESPONSE,
 OPT_LM,
 OPT_NT,
- OPT_PASSWORD
+ OPT_PASSWORD,
+ OPT_LM_KEY,
+ OPT_USER_SESSION_KEY,
+ OPT_DIAGNOSTICS,
+ OPT_REQUIRE_MEMBERSHIP
 };
-/*************************************************************
- Routine to set hex password characters into an allocated array.
-**************************************************************/
-
-static void hex_encode(const uint8_t *buff_in, size_t len, char **out_hex_buffer)
+ int main(int argc, const char **argv)
 {
- int i;
- char *hex_buffer;
-
- *out_hex_buffer = smb_xmalloc((len*2)+1);
- hex_buffer = *out_hex_buffer;
-
- for (i = 0; i < len; i++)
- slprintf(&hex_buffer[i*2], 3, "%02X", buff_in[i]);
-}
-
-/*************************************************************
- Routine to get the 32 hex characters and turn them
- into a 16 byte array.
-**************************************************************/
-
-static BOOL hex_decode(const char *hex_buf_in, uint8_t **out_buffer, size_t *size)
-{
- int i;
- size_t hex_buf_in_len = strlen(hex_buf_in);
- uint8_t partial_byte_hex;
- uint8_t partial_byte;
- const char *hexchars = "0123456789ABCDEF";
- char *p;
- BOOL high = True;
-
- if (!hex_buf_in)
- return (False);
-
- *size = (hex_buf_in_len + 1) / 2;
-
- *out_buffer = smb_xmalloc(*size);
-
- for (i = 0; i < hex_buf_in_len; i++) {
- partial_byte_hex = toupper(hex_buf_in[i]);
-
- p = strchr(hexchars, partial_byte_hex);
-
- if (!p)
- return (False);
-
- partial_byte = PTR_DIFF(p, hexchars);
+ static const char *helper_protocol;
+ int opt;
- if (high) {
- (*out_buffer)[i / 2] = (partial_byte << 4);
- } else {
- (*out_buffer)[i / 2] |= partial_byte;
- }
- high = !high;
- }
- return (True);
-}
+ poptContext pc;
+ /* NOTE: DO NOT change this interface without considering the implications!
+ This is an external interface, which other programs will use to interact
+ with this helper.
+ */
-int main(int argc, const char **argv)
-{
- int opt;
+ /* We do not use single-letter command abbreviations, because they harm future
+ interface stability. */
- poptContext pc;
 struct poptOption long_options[] = {
 POPT_AUTOHELP
- { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
- { "username", 0, POPT_ARG_STRING, &username, OPT_USERNAME, "username"},
- { "domain", 0, POPT_ARG_STRING, &domain, OPT_DOMAIN, "domain name"},
- { "workstation", 0, POPT_ARG_STRING, &domain, OPT_WORKSTATION, "workstation"},
- { "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
- { "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
- { "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
- { "password", 0, POPT_ARG_STRING, &password, OPT_PASSWORD, "User's plaintext password"},
- { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debug },
- { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile },
- { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version},
- { 0, 0, 0, 0 }
+ { "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
+ { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
+ { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
+ POPT_COMMON_SAMBA
+ POPT_TABLEEND
 };
 /* Samba client initialisation */
- dbf = x_stderr;
-
+ setup_logging("ntlm_auth", DEBUG_STDOUT);
+
+ if (!lp_load(dyn_CONFIGFILE, True, False, False)) {
+ d_fprintf(stderr, "wbinfo: error opening config file %s. Error was %s\n",
+ dyn_CONFIGFILE, strerror(errno));
+ exit(1);
+ }
+ /* Parse options */
 pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
@@ -489,58 +1458,58 @@ int main(int argc, const char **argv) POPT_CONTEXT_KEEP_FIRST); while((opt = poptGetNextOpt(pc)) != -1) { - switch (opt) { - case OPT_CHALLENGE: - if (!hex_decode(hex_challenge, &challenge, &challenge_len)) { - fprintf(stderr, "hex decode of %s failed!\n", hex_challenge); - exit(1); - } - break; - case OPT_LM: - if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) { - fprintf(stderr, "hex decode of %s failed!\n", lm_response); - exit(1); - } - break; - case OPT_NT: - if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) { - fprintf(stderr, "hex decode of %s failed!\n", lm_response); - exit(1); - } + if (opt < -1) { break; } } + if (opt < -1) { + fprintf(stderr, "%s: %s\n", + poptBadOption(pc, POPT_BADOPTION_NOALIAS), + poptStrerror(opt)); + return 1; + } if (helper_protocol) { - if (strcmp(helper_protocol, "squid-2.5-ntlmssp")== 0) { - squid_stream(SQUID_2_5_NTLMSSP); - } else if (strcmp(helper_protocol, "squid-2.5-basic")== 0) { - squid_stream(SQUID_2_5_BASIC); - } else if (strcmp(helper_protocol, "squid-2.4-basic")== 0) { - squid_stream(SQUID_2_4_BASIC); - } else { - fprintf(stderr, "unknown helper protocol [%s]\n", helper_protocol); - exit(1); + int i; + for (i=0; i Date: Sun, 20 Jun 2004 00:58:09 +0000 Subject: r1200: Add 'gensec', our generic security layer. This layer is used for DCERPC security, as well as ntlm_auth at this time. It expect things like SASL and the CIFS layer to use it as well. The particular purpose of this layer is to introduce SPENGO, which needs generic access to the actual implementation mechanisms. Schannel, due to it's 'interesting' setup properties is in GENSEC, but is only in the RPC code. Andrew Bartlett (This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1) --- source4/utils/ntlm_auth.c | 832 ++++------------------------------------------ 1 file changed, 70 insertions(+), 762 deletions(-) (limited to 'source4/utils/ntlm_auth.c') 
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index d70b0b5d2b..7690a549f7 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -34,7 +34,6 @@ enum stdio_helper_mode {
 SQUID_2_5_BASIC,
 SQUID_2_5_NTLMSSP,
 NTLMSSP_CLIENT_1,
- GSS_SPNEGO,
 GSS_SPNEGO_CLIENT,
 NTLM_SERVER_1,
 NUM_HELPER_MODES
@@ -53,14 +52,8 @@ static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode
 static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
 char *buf, int length);
-static void manage_client_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
-
-static void manage_gss_spnego_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
-
-static void manage_gss_spnego_client_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
+static void manage_gensec_client_request (enum stdio_helper_mode stdio_helper_mode,
+ char *buf, int length);
 static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
 char *buf, int length);
@@ -73,9 +66,8 @@ static const struct {
 { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
 { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
 { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
- { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_client_ntlmssp_request},
- { GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
- { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
+ { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_client_request},
+ { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_client_request},
 { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
 { NUM_HELPER_MODES, NULL, NULL}
 };
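Review bot: Dropping the GSS_SPNEGO row from the helper table silently removes the `--helper-protocol=gss-spnego` server mode, which the NOTE above main (visible in the earlier commit on this page) describes as an external interface that other programs depend on, and the commit description only says gensec brings SPNEGO without saying the server side is gone for now. A comment at the table, e.g. `/* gss-spnego (server side) is withdrawn until gensec offers a server SPNEGO mechanism; clients still get the client mode */`, would record that the removal is intentional rather than an oversight, and the commit description should say the same so callers configured with the old name know why they now get an unknown-protocol error.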
@@ -218,52 +210,6 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *u
 return nt_status;
 }
 
-static NTSTATUS ntlm_auth_start_ntlmssp_client(struct ntlmssp_state **client_ntlmssp_state)
-{
- NTSTATUS status;
- if ( (opt_username == NULL) || (opt_domain == NULL) ) {
- DEBUG(1, ("Need username and domain for NTLMSSP\n"));
- return status;
- }
-
- status = ntlmssp_client_start(client_ntlmssp_state);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not start NTLMSSP client: %s\n",
- nt_errstr(status)));
- ntlmssp_end(client_ntlmssp_state);
- return status;
- }
-
- status = ntlmssp_set_username(*client_ntlmssp_state, opt_username);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set username: %s\n",
- nt_errstr(status)));
- ntlmssp_end(client_ntlmssp_state);
- return status;
- }
-
- status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set domain: %s\n",
- nt_errstr(status)));
- ntlmssp_end(client_ntlmssp_state);
- return status;
- }
-
- status = ntlmssp_set_password(*client_ntlmssp_state, opt_password);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set password: %s\n",
- nt_errstr(status)));
- ntlmssp_end(client_ntlmssp_state);
- return status;
- }
- return NT_STATUS_OK;
-}
-
 static NTSTATUS ntlm_auth_start_ntlmssp_server(struct ntlmssp_state **ntlmssp_state)
 {
 NTSTATUS status = ntlmssp_server_start(ntlmssp_state);
@@ -367,102 +313,6 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod data_blob_free(&request); } -static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) -{ - static struct ntlmssp_state *ntlmssp_state = NULL; - DATA_BLOB request, reply; - NTSTATUS nt_status; - BOOL first = False; - - if (strlen(buf) < 2) { - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (strlen(buf) > 3) { - request = base64_decode_data_blob(buf + 3); - } else { - request = data_blob(NULL, 0); - } - - if (strncmp(buf, "PW ", 3) == 0) { - /* We asked for a password and obviously got it :-) */ - - opt_password = strndup((const char *)request.data, request.length); - - if (opt_password == NULL) { - DEBUG(1, ("Out of memory\n")); - x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); - return; - } - - x_fprintf(x_stdout, "OK\n"); - data_blob_free(&request); - return; - } - - if (opt_password == NULL) { - - /* Request a password from the calling process. After - sending it, the calling process should retry asking for the negotiate. 
*/ - - DEBUG(10, ("Requesting password\n")); - x_fprintf(x_stdout, "PW\n"); - return; - } - - if (strncmp(buf, "YR", 2) == 0) { - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else if (strncmp(buf, "TT", 2) == 0) { - - } else { - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (!ntlmssp_state) { - if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); - return; - } - first = True; - } - - DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, (const char *)request.data, request.length); - - nt_status = ntlmssp_update(ntlmssp_state, NULL, request, &reply); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - char *reply_base64 = base64_encode_data_blob(reply); - if (first) { - x_fprintf(x_stdout, "YR %s\n", reply_base64); - } else { - x_fprintf(x_stdout, "KK %s\n", reply_base64); - } - SAFE_FREE(reply_base64); - data_blob_free(&reply); - DEBUG(10, ("NTLMSSP challenge\n")); - } else if (NT_STATUS_IS_OK(nt_status)) { - x_fprintf(x_stdout, "AF\n"); - DEBUG(10, ("NTLMSSP OK!\n")); - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); - DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status))); - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } - - data_blob_free(&request); -} - static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { 
@@ -490,654 +340,111 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, } } -static void offer_gss_spnego_mechs(void) { - - DATA_BLOB token; - struct spnego_data spnego; - ssize_t len; - char *reply_base64; - - pstring principal; - pstring myname_lower; - - ZERO_STRUCT(spnego); - - pstrcpy(myname_lower, global_myname()); - strlower_m(myname_lower); - - pstr_sprintf(principal, "%s$@%s", myname_lower, lp_realm()); - - /* Server negTokenInit (mech offerings) */ - spnego.type = SPNEGO_NEG_TOKEN_INIT; - spnego.negTokenInit.mechTypes = smb_xmalloc(sizeof(char *) * 3); -#ifdef HAVE_KRB5 - spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_KERBEROS5_OLD); - spnego.negTokenInit.mechTypes[1] = smb_xstrdup(OID_NTLMSSP); - spnego.negTokenInit.mechTypes[2] = NULL; -#else - spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_NTLMSSP); - spnego.negTokenInit.mechTypes[1] = NULL; -#endif - - - spnego.negTokenInit.mechListMIC = data_blob(principal, - strlen(principal)); - - len = write_spnego_data(&token, &spnego); - free_spnego_data(&spnego); - - if (len == -1) { - DEBUG(1, ("Could not write SPNEGO data blob\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - reply_base64 = base64_encode_data_blob(token); - x_fprintf(x_stdout, "TT %s *\n", reply_base64); - - SAFE_FREE(reply_base64); - data_blob_free(&token); - DEBUG(10, ("sent SPNEGO negTokenInit\n")); - return; -} - -static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) +static void manage_gensec_client_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length) { - static struct ntlmssp_state *ntlmssp_state = NULL; - struct spnego_data request, response; - DATA_BLOB token; - NTSTATUS status; - ssize_t len; - - char *user = NULL; - char *domain = NULL; - - const char *reply_code; - char *reply_base64; - pstring reply_argument; + DATA_BLOB in; + DATA_BLOB out; + char *out_base64; + static struct gensec_security gensec_state; + 
NTSTATUS nt_status; + BOOL first = False; if (strlen(buf) < 2) { - DEBUG(1, ("SPENGO query [%s] invalid", buf)); + DEBUG(1, ("query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } - if (strncmp(buf, "YR", 2) == 0) { - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else if (strncmp(buf, "KK", 2) == 0) { - - } else { - DEBUG(1, ("SPENGO query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if ( (strlen(buf) == 2)) { - - /* no client data, get the negTokenInit offering - mechanisms */ - - offer_gss_spnego_mechs(); - return; - } - - /* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */ - - if (strlen(buf) <= 3) { - DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - token = base64_decode_data_blob(buf + 3); - len = read_spnego_data(token, &request); - data_blob_free(&token); - - if (len == -1) { - DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (request.type == SPNEGO_NEG_TOKEN_INIT) { - - /* Second request from Client. This is where the - client offers its mechanism to use. 
*/ - - if ( (request.negTokenInit.mechTypes == NULL) || - (request.negTokenInit.mechTypes[0] == NULL) ) { - DEBUG(1, ("Client did not offer any mechanism")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) { - - if ( request.negTokenInit.mechToken.data == NULL ) { - DEBUG(1, ("Client did not provide NTLMSSP data\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if ( ntlmssp_state != NULL ) { - DEBUG(1, ("Client wants a new NTLMSSP challenge, but " - "already got one\n")); - x_fprintf(x_stdout, "BH\n"); - ntlmssp_end(&ntlmssp_state); - return; - } - - if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(status)); - return; - } - - DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, (const char *)request.negTokenInit.mechToken.data, - request.negTokenInit.mechToken.length); - - response.type = SPNEGO_NEG_TOKEN_TARG; - response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); - response.negTokenTarg.mechListMIC = data_blob(NULL, 0); - - status = ntlmssp_update(ntlmssp_state, - NULL, - request.negTokenInit.mechToken, - &response.negTokenTarg.responseToken); - } - -#ifdef HAVE_KRB5 - if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) { - - char *principal; - DATA_BLOB auth_data; - DATA_BLOB ap_rep; - DATA_BLOB session_key; - - if ( request.negTokenInit.mechToken.data == NULL ) { - DEBUG(1, ("Client did not provide Kerberos data\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - response.type = SPNEGO_NEG_TOKEN_TARG; - response.negTokenTarg.supportedMech = strdup(OID_KERBEROS5_OLD); - response.negTokenTarg.mechListMIC = data_blob(NULL, 0); - response.negTokenTarg.responseToken = data_blob(NULL, 0); - - status = ads_verify_ticket(lp_realm(), - &request.negTokenInit.mechToken, - &principal, &auth_data, &ap_rep, - &session_key); - - /* Now in "principal" we have the name we are - authenticated as. 
*/ - - if (NT_STATUS_IS_OK(status)) { - - domain = strchr(principal, '@'); - - if (domain == NULL) { - DEBUG(1, ("Did not get a valid principal " - "from ads_verify_ticket\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - *domain++ = '\0'; - domain = strdup(domain); - user = strdup(principal); - - data_blob_free(&ap_rep); - data_blob_free(&auth_data); - - SAFE_FREE(principal); - } - } -#endif - - } else { - - if ( (request.negTokenTarg.supportedMech == NULL) || - ( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) { - /* Kerberos should never send a negTokenTarg, OID_NTLMSSP - is the only one we support that sends this stuff */ - DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n", - request.negTokenTarg.supportedMech)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (request.negTokenTarg.responseToken.data == NULL) { - DEBUG(1, ("Got a negTokenTarg without a responseToken!\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - status = ntlmssp_update(ntlmssp_state, - NULL, - request.negTokenTarg.responseToken, - &response.negTokenTarg.responseToken); - - response.type = SPNEGO_NEG_TOKEN_TARG; - response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); - response.negTokenTarg.mechListMIC = data_blob(NULL, 0); - - if (NT_STATUS_IS_OK(status)) { - user = strdup(ntlmssp_state->user); - domain = strdup(ntlmssp_state->domain); - ntlmssp_end(&ntlmssp_state); - } - } - - free_spnego_data(&request); - - if (NT_STATUS_IS_OK(status)) { - response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; - reply_code = "AF"; - pstr_sprintf(reply_argument, "%s\\%s", domain, user); - } else if (NT_STATUS_EQUAL(status, - NT_STATUS_MORE_PROCESSING_REQUIRED)) { - response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; - reply_code = "TT"; - pstr_sprintf(reply_argument, "*"); + if (strlen(buf) > 3) { + in = base64_decode_data_blob(buf + 3); } else { - response.negTokenTarg.negResult = SPNEGO_REJECT; - reply_code = "NA"; - pstrcpy(reply_argument, 
nt_errstr(status)); - } - - SAFE_FREE(user); - SAFE_FREE(domain); - - len = write_spnego_data(&token, &response); - free_spnego_data(&response); - - if (len == -1) { - DEBUG(1, ("Could not write SPNEGO data blob\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - reply_base64 = base64_encode_data_blob(token); - - x_fprintf(x_stdout, "%s %s %s\n", - reply_code, reply_base64, reply_argument); - - SAFE_FREE(reply_base64); - data_blob_free(&token); - - return; -} - -static struct ntlmssp_state *client_ntlmssp_state = NULL; - -static BOOL manage_client_ntlmssp_init(struct spnego_data spnego) -{ - NTSTATUS status; - DATA_BLOB null_blob = data_blob(NULL, 0); - DATA_BLOB to_server; - char *to_server_base64; - const char *my_mechs[] = {OID_NTLMSSP, NULL}; - - DEBUG(10, ("Got spnego negTokenInit with NTLMSSP\n")); - - if (client_ntlmssp_state != NULL) { - DEBUG(1, ("Request for initial SPNEGO request where " - "we already have a state\n")); - return False; - } - - if (!client_ntlmssp_state) { - if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(status)); - return False; - } - } - - - if (opt_password == NULL) { - - /* Request a password from the calling process. After - sending it, the calling process should retry with - the negTokenInit. 
*/ - - DEBUG(10, ("Requesting password\n")); - x_fprintf(x_stdout, "PW\n"); - return True; - } - - spnego.type = SPNEGO_NEG_TOKEN_INIT; - spnego.negTokenInit.mechTypes = my_mechs; - spnego.negTokenInit.reqFlags = 0; - spnego.negTokenInit.mechListMIC = null_blob; - - status = ntlmssp_update(client_ntlmssp_state, - NULL, - null_blob, - &spnego.negTokenInit.mechToken); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED, got: %s\n", - nt_errstr(status))); - ntlmssp_end(&client_ntlmssp_state); - return False; - } - - write_spnego_data(&to_server, &spnego); - data_blob_free(&spnego.negTokenInit.mechToken); - - to_server_base64 = base64_encode_data_blob(to_server); - data_blob_free(&to_server); - x_fprintf(x_stdout, "KK %s\n", to_server_base64); - SAFE_FREE(to_server_base64); - return True; -} - -static void manage_client_ntlmssp_targ(struct spnego_data spnego) -{ - NTSTATUS status; - DATA_BLOB null_blob = data_blob(NULL, 0); - DATA_BLOB request; - DATA_BLOB to_server; - char *to_server_base64; - - DEBUG(10, ("Got spnego negTokenTarg with NTLMSSP\n")); - - if (client_ntlmssp_state == NULL) { - DEBUG(1, ("Got NTLMSSP tArg without a client state\n")); - x_fprintf(x_stdout, "BH\n"); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) { - x_fprintf(x_stdout, "NA\n"); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - if (spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) { - x_fprintf(x_stdout, "AF\n"); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - status = ntlmssp_update(client_ntlmssp_state, - NULL, - spnego.negTokenTarg.responseToken, - &request); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED from " - "ntlmssp_update, got: %s\n", - nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); - ntlmssp_end(&client_ntlmssp_state); - return; 
- } - - spnego.type = SPNEGO_NEG_TOKEN_TARG; - spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; - spnego.negTokenTarg.supportedMech = OID_NTLMSSP; - spnego.negTokenTarg.responseToken = request; - spnego.negTokenTarg.mechListMIC = null_blob; - - write_spnego_data(&to_server, &spnego); - data_blob_free(&request); - - to_server_base64 = base64_encode_data_blob(to_server); - data_blob_free(&to_server); - x_fprintf(x_stdout, "KK %s\n", to_server_base64); - SAFE_FREE(to_server_base64); - return; -} - -#ifdef HAVE_KRB5 - -static BOOL manage_client_krb5_init(struct spnego_data spnego) -{ - char *principal; - DATA_BLOB tkt, to_server; - DATA_BLOB session_key_krb5 = data_blob(NULL, 0); - struct spnego_data reply; - char *reply_base64; - int retval; - - const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL}; - ssize_t len; - - if ( (spnego.negTokenInit.mechListMIC.data == NULL) || - (spnego.negTokenInit.mechListMIC.length == 0) ) { - DEBUG(1, ("Did not get a principal for krb5\n")); - return False; + in = data_blob(NULL, 0); } - principal = malloc(spnego.negTokenInit.mechListMIC.length+1); - - if (principal == NULL) { - DEBUG(1, ("Could not malloc principal\n")); - return False; - } - - memcpy(principal, spnego.negTokenInit.mechListMIC.data, - spnego.negTokenInit.mechListMIC.length); - principal[spnego.negTokenInit.mechListMIC.length] = '\0'; - - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); - - if (retval) { - - pstring user; - - /* Let's try to first get the TGT, for that we need a - password. 
*/ - - if (opt_password == NULL) { - DEBUG(10, ("Requesting password\n")); - x_fprintf(x_stdout, "PW\n"); - return True; - } - - pstr_sprintf(user, "%s@%s", opt_username, opt_domain); - - if ((retval = kerberos_kinit_password(user, opt_password, - 0, NULL))) { - DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval))); - return False; - } - - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); - - if (retval) { - DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); - return False; - } - } - - data_blob_free(&session_key_krb5); - - ZERO_STRUCT(reply); - - reply.type = SPNEGO_NEG_TOKEN_INIT; - reply.negTokenInit.mechTypes = my_mechs; - reply.negTokenInit.reqFlags = 0; - reply.negTokenInit.mechToken = tkt; - reply.negTokenInit.mechListMIC = data_blob(NULL, 0); - - len = write_spnego_data(&to_server, &reply); - data_blob_free(&tkt); - - if (len == -1) { - DEBUG(1, ("Could not write SPNEGO data blob\n")); - return False; - } - - reply_base64 = base64_encode_data_blob(to_server); - x_fprintf(x_stdout, "KK %s *\n", reply_base64); - - SAFE_FREE(reply_base64); - data_blob_free(&to_server); - DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n")); - return True; -} - -static void manage_client_krb5_targ(struct spnego_data spnego) -{ - switch (spnego.negTokenTarg.negResult) { - case SPNEGO_ACCEPT_INCOMPLETE: - DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n")); - x_fprintf(x_stdout, "BH\n"); - break; - case SPNEGO_ACCEPT_COMPLETED: - DEBUG(10, ("Accept completed\n")); - x_fprintf(x_stdout, "AF\n"); - break; - case SPNEGO_REJECT: - DEBUG(10, ("Rejected\n")); - x_fprintf(x_stdout, "NA\n"); - break; - default: - DEBUG(1, ("Got an invalid negTokenTarg\n")); - x_fprintf(x_stdout, "AF\n"); - } -} - -#endif - -static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) -{ - DATA_BLOB request; - struct spnego_data spnego; - ssize_t len; - - if 
(strlen(buf) <= 3) { - DEBUG(1, ("SPNEGO query [%s] too short\n", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - request = base64_decode_data_blob(buf+3); - if (strncmp(buf, "PW ", 3) == 0) { /* We asked for a password and obviously got it :-) */ - opt_password = strndup((const char *)request.data, request.length); + opt_password = strndup((const char *)in.data, in.length); if (opt_password == NULL) { DEBUG(1, ("Out of memory\n")); x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); + data_blob_free(&in); return; } x_fprintf(x_stdout, "OK\n"); - data_blob_free(&request); + data_blob_free(&in); return; } - - if ( (strncmp(buf, "TT ", 3) != 0) && + if (strncmp(buf, "YR", 2) == 0) { + if (gensec_state.ops) { + gensec_state.ops->end(&gensec_state); + gensec_state.ops = NULL; + } + } else if ( (strncmp(buf, "TT ", 3) != 0) && (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) ) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); + data_blob_free(&in); return; } - /* So we got a server challenge to generate a SPNEGO - client-to-server request... 
*/ - - len = read_spnego_data(request, &spnego); - data_blob_free(&request); - - if (len == -1) { - DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf)); - x_fprintf(x_stdout, "BH\n"); + if (!opt_password) { + x_fprintf(x_stdout, "PW\n"); + data_blob_free(&in); return; } - if (spnego.type == SPNEGO_NEG_TOKEN_INIT) { - - /* The server offers a list of mechanisms */ - - char **mechType = spnego.negTokenInit.mechTypes; - - while (*mechType != NULL) { - -#ifdef HAVE_KRB5 - if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) || - (strcmp(*mechType, OID_KERBEROS5) == 0) ) { - if (manage_client_krb5_init(spnego)) - goto out; - } -#endif - - if (strcmp(*mechType, OID_NTLMSSP) == 0) { - if (manage_client_ntlmssp_init(spnego)) - goto out; - } - - mechType++; + /* setup gensec */ + if (!gensec_state.ops) { + if (stdio_helper_mode == GSS_SPNEGO_CLIENT) { + gensec_state.ops = gensec_security_by_oid(OID_SPNEGO); + } else if (stdio_helper_mode == NTLMSSP_CLIENT_1) { + gensec_state.ops = gensec_security_by_oid(OID_NTLMSSP); + } else { + exit(1); } + gensec_state.user.name = opt_username; + gensec_state.user.domain = opt_domain; + gensec_state.user.password = opt_password; + nt_status = gensec_state.ops->client_start(&gensec_state); - DEBUG(1, ("Server offered no compatible mechanism\n")); - x_fprintf(x_stdout, "BH\n"); - return; + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPENGO login failed to initialise: %s\n", nt_errstr(nt_status))); + x_fprintf(x_stdout, "BH\n"); + return; + } + if (!in.length) { + first = True; + } } + + /* update */ - if (spnego.type == SPNEGO_NEG_TOKEN_TARG) { - - if (spnego.negTokenTarg.supportedMech == NULL) { - /* On accept/reject Windows does not send the - mechanism anymore. Handle that here and - shut down the mechanisms. 
*/ - - switch (spnego.negTokenTarg.negResult) { - case SPNEGO_ACCEPT_COMPLETED: - x_fprintf(x_stdout, "AF\n"); - break; - case SPNEGO_REJECT: - x_fprintf(x_stdout, "NA\n"); - break; - default: - DEBUG(1, ("Got a negTokenTarg with no mech and an " - "unknown negResult: %d\n", - spnego.negTokenTarg.negResult)); - x_fprintf(x_stdout, "BH\n"); - } - - ntlmssp_end(&client_ntlmssp_state); - goto out; - } + nt_status = gensec_state.ops->update(&gensec_state, NULL, in, &out); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - if (strcmp(spnego.negTokenTarg.supportedMech, - OID_NTLMSSP) == 0) { - manage_client_ntlmssp_targ(spnego); - goto out; + out_base64 = base64_encode_data_blob(out); + if (first) { + x_fprintf(x_stdout, "YR %s\n", out_base64); + } else { + x_fprintf(x_stdout, "KK %s\n", out_base64); } + SAFE_FREE(out_base64); -#if HAVE_KRB5 - if (strcmp(spnego.negTokenTarg.supportedMech, - OID_KERBEROS5_OLD) == 0) { - manage_client_krb5_targ(spnego); - goto out; - } -#endif + } else if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPENGO login failed: %s\n", nt_errstr(nt_status))); + x_fprintf(x_stdout, "BH\n"); + } else { + x_fprintf(x_stdout, "AF\n"); } - DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - - out: - free_spnego_data(&spnego); return; } @@ -1428,6 +735,7 @@ enum { { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"}, { "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"}, { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"}, + { "username", 0, POPT_ARG_STRING, &opt_username, OPT_PASSWORD, "Username"}, { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, POPT_COMMON_SAMBA POPT_TABLEEND 
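Review bot: Both blobs of a normal negotiation round are leaked in manage_gensec_client_request: `in` from base64_decode_data_blob is released only on the PW, invalid-request and missing-password branches, and `out`, filled by `gensec_state.ops->update`, is never released after base64_encode_data_blob (the removed NTLMSSP code freed its `reply`). Adding `data_blob_free(&in); data_blob_free(&out);` before the final `return;`, plus `data_blob_free(&in);` on the client_start failure branch, closes both. A second regression is that after the "AF" or "BH" reply the static gensec_state is kept alive, whereas the removed code ended its state on both success and failure, so a following "TT" sent without a fresh "YR" would presumably feed data into a context that has already completed or failed; reusing the YR branch's `gensec_state.ops->end(&gensec_state); gensec_state.ops = NULL;` on those branches restores the old behaviour.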
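Review bot: The new "username" table entry reuses OPT_PASSWORD as its popt val, so the option is indistinguishable from "password" to any `switch (opt)` in main; only the fact that the visible main loop merely tests `opt < -1` keeps this harmless today. A dedicated enumerator (for example an added OPT_USERNAME) would keep the table self-describing: `{ "username", 0, POPT_ARG_STRING, &opt_username, OPT_USERNAME, "Username"},`. The "helper-protocol" entry just above has the same mismatch with OPT_DOMAIN, but that is pre-existing, and the enum defining these values is outside the hunk.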
@@ -1469,6 +777,10 @@ enum { return 1; } + if (opt_domain == NULL) { + opt_domain = lp_workgroup(); + } + if (helper_protocol) { int i; for (i=0; i Date: Tue, 29 Jun 2004 09:40:10 +0000 Subject: r1294: A nice, large, commit... This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec) --- source4/utils/ntlm_auth.c | 416 ++++++++++++++++++++++++---------------------- 1 file changed, 215 insertions(+), 201 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 7690a549f7..1ae9075fba 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -35,6 +35,7 @@ enum stdio_helper_mode {
 SQUID_2_5_NTLMSSP,
 NTLMSSP_CLIENT_1,
 GSS_SPNEGO_CLIENT,
+ GSS_SPNEGO_SERVER,
 NTLM_SERVER_1,
 NUM_HELPER_MODES
 };
@@ -44,19 +45,19 @@ enum stdio_helper_mode {
 
 
 typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
+ char *buf, int length, void **private);
 
 static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
+ char *buf, int length, void **private);
 
-static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
-
-static void manage_gensec_client_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
+static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode,
+ char *buf, int length, void **private);
 
 static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
- char *buf, int length);
+ char *buf, int length, void **private);
+
+static void manage_squid_request(enum stdio_helper_mode helper_mode,
+ stdio_helper_function fn, void *private);
 
 static const struct {
 enum stdio_helper_mode mode;
@@ -65,9 +66,10 @@ static const struct {
 } stdio_helper_protocols[] = {
 { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
 { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
- { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
- { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_client_request},
- { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_client_request},
+ { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_gensec_request},
+ { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_request},
+ { GSS_SPNEGO_SERVER, "gss-spnego-server", manage_gensec_request},
+ { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_request},
 { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
 { NUM_HELPER_MODES, NULL, NULL}
 };
@@ -172,149 +174,8 @@ static NTSTATUS local_pw_check_specified(const char *username, } -static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) -{ - NTSTATUS nt_status; - uint8 lm_pw[16], nt_pw[16]; - uint8_t *lm_pwd, *nt_pwd; - - E_md4hash(opt_password, nt_pw); - if (E_deshash(opt_password, lm_pw)) { - lm_pwd = lm_pw; - } else { - lm_pwd = NULL; - } - nt_pwd = nt_pw; - - nt_status = ntlm_password_check(ntlmssp_state->mem_ctx, - &ntlmssp_state->chal, - &ntlmssp_state->lm_resp, - &ntlmssp_state->nt_resp, - NULL, NULL, - ntlmssp_state->user, - ntlmssp_state->user, - ntlmssp_state->domain, - lm_pwd, nt_pwd, user_session_key, lm_session_key); - - if (NT_STATUS_IS_OK(nt_status)) { - ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, - "%s%c%s", ntlmssp_state->domain, - *lp_winbind_separator(), - ntlmssp_state->user); - } else { - DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", - ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, - nt_errstr(nt_status))); - ntlmssp_state->auth_context = NULL; - } - return nt_status; -} - -static NTSTATUS ntlm_auth_start_ntlmssp_server(struct ntlmssp_state **ntlmssp_state) -{ - NTSTATUS status = ntlmssp_server_start(ntlmssp_state); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not start NTLMSSP client: %s\n", - nt_errstr(status))); - return status; - } - - /* Have we been given a local password, or should we ask winbind? 
*/ - if (opt_password) { - (*ntlmssp_state)->check_password = local_pw_check; - (*ntlmssp_state)->get_domain = lp_workgroup; - (*ntlmssp_state)->get_global_myname = global_myname; - } else { - DEBUG(0, ("Winbind not supported in Samba4 ntlm_auth yet, specify --password\n")); - exit(1); - } - return NT_STATUS_OK; -} - -static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) -{ - static struct ntlmssp_state *ntlmssp_state = NULL; - DATA_BLOB request, reply; - NTSTATUS nt_status; - - if (strlen(buf) < 2) { - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (strlen(buf) > 3) { - request = base64_decode_data_blob(buf + 3); - } else { - request = data_blob(NULL, 0); - } - - if ((strncmp(buf, "PW ", 3) == 0)) { - /* The calling application wants us to use a local password (rather than winbindd) */ - - opt_password = strndup((const char *)request.data, request.length); - - if (opt_password == NULL) { - DEBUG(1, ("Out of memory\n")); - x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); - return; - } - - x_fprintf(x_stdout, "OK\n"); - data_blob_free(&request); - return; - } - - if (strncmp(buf, "YR", 2) == 0) { - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else if (strncmp(buf, "KK", 2) == 0) { - - } else { - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (!ntlmssp_state) { - if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); - return; - } - } - - DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, (const char *)request.data, request.length); - - nt_status = ntlmssp_update(ntlmssp_state, NULL, request, &reply); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - char *reply_base64 = base64_encode_data_blob(reply); - x_fprintf(x_stdout, "TT %s\n", reply_base64); - SAFE_FREE(reply_base64); - 
data_blob_free(&reply); - DEBUG(10, ("NTLMSSP challenge\n")); - } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); - DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status))); - - ntlmssp_end(&ntlmssp_state); - } else if (!NT_STATUS_IS_OK(nt_status)) { - x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); - DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status))); - } else { - x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context); - DEBUG(10, ("NTLMSSP OK!\n")); - } - - data_blob_free(&request); -} - static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) + char *buf, int length, void **private) { char *user, *pass; user=buf; @@ -340,16 +201,14 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, } } -static void manage_gensec_client_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) +/* This is a bit hairy, but the basic idea is to do a password callback + to the calling application. The callback comes from within gensec */ + +static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length, void **private) { DATA_BLOB in; - DATA_BLOB out; - char *out_base64; - static struct gensec_security gensec_state; - NTSTATUS nt_status; - BOOL first = False; - + struct gensec_security **gensec_state = (struct gensec_security **)private; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); 
@@ -364,11 +223,10 @@ static void manage_gensec_client_request(enum stdio_helper_mode stdio_helper_mod if (strncmp(buf, "PW ", 3) == 0) { - /* We asked for a password and obviously got it :-) */ - - opt_password = strndup((const char *)in.data, in.length); + (*gensec_state)->password_callback_private = talloc_strndup((*gensec_state)->mem_ctx, + (const char *)in.data, in.length); - if (opt_password == NULL) { + if ((*gensec_state)->password_callback_private == NULL) { DEBUG(1, ("Out of memory\n")); x_fprintf(x_stdout, "BH\n"); data_blob_free(&in); 
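Review bot: The password delivered on the PW line now exists in two heap copies that are never wiped: the decoded blob `in`, released with plain `data_blob_free(&in)` (on the out-of-memory path here and on the success path just past this hunk), and the talloc_strndup copy in password_callback_private, which is left to ordinary talloc teardown. Since this string is the credential the helper is handling, clearing `in.data` over `in.length` before the blob is freed (a clearing variant of data_blob_free, if this tree provides one, otherwise an explicit wipe the compiler cannot elide) and wiping password_callback_private when the gensec context is ended would bound how long it stays in memory. The enclosing manage_gensec_get_pw_request starts before this hunk.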
@@ -379,39 +237,124 @@ static void manage_gensec_client_request(enum stdio_helper_mode stdio_helper_mod data_blob_free(&in); return; } + DEBUG(1, ("Asked for (and expected) a password\n")); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&in); +} + +/* + * Callback for gensec, to ask the calling application for a password. Uses the above function + * for the stdio part of this. + */ + +static NTSTATUS get_password(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, + char **password) +{ + *password = NULL; + + /* Ask for a password */ + x_fprintf(x_stdout, "PW\n"); + gensec_security->password_callback_private = NULL; + + manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, &gensec_security); + *password = (char *)gensec_security->password_callback_private; + if (*password) { + return NT_STATUS_OK; + } else { + return NT_STATUS_INVALID_PARAMETER; + } +} + +static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length, void **private) +{ + DATA_BLOB in; + DATA_BLOB out = data_blob(NULL, 0); + char *out_base64 = NULL; + const char *reply_arg = NULL; + struct gensec_security **gensec_state = (struct gensec_security **)private; + NTSTATUS nt_status; + BOOL first = False; + const char *reply_code; + + if (strlen(buf) < 2) { + DEBUG(1, ("query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } + + if (strlen(buf) > 3) { + in = base64_decode_data_blob(buf + 3); + } else { + in = data_blob(NULL, 0); + } + if (strncmp(buf, "YR", 2) == 0) { - if (gensec_state.ops) { - gensec_state.ops->end(&gensec_state); - gensec_state.ops = NULL; + if (gensec_state && *gensec_state) { + gensec_end(gensec_state); + *gensec_state = NULL; } + } else if ( (strncmp(buf, "OK", 2) == 0)) { + /* do nothing */ + data_blob_free(&in); + return; } else if ( (strncmp(buf, "TT ", 3) != 0) && - (strncmp(buf, "AF ", 3) != 0) && - (strncmp(buf, "NA ", 3) != 0) ) { + (strncmp(buf, "KK ", 3) != 0) && + (strncmp(buf, 
"AF ", 3) != 0) && + (strncmp(buf, "NA ", 3) != 0) && + (strncmp(buf, "PW ", 3) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); x_fprintf(x_stdout, "BH\n"); data_blob_free(&in); return; } - if (!opt_password) { - x_fprintf(x_stdout, "PW\n"); - data_blob_free(&in); - return; - } - /* setup gensec */ - if (!gensec_state.ops) { - if (stdio_helper_mode == GSS_SPNEGO_CLIENT) { - gensec_state.ops = gensec_security_by_oid(OID_SPNEGO); - } else if (stdio_helper_mode == NTLMSSP_CLIENT_1) { - gensec_state.ops = gensec_security_by_oid(OID_NTLMSSP); - } else { - exit(1); + if (!(gensec_state && *gensec_state)) { + switch (stdio_helper_mode) { + case GSS_SPNEGO_CLIENT: + case NTLMSSP_CLIENT_1: + /* setup the client side */ + + if (!NT_STATUS_IS_OK(gensec_client_start(gensec_state))) { + exit(1); + } + gensec_set_username(*gensec_state, opt_username); + gensec_set_domain(*gensec_state, opt_domain); + if (opt_password) { + if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, opt_password))) { + DEBUG(1, ("Out of memory\n")); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&in); + return; + } + } else { + gensec_set_password_callback(*gensec_state, get_password, NULL); + } + + break; + case GSS_SPNEGO_SERVER: + case SQUID_2_5_NTLMSSP: + if (!NT_STATUS_IS_OK(gensec_server_start(gensec_state))) { + exit(1); + } + break; + default: + abort(); + } + + switch (stdio_helper_mode) { + case GSS_SPNEGO_CLIENT: + case GSS_SPNEGO_SERVER: + nt_status = gensec_start_mech_by_oid(*gensec_state, OID_SPNEGO); + break; + case NTLMSSP_CLIENT_1: + case SQUID_2_5_NTLMSSP: + nt_status = gensec_start_mech_by_oid(*gensec_state, OID_NTLMSSP); + break; + default: + abort(); } - gensec_state.user.name = opt_username; - gensec_state.user.domain = opt_domain; - gensec_state.user.password = opt_password; - nt_status = gensec_state.ops->client_start(&gensec_state); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("SPENGO login failed to initialise: %s\n", nt_errstr(nt_status))); 
@@ -423,33 +366,104 @@ static void manage_gensec_client_request(enum stdio_helper_mode stdio_helper_mod } } + if (strncmp(buf, "PW ", 3) == 0) { + + if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, + talloc_strndup((*gensec_state)->mem_ctx, + (const char *)in.data, + in.length)))) { + DEBUG(1, ("Out of memory\n")); + x_fprintf(x_stdout, "BH\n"); + data_blob_free(&in); + return; + } + + x_fprintf(x_stdout, "OK\n"); + data_blob_free(&in); + return; + } + /* update */ - nt_status = gensec_state.ops->update(&gensec_state, NULL, in, &out); + nt_status = gensec_update(*gensec_state, NULL, in, &out); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + /* don't leak 'bad password'/'no such user' info to the network client */ + nt_status = nt_status_squash(nt_status); + if (out.length) { out_base64 = base64_encode_data_blob(out); + } else { + out_base64 = NULL; + } + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + reply_arg = "*"; if (first) { - x_fprintf(x_stdout, "YR %s\n", out_base64); - } else { - x_fprintf(x_stdout, "KK %s\n", out_base64); + reply_code = "YR"; + } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) { + reply_code = "KK"; + } else if ((*gensec_state)->gensec_role == GENSEC_SERVER) { + reply_code = "TT"; + } else { + abort(); } - SAFE_FREE(out_base64); + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { + reply_code = "BH"; + reply_arg = nt_errstr(nt_status); + DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) { + reply_code = "BH"; + reply_arg = nt_errstr(nt_status); + DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); } else if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("SPENGO login failed: %s\n", nt_errstr(nt_status))); - x_fprintf(x_stdout, "BH\n"); + reply_code = "NA"; + reply_arg = nt_errstr(nt_status); + DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); + } else if /* OK 
*/ ((*gensec_state)->gensec_role == GENSEC_SERVER) { + struct auth_session_info *session_info; + + nt_status = gensec_session_info(*gensec_state, &session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + reply_code = "BH"; + reply_arg = nt_errstr(nt_status); + DEBUG(1, ("GENSEC failed to retreive the session info: %s\n", nt_errstr(nt_status))); + } else { + + reply_code = "AF"; + reply_arg = talloc_asprintf((*gensec_state)->mem_ctx, + "%s%s%s", session_info->server_info->domain, + lp_winbind_separator(), session_info->server_info->account_name); + talloc_destroy(session_info->mem_ctx); + } + } else if ((*gensec_state)->gensec_role == GENSEC_SERVER) { + reply_code = "AF"; + reply_arg = NULL; } else { - x_fprintf(x_stdout, "AF\n"); + abort(); } + switch (stdio_helper_mode) { + case GSS_SPNEGO_SERVER: + if (out_base64) { + x_fprintf(x_stdout, "%s %s %s\n", reply_code, out_base64, reply_arg); + } else { + x_fprintf(x_stdout, "%s %s\n", reply_code, reply_arg); + } + default: + if (out_base64) { + x_fprintf(x_stdout, "%s %s\n", reply_code, out_base64); + } else { + x_fprintf(x_stdout, "%s %s\n", reply_code, reply_arg); + } + } + + SAFE_FREE(out_base64); return; } static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) + char *buf, int length, void **private) { char *request, *parameter; static DATA_BLOB challenge; @@ -643,7 +657,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } } -static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn) +static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn, void *private) { char buf[SQUID_BUFFER_SIZE+1]; int length; 
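Review bot: In the `PW ` branch the result of `talloc_strndup((*gensec_state)->mem_ctx, ...)` is passed straight into `gensec_set_password` without a NULL check, so on allocation failure the outcome depends on how gensec_set_password treats a NULL password (not visible here) rather than on the explicit `Out of memory`/`BH` path this block intends; `char *pw = talloc_strndup(...); if (!pw || !NT_STATUS_IS_OK(gensec_set_password(*gensec_state, pw))) {` makes that path certain. The `NT_STATUS_ACCESS_DENIED` and `NT_STATUS_UNSUCCESSFUL` branches are byte-identical and could be one `||` condition. The `reply_arg` built with `talloc_asprintf` in the server `AF` case is never released in this function, so it stays attached to the gensec state until that state is ended. manage_gensec_request starts outside this hunk.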
@@ -684,16 +698,16 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helpe return; } - fn(helper_mode, buf, length); + fn(helper_mode, buf, length, private); } - static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) { /* initialize FDescs */ x_setbuf(x_stdout, NULL); x_setbuf(x_stderr, NULL); + void *private = NULL; while(1) { - manage_squid_request(stdio_mode, fn); + manage_squid_request(stdio_mode, fn, &private); } } -- cgit From fb667783ac59959ac37f1ae8b6b29c32addc5e1b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 30 Jun 2004 02:05:26 +0000 Subject: r1305: Grrr, fix my build breakage... Declare variables at the start of a block. Andrew Bartlett (This used to be commit 9f5394703e81db9ed93648e06e48b0364a04a696) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 1ae9075fba..1685f8387f 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -702,10 +702,10 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helpe } static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) { + void *private = NULL; /* initialize FDescs */ x_setbuf(x_stdout, NULL); x_setbuf(x_stderr, NULL); - void *private = NULL; while(1) { manage_squid_request(stdio_mode, fn, &private); } -- cgit From 66ac77dd124c0a3a65ef3ef835015433366d3e44 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 Jul 2004 02:56:26 +0000 Subject: r1356: Fix logic bugs in ntlm_auth. Andrew Bartlett (This used to be commit 871e98ce5771bc96527f7ad4da07a7d6c1ae1c3c) --- source4/utils/ntlm_auth.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 1685f8387f..ad804eda3c 100644 --- a/source4/utils/ntlm_auth.c 
+++ b/source4/utils/ntlm_auth.c @@ -436,7 +436,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, lp_winbind_separator(), session_info->server_info->account_name); talloc_destroy(session_info->mem_ctx); } - } else if ((*gensec_state)->gensec_role == GENSEC_SERVER) { + } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) { reply_code = "AF"; reply_arg = NULL; } else { @@ -447,14 +447,18 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case GSS_SPNEGO_SERVER: if (out_base64) { x_fprintf(x_stdout, "%s %s %s\n", reply_code, out_base64, reply_arg); - } else { + } else if (reply_arg) { x_fprintf(x_stdout, "%s %s\n", reply_code, reply_arg); + } else { + x_fprintf(x_stdout, "%s\n", reply_code); } default: if (out_base64) { x_fprintf(x_stdout, "%s %s\n", reply_code, out_base64); - } else { + } else if (reply_arg) { x_fprintf(x_stdout, "%s %s\n", reply_code, reply_arg); + } else { + x_fprintf(x_stdout, "%s\n", reply_code); } } -- cgit From 94fb514376e7cb1c3ba4f89e10289350052d1294 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 3 Aug 2004 05:47:24 +0000 Subject: r1630: - fixed the replacement timegm() function to work correctly for DST changes - got rid of global_myname(), using lp_netbios_name() instead (This used to be commit e8d4b390884e487163d81f66a5a7ac1de1305d9a) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index ad804eda3c..1c0b454718 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -533,7 +533,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod if (!NT_STATUS_IS_OK( local_pw_check_specified(username, domain, - global_myname(), + lp_netbios_name(), &challenge, &lm_response, &nt_response, -- cgit From 3318a6e2c67670cd86c12cfcec4c2578087744dd Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 23 Sep 2004 00:01:16 +0000 Subject: r2546: Remove another strupper_m() that we don't need. Andrew Bartlett (This used to be commit 5c5b45c1a870693c6201a09b508109b121ddc030) --- source4/utils/ntlm_auth.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 1c0b454718..c6e09cf711 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -98,7 +98,6 @@ static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain, fstrcpy(user, p+1); fstrcpy(domain, domuser); domain[PTR_DIFF(p, domuser)] = 0; - strupper_m(domain); return True; } -- cgit From bfd924725ee77a37270fed351b30fc9fdbeab443 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 25 Sep 2004 02:54:56 +0000 Subject: r2611: Try to make Samba4's ntlm_auth more consistant with Samba 3.0. Andrew Bartlett (This used to be commit 8f4dab5d44480b40fc14afc70172861c229ba77d) --- source4/utils/ntlm_auth.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index c6e09cf711..d986922cb9 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -68,7 +68,7 @@ static const struct { { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request}, { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_gensec_request}, { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_request}, - { GSS_SPNEGO_SERVER, "gss-spnego-server", manage_gensec_request}, + { GSS_SPNEGO_SERVER, "gss-spnego", manage_gensec_request}, { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_request}, { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request}, { NUM_HELPER_MODES, NULL, NULL} 
@@ -444,13 +444,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, switch (stdio_helper_mode) { case GSS_SPNEGO_SERVER: - if (out_base64) { - x_fprintf(x_stdout, "%s %s %s\n", reply_code, out_base64, reply_arg); - } else if (reply_arg) { - x_fprintf(x_stdout, "%s %s\n", reply_code, reply_arg); - } else { - x_fprintf(x_stdout, "%s\n", reply_code); - } + x_fprintf(x_stdout, "%s %s %s\n", reply_code, + out_base64 ? out_base64 : "*", + reply_arg ? reply_arg : "*"); + default: if (out_base64) { x_fprintf(x_stdout, "%s %s\n", reply_code, out_base64); -- cgit From cf938f14a20f0a5f9db1afbd51f7aa4fb7c26be8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 25 Sep 2004 03:39:35 +0000 Subject: r2612: Ensure ntlm_auth always logs to stderr. Add missing break; Andrew Bartlett (This used to be commit cdb8261775a3100e1b95b485d91ba1f94c879905) --- source4/utils/ntlm_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index d986922cb9..ec5f5c6abd 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -447,7 +447,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, x_fprintf(x_stdout, "%s %s %s\n", reply_code, out_base64 ? out_base64 : "*", reply_arg ? reply_arg : "*"); - + break; default: if (out_base64) { x_fprintf(x_stdout, "%s %s\n", reply_code, out_base64); @@ -757,7 +757,7 @@ enum { /* Samba client initialisation */ - setup_logging("ntlm_auth", DEBUG_STDOUT); + setup_logging("ntlm_auth", DEBUG_STDERR); if (!lp_load(dyn_CONFIGFILE, True, False, False)) { d_fprintf(stderr, "wbinfo: error opening config file %s. Error was %s\n", -- cgit From c5f4378361b9671e39fa83b043f28c972ab30b70 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Sat, 25 Sep 2004 12:08:57 +0000 Subject: r2629: convert gensec to the new talloc model by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d) --- source4/utils/ntlm_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index ec5f5c6abd..d1e2b80fcf 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -315,7 +315,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case NTLMSSP_CLIENT_1: /* setup the client side */ - if (!NT_STATUS_IS_OK(gensec_client_start(gensec_state))) { + if (!NT_STATUS_IS_OK(gensec_client_start(NULL, gensec_state))) { exit(1); } gensec_set_username(*gensec_state, opt_username); @@ -334,7 +334,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - if (!NT_STATUS_IS_OK(gensec_server_start(gensec_state))) { + if (!NT_STATUS_IS_OK(gensec_server_start(NULL, gensec_state))) { exit(1); } break; -- cgit From a2f3527d96a15aeac6ad41bcbd4935405da992c7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 25 Sep 2004 12:30:10 +0000 Subject: r2630: I missed a couple of places in the gensec talloc conversion (This used to be commit 7124949140141513193f41bb8491aa6a283efed7) --- source4/utils/ntlm_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index d1e2b80fcf..576996502d 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
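Review bot: Both `gensec_client_start(NULL, gensec_state)` and `gensec_server_start(NULL, gensec_state)` pass a NULL talloc parent, so the gensec state becomes a top-level allocation whose release depends entirely on the explicit `gensec_end` reached through the `YR` path. A session the peer abandons without sending `YR` therefore stays allocated for the life of the helper process, as far as the visible code shows. Parenting the state to a context that is freed with the stream would make that cleanup structural rather than protocol-driven. The enclosing switch lies partly outside these two hunks.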
@@ -222,7 +222,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod if (strncmp(buf, "PW ", 3) == 0) { - (*gensec_state)->password_callback_private = talloc_strndup((*gensec_state)->mem_ctx, + (*gensec_state)->password_callback_private = talloc_strndup((*gensec_state), (const char *)in.data, in.length); if ((*gensec_state)->password_callback_private == NULL) { @@ -368,7 +368,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (strncmp(buf, "PW ", 3) == 0) { if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, - talloc_strndup((*gensec_state)->mem_ctx, + talloc_strndup((*gensec_state), (const char *)in.data, in.length)))) { DEBUG(1, ("Out of memory\n")); @@ -430,7 +430,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } else { reply_code = "AF"; - reply_arg = talloc_asprintf((*gensec_state)->mem_ctx, + reply_arg = talloc_asprintf(*gensec_state, "%s%s%s", session_info->server_info->domain, lp_winbind_separator(), session_info->server_info->account_name); talloc_destroy(session_info->mem_ctx); -- cgit From 6bea5bea4ccd4eb45b9cd4dd1e16538b14e2180e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Sep 2004 01:43:05 +0000 Subject: r2643: convert more of the auth subsyystem to the new talloc methods. This also fixes a memory leak found with --leak-check. (This used to be commit f19201ea274f0a542314c61c4af676197bf154ad) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 576996502d..e83aa76cf4 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -433,7 +433,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_arg = talloc_asprintf(*gensec_state, "%s%s%s", session_info->server_info->domain, lp_winbind_separator(), session_info->server_info->account_name); - talloc_destroy(session_info->mem_ctx); + talloc_free(session_info); } } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) { reply_code = "AF"; -- cgit From edbfc0f6e70150e321822365bf0eead2821551bd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 02:57:18 +0000 Subject: r3453: - split out the auth and popt includes - tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64) --- source4/utils/ntlm_auth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index e83aa76cf4..060e590d15 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -23,6 +23,8 @@ */ #include "includes.h" +#include "lib/cmdline/popt_common.h" +#include "auth/auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -- cgit From 6148deca663f7b6504b044120b166d6c9ae28750 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 03:13:06 +0000 Subject: r3454: moved a few more things out if includes.h into the include/system/ include files. this brings us down to about 11k lines of headers included with includes.h, while still retaining the speed of building with pch (This used to be commit 10188869ef072309ca580b8b933e172571fcdda7) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 060e590d15..787977abce 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -23,6 +23,7 @@ */ #include "includes.h" +#include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" -- cgit From 3643fb11092e28a9538ef32cedce8ff21ad86a28 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 06:42:15 +0000 Subject: r3463: separated out some more headers (asn_1.h, messages.h, dlinklist.h and ioctl.h) (This used to be commit b97e395c814762024336c1cf4d7c25be8da5813a) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 787977abce..14f8e46b21 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -26,6 +26,7 @@ #include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" +#include "asn_1.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -- cgit From 6f214cc510a59b7a65ee9d4486baf14a3e579f73 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 3 Nov 2004 00:17:12 +0000 Subject: r3494: got rid of include/rewrite.h, and split out the dynconfig.h header (This used to be commit 558de54ec6432a4ae90aa14a585f32c6cd03ced2) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 14f8e46b21..b038ad9879 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -23,6 +23,7 @@ */ #include "includes.h" +#include "dynconfig.h" #include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" -- cgit From c772c754001a62cd86581cfd634b925e491f44f9 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Fri, 5 Nov 2004 04:26:48 +0000 Subject: r3541: Add support (to be verified with the squid team) for the Squid 3.0 multiplexed helper system. This system prefixes every request with a number, and we maintian a state machine for each of these integers. This means that we can have multiple outstanding challenges, without the overhead of a whole ntlm_auth process. In future, the actual password check will also be async. Andrew Bartlett (This used to be commit 9ea34abce384214e35b1b2c5f405c5f91f27d195) --- source4/utils/ntlm_auth.c | 197 +++++++++++++++++++++++++++++++--------------- 1 file changed, 135 insertions(+), 62 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index b038ad9879..feaae17abb 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -50,19 +50,23 @@ enum stdio_helper_mode { typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private); + char *buf, int length, void **private, + unsigned int mux_id); static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private); + char *buf, int length, void **private, + unsigned int mux_id); static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private); + char *buf, int length, void **private, + unsigned int mux_id); static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private); + char *buf, int length, void **private, + unsigned int mux_id); static void manage_squid_request(enum stdio_helper_mode helper_mode, - stdio_helper_function fn, void *private); + stdio_helper_function fn); static const struct { enum stdio_helper_mode mode; 
@@ -85,13 +89,31 @@ const char *opt_username; const char *opt_domain; const char *opt_workstation; const char *opt_password; +int opt_multiplex; + + +static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3); + +static void mux_printf(unsigned int mux_id, const char *format, ...) +{ + va_list ap; + + if (opt_multiplex) { + x_fprintf(x_stdout, "%d ", mux_id); + } + + va_start(ap, format); + x_vfprintf(x_stdout, format, ap); + va_end(ap); +} + /* Copy of parse_domain_user from winbindd_util.c. Parse a string of the form DOMAIN/user into a domain and a user */ static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain, - fstring user) + fstring user) { char *p = strchr(domuser,*lp_winbind_separator()); @@ -179,7 +201,8 @@ static NTSTATUS local_pw_check_specified(const char *username, } static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private) + char *buf, int length, void **private, + unsigned int mux_id) { char *user, *pass; user=buf; @@ -187,7 +210,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, pass=memchr(buf,' ',length); if (!pass) { DEBUG(2, ("Password not found. Denying access\n")); - x_fprintf(x_stdout, "ERR\n"); + mux_printf(mux_id, "ERR\n"); return; } *pass='\0'; @@ -199,9 +222,9 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, } if (check_plaintext_auth(user, pass, False)) { - x_fprintf(x_stdout, "OK\n"); + mux_printf(mux_id, "OK\n"); } else { - x_fprintf(x_stdout, "ERR\n"); + mux_printf(mux_id, "ERR\n"); } } 
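Review bot: `mux_printf` prints `mux_id`, declared `unsigned int`, with the `"%d "` specifier; the conversion should match the type, `x_fprintf(x_stdout, "%u ", mux_id);`, since a mismatched specifier is undefined behaviour even where the bit patterns happen to coincide, and the PRINTF_ATTRIBUTE on the prototype checks callers' format strings, not this internal call. A one-line comment on the prototype would also help readers of the later hunks, e.g. `/* Write one reply line, prefixed with the request's mux id when opt_multiplex is set. */`.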
@@ -209,13 +232,14 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, to the calling application. The callback comes from within gensec */ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private) + char *buf, int length, void **private, + unsigned int mux_id) { DATA_BLOB in; struct gensec_security **gensec_state = (struct gensec_security **)private; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); return; } @@ -232,17 +256,17 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod if ((*gensec_state)->password_callback_private == NULL) { DEBUG(1, ("Out of memory\n")); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; } - x_fprintf(x_stdout, "OK\n"); + mux_printf(mux_id, "OK\n"); data_blob_free(&in); return; } DEBUG(1, ("Asked for (and expected) a password\n")); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); data_blob_free(&in); } @@ -251,16 +275,17 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod * for the stdio part of this. */ -static NTSTATUS get_password(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, +static NTSTATUS get_password(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, char **password) { *password = NULL; /* Ask for a password */ - x_fprintf(x_stdout, "PW\n"); + mux_printf((unsigned int)gensec_security->password_callback_private, "PW\n"); gensec_security->password_callback_private = NULL; - manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, &gensec_security); + manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request); *password = (char *)gensec_security->password_callback_private; if (*password) { return NT_STATUS_OK; 
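Review bot: `mux_printf((unsigned int)gensec_security->password_callback_private, "PW\n")` converts a pointer to `unsigned int`, which truncates on LP64 targets and draws a compiler warning; together with the `(void*)mux_id` passed to `gensec_set_password_callback` in the hunk on the following line, the single `password_callback_private` field now carries the mux id in and the talloc'd password out. Because the field is set to NULL before the nested read, any second invocation of the callback would announce `PW` under mux id 0. A dedicated field for the id, converted through `uintptr_t` if it must travel in a `void *`, would separate the two uses. The nested `manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request)` also consumes whatever line arrives next, which in multiplexed mode may belong to a different mux id; whether the dispatch inside manage_squid_request guards against that is outside this hunk.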
@@ -270,7 +295,8 @@ static NTSTATUS get_password(struct gensec_security *gensec_security, TALLOC_CTX } static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private) + char *buf, int length, void **private, + unsigned int mux_id) { DATA_BLOB in; DATA_BLOB out = data_blob(NULL, 0); @@ -283,7 +309,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); return; } @@ -308,7 +334,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, (strncmp(buf, "NA ", 3) != 0) && (strncmp(buf, "PW ", 3) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; } @@ -328,12 +354,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (opt_password) { if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, opt_password))) { DEBUG(1, ("Out of memory\n")); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; } } else { - gensec_set_password_callback(*gensec_state, get_password, NULL); + gensec_set_password_callback(*gensec_state, get_password, (void*)mux_id); } break; @@ -351,8 +377,14 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case GSS_SPNEGO_CLIENT: case GSS_SPNEGO_SERVER: nt_status = gensec_start_mech_by_oid(*gensec_state, OID_SPNEGO); + if (!in.length) { + first = True; + } break; case NTLMSSP_CLIENT_1: + if (!in.length) { + first = True; + } case SQUID_2_5_NTLMSSP: nt_status = gensec_start_mech_by_oid(*gensec_state, OID_NTLMSSP); break; 
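Review bot: In the mechanism switch, `case NTLMSSP_CLIENT_1:` now sets `first` and then drops into `case SQUID_2_5_NTLMSSP:` without a `break`; the fallthrough looks intended, since both cases start the NTLMSSP mechanism, but it is unmarked and sits beside two cases that do `break`. A `/* fall through: client and server both start NTLMSSP */` after the closing brace of the `if` documents the intent and keeps fallthrough warnings quiet. The enclosing switch and function start outside this hunk.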
@@ -362,12 +394,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("SPENGO login failed to initialise: %s\n", nt_errstr(nt_status))); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); return; } - if (!in.length) { - first = True; - } } if (strncmp(buf, "PW ", 3) == 0) { @@ -377,12 +406,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, (const char *)in.data, in.length)))) { DEBUG(1, ("Out of memory\n")); - x_fprintf(x_stdout, "BH\n"); + mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; } - x_fprintf(x_stdout, "OK\n"); + mux_printf(mux_id, "OK\n"); data_blob_free(&in); return; } @@ -449,17 +478,17 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, switch (stdio_helper_mode) { case GSS_SPNEGO_SERVER: - x_fprintf(x_stdout, "%s %s %s\n", reply_code, + mux_printf(mux_id, "%s %s %s\n", reply_code, out_base64 ? out_base64 : "*", reply_arg ? reply_arg : "*"); break; default: if (out_base64) { - x_fprintf(x_stdout, "%s %s\n", reply_code, out_base64); + mux_printf(mux_id, "%s %s\n", reply_code, out_base64); } else if (reply_arg) { - x_fprintf(x_stdout, "%s %s\n", reply_code, reply_arg); + mux_printf(mux_id, "%s %s\n", reply_code, reply_arg); } else { - x_fprintf(x_stdout, "%s\n", reply_code); + mux_printf(mux_id, "%s\n", reply_code); } } @@ -468,7 +497,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length, void **private) + char *buf, int length, void **private, + unsigned int mux_id) { char *request, *parameter; static DATA_BLOB challenge; 
@@ -483,24 +513,24 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod if (strequal(buf, ".")) { if (!full_username && !username) { - x_fprintf(x_stdout, "Error: No username supplied!\n"); + mux_printf(mux_id, "Error: No username supplied!\n"); } else if (plaintext_password) { /* handle this request as plaintext */ if (!full_username) { if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(), username) == -1) { - x_fprintf(x_stdout, "Error: Out of memory in asprintf!\n.\n"); + mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n"); return; } } if (check_plaintext_auth(full_username, plaintext_password, False)) { - x_fprintf(x_stdout, "Authenticated: Yes\n"); + mux_printf(mux_id, "Authenticated: Yes\n"); } else { - x_fprintf(x_stdout, "Authenticated: No\n"); + mux_printf(mux_id, "Authenticated: No\n"); } } else if (!lm_response.data && !nt_response.data) { - x_fprintf(x_stdout, "Error: No password supplied!\n"); + mux_printf(mux_id, "Error: No password supplied!\n"); } else if (!challenge.data) { - x_fprintf(x_stdout, "Error: No lanman-challenge supplied!\n"); + mux_printf(mux_id, "Error: No lanman-challenge supplied!\n"); } else { char *error_string = NULL; DATA_BLOB lm_key; @@ -513,7 +543,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) { /* username might be 'tainted', don't print into our new-line deleimianted stream */ - x_fprintf(x_stdout, "Error: Could not parse into domain and username\n"); + mux_printf(mux_id, "Error: Could not parse into domain and username\n"); } SAFE_FREE(username); SAFE_FREE(domain); 
@@ -544,15 +574,15 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod &error_string, NULL))) { - x_fprintf(x_stdout, "Authenticated: No\n"); - x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string); + mux_printf(mux_id, "Authenticated: No\n"); + mux_printf(mux_id, "Authentication-Error: %s\n.\n", error_string); SAFE_FREE(error_string); } else { static char zeros[16]; char *hex_lm_key; char *hex_user_session_key; - x_fprintf(x_stdout, "Authenticated: Yes\n"); + mux_printf(mux_id, "Authenticated: Yes\n"); if (ntlm_server_1_lm_session_key && lm_key.length @@ -561,7 +591,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod hex_encode(lm_key.data, lm_key.length, &hex_lm_key); - x_fprintf(x_stdout, "LANMAN-Session-Key: %s\n", hex_lm_key); + mux_printf(mux_id, "LANMAN-Session-Key: %s\n", hex_lm_key); SAFE_FREE(hex_lm_key); } @@ -572,7 +602,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod hex_encode(user_session_key.data, user_session_key.length, &hex_user_session_key); - x_fprintf(x_stdout, "User-Session-Key: %s\n", hex_user_session_key); + mux_printf(mux_id, "User-Session-Key: %s\n", hex_user_session_key); SAFE_FREE(hex_user_session_key); } } @@ -587,7 +617,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod SAFE_FREE(plaintext_password); ntlm_server_1_user_session_key = False; ntlm_server_1_lm_session_key = False; - x_fprintf(x_stdout, ".\n"); + mux_printf(mux_id, ".\n"); return; } @@ -601,7 +631,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod if (!parameter) { DEBUG(0, ("Parameter not found!\n")); - x_fprintf(x_stdout, "Error: Parameter not found!\n.\n"); + mux_printf(mux_id, "Error: Parameter not found!\n.\n"); return; } 
@@ -624,7 +654,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod if (strequal(request, "LANMAN-Challenge")) { challenge = strhex_to_data_blob(parameter); if (challenge.length != 8) { - x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", + mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n", parameter, (int)challenge.length); challenge = data_blob(NULL, 0); @@ -632,7 +662,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } else if (strequal(request, "NT-Response")) { nt_response = strhex_to_data_blob(parameter); if (nt_response.length < 24) { - x_fprintf(x_stdout, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", + mux_printf(mux_id, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n", parameter, (int)nt_response.length); nt_response = data_blob(NULL, 0); @@ -640,7 +670,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } else if (strequal(request, "LANMAN-Response")) { lm_response = strhex_to_data_blob(parameter); if (lm_response.length != 24) { - x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", + mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n", parameter, (int)lm_response.length); lm_response = data_blob(NULL, 0); 
@@ -658,16 +688,26 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } else if (strequal(request, "Request-LanMan-Session-Key")) { ntlm_server_1_lm_session_key = strequal(parameter, "Yes"); } else { - x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request); + mux_printf(mux_id, "Error: Unknown request %s\n.\n", request); } } -static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn, void *private) +static void manage_squid_request(enum stdio_helper_mode helper_mode, + stdio_helper_function fn) { char buf[SQUID_BUFFER_SIZE+1]; + unsigned int mux_id; int length; char *c; static BOOL err; + struct mux_private { + unsigned int max_mux; + void **private_pointers; + }; + + static struct mux_private *mux_private; + static void *normal_private; + void **private; /* this is not a typo - x_fgets doesn't work too well under squid */ if (fgets(buf, sizeof(buf)-1, stdin) == NULL) { @@ -689,8 +729,8 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helpe return; } if (err) { - DEBUG(2, ("Oversized message\n")); - x_fprintf(x_stderr, "ERR\n"); + DEBUG(0, ("Oversized message\n")); + x_fprintf(x_stdout, "ERR\n"); err = 0; return; } 
@@ -698,21 +738,52 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helpe DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length)); if (buf[0] == '\0') { - DEBUG(2, ("Invalid Request\n")); - x_fprintf(x_stderr, "ERR\n"); + DEBUG(0, ("Invalid Request (empty)\n")); + x_fprintf(x_stdout, "ERR\n"); return; } + + if (opt_multiplex) { + if (sscanf(buf, "%u ", &mux_id) != 1) { + DEBUG(0, ("Invalid Request - no multiplex id\n")); + x_fprintf(x_stdout, "ERR\n"); + return; + } + if (!mux_private) { + mux_private = talloc_p(NULL, struct mux_private); + mux_private->max_mux = 0; + mux_private->private_pointers = NULL; + } + + c=memchr(buf,' ',sizeof(buf)-1); + c++; + if (mux_id >= mux_private->max_mux) { + unsigned int prev_max = mux_private->max_mux; + mux_private->max_mux = mux_id + 1; + mux_private->private_pointers + = talloc_realloc_p(mux_private, + mux_private->private_pointers, + void *, mux_private->max_mux); + memset(&mux_private->private_pointers[prev_max], '\0', + (sizeof(*mux_private->private_pointers) * (mux_private->max_mux - prev_max))); + }; + + private = &mux_private->private_pointers[mux_id]; + } else { + c = buf; + private = &normal_private; + } - fn(helper_mode, buf, length, private); + fn(helper_mode, c, length, private, mux_id); } -static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) { - void *private = NULL; +static void squid_stream(enum stdio_helper_mode stdio_mode, + stdio_helper_function fn) { /* initialize FDescs */ x_setbuf(x_stdout, NULL); x_setbuf(x_stderr, NULL); while(1) { - manage_squid_request(stdio_mode, fn, &private); + manage_squid_request(stdio_mode, fn); } } @@ -731,7 +802,8 @@ enum { OPT_LM_KEY, OPT_USER_SESSION_KEY, OPT_DIAGNOSTICS, - OPT_REQUIRE_MEMBERSHIP + OPT_REQUIRE_MEMBERSHIP, + OPT_MULTIPLEX, }; int main(int argc, const char **argv) 
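Review bot: In the `opt_multiplex` branch `mux_id` comes straight off the input line via `sscanf(buf, "%u ", &mux_id)` and is then used unbounded as both an allocation size and an array index (`mux_private->max_mux = mux_id + 1;` followed by `talloc_realloc_p(..., void *, mux_private->max_mux)` and `&mux_private->private_pointers[mux_id]`), so a single line such as `4294967295 ...` wraps `max_mux` to 0 and any large id forces an allocation of that many pointers; the realloc result is also never checked before the `memset` and the index. Reject out-of-range ids before growing the table, e.g. `if (mux_id >= MAX_MUX_ID) { DEBUG(0, ("Invalid Request - multiplex id too large\n")); x_fprintf(x_stdout, "ERR\n"); return; }` with a new constant (placeholder name) sized for the number of concurrent squid connections, and treat a NULL from `talloc_realloc_p` the same way. In the non-multiplex `else` branch `mux_id` is never assigned, yet `fn(helper_mode, c, length, private, mux_id)` reads it, which is undefined behaviour; declare it as `unsigned int mux_id = 0;`. Note also that `c=memchr(buf,' ',sizeof(buf)-1); c++;` advances a NULL result when the line has no space (a later commit on this page switches to `strchr` with a check), and that `length` still describes the whole buffer although `c` now points past the id prefix.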
@@ -756,6 +828,7 @@ enum { { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"}, { "username", 0, POPT_ARG_STRING, &opt_username, OPT_PASSWORD, "Username"}, { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, + { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"}, POPT_COMMON_SAMBA POPT_TABLEEND }; -- cgit From ac29f519363d994052e4f6ec44c7bae40cd0d9a9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 6 Nov 2004 01:20:28 +0000 Subject: r3570: Export the user's group list from ntlm_auth, via a new command 'UG' (user groups). The form of this is not final, but is this should be a discussion point with the squid team. Andrew Bartlett (This used to be commit cbb0c67d06f75c2d8841a95ba8837124160ffd49) --- source4/utils/ntlm_auth.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index feaae17abb..8d7f750af6 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -332,6 +332,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, (strncmp(buf, "KK ", 3) != 0) && (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) && + (strncmp(buf, "UG", 2) != 0) && (strncmp(buf, "PW ", 3) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); mux_printf(mux_id, "BH\n"); @@ -405,8 +406,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, talloc_strndup((*gensec_state), (const char *)in.data, in.length)))) { - DEBUG(1, ("Out of memory\n")); - mux_printf(mux_id, "BH\n"); + DEBUG(1, ("gensec_set_password failed: %s\n", nt_errstr(nt_status))); + mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); data_blob_free(&in); return; } 
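Review bot: In the `@@ -405,8 +406,8` hunk the new `DEBUG` and `BH %s` lines report `nt_errstr(nt_status)`, but the failing call is evaluated inside the `if (!NT_STATUS_IS_OK(gensec_set_password(...)))` condition and its result is never stored, so `nt_status` still holds the mech-start status that was already OK to reach this point and the client is told `BH NT_STATUS_OK` instead of the real error. Assign first: `nt_status = gensec_set_password(*gensec_state, talloc_strndup(*gensec_state, (const char *)in.data, in.length)); if (!NT_STATUS_IS_OK(nt_status)) {`. The same pattern recurs in this commit's `UG` hunk (`@@ -416,6 +417,33`), where `gensec_session_info()`'s status is likewise discarded before `nt_errstr(nt_status)` is printed.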
@@ -416,6 +417,33 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } + if (strncmp(buf, "UG", 2) == 0) { + int i; + char *grouplist = NULL; + struct auth_session_info *session_info; + + if (!NT_STATUS_IS_OK(gensec_session_info(*gensec_state, &session_info))) { + DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status))); + mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); + data_blob_free(&in); + return; + } + + /* get the string onto the context */ + grouplist = talloc_strdup(session_info, ""); + + for (i=0; i< session_info->nt_user_token->num_sids; i++) { + grouplist = talloc_asprintf_append(grouplist, "%s,", + dom_sid_string(session_info, + session_info->nt_user_token->user_sids[i])); + } + + mux_printf(mux_id, "GL %s\n", grouplist); + free_session_info(&session_info); + data_blob_free(&in); + return; + } + /* update */ nt_status = gensec_update(*gensec_state, NULL, in, &out); -- cgit From 71db46ea665606384f2be1be708c74c97c9adfb2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Nov 2004 23:23:15 +0000 Subject: r3586: Fix some of the issues with the module init functions. Both subsystems and modules can now have init functions, which can be specified in .mk files (INIT_FUNCTION = ...) The build system will define : - SUBSYSTEM_init_static_modules that calls the init functions of all statically compiled modules. Failing to load will generate an error which is not fatal - BINARY_init_subsystems that calls the init functions (if defined) for the subsystems the binary depends on This removes the hack with the "static bool Initialised = " and the "lazy_init" functions (This used to be commit 7a8244761bfdfdfb48f8264d76951ebdfbf7bd8a) --- source4/utils/ntlm_auth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 8d7f750af6..5cc02ffbb2 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
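Review bot: The `UG` branch never checks the allocations it makes: `talloc_strdup(session_info, "")`, each `talloc_asprintf_append(...)` and each `dom_sid_string(...)` can return NULL, and a NULL `grouplist` is then handed to `mux_printf(mux_id, "GL %s\n", grouplist)` (a NULL SID string likewise reaches the `%s` inside the loop), so an allocation failure becomes a NULL format argument rather than a `BH` reply. Check after the loop, e.g. `if (!grouplist) { mux_printf(mux_id, "BH\n"); talloc_free(session_info); data_blob_free(&in); return; }`, and skip or bail on a NULL from `dom_sid_string`. It is not visible in this hunk whether `*gensec_state` is guaranteed non-NULL when `UG` arrives before any `YR`/`KK` exchange; if it is not, `gensec_session_info(*gensec_state, &session_info)` needs the same guard the other commands presumably have. The output also ends every entry with a comma (`"%s,"`), which the commit message says is provisional; a comment saying so next to the loop would stop it being copied as a format contract.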
@@ -861,6 +861,8 @@ enum { POPT_TABLEEND }; + ntlm_auth_init_subsystems; + /* Samba client initialisation */ setup_logging("ntlm_auth", DEBUG_STDERR); -- cgit From 4815480bb6ed44081076bac5471267609f7668cf Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 9 Nov 2004 09:26:47 +0000 Subject: r3633: - moved module init functions to after smb.conf and command line parsing, so that module init can take account of lp_ parms (thats why gensec:krb5=no wasn't working) - added a BASE-DISCONNECT torture test that tests server response to clients disconnecting with open lock and open requests pending (This used to be commit 5205f598b8c0be6985e61cc842cc5da109ba5b7e) --- source4/utils/ntlm_auth.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 5cc02ffbb2..23586b1db5 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -861,8 +861,6 @@ enum { POPT_TABLEEND }; - ntlm_auth_init_subsystems; - /* Samba client initialisation */ setup_logging("ntlm_auth", DEBUG_STDERR); @@ -899,6 +897,9 @@ enum { return 1; } + ntlm_auth_init_subsystems; + + if (opt_domain == NULL) { opt_domain = lp_workgroup(); } -- cgit From f99c93ec57691a393b4ae5ba57176b98f33efc17 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 5 Dec 2004 16:29:27 +0000 Subject: r4070: move some defines from asn_1.h to the places they belong to metze (This used to be commit ab2c2f27e1c61516e885f02bf26350f97209057a) --- source4/utils/ntlm_auth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 23586b1db5..448559e350 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -27,7 +27,6 @@ #include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" -#include "asn_1.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND @@ -377,7 +376,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: case GSS_SPNEGO_SERVER: - nt_status = gensec_start_mech_by_oid(*gensec_state, OID_SPNEGO); + nt_status = gensec_start_mech_by_oid(*gensec_state, GENSEC_OID_SPNEGO); if (!in.length) { first = True; } @@ -387,7 +386,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, first = True; } case SQUID_2_5_NTLMSSP: - nt_status = gensec_start_mech_by_oid(*gensec_state, OID_NTLMSSP); + nt_status = gensec_start_mech_by_oid(*gensec_state, GENSEC_OID_NTLMSSP); break; default: abort(); -- cgit From 6ca874f71ad77c82d6e161a3e4772100de2ad6c5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 11 Dec 2004 05:41:19 +0000 Subject: r4147: converted from NT_USER_TOKEN to struct security_token this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a) --- source4/utils/ntlm_auth.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 448559e350..c99dcb1b7a 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -431,10 +431,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, /* get the string onto the context */ grouplist = talloc_strdup(session_info, ""); - for (i=0; i< session_info->nt_user_token->num_sids; i++) { - grouplist = talloc_asprintf_append(grouplist, "%s,", - dom_sid_string(session_info, - session_info->nt_user_token->user_sids[i])); + for (i=0; isecurity_token->num_sids; i++) { + struct security_token *token = session_info->security_token; + const char *sidstr = dom_sid_string(session_info, + token->sids[i]); + grouplist = talloc_asprintf_append(grouplist, "%s,", sidstr); } mux_printf(mux_id, "GL %s\n", grouplist); -- cgit From 0f1444b77232d59aaa025fa44e5b88c4aabaf877 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 24 Dec 2004 23:02:39 +0000 Subject: r4358: At metze's request, the Christmas elves have removed gensec_end in favor of talloc_free(). Andrew Bartlett (This used to be commit 1933cd12fbaed56e13f2386b19de6ade99bf9478) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index c99dcb1b7a..f741999ac9 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -320,7 +320,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (strncmp(buf, "YR", 2) == 0) { if (gensec_state && *gensec_state) { - gensec_end(gensec_state); + talloc_free(*gensec_state); *gensec_state = NULL; } } else if ( (strncmp(buf, "OK", 2) == 0)) { -- cgit From b5b1c52a9850de18e756cdd073cf5f44f26882fe Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 30 Dec 2004 20:34:20 +0000 Subject: r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') 
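Review bot: The new loop header is shown here as `for (i=0; isecurity_token->num_sids; i++)`, which cannot be valid C; the text between `i` and `security_token` (presumably `< session_info->`) looks to have been dropped by the page rendering rather than by the commit, so the committed line is most likely `for (i=0; i < session_info->security_token->num_sids; i++) {` and should be confirmed against the repository before relying on this view. As a point of style, `struct security_token *token = session_info->security_token;` is re-evaluated on every iteration although it does not change; hoisting it above the loop and using `token->num_sids` in the condition reads more clearly.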
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index f741999ac9..569e1e7cb8 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -27,6 +27,7 @@ #include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" +#include "libcli/security/security.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -- cgit From 46a32687da249174a666d9166fccbe705c8beba0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 9 Jan 2005 12:55:25 +0000 Subject: r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847) --- source4/utils/ntlm_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 569e1e7cb8..804c8d3c17 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -440,7 +440,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } mux_printf(mux_id, "GL %s\n", grouplist); - free_session_info(&session_info); + talloc_free(session_info); data_blob_free(&in); return; } @@ -450,7 +450,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, nt_status = gensec_update(*gensec_state, NULL, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ - nt_status = nt_status_squash(nt_status); + nt_status = auth_nt_status_squash(nt_status); if (out.length) { out_base64 = base64_encode_data_blob(out); 
@@ -494,7 +494,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_code = "AF"; reply_arg = talloc_asprintf(*gensec_state, - "%s%s%s", session_info->server_info->domain, + "%s%s%s", session_info->server_info->domain_name, lp_winbind_separator(), session_info->server_info->account_name); talloc_free(session_info); } -- cgit From 759da3b915e2006d4c87b5ace47f399accd9ce91 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 27 Jan 2005 07:08:20 +0000 Subject: r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0) --- source4/utils/ntlm_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 804c8d3c17..b5e3f3b3ea 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -190,7 +190,7 @@ static NTSTATUS local_pw_check_specified(const char *username, domain, username, workstation, nt_errstr(nt_status))); } - talloc_destroy(mem_ctx); + talloc_free(mem_ctx); } if (error_string) { *error_string = strdup(nt_errstr(nt_status)); @@ -779,7 +779,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, return; } if (!mux_private) { - mux_private = talloc_p(NULL, struct mux_private); + mux_private = talloc(NULL, struct mux_private); mux_private->max_mux = 0; mux_private->private_pointers = NULL; } @@ -790,7 +790,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, unsigned int prev_max = mux_private->max_mux; mux_private->max_mux = mux_id + 1; mux_private->private_pointers - = talloc_realloc_p(mux_private, + = talloc_realloc(mux_private, mux_private->private_pointers, void *, mux_private->max_mux); memset(&mux_private->private_pointers[prev_max], '\0', -- cgit 
From e82aad1ce39a6b7a2e51b9e2cb494d74ec70e158 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 05:09:35 +0000 Subject: r5298: - got rid of pstring.h from includes.h. This at least makes it a bit less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f) --- source4/utils/ntlm_auth.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index b5e3f3b3ea..3c46b0ca70 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -25,6 +25,7 @@ #include "includes.h" #include "dynconfig.h" #include "system/passwd.h" +#include "system/filesys.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "libcli/security/security.h" @@ -145,7 +146,7 @@ static NTSTATUS local_pw_check_specified(const char *username, const DATA_BLOB *challenge, const DATA_BLOB *lm_response, const DATA_BLOB *nt_response, - uint32 flags, + uint32_t flags, DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key, char **error_string, @@ -564,7 +565,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod char *error_string = NULL; DATA_BLOB lm_key; DATA_BLOB user_session_key; - uint32 flags = 0; + uint32_t flags = 0; if (full_username && !username) { fstring fstr_user; -- cgit From 8674eaa5cc9b1ddeb65f05527a5b539f15e4afcb Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Thu, 10 Feb 2005 05:22:53 +0000 Subject: r5300: more uint32 and system/filesys.h build fixes when developer mode is enabled (This used to be commit 93931b1a741a3722c311ada80c4c9d3d670f91b2) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 3c46b0ca70..b527504046 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -24,8 +24,8 @@ #include "includes.h" #include "dynconfig.h" -#include "system/passwd.h" #include "system/filesys.h" +#include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "libcli/security/security.h" -- cgit From df643022136a4b229aca817f5b57f7302a97f852 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sat, 19 Mar 2005 08:34:43 +0000 Subject: r5902: A rather large change... I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') 
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index b527504046..81c7f90c9b 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -395,7 +395,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 }
 if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("SPENGO login failed to initialise: %s\n", nt_errstr(nt_status)));
+ DEBUG(1, ("SPNEGO login failed to initialise: %s\n", nt_errstr(nt_status)));
 mux_printf(mux_id, "BH\n");
 return;
 }
-- cgit From 2eb3d680625286431a3a60e37b75f47e0738f253 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 24 Mar 2005 04:14:06 +0000 Subject: r6028: A MAJOR update to intergrate the new credentails system fully with GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. 
The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66) --- source4/utils/ntlm_auth.c | 108 +++++++++++++++++++++++----------------------- 1 file changed, 54 insertions(+), 54 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 81c7f90c9b..3bc479e061 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -52,22 +52,22 @@ enum stdio_helper_mode { typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id); + unsigned int mux_id, void **private2); static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id); + unsigned int mux_id, void **private2); static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id); + unsigned int mux_id, void **private2); static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id); + unsigned int mux_id, void **private2); static void manage_squid_request(enum stdio_helper_mode helper_mode, - stdio_helper_function fn); + stdio_helper_function fn, void **private2); static const struct { enum stdio_helper_mode mode; @@ -203,7 +203,7 @@ static NTSTATUS local_pw_check_specified(const char *username, static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id) + unsigned int mux_id, void **private2) { char *user, *pass; user=buf; 
@@ -234,10 +234,9 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id) + unsigned int mux_id, void **password) { DATA_BLOB in; - struct gensec_security **gensec_state = (struct gensec_security **)private; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); mux_printf(mux_id, "BH\n"); @@ -252,10 +251,10 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod if (strncmp(buf, "PW ", 3) == 0) { - (*gensec_state)->password_callback_private = talloc_strndup((*gensec_state), - (const char *)in.data, in.length); + *password = talloc_strndup(*private /* hopefully the right gensec context, useful to use for talloc */, + (const char *)in.data, in.length); - if ((*gensec_state)->password_callback_private == NULL) { + if (*password == NULL) { DEBUG(1, ("Out of memory\n")); mux_printf(mux_id, "BH\n"); data_blob_free(&in); 
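Review bot: In the `@@ -252,10 +251,10` hunk the received password is allocated with `talloc_strndup(*private /* hopefully the right gensec context... */, ...)`, and the comment itself admits the context is a guess: `*private` is whatever pointer `manage_squid_request` resolved for this mux id, which is NULL when no gensec state exists yet, and talloc then makes the plaintext password a top-level allocation that nothing in this file frees. Since the string is secret material, tie its lifetime explicitly to the object that consumes it — for example allocate it on a context the caller passes in through `private2` next to `password`, or have `get_password`, the only caller visible on this page, move it with `talloc_steal` onto the credentials it returns to — and replace the comment with a statement of which context is expected. The enclosing function starts before this hunk, so its other error paths were not reviewed here.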
@@ -271,33 +270,27 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod data_blob_free(&in); } -/* - * Callback for gensec, to ask the calling application for a password. Uses the above function - * for the stdio part of this. +/** + * Callback for password credentails. This is not async, and when + * GENSEC and the credentails code is made async, it will look rather + * different. */ -static NTSTATUS get_password(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - char **password) +static const char *get_password(struct cli_credentials *credentials) { - *password = NULL; + char *password = NULL; /* Ask for a password */ - mux_printf((unsigned int)gensec_security->password_callback_private, "PW\n"); - gensec_security->password_callback_private = NULL; + mux_printf((unsigned int)credentials->priv_data, "PW\n"); + credentials->priv_data = NULL; - manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request); - *password = (char *)gensec_security->password_callback_private; - if (*password) { - return NT_STATUS_OK; - } else { - return NT_STATUS_INVALID_PARAMETER; - } + manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password); + return password; } static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id) + unsigned int mux_id, void **private2) { DATA_BLOB in; DATA_BLOB out = data_blob(NULL, 0); @@ -307,6 +300,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, NTSTATUS nt_status; BOOL first = False; const char *reply_code; + struct cli_credentials *creds; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); 
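Review bot: `get_password` sets `credentials->priv_data = NULL;` immediately after printing the `PW` prompt, so if the credentials layer invokes `password_cb` a second time on the same `struct cli_credentials` the prompt is emitted as `mux_printf(0, "PW\n")`, which in multiplex mode goes to whichever client owns id 0; this is inferred, as the hunk does not show how often the callback can fire. Unless a one-shot prompt is intended, leave `priv_data` in place or carry the mux id in a dedicated field rather than through a `void *` (the `(unsigned int)credentials->priv_data` cast also truncates on 64-bit targets and draws a warning). The `(void **)&password` argument passes a `char *` object to a function that writes through `void **`; a local `void *pw = NULL;` passed as `&pw` and cast on return keeps the types honest.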
@@ -351,19 +345,25 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!NT_STATUS_IS_OK(gensec_client_start(NULL, gensec_state))) { exit(1); } - gensec_set_username(*gensec_state, opt_username); - gensec_set_domain(*gensec_state, opt_domain); + + creds = cli_credentials_init(*gensec_state); + cli_credentials_set_conf(creds); + if (opt_username) { + cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); + } + if (opt_domain) { + cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED); + } if (opt_password) { - if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, opt_password))) { - DEBUG(1, ("Out of memory\n")); - mux_printf(mux_id, "BH\n"); - data_blob_free(&in); - return; - } + cli_credentials_set_password(creds, opt_password, CRED_SPECIFIED); } else { - gensec_set_password_callback(*gensec_state, get_password, (void*)mux_id); + creds->password_obtained = CRED_CALLBACK; + creds->password_cb = get_password; + creds->priv_data = (void*)mux_id; } - + + gensec_set_credentials(*gensec_state, creds); + break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: @@ -395,7 +395,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("SPNEGO login failed to initialise: %s\n", nt_errstr(nt_status))); + DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH\n"); return; } 
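Review bot: The new client-credentials setup ignores every status it gets back: `cli_credentials_init(*gensec_state)` is not checked for NULL before `cli_credentials_set_conf(creds)` dereferences it, and whatever `cli_credentials_set_*` and `gensec_set_credentials(*gensec_state, creds)` return is dropped, whereas the code this replaces answered `BH` when `gensec_set_password` failed. At minimum guard the allocation: `creds = cli_credentials_init(*gensec_state); if (!creds) { mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; }`. Writing `creds->password_obtained`, `creds->password_cb` and `creds->priv_data` directly also bypasses any setter the credentials API provides for callbacks, so a later change to that struct will break this path silently; if a setter exists it belongs here, and if not a comment should say these three fields are the callback contract.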
@@ -403,16 +403,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (strncmp(buf, "PW ", 3) == 0) { - if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, - talloc_strndup((*gensec_state), - (const char *)in.data, - in.length)))) { - DEBUG(1, ("gensec_set_password failed: %s\n", nt_errstr(nt_status))); - mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); - data_blob_free(&in); - return; - } - + cli_credentials_set_password((*gensec_state)->credentials, + talloc_strndup((*gensec_state), + (const char *)in.data, + in.length), + CRED_SPECIFIED); mux_printf(mux_id, "OK\n"); data_blob_free(&in); return; @@ -528,7 +523,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, - unsigned int mux_id) + unsigned int mux_id, void **private2) { char *request, *parameter; static DATA_BLOB challenge; @@ -723,7 +718,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } static void manage_squid_request(enum stdio_helper_mode helper_mode, - stdio_helper_function fn) + stdio_helper_function fn, void **private2) { char buf[SQUID_BUFFER_SIZE+1]; unsigned int mux_id; @@ -785,7 +780,12 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, mux_private->private_pointers = NULL; } - c=memchr(buf,' ',sizeof(buf)-1); + c=strchr(buf,' '); + if (!c) { + DEBUG(0, ("Invalid Request - no data after multiplex id\n")); + x_fprintf(x_stdout, "ERR\n"); + return; + } c++; if (mux_id >= mux_private->max_mux) { unsigned int prev_max = mux_private->max_mux; @@ -804,7 +804,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, private = &normal_private; } - fn(helper_mode, c, length, private, mux_id); + fn(helper_mode, c, length, private, mux_id, private2); } static void squid_stream(enum stdio_helper_mode stdio_mode, 
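Review bot: The PW branch now passes the result of talloc_strndup straight into cli_credentials_set_password and replies `OK` regardless, so an allocation failure would silently install a NULL password and still acknowledge the command; the code it replaces, although it logged the wrong status variable, at least refused with `BH`. A guard such as `char *pw = talloc_strndup(*gensec_state, (const char *)in.data, in.length); if (!pw) { mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; }` keeps the acknowledgement honest. Reaching into `(*gensec_state)->credentials` directly also bypasses the gensec accessor that a later commit on this page switches to (gensec_get_credentials). The enclosing function continues outside this hunk.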
@@ -813,7 +813,7 @@ static void squid_stream(enum stdio_helper_mode stdio_mode, x_setbuf(x_stdout, NULL); x_setbuf(x_stderr, NULL); while(1) { - manage_squid_request(stdio_mode, fn); + manage_squid_request(stdio_mode, fn, NULL); } } -- cgit From 5b18cf22680c76abb1262a6b75a30b8a37899467 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 15 May 2005 20:16:26 +0000 Subject: r6795: Make some functions static and remove some unused ones. (This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22) --- source4/utils/ntlm_auth.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 3bc479e061..4c7286a4c1 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -86,11 +86,11 @@ static const struct { extern int winbindd_fd; -const char *opt_username; -const char *opt_domain; -const char *opt_workstation; -const char *opt_password; -int opt_multiplex; +static const char *opt_username; +static const char *opt_domain; +static const char *opt_workstation; +static const char *opt_password; +static int opt_multiplex; static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3); -- cgit From 2b4791ae733488845b2c36bca64db695203de571 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 13 Jun 2005 08:12:39 +0000 Subject: r7525: Unify lp_load(), load_interfaces and logging setup into popt(). There is now a new --debug-stderr option to enable debug to STDERR. popt isn't perfect, but the callbacks are used in all the main Samba binaries, and should be used in the rest. This avoids duplicated code, and ensures every binary is setup correctly. This also ensures the setup happens early enough to have -s function, and have a correct impact on the credentials code. (Fixing a bug that frustrated tridge earlier today). The only 'subtle' aspect of all this is that I'm pretty sure that the SAMBA_COMMON popt code must be above the CREDENTIALS code, in the popt tables. Andrew Bartlett (This used to be commit 50f3c2b3a22971f40e0d3a88127b5120bfc47591) --- source4/utils/ntlm_auth.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 4c7286a4c1..8e858e2970 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -865,13 +865,7 @@ enum { /* Samba client initialisation */ - setup_logging("ntlm_auth", DEBUG_STDERR); - - if (!lp_load(dyn_CONFIGFILE, True, False, False)) { - d_fprintf(stderr, "wbinfo: error opening config file %s. Error was %s\n", - dyn_CONFIGFILE, strerror(errno)); - exit(1); - } + setup_logging(NULL, DEBUG_STDERR); /* Parse options */ -- cgit From af237084ecd4f9928c6c282b9c5c73598d5c73d6 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Thu, 16 Jun 2005 11:36:09 +0000 Subject: r7633: this patch started as an attempt to make the dcerpc code use a given event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9) --- source4/utils/ntlm_auth.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 8e858e2970..3a94d82c0c 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -341,8 +341,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case GSS_SPNEGO_CLIENT: case NTLMSSP_CLIENT_1: /* setup the client side */ - - if (!NT_STATUS_IS_OK(gensec_client_start(NULL, gensec_state))) { + + nt_status = gensec_client_start(NULL, gensec_state, NULL); + if (!NT_STATUS_IS_OK(nt_status)) { exit(1); } @@ -367,7 +368,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - if (!NT_STATUS_IS_OK(gensec_server_start(NULL, gensec_state))) { + if (!NT_STATUS_IS_OK(gensec_server_start(NULL, gensec_state, NULL))) { exit(1); } break; -- cgit From 56cc32800036472ebc29362d65e422c0b410e3fc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 19 Jun 2005 01:31:27 +0000 Subject: r7740: get rid of our duplicate base64 routines (This used to be commit cf17f90a83cf04815544c5408eb56d00546b3e88) --- source4/utils/ntlm_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 3a94d82c0c..fe857f3bc8 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -244,7 +244,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod } if (strlen(buf) > 3) { - in = base64_decode_data_blob(buf + 3); + in = base64_decode_data_blob(NULL, buf + 3); } else { in = data_blob(NULL, 0); } @@ -309,7 +309,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } if (strlen(buf) > 3) { - in = base64_decode_data_blob(buf + 3); + in = base64_decode_data_blob(NULL, buf + 3); } else { in = data_blob(NULL, 0); } 
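Review bot: gensec_client_start's status is now captured in nt_status, but the failure path still calls `exit(1)` without reporting it, so a misconfigured helper dies with no diagnostic; `DEBUG(0, ("gensec_client_start failed: %s\n", nt_errstr(nt_status)));` before the exit makes the failure visible in the log. The server-side start in the second hunk (`gensec_server_start(NULL, gensec_state, NULL)`) has the same silent exit and does not keep the status at all. Both calls pass a NULL event context; whether ntlm_auth should supply one is not covered by the commit message. manage_gensec_request extends beyond both hunks.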
@@ -450,7 +450,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, nt_status = auth_nt_status_squash(nt_status); if (out.length) { - out_base64 = base64_encode_data_blob(out); + out_base64 = base64_encode_data_blob(NULL, out); } else { out_base64 = NULL; } -- cgit From 4d28d20a02da7b2174e7f3f819565c55be681262 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 22 Jul 2005 04:30:11 +0000 Subject: r8702: fixed ntlm_auth build. Andrew, can you check I got this right? (This used to be commit 3c12b46e320412e4746fced7e2898f892e815118) --- source4/utils/ntlm_auth.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index fe857f3bc8..809f155174 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -153,27 +153,26 @@ static NTSTATUS local_pw_check_specified(const char *username, char **unix_name) { NTSTATUS nt_status; - uint8_t lm_pw[16], nt_pw[16]; - uint8_t *lm_pwd, *nt_pwd; + struct samr_Password lm_pw, nt_pw; + struct samr_Password *lm_pwd, *nt_pwd; TALLOC_CTX *mem_ctx = talloc_init("local_pw_check_specified"); if (!mem_ctx) { nt_status = NT_STATUS_NO_MEMORY; } else { - E_md4hash(opt_password, nt_pw); - if (E_deshash(opt_password, lm_pw)) { - lm_pwd = lm_pw; + E_md4hash(opt_password, nt_pw.hash); + if (E_deshash(opt_password, lm_pw.hash)) { + lm_pwd = &lm_pw; } else { lm_pwd = NULL; } - nt_pwd = nt_pw; + nt_pwd = &nt_pw; nt_status = ntlm_password_check(mem_ctx, challenge, lm_response, nt_response, - NULL, NULL, username, username, domain, -- cgit From 46a41994c9a0f62c19b6319813ff50126f2b214a Mon Sep 17 00:00:00 2001 
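Review bot: out_base64 is now allocated by base64_encode_data_blob on a NULL talloc context, but the tail of manage_gensec_request at this revision still releases it with `SAFE_FREE(out_base64)` (visible as the removed line in the r8901 hunk further down this page), so a talloc pointer is handed to free(); the r8901 commit titled "Fix ntlm_auth segfault (invalid free())" is the consequence. The allocator change here should have been paired with `talloc_free(out_base64)` in place of the SAFE_FREE, or better with a context the function owns, as that later commit does. The function's tail lies outside this hunk.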
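Review bot: The new `struct samr_Password lm_pw, nt_pw` locals hold password-equivalent hashes derived from opt_password and are left on the stack when local_pw_check_specified returns; the byte arrays they replace had the same property, and the commit does not address it. Clearing them once ntlm_password_check has returned (`ZERO_STRUCT(lm_pw); ZERO_STRUCT(nt_pw);` on the exit path) limits how long the hashes stay resident, bearing in mind that a plain memset immediately before return may be elided by the optimiser. The hunk also drops two arguments (`NULL, NULL,`) from the ntlm_password_check call, and the commit message itself asks for a check that the call is right; the rest of the argument list and the function's exit path are outside this hunk.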
From: Andrew Bartlett Date: Mon, 1 Aug 2005 22:04:25 +0000 Subject: r8901: Fix ntlm_auth segfault (invalid free()). We have moved to talloc here. Andrew Bartlett (This used to be commit b341bd4487f81a48de2e479e85d90f64c7f071e0) --- source4/utils/ntlm_auth.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 809f155174..1431f7f415 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -300,6 +300,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, BOOL first = False; const char *reply_code; struct cli_credentials *creds; + + TALLOC_CTX *mem_ctx; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); @@ -413,6 +415,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } + /* update */ + mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx"); + if (strncmp(buf, "UG", 2) == 0) { int i; char *grouplist = NULL; @@ -426,7 +431,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } /* get the string onto the context */ - grouplist = talloc_strdup(session_info, ""); + grouplist = talloc_strdup(mem_ctx, ""); for (i=0; isecurity_token->num_sids; i++) { struct security_token *token = session_info->security_token; 
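Review bot: mem_ctx is now allocated with talloc_named just before the UG branch, but the UG branch's early return when gensec_session_info fails (between this hunk and the next) still returns without releasing it, so every failed UG query leaks the context; the r9772 hunk further down this page adds the missing `talloc_free(mem_ctx);` on that path. The talloc_named result is also not checked, so on allocation failure the following `talloc_strdup(mem_ctx, "")` would run with a NULL parent. manage_gensec_request continues outside this hunk.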
@@ -438,21 +443,21 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, mux_printf(mux_id, "GL %s\n", grouplist); talloc_free(session_info); data_blob_free(&in); + talloc_free(mem_ctx); return; } - /* update */ - - nt_status = gensec_update(*gensec_state, NULL, in, &out); + nt_status = gensec_update(*gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ nt_status = auth_nt_status_squash(nt_status); if (out.length) { - out_base64 = base64_encode_data_blob(NULL, out); + out_base64 = base64_encode_data_blob(mem_ctx, out); } else { out_base64 = NULL; } + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { reply_arg = "*"; if (first) { @@ -517,7 +522,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } } - SAFE_FREE(out_base64); + talloc_free(mem_ctx); return; } -- cgit From 3be75a4c6d4b9d86f1b85c75fb2f41c6c0eeec94 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 11 Aug 2005 13:12:45 +0000 Subject: r9240: - move struct security_token to the idl file, with this we can the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 1431f7f415..61d6ff3b85 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -28,7 +28,7 @@ #include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" -#include "libcli/security/security.h" +#include "librpc/gen_ndr/ndr_security.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -- cgit From 878e139f09e6e2f87de35341f4340119959469e5 Mon Sep 17 00:00:00 2001 
From: Tim Potter Date: Wed, 17 Aug 2005 12:51:07 +0000 Subject: r9357: Remove DBGC_CLASS cruft copied over from Samba 3. I would like to replace this with something funkier. (This used to be commit 8d376d56c78894b9bbd27ed7fa70da415c0cd038) --- source4/utils/ntlm_auth.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 61d6ff3b85..35520756e7 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -30,9 +30,6 @@ #include "auth/auth.h" #include "librpc/gen_ndr/ndr_security.h" -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - #define SQUID_BUFFER_SIZE 2010 enum stdio_helper_mode { -- cgit From bfe1ea62446594885a027d13fc9caa29b17793ad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 18 Aug 2005 22:36:12 +0000 Subject: r9396: ntlm_auth updates, including again support for the NTLMSSP client mode, and specification of the workstation. Andrew Bartlett (This used to be commit 8f53d995c63b718b40fb52ec102fa74f94719b65) --- source4/utils/ntlm_auth.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 35520756e7..7e1ca011e4 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -349,7 +349,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, cli_credentials_set_conf(creds); if (opt_username) { cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); - } + } else { + cli_credentials_set_username(creds, "", CRED_GUESSED); + } if (opt_domain) { cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED); } 
@@ -360,6 +362,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, creds->password_cb = get_password; creds->priv_data = (void*)mux_id; } + if (opt_workstation) { + cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); + } gensec_set_credentials(*gensec_state, creds); @@ -498,7 +503,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) { reply_code = "AF"; - reply_arg = NULL; + reply_arg = out_base64; } else { abort(); } @@ -862,6 +867,7 @@ enum { { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"}, POPT_COMMON_SAMBA + POPT_COMMON_VERSION POPT_TABLEEND }; -- cgit From 24186a80eb4887b5fb3e72e4b877b456cbe8e35f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Aug 2005 04:30:22 +0000 Subject: r9728: A *major* update to the credentials system, to incorporate the Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315) --- source4/utils/ntlm_auth.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 7e1ca011e4..b10d4af6ce 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -349,8 +349,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, cli_credentials_set_conf(creds); if (opt_username) { cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); - } else { - cli_credentials_set_username(creds, "", CRED_GUESSED); } if (opt_domain) { cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED); -- cgit From 6f9b901fa0db18faae603db67d8d31e229d92c27 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Aug 2005 01:19:41 +0000 Subject: r9772: Make credentials callbacks more consistant with the abstraction function interface used in the credentials code. Fix bug in ntlm_auth, where we would overwrite the PW specified as a first input. (Reported and chased by Kai Blin , bug #3040) Andrew Bartlett (This used to be commit 04af95bd31de39ad6aff349a4838dd77cb300034) --- source4/utils/ntlm_auth.c | 113 +++++++++++++++++++++++++++------------------- 1 file changed, 67 insertions(+), 46 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index b10d4af6ce..fe29cff021 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -292,13 +292,32 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, DATA_BLOB out = data_blob(NULL, 0); char *out_base64 = NULL; const char *reply_arg = NULL; - struct gensec_security **gensec_state = (struct gensec_security **)private; + struct gensec_ntlm_state { + struct gensec_security *gensec_state; + const char *set_password; + }; + struct gensec_ntlm_state *state; + NTSTATUS nt_status; BOOL first = False; const char *reply_code; struct cli_credentials *creds; TALLOC_CTX *mem_ctx; + + if (*private) { + state = *private; + } else { + state = talloc_zero(NULL, struct gensec_ntlm_state); + if (!state) { + mux_printf(mux_id, "BH No Memory\n"); + exit(1); + } + *private = state; + if (opt_password) { + state->set_password = opt_password; + } + } if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); @@ -313,9 +332,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } if (strncmp(buf, "YR", 2) == 0) { - if (gensec_state && *gensec_state) { - talloc_free(*gensec_state); - *gensec_state = NULL; + if (state->gensec_state) { + talloc_free(state->gensec_state); + state->gensec_state = NULL; } } else if ( (strncmp(buf, "OK", 2) == 0)) { /* do nothing */ 
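Review bot: `struct gensec_ntlm_state` is declared inside the body of manage_gensec_request, which hides the per-mux-id state type from the rest of the file and from anyone inspecting the `void **private` slots it is stored in; moving it to file scope with a short comment, `/* per-mux-id state: the GENSEC context and the password supplied via PW or --password */`, is the usual shape. The new allocation path calls `exit(1)` from inside a request handler after writing `BH No Memory`, which matches the other fatal paths in this function but deserves a comment, since it tears down every multiplexed session at once. The function continues outside this hunk.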
@@ -334,42 +353,21 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } /* setup gensec */ - if (!(gensec_state && *gensec_state)) { + if (!(state->gensec_state)) { switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: case NTLMSSP_CLIENT_1: /* setup the client side */ - nt_status = gensec_client_start(NULL, gensec_state, NULL); + nt_status = gensec_client_start(NULL, &state->gensec_state, NULL); if (!NT_STATUS_IS_OK(nt_status)) { exit(1); } - creds = cli_credentials_init(*gensec_state); - cli_credentials_set_conf(creds); - if (opt_username) { - cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); - } - if (opt_domain) { - cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED); - } - if (opt_password) { - cli_credentials_set_password(creds, opt_password, CRED_SPECIFIED); - } else { - creds->password_obtained = CRED_CALLBACK; - creds->password_cb = get_password; - creds->priv_data = (void*)mux_id; - } - if (opt_workstation) { - cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); - } - - gensec_set_credentials(*gensec_state, creds); - break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - if (!NT_STATUS_IS_OK(gensec_server_start(NULL, gensec_state, NULL))) { + if (!NT_STATUS_IS_OK(gensec_server_start(NULL, &state->gensec_state, NULL))) { exit(1); } break; 
@@ -377,10 +375,29 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, abort(); } + creds = cli_credentials_init(state->gensec_state); + cli_credentials_set_conf(creds); + if (opt_username) { + cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); + } + if (opt_domain) { + cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED); + } + if (state->set_password) { + cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED); + } else { + cli_credentials_set_password_callback(creds, get_password); + creds->priv_data = (void*)mux_id; + } + if (opt_workstation) { + cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); + } + gensec_set_credentials(state->gensec_state, creds); + switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: case GSS_SPNEGO_SERVER: - nt_status = gensec_start_mech_by_oid(*gensec_state, GENSEC_OID_SPNEGO); + nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO); if (!in.length) { first = True; } @@ -390,7 +407,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, first = True; } case SQUID_2_5_NTLMSSP: - nt_status = gensec_start_mech_by_oid(*gensec_state, GENSEC_OID_NTLMSSP); + nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP); break; default: abort(); 
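Review bot: The callback branch uses the new `cli_credentials_set_password_callback(creds, get_password)` accessor on one line and then pokes `creds->priv_data = (void*)mux_id;` directly on the next, so the hunk only half-adopts the abstraction the commit message describes; if the credentials code offers no setter for the private pointer, a comment saying so would stop the next reader from "fixing" it. `cli_credentials_init(state->gensec_state)` is still not checked for NULL before cli_credentials_set_conf, as in the earlier revisions on this page. manage_gensec_request starts and ends outside this hunk.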
@@ -401,32 +418,36 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, mux_printf(mux_id, "BH\n"); return; } + } + + /* update */ + mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx"); if (strncmp(buf, "PW ", 3) == 0) { - - cli_credentials_set_password((*gensec_state)->credentials, - talloc_strndup((*gensec_state), - (const char *)in.data, - in.length), + state->set_password = talloc_strndup(state, + (const char *)in.data, + in.length); + + cli_credentials_set_password(gensec_get_credentials(state->gensec_state), + state->set_password, CRED_SPECIFIED); mux_printf(mux_id, "OK\n"); data_blob_free(&in); + talloc_free(mem_ctx); return; } - /* update */ - mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx"); - if (strncmp(buf, "UG", 2) == 0) { int i; char *grouplist = NULL; struct auth_session_info *session_info; - if (!NT_STATUS_IS_OK(gensec_session_info(*gensec_state, &session_info))) { + if (!NT_STATUS_IS_OK(gensec_session_info(state->gensec_state, &session_info))) { DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); data_blob_free(&in); + talloc_free(mem_ctx); return; } @@ -447,7 +468,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } - nt_status = gensec_update(*gensec_state, mem_ctx, in, &out); + nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ nt_status = auth_nt_status_squash(nt_status); 
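Review bot: The PW branch assigns `state->set_password = talloc_strndup(state, ...)` without releasing the previous value, so each PW command leaves the prior plaintext copy allocated on `state` (which lives on the NULL context) for the life of the helper, and the talloc_strndup result is still not checked before it is handed to cli_credentials_set_password and acknowledged with `OK`. Because set_password may initially alias opt_password rather than a talloc allocation, the clean fix is to copy it at state creation (`state->set_password = talloc_strdup(state, opt_password);` in the first hunk of this commit) and then free the old copy here before replacing it, checking for NULL and replying `BH` on allocation failure. The function continues outside this hunk.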
@@ -462,9 +483,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_arg = "*"; if (first) { reply_code = "YR"; - } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) { + } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { reply_code = "KK"; - } else if ((*gensec_state)->gensec_role == GENSEC_SERVER) { + } else if (state->gensec_state->gensec_role == GENSEC_SERVER) { reply_code = "TT"; } else { abort(); @@ -483,10 +504,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_code = "NA"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); - } else if /* OK */ ((*gensec_state)->gensec_role == GENSEC_SERVER) { + } else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) { struct auth_session_info *session_info; - nt_status = gensec_session_info(*gensec_state, &session_info); + nt_status = gensec_session_info(state->gensec_state, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { reply_code = "BH"; reply_arg = nt_errstr(nt_status); @@ -494,12 +515,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } else { reply_code = "AF"; - reply_arg = talloc_asprintf(*gensec_state, + reply_arg = talloc_asprintf(state->gensec_state, "%s%s%s", session_info->server_info->domain_name, lp_winbind_separator(), session_info->server_info->account_name); talloc_free(session_info); } - } else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) { + } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { reply_code = "AF"; reply_arg = out_base64; } else { -- cgit From 349294d358481e1af460d1ade97987474dad9e43 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Mon, 19 Sep 2005 12:58:43 +0000 Subject: r10315: Remove use of fstring and pstring in dynconfig.c Remove unused includes of dynconfig.h (This used to be commit 59083b7ba60d518ddb59646c4fd69938afd079b3) --- source4/utils/ntlm_auth.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index fe29cff021..5d46e9aad4 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -23,7 +23,6 @@ */ #include "includes.h" -#include "dynconfig.h" #include "system/filesys.h" #include "system/passwd.h" #include "lib/cmdline/popt_common.h" -- cgit From f801ad359290c51d3216c755fb2a8344babb484f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 26 Sep 2005 15:59:43 +0000 Subject: r10510: Decrease the amount of data included by includes.h a bit (This used to be commit 03647e1321cf6c9bd6ced3945265f635e9468973) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 5d46e9aad4..87cd16daaa 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -28,6 +28,7 @@ #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "librpc/gen_ndr/ndr_security.h" +#include "credentials.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From 49839f356f493d0de1b719c8c3bfdee4713c0728 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 26 Sep 2005 16:57:08 +0000 Subject: r10513: Reduce some use of pstring. The main reason some parts of the code still use pstring is next_token() now. (This used to be commit a5b88bcd420eb7ae42283293541519e142be36e3) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 87cd16daaa..d2be631d99 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -29,6 +29,7 @@ #include "auth/auth.h" #include "librpc/gen_ndr/ndr_security.h" #include "credentials.h" +#include "pstring.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From 42b81d7c3e8ac9ad4c35d5377decbdd5ab18ffbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 27 Sep 2005 10:00:27 +0000 Subject: r10528: Add credentials.h back into includes.h as some compilers don't seem to be able to handle incomplete enum types. (This used to be commit 540155fad3c8e3d79fb631bb3f14273f82130a73) --- source4/utils/ntlm_auth.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index d2be631d99..3b94640f22 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -28,7 +28,6 @@ #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "librpc/gen_ndr/ndr_security.h" -#include "credentials.h" #include "pstring.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 03:47:55 +0000 Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b) --- source4/utils/ntlm_auth.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'source4/utils/ntlm_auth.c') 
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 3b94640f22..7072262653 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -392,6 +392,16 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (opt_workstation) { cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); } + + switch (stdio_helper_mode) { + case GSS_SPNEGO_SERVER: + case SQUID_2_5_NTLMSSP: + cli_credentials_set_machine_account(creds); + break; + default: + break; + } + gensec_set_credentials(state->gensec_state, creds); switch (stdio_helper_mode) { -- cgit From ea2d6d482fc8e18b0f1b61c245c4e371fa6dd24f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 11:21:33 +0000 Subject: r11371: Fix the ntlm_auth build. Andrew Bartlett (This used to be commit 708476d0b2d178b9fd80583ac02fdadd4f9650b0) --- source4/utils/ntlm_auth.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 7072262653..10e8110deb 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -167,6 +167,8 @@ static NTSTATUS local_pw_check_specified(const char *username, nt_status = ntlm_password_check(mem_ctx, + MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | + MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, challenge, lm_response, nt_response, -- cgit From 6aafed9600a3fa05932668c70fc0e20f3724dab6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 26 Dec 2005 18:48:23 +0000 Subject: r12499: Move smb_build.h out of includes.h (This used to be commit c92ace494f92084ddf178626cdf392d151043bc7) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 10e8110deb..22fd377dca 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
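Review bot: The return value of `cli_credentials_set_machine_account(creds)` is discarded in the new server-side switch; the credentials code appears to report failure through a status code, and if the machine account secret cannot be loaded the server GENSEC context is set up with incomplete credentials and fails later with a less specific error. Capturing it and bailing with `BH` — `nt_status = cli_credentials_set_machine_account(creds); if (!NT_STATUS_IS_OK(nt_status)) { mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); return; }` — keeps the failure at its source, assuming that is the function's return type. The enclosing function extends beyond this hunk.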
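Review bot: Passing `MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT` to ntlm_password_check widens the local check in local_pw_check_specified to accept trust-account logons, and the commit message presents this only as a build fix; a comment stating why a path that hashes the command-line opt_password directly (visible in the r8702 hunk above) should accept machine and server trust accounts, or a plain `0` if it should not, would settle that intent for the next reader. local_pw_check_specified starts and ends outside this hunk.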
@@ -29,6 +29,7 @@ #include "auth/auth.h" #include "librpc/gen_ndr/ndr_security.h" #include "pstring.h" +#include "smb_build.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From acd6a086b341096fcbea1775ce748587fcc8020a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 27 Dec 2005 14:28:01 +0000 Subject: r12510: Change the DCE/RPC interfaces to take a pointer to a dcerpc_interface_table struct rather then a tuple of interface name, UUID and version. This removes the requirement for having a global list of DCE/RPC interfaces, except for these parts of the code that use that list explicitly (ndrdump and the scanner torture test). This should also allow us to remove the hack that put the authservice parameter in the dcerpc_binding struct as it can now be read directly from dcerpc_interface_table. I will now modify some of these functions to take a dcerpc_syntax_id structure rather then a full dcerpc_interface_table. (This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 22fd377dca..54920664ec 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -875,7 +875,7 @@ enum { OPT_MULTIPLEX, }; - int main(int argc, const char **argv) +int main(int argc, const char **argv) { static const char *helper_protocol; int opt; -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/utils/ntlm_auth.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 54920664ec..ffdbd2f2f6 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -24,10 +24,8 @@ #include "includes.h" #include "system/filesys.h" -#include "system/passwd.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" -#include "librpc/gen_ndr/ndr_security.h" #include "pstring.h" #include "smb_build.h" -- cgit From aa9f67163cd2df2a815ef585edad1951343b82c8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 22:46:16 +0000 Subject: r12620: Get rid of automatically generated lists of init functions of subsystems. This allows Samba libraries to be used by other projects (and parts of Samba to be built as shared libraries). (This used to be commit 44f0aba715bfedc7e1ee3d07e9a101a91dbd84b3) --- source4/utils/ntlm_auth.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index ffdbd2f2f6..d6b65d75d7 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -27,7 +27,6 @@ #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "pstring.h" -#include "smb_build.h" #define SQUID_BUFFER_SIZE 2010 @@ -931,8 +930,7 @@ int main(int argc, const char **argv) return 1; } - ntlm_auth_init_subsystems; - + gensec_init(); if (opt_domain == NULL) { opt_domain = lp_workgroup(); -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index d6b65d75d7..be5739eade 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -27,6 +27,7 @@ #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "pstring.h" +#include "libcli/auth/proto.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From e3f2414cf9e582a4e4deecc662b64a7bb2679a34 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 15:03:25 +0000 Subject: r14380: Reduce the size of structs.h (This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index be5739eade..cb32345c2b 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -27,7 +27,7 @@ #include "lib/cmdline/popt_common.h" #include "auth/auth.h" #include "pstring.h" -#include "libcli/auth/proto.h" +#include "libcli/auth/libcli_auth.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From 8528016978b084213ef53d66e1b6e831b1a01acc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 00:23:11 +0000 Subject: r14464: Don't include ndr_BASENAME.h files unless strictly required, instead try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index cb32345c2b..79267882fa 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -28,6 +28,7 @@ #include "auth/auth.h" #include "pstring.h" #include "libcli/auth/libcli_auth.h" +#include "librpc/gen_ndr/ndr_security.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From 64587cbf9eec5b44bd4b78c5e87d84d2ce7c344a Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Sun, 2 Apr 2006 11:18:34 +0000 Subject: r14858: fix bugs noticed by the ibm code checker metze (This used to be commit 152e7e3d024cbc1ae60f8595507d39b647551a71) --- source4/utils/ntlm_auth.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 79267882fa..5841adbf40 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -455,7 +455,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, char *grouplist = NULL; struct auth_session_info *session_info; - if (!NT_STATUS_IS_OK(gensec_session_info(state->gensec_state, &session_info))) { + nt_status = gensec_session_info(state->gensec_state, &session_info); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); data_blob_free(&in); @@ -759,7 +760,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn, void **private2) { char buf[SQUID_BUFFER_SIZE+1]; - unsigned int mux_id; + unsigned int mux_id = 0; int length; char *c; static BOOL err; -- cgit From 9a357370b5897e6818c40d3d4bf3b085944f3785 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 8 Apr 2006 02:58:54 +0000 Subject: r14982: mark a deliberate missing break (This used to be commit 3b66cf35a783a1524e21b3f99125eb032968969e) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 5841adbf40..6e600dc33d 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -418,6 +418,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!in.length) { first = True; } + /* fall through */ case SQUID_2_5_NTLMSSP: nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP); break; -- cgit From 70d10653ad3dcc4c12c83d4ca14752d0a0c89fe8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 27 Apr 2006 16:06:18 +0000 Subject: r15296: Move ntlm_auth-specific functions from util to ntlm_auth so libutil doesn't need ldb (This used to be commit 137ace965e3477c4d92dfd33758d59db346acbcf) --- source4/utils/ntlm_auth.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 6e600dc33d..5532a9ad0b 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -29,6 +29,7 @@ #include "pstring.h" #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_security.h" +#include "lib/ldb/include/ldb.h" #define SQUID_BUFFER_SIZE 2010 @@ -127,6 +128,34 @@ static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain, return True; } +/** + * Decode a base64 string into a DATA_BLOB - simple and slow algorithm + **/ +static DATA_BLOB base64_decode_data_blob(TALLOC_CTX *mem_ctx, const char *s) +{ + DATA_BLOB ret = data_blob_talloc(mem_ctx, s, strlen(s)+1); + ret.length = ldb_base64_decode((char *)ret.data); + return ret; +} + +/** + * Encode a base64 string into a talloc()ed string caller to free. + **/ +static char *base64_encode_data_blob(TALLOC_CTX *mem_ctx, DATA_BLOB data) +{ + return ldb_base64_encode(mem_ctx, (const char *)data.data, data.length); +} + +/** + * Decode a base64 string in-place - wrapper for the above + **/ +static void base64_decode_inplace(char *s) +{ + ldb_base64_decode(s); +} + + + /* Authenticate a user with a plaintext password */ static BOOL check_plaintext_auth(const char *user, const char *pass, -- cgit 
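Review bot: `base64_decode_data_blob` assigns the return of `ldb_base64_decode` straight to `ret.length`, a `size_t`; if the decoder reports malformed input with a negative return (as the ldb implementation does), the length wraps to a huge value and a blob with attacker-shaped length is handed to whatever caller uses it — the input here ultimately comes from the helper's stdin. The `data_blob_talloc` result is also decoded without a NULL check. Decode into an `int` first and turn both failures into an empty blob with the `data_blob`/`data_blob_free` helpers this file already uses.
```c
static DATA_BLOB base64_decode_data_blob(TALLOC_CTX *mem_ctx, const char *s)
{
	DATA_BLOB ret = data_blob_talloc(mem_ctx, s, strlen(s)+1);
	int len;

	if (ret.data == NULL) {
		return data_blob(NULL, 0);
	}
	len = ldb_base64_decode((char *)ret.data);
	if (len < 0) {
		/* malformed base64: do not let a negative return become a SIZE_MAX length */
		data_blob_free(&ret);
		return data_blob(NULL, 0);
	}
	ret.length = len;
	return ret;
}
```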
From e002300f238dd0937dd9f768e366c006945e8baa Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 29 Apr 2006 17:34:49 +0000 Subject: r15328: Move some functions around, remove dependencies. Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 5532a9ad0b..c7f3767a22 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -28,7 +28,7 @@ #include "auth/auth.h" #include "pstring.h" #include "libcli/auth/libcli_auth.h" -#include "librpc/gen_ndr/ndr_security.h" +#include "libcli/security/security.h" #include "lib/ldb/include/ldb.h" #define SQUID_BUFFER_SIZE 2010 -- cgit From e0e8743baf6c34987d56c8b7166a7c928bbdd6a5 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 30 Apr 2006 18:46:14 +0000 Subject: r15363: Fix dependencies for shared library (This used to be commit f2ca71f1229f4c20296895116c09bacbd6a53b55) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index c7f3767a22..55aa4e65a9 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -26,6 +26,7 @@ #include "system/filesys.h" #include "lib/cmdline/popt_common.h" #include "auth/auth.h" +#include "auth/auth_sam.h" #include "pstring.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" -- cgit From 7a845bcb0141a895d5685afcef1ffe7f93428d0f Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Mon, 31 Jul 2006 14:05:08 +0000 Subject: r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710) --- source4/utils/ntlm_auth.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 55aa4e65a9..9609ce59da 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -31,6 +31,9 @@ #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" #include "lib/ldb/include/ldb.h" +#include "lib/events/events.h" +#include "lib/messaging/messaging.h" +#include "lib/messaging/irpc.h" #define SQUID_BUFFER_SIZE 2010 @@ -329,6 +332,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, const char *set_password; }; struct gensec_ntlm_state *state; + struct event_context *ev; + struct messaging_context *msg; NTSTATUS nt_status; BOOL first = False; @@ -399,7 +404,15 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - if (!NT_STATUS_IS_OK(gensec_server_start(NULL, &state->gensec_state, NULL))) { + ev = event_context_init(state); + if (!ev) { + exit(1); + } + msg = messaging_client_init(state, ev); + if (!msg) { + exit(1); + } + if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, msg, &state->gensec_state))) { exit(1); } break; -- cgit From 7d6bfb45bae5edfa4f58ef6c40a5cc7d048d6b1a Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 17 Aug 2006 00:44:29 +0000 Subject: r17577: Patch from Kai Blin : This is the Samba4 version of the ntlm_auth patch that was committed to Samba3 in revision 17216. The purpose of this patch is to return session key information, as well as NTLMSSP negotiated flags to ntlm_auth's caller. This allows the bulk data signing and sealing to be handled in a library, supplied by the caller. This also allows the caller to ask for features, so that the right flags get negotiated. (This used to be commit eb28aff4e0c9688ba886c3dd886ab7af81c6326a) --- source4/utils/ntlm_auth.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 9609ce59da..1b25c96ab2 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -34,6 +34,7 @@ #include "lib/events/events.h" #include "lib/messaging/messaging.h" #include "lib/messaging/irpc.h" +#include "auth/ntlmssp/ntlmssp.h" #define SQUID_BUFFER_SIZE 2010 @@ -319,6 +320,22 @@ static const char *get_password(struct cli_credentials *credentials) return password; } +static void gensec_want_feature_list(struct gensec_security *state, char* feature_list) +{ + if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) { + DEBUG(10, ("want GENSEC_FEATURE_SESSION_KEY\n")); + gensec_want_feature(state, GENSEC_FEATURE_SESSION_KEY); + } + if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) { + DEBUG(10, ("want GENSEC_FEATURE_SIGN\n")); + gensec_want_feature(state, GENSEC_FEATURE_SIGN); + } + if (in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) { + DEBUG(10, ("want GENSEC_FEATURE_SEAL\n")); + gensec_want_feature(state, GENSEC_FEATURE_SEAL); + } +} + static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length, void **private, unsigned int mux_id, void **private2) 
@@ -340,6 +357,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, const char *reply_code; struct cli_credentials *creds; + static char *want_feature_list = NULL; + static DATA_BLOB session_key; + TALLOC_CTX *mem_ctx; if (*private) { @@ -363,6 +383,13 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } if (strlen(buf) > 3) { + if(strncmp(buf, "SF ", 3) == 0) { + DEBUG(10, ("Setting flags to negotiate\n")); + talloc_free(want_feature_list); + want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3); + mux_printf(mux_id, "OK\n"); + return; + } in = base64_decode_data_blob(NULL, buf + 3); } else { in = data_blob(NULL, 0); @@ -382,7 +409,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) && (strncmp(buf, "UG", 2) != 0) && - (strncmp(buf, "PW ", 3) != 0)) { + (strncmp(buf, "PW ", 3) != 0) && + (strncmp(buf, "GK", 2) != 0) && + (strncmp(buf, "GF", 2) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); mux_printf(mux_id, "BH\n"); data_blob_free(&in); @@ -448,6 +477,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } gensec_set_credentials(state->gensec_state, creds); + gensec_want_feature_list(state->gensec_state, want_feature_list); switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: 
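Review bot: The `SF ` handler stores the feature list in the function-static `want_feature_list` but allocates it on the per-connection `state`, and the `talloc_strndup` result is not checked before `OK` is reported. With `--multiplex` there appears to be one private state per mux id, so the flags set on one mux id are applied to every gensec context started afterwards, and if the owning `state` is ever freed the static pointer dangles into the next `talloc_free(want_feature_list)`. Parent the string on a long-lived context (or keep it in `struct gensec_ntlm_state` per connection) and reply `BH` instead of `OK` when the duplication fails. manage_gensec_request starts and ends outside the hunk.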
@@ -525,6 +555,37 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } + if (strncmp(buf, "GK", 2) == 0) { + char *base64_key; + DEBUG(10, ("Requested session key\n")); + nt_status = gensec_session_key(state->gensec_state, &session_key); + if(!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status))); + mux_printf(mux_id, "BH No session key\n"); + talloc_free(mem_ctx); + return; + } else { + base64_key = base64_encode_data_blob(state, session_key); + mux_printf(mux_id, "GK %s\n", base64_key); + talloc_free(base64_key); + } + talloc_free(mem_ctx); + return; + } + + if (strncmp(buf, "GF", 2) == 0) { + struct gensec_ntlmssp_state *gensec_ntlmssp_state; + uint32_t neg_flags; + + gensec_ntlmssp_state = talloc_get_type(state->gensec_state->private_data, + struct gensec_ntlmssp_state); + neg_flags = gensec_ntlmssp_state->neg_flags; + + DEBUG(10, ("Requested negotiated feature flags\n")); + mux_printf(mux_id, "GF 0x%08x\n", neg_flags); + return; + } + nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ -- cgit From 873749f2189ecf1fbfdc681df4dd304a17716279 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 6 Sep 2006 12:28:01 +0000 Subject: r18168: Use {NULL} rather than POPT_TABLEEND, which is not always available. (This used to be commit 8b622c5ded0732df0eaf9f6226f52a27b6eacd73) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 1b25c96ab2..1961daeb10 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
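Review bot: In the new `GF` branch, `talloc_get_type(state->gensec_state->private_data, struct gensec_ntlmssp_state)` returns NULL whenever the active mechanism's private data is not an NTLMSSP state — which looks possible in the GSS_SPNEGO modes this same function serves — and `gensec_ntlmssp_state->neg_flags` then dereferences NULL on a request a peer can send at any point. The branch also returns without `talloc_free(mem_ctx)`, unlike the `GK` branch right above it, so every `GF` request leaks the per-request context. Check the cast result, answer `BH` as the other failure paths do, and free `mem_ctx` on both exits. manage_gensec_request starts and ends outside the hunk.
```c
	if (strncmp(buf, "GF", 2) == 0) {
		struct gensec_ntlmssp_state *gensec_ntlmssp_state;
		uint32_t neg_flags;

		gensec_ntlmssp_state = talloc_get_type(state->gensec_state->private_data,
				struct gensec_ntlmssp_state);
		if (gensec_ntlmssp_state == NULL) {
			/* negotiated flags are only defined for the NTLMSSP mechanism */
			DEBUG(1, ("GF requested but the current mechanism is not NTLMSSP\n"));
			mux_printf(mux_id, "BH No NTLMSSP state\n");
			talloc_free(mem_ctx);
			return;
		}
		neg_flags = gensec_ntlmssp_state->neg_flags;
		/* … unchanged: DEBUG and mux_printf of neg_flags … */
		talloc_free(mem_ctx);
		return;
	}
```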
@@ -1005,7 +1005,7 @@ int main(int argc, const char **argv) { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"}, POPT_COMMON_SAMBA POPT_COMMON_VERSION - POPT_TABLEEND + { NULL } }; /* Samba client initialisation */ -- cgit From a882f619c9360e8c8457f71a1466c10edb6906d0 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 4 Nov 2006 19:38:08 +0000 Subject: r19555: Silently ignore --use-cached-creds for compatibility with Samba3's ntlm_auth. Patch by Kai Blin. (This used to be commit 2167552b9a869c408c5ba17dcba3367241934767) --- source4/utils/ntlm_auth.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 1961daeb10..ceefd0de09 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -94,6 +94,7 @@ static const char *opt_domain; static const char *opt_workstation; static const char *opt_password; static int opt_multiplex; +static int use_cached_creds; static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3); @@ -978,6 +979,7 @@ enum { OPT_DIAGNOSTICS, OPT_REQUIRE_MEMBERSHIP, OPT_MULTIPLEX, + OPT_USE_CACHED_CREDS, }; int main(int argc, const char **argv) @@ -1003,6 +1005,7 @@ int main(int argc, const char **argv) { "username", 0, POPT_ARG_STRING, &opt_username, OPT_PASSWORD, "Username"}, { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"}, + { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"}, POPT_COMMON_SAMBA POPT_COMMON_VERSION { NULL } -- cgit From 5d034a9d5dd79cbef89b3dc85b73296e6e63d359 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 4 Nov 2006 20:57:32 +0000 Subject: r19558: Make behaviour of "OK" match that of Samba3's ntlm_auth. Patch by Kai Blin. (This used to be commit d599bb8f98c01459dfbafe041f481d301316057c) --- source4/utils/ntlm_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index ceefd0de09..68ee70fdbb 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -402,7 +402,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, state->gensec_state = NULL; } } else if ( (strncmp(buf, "OK", 2) == 0)) { - /* do nothing */ + /* Just return BH, like ntlm_auth from Samba 3 does. */ + mux_printf(mux_id, "BH\n"); data_blob_free(&in); return; } else if ( (strncmp(buf, "TT ", 3) != 0) && -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/utils/ntlm_auth.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 68ee70fdbb..a0c02af447 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -25,12 +25,15 @@ #include "includes.h" #include "system/filesys.h" #include "lib/cmdline/popt_common.h" +#include "lib/ldb/include/ldb.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" #include "auth/auth.h" +#include "librpc/gen_ndr/ndr_netlogon.h" #include "auth/auth_sam.h" #include "pstring.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" -#include "lib/ldb/include/ldb.h" #include "lib/events/events.h" #include "lib/messaging/messaging.h" #include "lib/messaging/irpc.h" -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/utils/ntlm_auth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index a0c02af447..fc864fd50e 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 96539eb14343dd5e9ed554924dacf824fa2734cd Mon Sep 17 00:00:00 2001 
From: Kai Blin Date: Thu, 30 Aug 2007 06:45:11 +0000 Subject: r24795: When talking to squid, allocate the buffer size dynamically. (This used to be commit 2b72738e4ecc6ad25a08ce7bf41d8d46fcee4115) --- source4/utils/ntlm_auth.c | 63 +++++++++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 27 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index fc864fd50e..162470dd95 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -38,7 +38,7 @@ #include "lib/messaging/irpc.h" #include "auth/ntlmssp/ntlmssp.h" -#define SQUID_BUFFER_SIZE 2010 +#define INITIAL_BUFFER_SIZE 200 enum stdio_helper_mode { SQUID_2_4_BASIC, 
@@ -868,51 +868,57 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn, void **private2) { - char buf[SQUID_BUFFER_SIZE+1]; + char *buf; + char tmp[INITIAL_BUFFER_SIZE+1]; unsigned int mux_id = 0; int length; char *c; - static BOOL err; struct mux_private { unsigned int max_mux; void **private_pointers; }; - + static struct mux_private *mux_private; static void *normal_private; void **private; - /* this is not a typo - x_fgets doesn't work too well under squid */ - if (fgets(buf, sizeof(buf)-1, stdin) == NULL) { - if (ferror(stdin)) { - DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", ferror(stdin), - strerror(ferror(stdin)))); - - exit(1); /* BIIG buffer */ - } - exit(0); - } - - c=memchr(buf,'\n',sizeof(buf)-1); - if (c) { - *c = '\0'; - length = c-buf; - } else { - err = 1; - return; - } - if (err) { - DEBUG(0, ("Oversized message\n")); + buf = talloc(NULL, char); + buf[0] = '\0'; + + if (buf == NULL) { + DEBUG(0, ("Failed to allocate memory for reading the input " + "buffer.\n")); x_fprintf(x_stdout, "ERR\n"); - err = 0; return; } + do { + /* this is not a typo - x_fgets doesn't work too well under + * squid */ + if (fgets(tmp, INITIAL_BUFFER_SIZE, stdin) == NULL) { + if (ferror(stdin)) { + DEBUG(1, ("fgets() failed! dying..... errno=%d " + "(%s)\n", ferror(stdin), + strerror(ferror(stdin)))); + + exit(1); /* BIIG buffer */ + } + exit(0); + } + + buf = talloc_append_string(buf, buf, tmp); + c = strchr(buf, '\n'); + } while (c == NULL); + + *c = '\0'; + length = c-buf; + DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length)); if (buf[0] == '\0') { DEBUG(0, ("Invalid Request (empty)\n")); x_fprintf(x_stdout, "ERR\n"); + talloc_free(buf); return; } 
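Review bot: In the rewritten read loop `buf = talloc_append_string(buf, buf, tmp);` overwrites the only pointer to the buffer without checking the result, so an allocation failure turns into `strchr(NULL, '\n')` and the previous buffer is leaked; a few lines earlier `buf[0] = '\0'` is also executed before the `buf == NULL` guard, so that guard can never fire in time. Keep the append result in a temporary and fail with the same `ERR` reply the other paths use. The loop further has no upper bound on how long a line it will accumulate, so a peer can grow the allocation until the process hits its memory limit; a cap is needed (the next commit on this page adds one). manage_squid_request's body continues outside the hunk.
```c
	char *appended;
	/* … unchanged: locals, initial allocation, fgets/ferror handling … */
		appended = talloc_append_string(buf, buf, tmp);
		if (appended == NULL) {
			DEBUG(0, ("Failed to grow the input buffer.\n"));
			x_fprintf(x_stdout, "ERR\n");
			talloc_free(buf);
			return;
		}
		buf = appended;
		c = strchr(buf, '\n');
	/* … unchanged: loop condition and request parsing … */
```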
@@ -920,6 +926,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, if (sscanf(buf, "%u ", &mux_id) != 1) { DEBUG(0, ("Invalid Request - no multiplex id\n")); x_fprintf(x_stdout, "ERR\n"); + talloc_free(buf); return; } if (!mux_private) { @@ -932,6 +939,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, if (!c) { DEBUG(0, ("Invalid Request - no data after multiplex id\n")); x_fprintf(x_stdout, "ERR\n"); + talloc_free(buf); return; } c++; @@ -951,8 +959,9 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, c = buf; private = &normal_private; } - + fn(helper_mode, c, length, private, mux_id, private2); + talloc_free(buf); } static void squid_stream(enum stdio_helper_mode stdio_mode, -- cgit From d510accb39f07ae0abfa0b5cdf2e834a41872cde Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Thu, 30 Aug 2007 09:02:40 +0000 Subject: r24796: Add bounds checking to ntlm_auth, increase initial buffer size to 300 to avoid one talloc/fgets loop in the common case, which is slightly over 200 for the KK response. (This used to be commit ba5ac4eeb8086d50e829e1a9944ea89a28eeef2c) --- source4/utils/ntlm_auth.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 162470dd95..f999995daf 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -38,7 +38,8 @@ #include "lib/messaging/irpc.h" #include "auth/ntlmssp/ntlmssp.h" -#define INITIAL_BUFFER_SIZE 200 +#define INITIAL_BUFFER_SIZE 300 +#define MAX_BUFFER_SIZE 63000 enum stdio_helper_mode { SQUID_2_4_BASIC, @@ -871,7 +872,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, char *buf; char tmp[INITIAL_BUFFER_SIZE+1]; unsigned int mux_id = 0; - int length; + int length, buf_size = 0; char *c; struct mux_private { unsigned int max_mux; 
@@ -907,6 +908,15 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, } buf = talloc_append_string(buf, buf, tmp); + buf_size += INITIAL_BUFFER_SIZE; + + if (buf_size > MAX_BUFFER_SIZE) { + DEBUG(0, ("Invalid Request (too large)\n")); + x_fprintf(x_stdout, "ERR\n"); + talloc_free(buf); + return; + } + c = strchr(buf, '\n'); } while (c == NULL); -- cgit From cd962355abad90a2161765a7be7d26e63572cab7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 7 Sep 2007 15:08:14 +0000 Subject: r25000: Fix some more C++ compatibility warnings. (This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4) --- source4/utils/ntlm_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index f999995daf..4ce8fc6d3f 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -244,7 +244,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, char *user, *pass; user=buf; - pass=memchr(buf,' ',length); + pass = memchr(buf, ' ', length); if (!pass) { DEBUG(2, ("Password not found. Denying access\n")); mux_printf(mux_id, "ERR\n"); @@ -367,7 +367,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, TALLOC_CTX *mem_ctx; if (*private) { - state = *private; + state = (struct gensec_ntlm_state *)*private; } else { state = talloc_zero(NULL, struct gensec_ntlm_state); if (!state) { -- cgit From b50ef4caef44e3b45445728818f3bca09273249d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 7 Sep 2007 16:54:39 +0000 Subject: r25007: Remove more uses of pstring, move ntlmauth-specific utility function to ntlm-auth.c (This used to be commit 6f224480b230ab7ccfc0417c13e7f4fc3f6f2a13) --- source4/utils/ntlm_auth.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') 
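Review bot: When the new size check fires the helper prints `ERR` and returns, but the rest of the oversized line is still unread on stdin, so the next call to manage_squid_request starts in the middle of the rejected line and parses that fragment as a fresh request — one oversized request desynchronises everything after it. Drain to the end of the line before returning, e.g. `while (fgets(tmp, INITIAL_BUFFER_SIZE, stdin) != NULL && strchr(tmp, '\n') == NULL) { /* discard the rest of the oversized line */ }`. The bound itself adds `INITIAL_BUFFER_SIZE` per iteration after the append, so the buffer can exceed `MAX_BUFFER_SIZE` by almost a full chunk before rejection; comparing `strlen(buf)` against the limit before appending would be exact. manage_squid_request starts and ends outside the hunk.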
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 4ce8fc6d3f..9659541319 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -120,7 +120,7 @@ static void mux_printf(unsigned int mux_id, const char *format, ...) /* Copy of parse_domain_user from winbindd_util.c. Parse a string of the form DOMAIN/user into a domain and a user */ -static BOOL parse_ntlm_auth_domain_user(const char *domuser, fstring domain, +static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, fstring user) { @@ -324,6 +324,24 @@ static const char *get_password(struct cli_credentials *credentials) return password; } +/** + Check if a string is part of a list. +**/ +static bool in_list(const char *s, const char *list, bool casesensitive) +{ + pstring tok; + const char *p=list; + + if (!list) + return false; + + while (next_token(&p, tok, LIST_SEP, sizeof(tok))) { + if ((casesensitive?strcmp:strcasecmp_m)(tok,s) == 0) + return true; + } + return false; +} + static void gensec_want_feature_list(struct gensec_security *state, char* feature_list) { if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) { -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 9659541319..8775bab2db 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -37,6 +37,7 @@ #include "lib/messaging/messaging.h" #include "lib/messaging/irpc.h" #include "auth/ntlmssp/ntlmssp.h" +#include "param/param.h" #define INITIAL_BUFFER_SIZE 300 #define MAX_BUFFER_SIZE 63000 -- cgit From 9a012df08ee829c1d40fc88ba12a0ea479f60be0 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Fri, 14 Sep 2007 23:21:00 +0000 Subject: r25175: Change to talloc_asprintf_append_buffer(). Jeremy. (This used to be commit 0844dbf597191b3e4d35a696695b229e986daec4) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 8775bab2db..6055670d77 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -569,7 +569,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, struct security_token *token = session_info->security_token; const char *sidstr = dom_sid_string(session_info, token->sids[i]); - grouplist = talloc_asprintf_append(grouplist, "%s,", sidstr); + grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr); } mux_printf(mux_id, "GL %s\n", grouplist); -- cgit From 68256289a4a9326544748fb21ea1a2b018e6711d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 18 Sep 2007 13:31:55 +0000 Subject: r25213: use talloc_strdup_append_buffer() instead of talloc_append_string() metze (This used to be commit d0306ed16b55034f48cb514ea1f4dcd1d388ac50) --- source4/utils/ntlm_auth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 6055670d77..72bd94e630 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -902,8 +902,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, static void *normal_private; void **private; - buf = talloc(NULL, char); - buf[0] = '\0'; + buf = talloc_strdup(NULL, ""); if (buf == NULL) { DEBUG(0, ("Failed to allocate memory for reading the input " 
@@ -926,7 +925,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, exit(0); } - buf = talloc_append_string(buf, buf, tmp); + buf = talloc_strdup_append_buffer(buf, tmp); buf_size += INITIAL_BUFFER_SIZE; if (buf_size > MAX_BUFFER_SIZE) { -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/utils/ntlm_auth.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 72bd94e630..8d9ff4ff0c 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -125,7 +125,7 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, fstring user) { - char *p = strchr(domuser,*lp_winbind_separator()); + char *p = strchr(domuser,*lp_winbind_separator(global_loadparm)); if (!p) { return False; @@ -220,7 +220,7 @@ static NTSTATUS local_pw_check_specified(const char *username, if (unix_name) { asprintf(unix_name, "%s%c%s", domain, - *lp_winbind_separator(), + *lp_winbind_separator(global_loadparm), username); } } else { @@ -474,7 +474,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } creds = cli_credentials_init(state->gensec_state); - cli_credentials_set_conf(creds); + cli_credentials_set_conf(creds, global_loadparm); if (opt_username) { cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); } 
@@ -659,7 +659,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_code = "AF"; reply_arg = talloc_asprintf(state->gensec_state, "%s%s%s", session_info->server_info->domain_name, - lp_winbind_separator(), session_info->server_info->account_name); + lp_winbind_separator(global_loadparm), session_info->server_info->account_name); talloc_free(session_info); } } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { @@ -710,7 +710,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } else if (plaintext_password) { /* handle this request as plaintext */ if (!full_username) { - if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(), username) == -1) { + if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(global_loadparm), username) == -1) { mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n"); return; } @@ -745,7 +745,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } if (!domain) { - domain = smb_xstrdup(lp_workgroup()); + domain = smb_xstrdup(lp_workgroup(global_loadparm)); } if (ntlm_server_1_lm_session_key) @@ -757,7 +757,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod if (!NT_STATUS_IS_OK( local_pw_check_specified(username, domain, - lp_netbios_name(), + lp_netbios_name(global_loadparm), &challenge, &lm_response, &nt_response, @@ -1084,7 +1084,7 @@ int main(int argc, const char **argv) gensec_init(); if (opt_domain == NULL) { - opt_domain = lp_workgroup(); + opt_domain = lp_workgroup(global_loadparm); } if (helper_protocol) { @@ -1111,7 +1111,7 @@ int main(int argc, const char **argv) } if (opt_workstation == NULL) { - opt_workstation = lp_netbios_name(); + opt_workstation = lp_netbios_name(global_loadparm); } if (!opt_password) { 
@@ -1121,7 +1121,7 @@ int main(int argc, const char **argv) { char *user; - asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(), opt_username); + asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(global_loadparm), opt_username); if (!check_plaintext_auth(user, opt_password, True)) { return 1; } -- cgit From 2f3551ca7cee59d4d053cceb87abdf1da1b3a1ad Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 1 Oct 2007 18:52:55 +0000 Subject: r25446: Merge some changes I made on the way home from SFO: 2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 8d9ff4ff0c..2fa393a9d4 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -461,7 +461,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!ev) { exit(1); } - msg = messaging_client_init(state, ev); + msg = messaging_client_init(state, global_loadparm, ev); if (!msg) { exit(1); } -- cgit From efa384375f61049d7e7c43a77dc8abe0e034e04d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 1 Oct 2007 22:13:02 +0000 Subject: r25454: Use standard bool types in a couple more places. (This used to be commit 9243b551f30c7aa2763115516a6adcfe5bbddc58) --- source4/utils/ntlm_auth.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 2fa393a9d4..c51b35aa03 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
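Review bot: `asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(global_loadparm), opt_username);` in main is called without checking its result, so on failure `user` is indeterminate when it is handed to `check_plaintext_auth` on the next line. A one-line guard, `if (asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(global_loadparm), opt_username) == -1) { return 1; }`, matches how manage_ntlm_server_1_request handles the same call elsewhere in this diff. main starts and ends outside this hunk.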
@@ -128,14 +128,14 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, char *p = strchr(domuser,*lp_winbind_separator(global_loadparm)); if (!p) { - return False; + return false; } fstrcpy(user, p+1); fstrcpy(domain, domuser); domain[PTR_DIFF(p, domuser)] = 0; - return True; + return true; } /** @@ -168,8 +168,8 @@ static void base64_decode_inplace(char *s) /* Authenticate a user with a plaintext password */ -static BOOL check_plaintext_auth(const char *user, const char *pass, - BOOL stdout_diagnostics) +static bool check_plaintext_auth(const char *user, const char *pass, + bool stdout_diagnostics) { return (strcmp(pass, opt_password) == 0); } @@ -259,7 +259,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, rfc1738_unescape(pass); } - if (check_plaintext_auth(user, pass, False)) { + if (check_plaintext_auth(user, pass, false)) { mux_printf(mux_id, "OK\n"); } else { mux_printf(mux_id, "ERR\n"); @@ -345,15 +345,15 @@ static bool in_list(const char *s, const char *list, bool casesensitive) static void gensec_want_feature_list(struct gensec_security *state, char* feature_list) { - if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) { + if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, true)) { DEBUG(10, ("want GENSEC_FEATURE_SESSION_KEY\n")); gensec_want_feature(state, GENSEC_FEATURE_SESSION_KEY); } - if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) { + if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, true)) { DEBUG(10, ("want GENSEC_FEATURE_SIGN\n")); gensec_want_feature(state, GENSEC_FEATURE_SIGN); } - if (in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) { + if (in_list("NTLMSSP_FEATURE_SEAL", feature_list, true)) { DEBUG(10, ("want GENSEC_FEATURE_SEAL\n")); gensec_want_feature(state, GENSEC_FEATURE_SEAL); } 
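Review bot: `domain[PTR_DIFF(p, domuser)] = 0;` indexes `domain` by the separator's offset in the input, but `fstrcpy(domain, domuser)` only copies up to the fstring capacity, so when the domain part is longer than an fstring the zero byte is stored past the end of the caller's buffer; the input is the username line read from the helper's stdin, which ultimately comes from the client. Reject such input before copying: `if (PTR_DIFF(p, domuser) >= sizeof(fstring)) { return false; }`, and consider the same test on `strlen(p+1)` if silently truncating the user part is not acceptable. This assumes fstrcpy bounds its copy to sizeof(fstring), as Samba's fstrcpy is defined to do. The function's signature line is the hunk's leading context, so the body is fully visible here.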
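Review bot: Beyond the BOOL→bool change, `check_plaintext_auth` ignores both `user` and `stdout_diagnostics` and only evaluates `strcmp(pass, opt_password) == 0`, so every caller in this diff (squid basic, ntlm-server-1 plaintext, and main) accepts any username as long as the password equals the one given on the command line, and the strcmp dereferences `opt_password` even if it can still be NULL at that point. If this is a deliberate stand-in (it reads like one), say so in a comment above the function, e.g. `/* Placeholder: compares against the --password option only; user and stdout_diagnostics are ignored. */`, and guard the compare with `if (pass == NULL || opt_password == NULL) { return false; }`. The function is fully visible in the hunk.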
@@ -376,7 +376,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, struct messaging_context *msg; NTSTATUS nt_status; - BOOL first = False; + bool first = false; const char *reply_code; struct cli_credentials *creds; @@ -461,7 +461,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!ev) { exit(1); } - msg = messaging_client_init(state, global_loadparm, ev); + msg = messaging_client_init(state, lp_messaging_path(state, global_loadparm), ev); if (!msg) { exit(1); } @@ -508,12 +508,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case GSS_SPNEGO_SERVER: nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO); if (!in.length) { - first = True; + first = true; } break; case NTLMSSP_CLIENT_1: if (!in.length) { - first = True; + first = true; } /* fall through */ case SQUID_2_5_NTLMSSP: @@ -701,8 +701,8 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod static char *username; static char *domain; static char *plaintext_password; - static BOOL ntlm_server_1_user_session_key; - static BOOL ntlm_server_1_lm_session_key; + static bool ntlm_server_1_user_session_key; + static bool ntlm_server_1_lm_session_key; if (strequal(buf, ".")) { if (!full_username && !username) { @@ -715,7 +715,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod return; } } - if (check_plaintext_auth(full_username, plaintext_password, False)) { + if (check_plaintext_auth(full_username, plaintext_password, false)) { mux_printf(mux_id, "Authenticated: Yes\n"); } else { mux_printf(mux_id, "Authenticated: No\n"); 
@@ -808,8 +808,8 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod SAFE_FREE(username); SAFE_FREE(domain); SAFE_FREE(plaintext_password); - ntlm_server_1_user_session_key = False; - ntlm_server_1_lm_session_key = False; + ntlm_server_1_user_session_key = false; + ntlm_server_1_lm_session_key = false; mux_printf(mux_id, ".\n"); return; @@ -1122,7 +1122,7 @@ int main(int argc, const char **argv) char *user; asprintf(&user, "%s%c%s", opt_domain, *lp_winbind_separator(global_loadparm), opt_username); - if (!check_plaintext_auth(user, opt_password, True)) { + if (!check_plaintext_auth(user, opt_password, true)) { return 1; } } -- cgit From 2fa338cdc99276a5f85ad54cb88b372ffe8ab063 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 17:09:43 +0100 Subject: r26226: Avoid more uses of global_loadparm. (This used to be commit 6cbce47a3eaef76a89db7cd0ab0d4f6441fc720d) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index c51b35aa03..80ecfff572 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -1081,7 +1081,7 @@ int main(int argc, const char **argv) return 1; } - gensec_init(); + gensec_init(global_loadparm); if (opt_domain == NULL) { opt_domain = lp_workgroup(global_loadparm); -- cgit From 51db4c3f3d81d1ed03beae6426786c843ac59807 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 17:56:09 +0100 Subject: r26228: Store loadparm context in auth context, move more loadparm_contexts up the call stack. (This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166) --- source4/utils/ntlm_auth.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 80ecfff572..bb9b5d89fa 100644 --- a/source4/utils/ntlm_auth.c 
+++ b/source4/utils/ntlm_auth.c @@ -176,7 +176,8 @@ static bool check_plaintext_auth(const char *user, const char *pass, /* authenticate a user with an encrypted username/password */ -static NTSTATUS local_pw_check_specified(const char *username, +static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, + const char *username, const char *domain, const char *workstation, const DATA_BLOB *challenge, @@ -206,6 +207,7 @@ static NTSTATUS local_pw_check_specified(const char *username, nt_status = ntlm_password_check(mem_ctx, + lp_ctx, MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, challenge, @@ -755,7 +757,8 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod flags |= NTLM_AUTH_FLAG_USER_SESSION_KEY; if (!NT_STATUS_IS_OK( - local_pw_check_specified(username, + local_pw_check_specified(global_loadparm, + username, domain, lp_netbios_name(global_loadparm), &challenge, -- cgit From b5594df87d054d203e9bfb52a49c87bc3ecf46a1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 19:27:49 +0100 Subject: r26230: Use task-provided loadparm context in a couple more places, avoid loadparm context inside ntlm_auth. (This used to be commit 3a946d1ffd7739e40beab673ecb0100c178c2e28) --- source4/utils/ntlm_auth.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index bb9b5d89fa..20673775a5 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -58,18 +58,22 @@ enum stdio_helper_mode { typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2); static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2); static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2); static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2); @@ -241,6 +245,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, } static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2) { @@ -272,6 +277,7 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, to the calling application. The callback comes from within gensec */ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **password) { @@ -362,6 +368,7 @@ static void gensec_want_feature_list(struct gensec_security *state, char* featur } static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2) { 
@@ -692,6 +699,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode, + struct loadparm_context *lp_ctx, char *buf, int length, void **private, unsigned int mux_id, void **private2) { @@ -712,7 +720,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } else if (plaintext_password) { /* handle this request as plaintext */ if (!full_username) { - if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(global_loadparm), username) == -1) { + if (asprintf(&full_username, "%s%c%s", domain, *lp_winbind_separator(lp_ctx), username) == -1) { mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n"); return; } @@ -747,7 +755,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } if (!domain) { - domain = smb_xstrdup(lp_workgroup(global_loadparm)); + domain = smb_xstrdup(lp_workgroup(lp_ctx)); } if (ntlm_server_1_lm_session_key) @@ -757,10 +765,10 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod flags |= NTLM_AUTH_FLAG_USER_SESSION_KEY; if (!NT_STATUS_IS_OK( - local_pw_check_specified(global_loadparm, + local_pw_check_specified(lp_ctx, username, domain, - lp_netbios_name(global_loadparm), + lp_netbios_name(lp_ctx), &challenge, &lm_response, &nt_response, @@ -991,7 +999,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, private = &normal_private; } - fn(helper_mode, c, length, private, mux_id, private2); + fn(helper_mode, global_loadparm, c, length, private, mux_id, private2); talloc_free(buf); } -- cgit From fface33dd731a711688b56593bb703c38090e782 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sun, 2 Dec 2007 19:31:14 +0100 Subject: r26231: Spell check: credentails -> credentials. (This used to be commit 4b46888bd0195ab12190f76868719fc018baafd6) --- source4/utils/ntlm_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 20673775a5..75c87fc111 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -316,8 +316,8 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod } /** - * Callback for password credentails. This is not async, and when - * GENSEC and the credentails code is made async, it will look rather + * Callback for password credentials. This is not async, and when + * GENSEC and the credentials code is made async, it will look rather * different. */ -- cgit From 6c999cd12344f2bb8b1d2941210b4c205b3e0aad Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 22:32:11 +0100 Subject: r26236: Remove more uses of global_loadparm or specify loadparm_context explicitly. (This used to be commit 5b29ef7c03d9ae76b0ca909e9f03a58e1bad3521) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 75c87fc111..72c99c1126 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -129,7 +129,7 @@ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, fstring user) { - char *p = strchr(domuser,*lp_winbind_separator(global_loadparm)); + char *p = strchr(domuser, *lp_winbind_separator(global_loadparm)); if (!p) { return false; -- cgit From 0a2f1a46a02d2c9497d05d7e534829dc6e9430dc Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Mon, 3 Dec 2007 15:53:07 +0100 Subject: r26249: Remove a couple more uses of global_loadparm. (This used to be commit 80a61200508a00d5b16a3e748ce92d54b9fefcd2) --- source4/utils/ntlm_auth.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 72c99c1126..8b767c8436 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -126,10 +126,10 @@ static void mux_printf(unsigned int mux_id, const char *format, ...) form DOMAIN/user into a domain and a user */ static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain, - fstring user) + fstring user, char winbind_separator) { - char *p = strchr(domuser, *lp_winbind_separator(global_loadparm)); + char *p = strchr(domuser, winbind_separator); if (!p) { return false; @@ -470,7 +470,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!ev) { exit(1); } - msg = messaging_client_init(state, lp_messaging_path(state, global_loadparm), ev); + msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), ev); if (!msg) { exit(1); } @@ -483,7 +483,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } creds = cli_credentials_init(state->gensec_state); - cli_credentials_set_conf(creds, global_loadparm); + cli_credentials_set_conf(creds, lp_ctx); if (opt_username) { cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); } 
@@ -668,7 +668,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_code = "AF"; reply_arg = talloc_asprintf(state->gensec_state, "%s%s%s", session_info->server_info->domain_name, - lp_winbind_separator(global_loadparm), session_info->server_info->account_name); + lp_winbind_separator(lp_ctx), session_info->server_info->account_name); talloc_free(session_info); } } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { @@ -744,7 +744,8 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod fstring fstr_user; fstring fstr_domain; - if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) { + if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain, + *lp_winbind_separator(lp_ctx))) { /* username might be 'tainted', don't print into our new-line deleimianted stream */ mux_printf(mux_id, "Error: Could not parse into domain and username\n"); } -- cgit From ab69eb8d8901d23794c6a298718e67656ef4820e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 15:53:17 +0100 Subject: r26250: Avoid global_loadparm in a couple more places. (This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 8b767c8436..f76eb8390a 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -226,7 +226,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, if (unix_name) { asprintf(unix_name, "%s%c%s", domain, - *lp_winbind_separator(global_loadparm), + *lp_winbind_separator(lp_ctx), username); } } else { -- cgit From ecea5ce24553989103d4a06296b24f4d29f30a36 Mon Sep 17 00:00:00 2001 
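Review bot: The new call passes `fstr_user` as the second argument and `fstr_domain` as the third, but this commit's earlier hunk gives parse_ntlm_auth_domain_user the parameter order `(domuser, fstring domain, fstring user, char winbind_separator)`, so the domain is written into `fstr_user` and the user into `fstr_domain`. Unless code outside this hunk compensates by reading the two crosswise, whatever consumes them next (presumably the `local_pw_check_specified` lookup) gets a swapped domain/user; the fix is `parse_ntlm_auth_domain_user(full_username, fstr_domain, fstr_user, *lp_winbind_separator(lp_ctx))`, or renaming the locals if the current behaviour is intended. The enclosing manage_ntlm_server_1_request starts and ends outside the hunk.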
From: Jelmer Vernooij Date: Mon, 3 Dec 2007 17:41:50 +0100 Subject: r26260: Store loadparm context in gensec context. (This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081) --- source4/utils/ntlm_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index f76eb8390a..cb2fbd63c1 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -458,7 +458,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case NTLMSSP_CLIENT_1: /* setup the client side */ - nt_status = gensec_client_start(NULL, &state->gensec_state, NULL); + nt_status = gensec_client_start(NULL, &state->gensec_state, NULL, lp_ctx); if (!NT_STATUS_IS_OK(nt_status)) { exit(1); } @@ -474,7 +474,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!msg) { exit(1); } - if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, msg, &state->gensec_state))) { + if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_ctx, msg, &state->gensec_state))) { exit(1); } break; -- cgit From b65dba2245bf382c47d65c95ac9b1efa43918fc0 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 10 Dec 2007 04:33:16 +0100 Subject: r26355: Eliminate global_loadparm in more places. (This used to be commit 5d589a0d94bd76a9b4c9fc748854e8098ea43c4d) --- source4/utils/ntlm_auth.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index cb2fbd63c1..93d1909a56 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
@@ -77,7 +77,8 @@ static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mo char *buf, int length, void **private, unsigned int mux_id, void **private2); -static void manage_squid_request(enum stdio_helper_mode helper_mode, +static void manage_squid_request(struct loadparm_context *lp_ctx, + enum stdio_helper_mode helper_mode, stdio_helper_function fn, void **private2); static const struct { @@ -329,7 +330,7 @@ static const char *get_password(struct cli_credentials *credentials) mux_printf((unsigned int)credentials->priv_data, "PW\n"); credentials->priv_data = NULL; - manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password); + manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password); return password; } @@ -897,7 +898,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod } } -static void manage_squid_request(enum stdio_helper_mode helper_mode, +static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_helper_mode helper_mode, stdio_helper_function fn, void **private2) { char *buf; @@ -1000,17 +1001,18 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode, private = &normal_private; } - fn(helper_mode, global_loadparm, c, length, private, mux_id, private2); + fn(helper_mode, lp_ctx, c, length, private, mux_id, private2); talloc_free(buf); } -static void squid_stream(enum stdio_helper_mode stdio_mode, +static void squid_stream(struct loadparm_context *lp_ctx, + enum stdio_helper_mode stdio_mode, stdio_helper_function fn) { /* initialize FDescs */ x_setbuf(x_stdout, NULL); x_setbuf(x_stderr, NULL); while(1) { - manage_squid_request(stdio_mode, fn, NULL); + manage_squid_request(lp_ctx, stdio_mode, fn, NULL); } } 
@@ -1093,17 +1095,17 @@ int main(int argc, const char **argv) return 1; } - gensec_init(global_loadparm); + gensec_init(cmdline_lp_ctx); if (opt_domain == NULL) { - opt_domain = lp_workgroup(global_loadparm); + opt_domain = lp_workgroup(cmdline_lp_ctx); } if (helper_protocol) { int i; for (i=0; i Date: Thu, 13 Dec 2007 22:46:17 +0100 Subject: r26430: require explicit specification of loadparm context. (This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 93d1909a56..299be37765 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -504,7 +504,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, switch (stdio_helper_mode) { case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - cli_credentials_set_machine_account(creds); + cli_credentials_set_machine_account(creds, lp_ctx); break; default: break; -- cgit From 84b476394713d4f2b84782c59dcc084a25af360f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 23:23:25 +0100 Subject: r26441: Remove global_loadparm uses. (This used to be commit 32007c6277efa46341da7741b749a98633d71640) --- source4/utils/ntlm_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 299be37765..b224689d70 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -471,7 +471,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!ev) { exit(1); } - msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), ev); + msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), + lp_iconv_convenience(lp_ctx), ev); if (!msg) { exit(1); } -- cgit 
From 3dc7779c6138b6a89d778dba0571abf01e7f7c7a Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Sat, 15 Dec 2007 23:15:18 +0100 Subject: r26465: ntlm_auth: Remoce pstring. (This used to be commit 15b388ce51cafcf09301fe6d8a50922a3b9b43d1) --- source4/utils/ntlm_auth.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index b224689d70..3144fe91b1 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -339,16 +339,25 @@ static const char *get_password(struct cli_credentials *credentials) **/ static bool in_list(const char *s, const char *list, bool casesensitive) { - pstring tok; + char *tok; + size_t tok_len = 1024; const char *p=list; if (!list) return false; - while (next_token(&p, tok, LIST_SEP, sizeof(tok))) { - if ((casesensitive?strcmp:strcasecmp_m)(tok,s) == 0) + tok = (char *)malloc(tok_len); + if (!tok) { + return false; + } + + while (next_token(&p, tok, LIST_SEP, tok_len)) { + if ((casesensitive?strcmp:strcasecmp_m)(tok,s) == 0) { + free(tok); return true; + } } + free(tok); return false; } -- cgit From 3e75f222bcdf114238cc4f2bcc61332dc059135f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 19 Dec 2007 23:27:42 +0100 Subject: r26539: Remove unnecessary statics. (This used to be commit e53e79eebef3ece6978f0a2b4a1ee0a0814bb5d2) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 3144fe91b1..b85ddec7d0 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -1048,7 +1048,7 @@ enum { int main(int argc, const char **argv) { - static const char *helper_protocol; + const char *helper_protocol; int opt; poptContext pc; -- cgit From 0500b87092540d300b4e021a0fb95ce16a44fbd2 Mon Sep 17 00:00:00 2001 
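Review bot: Replacing the pstring with `malloc(tok_len)` introduces a failure path that returns `false`, which the only visible caller, gensec_want_feature_list, cannot distinguish from "feature not in the list"; an out-of-memory condition would therefore silently drop a requested NTLMSSP_FEATURE_SIGN or NTLMSSP_FEATURE_SEAL instead of failing. Since the bound is a fixed 1024 bytes anyway, a stack buffer keeps the previous semantics with no allocation: `char tok[1024];` and `while (next_token(&p, tok, LIST_SEP, sizeof(tok)))`, dropping the malloc/free pairs. If the heap buffer is preferred, at least log the failure at DEBUG(0) so the downgrade is visible. The function is fully visible in the hunk; its `static bool in_list(...)` line is the hunk's leading context.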
From: Jelmer Vernooij Date: Thu, 20 Dec 2007 00:02:15 +0100 Subject: r26540: Revert my previous commit after concerns raised by Andrew. (This used to be commit 6ac86f8be7d9a8c5ab396a93e6d1e6819e11f173) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index b85ddec7d0..3144fe91b1 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -1048,7 +1048,7 @@ enum { int main(int argc, const char **argv) { - const char *helper_protocol; + static const char *helper_protocol; int opt; poptContext pc; -- cgit From 028ba4682caa874be70ceb7f0df1a3c138998641 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Thu, 20 Mar 2008 00:42:42 +0100 Subject: ntlm_auth: Improve compliance to the Squid helper protocol. This fixes bug #4235 for Samba4. (This used to be commit b6bb7621053bccc9d06b1b2ee9f71b1b1acf3b70) --- source4/utils/ntlm_auth.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 3144fe91b1..0c9a41fd70 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -285,7 +285,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod DATA_BLOB in; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH Query invalid\n"); return; } @@ -302,7 +302,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod if (*password == NULL) { DEBUG(1, ("Out of memory\n")); - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH Out of memory\n"); data_blob_free(&in); return; } 
@@ -312,7 +312,7 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod return; } DEBUG(1, ("Asked for (and expected) a password\n")); - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH Expected a password\n"); data_blob_free(&in); } @@ -420,7 +420,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH Query invalid\n"); return; } @@ -444,7 +444,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } } else if ( (strncmp(buf, "OK", 2) == 0)) { /* Just return BH, like ntlm_auth from Samba 3 does. */ - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH Command expected\n"); data_blob_free(&in); return; } else if ( (strncmp(buf, "TT ", 3) != 0) && @@ -456,7 +456,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, (strncmp(buf, "GK", 2) != 0) && (strncmp(buf, "GF", 2) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH SPNEGO request invalid\n"); data_blob_free(&in); return; } @@ -545,7 +545,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status))); - mux_printf(mux_id, "BH\n"); + mux_printf(mux_id, "BH GENSEC mech failed to start\n"); return; } 
@@ -655,11 +655,11 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { - reply_code = "BH"; + reply_code = "BH NT_STATUS_ACCESS_DENIED"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) { - reply_code = "BH"; + reply_code = "BH NT_STATUS_UNSUCCESSFUL"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); } else if (!NT_STATUS_IS_OK(nt_status)) { @@ -671,7 +671,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, nt_status = gensec_session_info(state->gensec_state, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { - reply_code = "BH"; + reply_code = "BH Failed to retrive session info"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC failed to retreive the session info: %s\n", nt_errstr(nt_status))); } else { -- cgit From 4e83011f72ba3df387512755a17760b42a7bf2f2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 21 Apr 2008 17:58:23 -0400 Subject: Remove more event_context_init() uses from function calls within deep down the code. Make sure we pass around the event_context where we need it instead. All test but a few python ones fail. Jelmer promised to fix them. (This used to be commit 3045d391626fba169aa26be52174883e18d323e9) --- source4/utils/ntlm_auth.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 0c9a41fd70..07c0e4f31e 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -461,6 +461,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } + ev = event_context_init(state); + if (!ev) { + exit(1); + } /* setup gensec */ if (!(state->gensec_state)) { switch (stdio_helper_mode) { 
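Review bot: With `reply_code = "BH NT_STATUS_ACCESS_DENIED"` and `reply_arg = nt_errstr(nt_status)` both set, the reply (presumably emitted as code followed by arg, outside this hunk) would read `BH NT_STATUS_ACCESS_DENIED NT_STATUS_ACCESS_DENIED`; the NT_STATUS_UNSUCCESSFUL branch doubles up the same way. Either keep `reply_code = "BH"` and let `reply_arg` carry the status, or make the code a human-readable reason such as `reply_code = "BH Access denied"` so the status name appears once. manage_gensec_request starts and ends outside the hunk.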
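Review bot: The new literal `"BH Failed to retrive session info"` misspells "retrieve", and this string is what the Squid side sees and operators grep for; use `reply_code = "BH Failed to retrieve session info";`. Because `reply_arg = nt_errstr(nt_status)` is still set alongside it, the status code will follow the reason on the same line, which is fine as long as the reason text itself stays fixed. The enclosing function starts and ends outside the hunk.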
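Review bot: The moved `ev = event_context_init(state);` now runs on every call into manage_gensec_request, ahead of the `if (!(state->gensec_state))` guard, whereas the lines removed in the next hunk ran it only once during server-side setup; a multi-leg NTLMSSP/SPNEGO exchange therefore allocates a fresh event context on `state` per request, the extra ones unused and kept alive until `state` is freed. Keep the allocation with the one-time setup by moving the three added lines just inside `if (!(state->gensec_state)) {`, ahead of the `switch`, which still lets the client and server cases share it. The enclosing function starts and ends outside the hunk.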
@@ -468,7 +472,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case NTLMSSP_CLIENT_1: /* setup the client side */ - nt_status = gensec_client_start(NULL, &state->gensec_state, NULL, lp_ctx); + nt_status = gensec_client_start(NULL, &state->gensec_state, ev, lp_ctx); if (!NT_STATUS_IS_OK(nt_status)) { exit(1); } @@ -476,10 +480,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: - ev = event_context_init(state); - if (!ev) { - exit(1); - } msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), lp_iconv_convenience(lp_ctx), ev); if (!msg) { -- cgit From 7ee76eeae5b3e9e5f5b226039e7276897f5e6764 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 May 2008 15:23:57 +1000 Subject: Move NTLM authentication details into auth/ntlm This should help clarify the role of the various files around here (done on Jelmer's request). Andrew Bartlett (This used to be commit efa399037511ced8978f2e7661a71aac7a384883) --- source4/utils/ntlm_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 07c0e4f31e..95029deffa 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -30,6 +30,7 @@ #include "auth/auth.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "auth/auth_sam.h" +#include "auth/ntlm/ntlm_check.h" #include "pstring.h" #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" -- cgit From 2daf2897d5c70c0efbeba9b827c62700b9a9537c Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Sat, 14 Jun 2008 13:00:53 -0400 Subject: Use a custom init function for samba4 that sets a samba4 specific debug function. By default do not debug, this is the most appropriate action for a library as we cannot assume what stderr is use for in the main app. The main app is responsible to set ev_debug_stderr if they so desire. (This used to be commit e566a2f308ac6fb4b526a744f7059b565670aea5) --- source4/utils/ntlm_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 95029deffa..6d62968b05 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -462,7 +462,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, return; } - ev = event_context_init(state); + ev = s4_event_context_init(state); if (!ev) { exit(1); } -- cgit From 261d41a639b2a5deb14d875d3fafc7eb3b996d4c Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 27 Jun 2008 13:21:42 +0200 Subject: ntlm_auth: eliminate "cast pointer from integer of different size" warnings on 64bit. Michael (This used to be commit a0b2440c70a3f453c22159a02ff4a82fe6439cad) --- source4/utils/ntlm_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/utils/ntlm_auth.c') diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 6d62968b05..6a6302837e 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -328,7 +328,7 @@ static const char *get_password(struct cli_credentials *credentials) char *password = NULL; /* Ask for a password */ - mux_printf((unsigned int)credentials->priv_data, "PW\n"); + mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n"); credentials->priv_data = NULL; manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password); 
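Review bot: The double cast in the -328 hunk, `(unsigned int)(uintptr_t)credentials->priv_data`, and its counterpart in the -506 hunk, `(void*)(uintptr_t)mux_id`, silence the warning but leave the contract implicit: priv_data holds an integer smuggled through a pointer field, and the read side narrows it back to `unsigned int`, which is only correct because the store side started from an `unsigned int`. A comment at each site, e.g. `/* priv_data carries the mux_id as an integer, not a pointer; read back in get_password() */`, would stop a future reader from dereferencing it or storing a real pointer there. If the credentials structure is touched again, a dedicated `unsigned int mux_id` member (or a small talloc'd struct) would remove both casts. get_password and manage_gensec_request begin and end outside these hunks.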
@@ -506,7 +506,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED); } else { cli_credentials_set_password_callback(creds, get_password); - creds->priv_data = (void*)mux_id; + creds->priv_data = (void*)(uintptr_t)mux_id; } if (opt_workstation) { cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); -- cgit