From 67580434cfa58d197d8fd403a5a8f60b9423b4d8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 12 Oct 2005 20:22:45 +0000
Subject: r10936: Commit work in progress: wb_pam_auth_crap made async. This does not work yet, but the version before did not either, so we're not worse than before. One thing this does better is to call the domain init code if it's not there yet. Volker (This used to be commit 35bcfb185b9763a3677d7ac9e748f3a3ba7d2593)
---
source4/winbind/wb_pam_auth.c | 265 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 265 insertions(+) create mode 100644 source4/winbind/wb_pam_auth.c (limited to 'source4/winbind/wb_pam_auth.c')
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c
new file mode 100644
index 0000000000..2a3873ce6e
--- /dev/null
+++ b/source4/winbind/wb_pam_auth.c
@@ -0,0 +1,265 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Authenticate a user
+
+ Copyright (C) Volker Lendecke 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "libcli/composite/composite.h"
+#include "winbind/wb_async_helpers.h"
+#include "winbind/wb_server.h"
+#include "smbd/service_stream.h"
+#include "libcli/auth/credentials.h"
+
+struct pam_auth_crap_state {
+ struct composite_context *ctx;
+ struct wbsrv_domain *domain;
+ const char *domain_name;
+ const char *user_name;
+ const char *workstation;
+ DATA_BLOB chal, nt_resp, lm_resp;
+
+ struct creds_CredentialState *creds_state;
+ struct netr_Authenticator auth, auth2;
+ struct netr_NetworkInfo ninfo;
+ struct netr_LogonSamLogon r;
+
+ struct netr_UserSessionKey user_session_key;
+ struct netr_LMSessionKey lm_key;
+ DATA_BLOB info3;
+};
+
+static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state);
+static void pam_auth_crap_recv_init(struct composite_context *ctx);
+static void pam_auth_crap_recv_samlogon(struct rpc_request *req);
+
+struct composite_context *wb_pam_auth_crap_send(struct wbsrv_call *call,
+ const char *domain,
+ const char *user,
+ const char *workstation,
+ DATA_BLOB chal,
+ DATA_BLOB nt_resp,
+ DATA_BLOB lm_resp)
+{
+ struct composite_context *result, *ctx;
+ struct pam_auth_crap_state *state;
+ struct wbsrv_service *service = call->wbconn->listen_socket->service;
+
+ result = talloc(NULL, struct composite_context);
+ if (result == NULL) goto failed;
+ result->state = COMPOSITE_STATE_IN_PROGRESS;
+ result->event_ctx = call->event_ctx;
+ result->async.fn = NULL;
+
+ state = talloc(result, struct pam_auth_crap_state);
+ if (state == NULL) goto failed;
+ state->ctx = result;
+ result->private_data = state;
+
+ state->domain = service->domains;
+
+ state->domain_name = talloc_strdup(state, domain);
+ if (state->domain_name == NULL) goto failed;
+
+ state->user_name = talloc_strdup(state, user);
+ if (state->user_name == NULL) goto failed;
+
+ state->workstation = talloc_strdup(state, workstation);
+ if (state->workstation == NULL) goto failed;
+
+ state->chal = data_blob_talloc(state, chal.data, chal.length);
+ if ((chal.data != NULL) && (state->chal.data == NULL)) goto failed;
+
+ state->nt_resp = data_blob_talloc(state, nt_resp.data, nt_resp.length);
+ if ((nt_resp.data != NULL) &&
+ (state->nt_resp.data == NULL)) goto failed;
+
+ state->lm_resp = data_blob_talloc(state, lm_resp.data, lm_resp.length);
+ if ((lm_resp.data != NULL) &&
+ (state->lm_resp.data == NULL)) goto failed;
+
+ if (state->domain->initialized) {
+ struct rpc_request *req = send_samlogon(state);
+ if (req == NULL) goto failed;
+ req->async.callback = pam_auth_crap_recv_samlogon;
+ req->async.private = state;
+ return result;
+ }
+
+ ctx = wb_init_domain_send(state->domain, result->event_ctx,
+ call->wbconn->conn->msg_ctx);
+ if (ctx == NULL) goto failed;
+ ctx->async.fn = pam_auth_crap_recv_init;
+ ctx->async.private_data = state;
+ return result;
+
+ failed:
+ talloc_free(result);
+ return NULL;
+}
+
+static void pam_auth_crap_recv_init(struct composite_context *ctx)
+{
+ struct pam_auth_crap_state *state =
+ talloc_get_type(ctx->async.private_data,
+ struct pam_auth_crap_state);
+ struct rpc_request *req;
+
+ state->ctx->status = wb_init_domain_recv(ctx);
+ if (!composite_is_ok(state->ctx)) return;
+
+ req = send_samlogon(state);
+ composite_continue_rpc(state->ctx, req,
+ pam_auth_crap_recv_samlogon, state);
+}
+
+struct rpc_request *send_samlogon(struct pam_auth_crap_state *state)
+{
+ state->creds_state = cli_credentials_get_netlogon_creds(
+ state->domain->schannel_creds);
+ creds_client_authenticator(state->creds_state, &state->auth);
+
+ state->ninfo.identity_info.account_name.string = state->user_name;
+ state->ninfo.identity_info.domain_name.string = state->domain_name;
+ state->ninfo.identity_info.parameter_control = 0;
+ state->ninfo.identity_info.logon_id_low = 0;
+ state->ninfo.identity_info.logon_id_high = 0;
+ state->ninfo.identity_info.workstation.string = state->workstation;
+
+ SMB_ASSERT(state->chal.length == sizeof(state->ninfo.challenge));
+ memcpy(state->ninfo.challenge, state->chal.data,
+ sizeof(state->ninfo.challenge));
+
+ state->ninfo.nt.length = state->nt_resp.length;
+ state->ninfo.nt.data = state->nt_resp.data;
+ state->ninfo.lm.length = state->lm_resp.length;
+ state->ninfo.lm.data = state->lm_resp.data;
+
+ state->r.in.server_name = talloc_asprintf(
+ state, "\\\\%s",
+ dcerpc_server_name(state->domain->netlogon_pipe));
+ if (state->r.in.server_name == NULL) return NULL;
+
+ state->r.in.workstation = cli_credentials_get_workstation(
+ state->domain->schannel_creds);
+ state->r.in.credential = &state->auth;
+ state->r.in.return_authenticator = &state->auth2;
+ state->r.in.logon_level = 2;
+ state->r.in.validation_level = 3;
+ state->r.in.logon.network = &state->ninfo;
+ state->r.out.return_authenticator = NULL;
+
+ return dcerpc_netr_LogonSamLogon_send(state->domain->netlogon_pipe,
+ state, &state->r);
+}
+
+static void pam_auth_crap_recv_samlogon(struct rpc_request *req)
+{
+ struct pam_auth_crap_state *state =
+ talloc_get_type(req->async.private,
+ struct pam_auth_crap_state);
+ struct netr_SamBaseInfo *base;
+ DATA_BLOB tmp_blob;
+
+ state->ctx->status = dcerpc_ndr_request_recv(req);
+ if (!composite_is_ok(state->ctx)) return;
+ state->ctx->status = state->r.out.result;
+ if (!composite_is_ok(state->ctx)) return;
+
+ if ((state->r.out.return_authenticator == NULL) ||
+ (!creds_client_check(state->creds_state,
+ &state->r.out.return_authenticator->cred))) {
+ DEBUG(0, ("Credentials check failed!\n"));
+ composite_error(state->ctx, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+
+ creds_decrypt_samlogon(state->creds_state,
+ state->r.in.validation_level,
+ &state->r.out.validation);
+
+ state->ctx->status = ndr_push_struct_blob(
+ &tmp_blob, state, state->r.out.validation.sam3,
+ (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
+ if (!composite_is_ok(state->ctx)) return;
+
+ state->info3 = data_blob_talloc(state, NULL, tmp_blob.length+4);
+ if (composite_nomem(state->info3.data, state->ctx)) return;
+
+ SIVAL(state->info3.data, 0, 1);
+ memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length);
+
+ base = NULL;
+ switch(state->r.in.validation_level) {
+ case 2:
+ base = &state->r.out.validation.sam2->base;
+ break;
+ case 3:
+ base = &state->r.out.validation.sam3->base;
+ break;
+ case 6:
+ base = &state->r.out.validation.sam6->base;
+ break;
+ }
+ if (base == NULL) {
+ composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ state->user_session_key = base->key;
+ state->lm_key = base->LMSessKey;
+
+ composite_done(state->ctx);
+}
+
+NTSTATUS wb_pam_auth_crap_recv(struct composite_context *c,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *info3,
+ struct netr_UserSessionKey *user_session_key,
+ struct netr_LMSessionKey *lm_key)
+{
+ NTSTATUS status = composite_wait(c);
+ if (NT_STATUS_IS_OK(status)) {
+ struct pam_auth_crap_state *state =
+ talloc_get_type(c->private_data,
+ struct pam_auth_crap_state);
+ info3->length = state->info3.length;
+ info3->data = talloc_steal(mem_ctx, state->info3.data);
+ *user_session_key = state->user_session_key;
+ *lm_key = state->lm_key;
+ }
+ talloc_free(c);
+ return status;
+}
+
+NTSTATUS wb_pam_auth_crap(struct wbsrv_call *call,
+ const char *domain, const char *user,
+ const char *workstation,
+ DATA_BLOB chal, DATA_BLOB nt_resp,
+ DATA_BLOB lm_resp, TALLOC_CTX *mem_ctx,
+ DATA_BLOB *info3,
+ struct netr_UserSessionKey *user_session_key,
+ struct netr_LMSessionKey *lm_key)
+{
+ struct composite_context *c =
+ wb_pam_auth_crap_send(call, domain, user, workstation,
+ chal, nt_resp, lm_resp);
+ return wb_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key,
+ lm_key);
+}
-- cgit
From 0a8291404912ba1873b8158e5aec9ba2541f37f7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 12 Oct 2005 20:56:39 +0000
Subject: r10941: Hmmm. Making that fn static is more correct. (This used to be commit eaf347bdeaaddb655fe72ddb98f3a67ace795937)
---
source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c')
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c
index 2a3873ce6e..bd295e476b 100644
--- a/source4/winbind/wb_pam_auth.c
+++ b/source4/winbind/wb_pam_auth.c
@@ -129,7 +129,7 @@ static void pam_auth_crap_recv_init(struct composite_context *ctx) pam_auth_crap_recv_samlogon, state); } -struct rpc_request *send_samlogon(struct pam_auth_crap_state *state) +static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state) { state->creds_state = cli_credentials_get_netlogon_creds( state->domain->schannel_creds);
-- cgit
From 207a6bf3976d516e40c1ffa7312243e6ff92c791 Mon Sep 17 00:00:00 2001
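Review bot: `SMB_ASSERT(state->chal.length == sizeof(state->ninfo.challenge))` in send_samlogon (r10936, the new-file hunk) turns a wrong-sized challenge into a daemon panic, and the memcpy after it reads `state->chal.data` even though wb_pam_auth_crap_send accepts a NULL blob. Where `chal` originates is not visible in this file; if it can come from a winbind client request, a bad length should be rejected as an input error before any request state is set up. In wb_pam_auth_crap_send, ahead of the data_blob_talloc copy, a check such as `if (chal.data == NULL || chal.length != sizeof(state->ninfo.challenge)) goto failed;` leaves the assert as a pure internal invariant.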
From: Volker Lendecke Date: Fri, 14 Oct 2005 21:05:45 +0000 Subject: r11068: Fix pam_auth_crap, remove the sync code. I don't know what it was when I tested it, but I can not reproduce the problem I had with abartlett's initial implementation anymore. Fix a bug found using valgrind. Volker (This used to be commit 0c6c71ae3cd0a2f97eab2cc24a752976c32a39fc) --- source4/winbind/wb_pam_auth.c | 48 +++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index bd295e476b..f35ff4703d 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -49,13 +49,13 @@ static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state); static void pam_auth_crap_recv_init(struct composite_context *ctx); static void pam_auth_crap_recv_samlogon(struct rpc_request *req); -struct composite_context *wb_pam_auth_crap_send(struct wbsrv_call *call, - const char *domain, - const char *user, - const char *workstation, - DATA_BLOB chal, - DATA_BLOB nt_resp, - DATA_BLOB lm_resp) +struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, + const char *domain, + const char *user, + const char *workstation, + DATA_BLOB chal, + DATA_BLOB nt_resp, + DATA_BLOB lm_resp) { struct composite_context *result, *ctx; struct pam_auth_crap_state *state; 
@@ -228,11 +228,11 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req) composite_done(state->ctx); } -NTSTATUS wb_pam_auth_crap_recv(struct composite_context *c, - TALLOC_CTX *mem_ctx, - DATA_BLOB *info3, - struct netr_UserSessionKey *user_session_key, - struct netr_LMSessionKey *lm_key) +NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, + TALLOC_CTX *mem_ctx, + DATA_BLOB *info3, + struct netr_UserSessionKey *user_session_key, + struct netr_LMSessionKey *lm_key) { NTSTATUS status = composite_wait(c); if (NT_STATUS_IS_OK(status)) { @@ -248,18 +248,18 @@ NTSTATUS wb_pam_auth_crap_recv(struct composite_context *c, return status; } -NTSTATUS wb_pam_auth_crap(struct wbsrv_call *call, - const char *domain, const char *user, - const char *workstation, - DATA_BLOB chal, DATA_BLOB nt_resp, - DATA_BLOB lm_resp, TALLOC_CTX *mem_ctx, - DATA_BLOB *info3, - struct netr_UserSessionKey *user_session_key, - struct netr_LMSessionKey *lm_key) +NTSTATUS wb_cmd_pam_auth_crap(struct wbsrv_call *call, + const char *domain, const char *user, + const char *workstation, + DATA_BLOB chal, DATA_BLOB nt_resp, + DATA_BLOB lm_resp, TALLOC_CTX *mem_ctx, + DATA_BLOB *info3, + struct netr_UserSessionKey *user_session_key, + struct netr_LMSessionKey *lm_key) { struct composite_context *c = - wb_pam_auth_crap_send(call, domain, user, workstation, - chal, nt_resp, lm_resp); - return wb_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key, - lm_key); + wb_cmd_pam_auth_crap_send(call, domain, user, workstation, + chal, nt_resp, lm_resp); + return wb_cmd_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key, + lm_key); } -- cgit From 42ececdfae15a34205638cc6e3ec53d6f3ac2148 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sat, 15 Oct 2005 19:18:05 +0000 Subject: r11093: Implement wb_queue_domain_send: If the domain is not yet initialized, do that first. And if a request is being processed, queue it. This correctly survived 3 endless loops with wbinfo's doing different things while starting up smbd. The number of indirections starts to become a bit scary, but what can you do without a decent programming language that provides closures :-) One thing that we might consider is to auto-generate async rpc requests that return composite_context structs instead of rpc_requests. Otherwise I'd have to write a lot of wrappers like composite_netr_LogonSamLogon_send. The alternative would be to write two versions of wb_queue_domain_send which I would like to avoid. This is cluttered enough already. Volker (This used to be commit 66c1b674f9870de73cce0e611909caf9eff34baa) --- source4/winbind/wb_pam_auth.c | 100 ++++++++++++++++-------------------------- 1 file changed, 38 insertions(+), 62 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index f35ff4703d..ef43aededd 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -29,6 +29,7 @@ struct pam_auth_crap_state { struct composite_context *ctx; + struct event_context *event_ctx; struct wbsrv_domain *domain; const char *domain_name; const char *user_name; @@ -45,9 +46,8 @@ struct pam_auth_crap_state { DATA_BLOB info3; }; -static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state); -static void pam_auth_crap_recv_init(struct composite_context *ctx); -static void pam_auth_crap_recv_samlogon(struct rpc_request *req); +static struct composite_context *crap_samlogon_send_req(void *p); +static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p); struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, const char *domain, 
@@ -57,22 +57,14 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, DATA_BLOB nt_resp, DATA_BLOB lm_resp) { - struct composite_context *result, *ctx; struct pam_auth_crap_state *state; struct wbsrv_service *service = call->wbconn->listen_socket->service; - result = talloc(NULL, struct composite_context); - if (result == NULL) goto failed; - result->state = COMPOSITE_STATE_IN_PROGRESS; - result->event_ctx = call->event_ctx; - result->async.fn = NULL; - - state = talloc(result, struct pam_auth_crap_state); + state = talloc(NULL, struct pam_auth_crap_state); if (state == NULL) goto failed; - state->ctx = result; - result->private_data = state; state->domain = service->domains; + state->event_ctx = call->event_ctx; state->domain_name = talloc_strdup(state, domain); if (state->domain_name == NULL) goto failed; 
@@ -94,45 +86,28 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, if ((lm_resp.data != NULL) && (state->lm_resp.data == NULL)) goto failed; - if (state->domain->initialized) { - struct rpc_request *req = send_samlogon(state); - if (req == NULL) goto failed; - req->async.callback = pam_auth_crap_recv_samlogon; - req->async.private = state; - return result; - } - - ctx = wb_init_domain_send(state->domain, result->event_ctx, - call->wbconn->conn->msg_ctx); - if (ctx == NULL) goto failed; - ctx->async.fn = pam_auth_crap_recv_init; - ctx->async.private_data = state; - return result; + state->ctx = wb_queue_domain_send(state, state->domain, + call->event_ctx, + call->wbconn->conn->msg_ctx, + crap_samlogon_send_req, + crap_samlogon_recv_req, + state); + if (state->ctx == NULL) goto failed; + state->ctx->private_data = state; + return state->ctx; failed: - talloc_free(result); + talloc_free(state); return NULL; } -static void pam_auth_crap_recv_init(struct composite_context *ctx) +static struct composite_context *crap_samlogon_send_req(void *p) { struct pam_auth_crap_state *state = - talloc_get_type(ctx->async.private_data, - struct pam_auth_crap_state); - struct rpc_request *req; - - state->ctx->status = wb_init_domain_recv(ctx); - if (!composite_is_ok(state->ctx)) return; - - req = send_samlogon(state); - composite_continue_rpc(state->ctx, req, - pam_auth_crap_recv_samlogon, state); -} - -static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state) -{ + talloc_get_type(p, struct pam_auth_crap_state); state->creds_state = cli_credentials_get_netlogon_creds( state->domain->schannel_creds); + creds_client_authenticator(state->creds_state, &state->auth); state->ninfo.identity_info.account_name.string = state->user_name; 
@@ -165,42 +140,44 @@ static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state) state->r.in.logon.network = &state->ninfo; state->r.out.return_authenticator = NULL; - return dcerpc_netr_LogonSamLogon_send(state->domain->netlogon_pipe, - state, &state->r); + return composite_netr_LogonSamLogon_send(state->domain->netlogon_pipe, + state, &state->r); } -static void pam_auth_crap_recv_samlogon(struct rpc_request *req) +static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, + void *p) { struct pam_auth_crap_state *state = - talloc_get_type(req->async.private, - struct pam_auth_crap_state); + talloc_get_type(p, struct pam_auth_crap_state); struct netr_SamBaseInfo *base; DATA_BLOB tmp_blob; + NTSTATUS status; - state->ctx->status = dcerpc_ndr_request_recv(req); - if (!composite_is_ok(state->ctx)) return; - state->ctx->status = state->r.out.result; - if (!composite_is_ok(state->ctx)) return; + status = composite_netr_LogonSamLogon_recv(ctx); + if (!NT_STATUS_IS_OK(status)) return status; + + status = state->r.out.result; + if (!NT_STATUS_IS_OK(status)) return status; if ((state->r.out.return_authenticator == NULL) || (!creds_client_check(state->creds_state, &state->r.out.return_authenticator->cred))) { DEBUG(0, ("Credentials check failed!\n")); - composite_error(state->ctx, NT_STATUS_ACCESS_DENIED); - return; + return NT_STATUS_ACCESS_DENIED; } creds_decrypt_samlogon(state->creds_state, state->r.in.validation_level, &state->r.out.validation); - state->ctx->status = ndr_push_struct_blob( - &tmp_blob, state, state->r.out.validation.sam3, + status = ndr_push_struct_blob( + &tmp_blob, state, + state->r.out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); - if (!composite_is_ok(state->ctx)) return; - + NT_STATUS_NOT_OK_RETURN(status); + state->info3 = data_blob_talloc(state, NULL, tmp_blob.length+4); - if (composite_nomem(state->info3.data, state->ctx)) return; + NT_STATUS_HAVE_NO_MEMORY(state->info3.data); SIVAL(state->info3.data, 
0, 1); memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length); @@ -218,14 +195,13 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req) break; } if (base == NULL) { - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - return; + return NT_STATUS_INTERNAL_ERROR; } state->user_session_key = base->key; state->lm_key = base->LMSessKey; - composite_done(state->ctx); + return NT_STATUS_OK; } NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, -- cgit From 0f51ae83f09fa90362cae12a37ca4debc35f8491 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Oct 2005 13:45:44 +0000 Subject: r11181: Implement wbinfo -s and wbinfo --user-sids. The patch is so large because --user-sids required the extension to trusted domains. Implement "winbind sealed pipes" parameter for debugging purposes. Volker (This used to be commit 3821a17bdb68b2f1389b5a150502c057d28569d2) --- source4/winbind/wb_pam_auth.c | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index ef43aededd..b6864a39cc 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -30,7 +30,6 @@ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; - struct wbsrv_domain *domain; const char *domain_name; const char *user_name; const char *workstation; @@ -46,7 +45,8 @@ struct pam_auth_crap_state { DATA_BLOB info3; }; -static struct composite_context *crap_samlogon_send_req(void *p); +static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *domain, + void *p); static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p); struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, 
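Review bot: In crap_samlogon_recv_req (r11093, hunk -165,42 +140,44) both early `return status;` statements run before `creds_client_check`, so a failing logon result is handed back without the return authenticator ever being verified. An error status from the peer is therefore accepted unauthenticated, and the credential state that `creds_client_authenticator` advanced in the send half is never confirmed for that exchange. Consider moving the `return_authenticator` check ahead of `status = state->r.out.result;` and returning the logon result only after it passes. Whether the server fills `return_authenticator` for every failure code is not visible here, so that ordering should be confirmed against the netlogon behaviour the project targets.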
@@ -63,7 +63,6 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, state = talloc(NULL, struct pam_auth_crap_state); if (state == NULL) goto failed; - state->domain = service->domains; state->event_ctx = call->event_ctx; state->domain_name = talloc_strdup(state, domain); @@ -86,12 +85,11 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, if ((lm_resp.data != NULL) && (state->lm_resp.data == NULL)) goto failed; - state->ctx = wb_queue_domain_send(state, state->domain, - call->event_ctx, - call->wbconn->conn->msg_ctx, - crap_samlogon_send_req, - crap_samlogon_recv_req, - state); + state->ctx = wb_domain_request_send(state, service, + service->primary_sid, + crap_samlogon_send_req, + crap_samlogon_recv_req, + state); if (state->ctx == NULL) goto failed; state->ctx->private_data = state; return state->ctx; @@ -101,12 +99,13 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, return NULL; } -static struct composite_context *crap_samlogon_send_req(void *p) +static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *domain, + void *p) { struct pam_auth_crap_state *state = talloc_get_type(p, struct pam_auth_crap_state); - state->creds_state = cli_credentials_get_netlogon_creds( - state->domain->schannel_creds); + state->creds_state = + cli_credentials_get_netlogon_creds(domain->schannel_creds); creds_client_authenticator(state->creds_state, &state->auth); 
@@ -127,12 +126,11 @@ static struct composite_context *crap_samlogon_send_req(void *p) state->ninfo.lm.data = state->lm_resp.data; state->r.in.server_name = talloc_asprintf( - state, "\\\\%s", - dcerpc_server_name(state->domain->netlogon_pipe)); + state, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe)); if (state->r.in.server_name == NULL) return NULL; - state->r.in.workstation = cli_credentials_get_workstation( - state->domain->schannel_creds); + state->r.in.workstation = + cli_credentials_get_workstation(domain->schannel_creds); state->r.in.credential = &state->auth; state->r.in.return_authenticator = &state->auth2; state->r.in.logon_level = 2; @@ -140,7 +138,7 @@ static struct composite_context *crap_samlogon_send_req(void *p) state->r.in.logon.network = &state->ninfo; state->r.out.return_authenticator = NULL; - return composite_netr_LogonSamLogon_send(state->domain->netlogon_pipe, + return composite_netr_LogonSamLogon_send(domain->netlogon_pipe, state, &state->r); } -- cgit From 28a3bc645b49ea6e997b3576ba7a8ba55e7caa9c Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 23 Oct 2005 17:22:00 +0000 Subject: r11267: Fix a memleak and an uninitialized variable. Andrew Bartlett, this was the one I sent to you. Sorry for bothering you. Volker (This used to be commit 3a9f2291ae6e96a715f463899957c6c598fc7627) --- source4/winbind/wb_pam_auth.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index b6864a39cc..c3a9d1fec3 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -129,6 +129,8 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom state, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe)); if (state->r.in.server_name == NULL) return NULL; + ZERO_STRUCT(state->auth2); + state->r.in.workstation = cli_credentials_get_workstation(domain->schannel_creds); state->r.in.credential = &state->auth; @@ -208,17 +210,16 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, struct netr_UserSessionKey *user_session_key, struct netr_LMSessionKey *lm_key) { + struct pam_auth_crap_state *state = + talloc_get_type(c->private_data, struct pam_auth_crap_state); NTSTATUS status = composite_wait(c); if (NT_STATUS_IS_OK(status)) { - struct pam_auth_crap_state *state = - talloc_get_type(c->private_data, - struct pam_auth_crap_state); info3->length = state->info3.length; info3->data = talloc_steal(mem_ctx, state->info3.data); *user_session_key = state->user_session_key; *lm_key = state->lm_key; } - talloc_free(c); + talloc_free(state); return status; } -- cgit From 17f8b87cb0731d716ac717b7796f50c252904b36 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 13:42:00 +0000 Subject: r11374: On request from VL, put the plaintext auth patch in. I still have some gremlins that get in the my way in testing this. Andrew Bartlett (This used to be commit 3353e906adb3b3116551026e3ae18fd4d7ae1764) --- source4/winbind/wb_pam_auth.c | 105 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 102 insertions(+), 3 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index c3a9d1fec3..1316122eab 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -4,6 +4,7 @@ Authenticate a user Copyright (C) Volker Lendecke 2005 + Copyright (C) Andrew Bartlett 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
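Review bot: wb_cmd_pam_auth_crap_recv (r11267, hunk -208,17 +210,16) now reads `c->private_data` in the declaration, before `composite_wait(c)`, so a NULL `c` is dereferenced unconditionally. The synchronous wrapper passes the result of wb_cmd_pam_auth_crap_send straight in, and that function returns NULL on every allocation failure; before this change `c` was dereferenced only inside the success branch (whether composite_wait itself accepts NULL is not visible here). Add `if (c == NULL) return NT_STATUS_NO_MEMORY;` as the first statement and fetch `state` after it. The same pattern appears in wb_cmd_pam_auth_recv, added by r11374 further down this page, where wb_cmd_pam_auth_send has several `return NULL` paths.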
@@ -201,6 +202,16 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, state->user_session_key = base->key; state->lm_key = base->LMSessKey; + /* Give the caller the most accurate username possible */ + if (base->account_name.string) { + state->user_name = base->account_name.string; + talloc_steal(state, base->account_name.string); + } + if (base->domain.string) { + state->domain_name = base->domain.string; + talloc_steal(state, base->domain.string); + } + return NT_STATUS_OK; } @@ -208,7 +219,8 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, DATA_BLOB *info3, struct netr_UserSessionKey *user_session_key, - struct netr_LMSessionKey *lm_key) + struct netr_LMSessionKey *lm_key, + char **unix_username) { struct pam_auth_crap_state *state = talloc_get_type(c->private_data, struct pam_auth_crap_state); @@ -218,6 +230,12 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, info3->data = talloc_steal(mem_ctx, state->info3.data); *user_session_key = state->user_session_key; *lm_key = state->lm_key; + *unix_username = talloc_asprintf(mem_ctx, "%s%s%s", + state->domain_name, lp_winbind_separator(), + state->user_name); + if (!*unix_username) { + status = NT_STATUS_NO_MEMORY; + } } talloc_free(state); return status; 
@@ -230,11 +248,92 @@ NTSTATUS wb_cmd_pam_auth_crap(struct wbsrv_call *call, DATA_BLOB lm_resp, TALLOC_CTX *mem_ctx, DATA_BLOB *info3, struct netr_UserSessionKey *user_session_key, - struct netr_LMSessionKey *lm_key) + struct netr_LMSessionKey *lm_key, + char **unix_username) { struct composite_context *c = wb_cmd_pam_auth_crap_send(call, domain, user, workstation, chal, nt_resp, lm_resp); return wb_cmd_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key, - lm_key); + lm_key, unix_username); +} + +struct composite_context *wb_cmd_pam_auth_send(struct wbsrv_call *call, + const char *domain, + const char *user, + const char *password) +{ + struct composite_context *c; + struct cli_credentials *credentials; + const char *workstation; + NTSTATUS status; + + DATA_BLOB chal, nt_resp, lm_resp, names_blob; + int flags = CLI_CRED_NTLM_AUTH; + if (lp_client_lanman_auth()) { + flags |= CLI_CRED_LANMAN_AUTH; + } + + if (lp_client_ntlmv2_auth()) { + flags |= CLI_CRED_NTLMv2_AUTH; + } + + DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n")); + + credentials = cli_credentials_init(call); + if (!credentials) { + return NULL; + } + cli_credentials_set_conf(credentials); + cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED); + cli_credentials_set_username(credentials, user, CRED_SPECIFIED); + + cli_credentials_set_password(credentials, password, CRED_SPECIFIED); + + chal = data_blob_talloc(call, NULL, 8); + if (!chal.data) { + return NULL; + } + generate_random_buffer(chal.data, chal.length); + cli_credentials_get_ntlm_username_domain(credentials, call, + &user, &domain); + /* for best compatability with multiple vitual netbios names + * on the host, this should be generated from the + * cli_credentials associated with the machine account */ + workstation = cli_credentials_get_workstation(credentials); + + names_blob = NTLMv2_generate_names_blob(call, cli_credentials_get_workstation(credentials), + cli_credentials_get_domain(credentials)); + + status = 
cli_credentials_get_ntlm_response(credentials, call, + &flags, + chal, + names_blob, + &lm_resp, &nt_resp, + NULL, NULL); + if (!NT_STATUS_IS_OK(status)) { + return NULL; + } + c = wb_cmd_pam_auth_crap_send(call, domain, user, workstation, + chal, nt_resp, lm_resp); + return c; +} + +NTSTATUS wb_cmd_pam_auth_recv(struct composite_context *c) +{ + struct pam_auth_crap_state *state = + talloc_get_type(c->private_data, struct pam_auth_crap_state); + NTSTATUS status = composite_wait(c); + talloc_free(state); + return status; +} + +NTSTATUS wb_cmd_pam_auth(struct wbsrv_call *call, + const char *domain, const char *user, + const char *password) +{ + struct composite_context *c = + wb_cmd_pam_auth_send(call, domain, user, + password); + return wb_cmd_pam_auth_recv(c); } -- cgit From 0f44011f6f6e49611ec4a65f6d1dc3b5e8983584 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Oct 2005 04:17:51 +0000 Subject: r11411: Add to Samba4 the Samba3 patch I just posted for machine account logins (changing the winbindd interface). Clean up the wbsrv_samba3_async_epilogue() handling, as it was mixing auth and other replies, such that all replies were having the auth error strings set. We now do a better job of filling in the right errors in the right places. Andrew Bartlett (This used to be commit 8ed975df52bcac9646672f6a39c51481b5c59226) --- source4/winbind/wb_pam_auth.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 1316122eab..68cd5fc4b2 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -31,6 +31,7 @@ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; + uint32_t logon_parameters; const char *domain_name; const char *user_name; const char *workstation; 
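Review bot: wb_cmd_pam_auth_send (r11374, hunk -230,11 +248,92) parents the `cli_credentials` object holding the plaintext password, together with `chal` and the NTLM responses, to `call` on every path including the `return NULL` ones, so the cleartext stays allocated for as long as the call lives. wb_cmd_pam_auth_crap_send copies the strings and blobs it is given (talloc_strdup / data_blob_talloc in its body), so nothing allocated here needs to outlive that call. Allocate these on a temporary context, e.g. `TALLOC_CTX *tmp = talloc_new(call);`, and `talloc_free(tmp);` before each return; freeing alone does not scrub the buffer, so wiping the password first would need a helper this page does not show. Separately, the `DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n"))` message names a different function than the one it sits in.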
@@ -51,6 +52,7 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p); struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, + uint32_t logon_parameters, const char *domain, const char *user, const char *workstation, @@ -66,6 +68,8 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, state->event_ctx = call->event_ctx; + state->logon_parameters = logon_parameters; + state->domain_name = talloc_strdup(state, domain); if (state->domain_name == NULL) goto failed; @@ -112,7 +116,7 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom state->ninfo.identity_info.account_name.string = state->user_name; state->ninfo.identity_info.domain_name.string = state->domain_name; - state->ninfo.identity_info.parameter_control = 0; + state->ninfo.identity_info.parameter_control = state->logon_parameters; state->ninfo.identity_info.logon_id_low = 0; state->ninfo.identity_info.logon_id_high = 0; state->ninfo.identity_info.workstation.string = state->workstation; @@ -242,6 +246,7 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, } NTSTATUS wb_cmd_pam_auth_crap(struct wbsrv_call *call, + uint32_t logon_parameters, const char *domain, const char *user, const char *workstation, DATA_BLOB chal, DATA_BLOB nt_resp, @@ -252,7 +257,8 @@ NTSTATUS wb_cmd_pam_auth_crap(struct wbsrv_call *call, char **unix_username) { struct composite_context *c = - wb_cmd_pam_auth_crap_send(call, domain, user, workstation, + wb_cmd_pam_auth_crap_send(call, logon_parameters, + domain, user, workstation, chal, nt_resp, lm_resp); return wb_cmd_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key, lm_key, unix_username); 
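Review bot: `state->ninfo.identity_info.parameter_control = state->logon_parameters;` forwards the caller's value to the domain controller unchanged, and nothing in these hunks says which bits a caller may set. If `logon_parameters` comes from a winbind pipe client, as the commit message suggests, that client picks the logon flags for a request made over the machine's own secure channel. Either state the contract on `wb_cmd_pam_auth_crap_send()`, for example `/* logon_parameters: netlogon parameter_control bits, sent to the DC as-is; the caller must validate them */`, or mask the value against the flags winbind intends to permit. The body of `crap_samlogon_send_req()` continues outside the hunk.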
@@ -314,7 +320,8 @@ struct composite_context *wb_cmd_pam_auth_send(struct wbsrv_call *call, if (!NT_STATUS_IS_OK(status)) { return NULL; } - c = wb_cmd_pam_auth_crap_send(call, domain, user, workstation, + c = wb_cmd_pam_auth_crap_send(call, 0 /* logon parameters */, + domain, user, workstation, chal, nt_resp, lm_resp); return c; } -- cgit From 55c6d93184c79b58a5dbd81d7a2b452bc02c037f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Oct 2005 06:01:55 +0000 Subject: r11413: More comments, plus always check (and update) the credentials chain, regardless the authentication result on a particular user. Andrew Bartlett (This used to be commit 2ee7ed000ef099b2e38d540be75cbc8de386839a) --- source4/winbind/wb_pam_auth.c | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 68cd5fc4b2..0724875151 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -28,6 +28,7 @@ #include "smbd/service_stream.h" #include "libcli/auth/credentials.h" +/* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; @@ -51,6 +52,14 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom void *p); static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p); +/* NTLM authentication. + + Fill parameters into a control block to pass to the next function. + No application logic, this is done by the helper function paramters + to wb_domain_request_send() + +*/ + struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, uint32_t logon_parameters, const char *domain, 
@@ -104,6 +113,11 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, return NULL; } +/* + NTLM Authentication + + Send of a SamLogon request to authenticate a user. +*/ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *domain, void *p) { @@ -149,6 +163,11 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom state, &state->r); } +/* + NTLM Authentication + + Check the SamLogon reply, decrypt and parse out the session keys and the info3 structure +*/ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p) { @@ -161,9 +180,6 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, status = composite_netr_LogonSamLogon_recv(ctx); if (!NT_STATUS_IS_OK(status)) return status; - status = state->r.out.result; - if (!NT_STATUS_IS_OK(status)) return status; - if ((state->r.out.return_authenticator == NULL) || (!creds_client_check(state->creds_state, &state->r.out.return_authenticator->cred))) { @@ -171,6 +187,12 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, return NT_STATUS_ACCESS_DENIED; } + status = state->r.out.result; + if (!NT_STATUS_IS_OK(status)) return status; + + /* Decrypt the session keys before we reform the info3, so the + * person on the other end of winbindd pipe doesn't have to. + * They won't have the encryption key anyway */ creds_decrypt_samlogon(state->creds_state, state->r.in.validation_level, &state->r.out.validation); 
@@ -180,13 +202,17 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, state->r.out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); NT_STATUS_NOT_OK_RETURN(status); - + + /* The Samba3 protocol is a bit broken (due to non-IDL + * heritage, so for compatability we must add a non-zero 4 + * bytes to the info3 */ state->info3 = data_blob_talloc(state, NULL, tmp_blob.length+4); NT_STATUS_HAVE_NO_MEMORY(state->info3.data); SIVAL(state->info3.data, 0, 1); memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length); + /* We actually only ask for level 3, and assume it above, but anyway... */ base = NULL; switch(state->r.in.validation_level) { case 2: @@ -206,7 +232,9 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, state->user_session_key = base->key; state->lm_key = base->LMSessKey; - /* Give the caller the most accurate username possible */ + /* Give the caller the most accurate username possible. + * Assists where case sensitive comparisons may be done by our + * ntlm_auth callers */ if (base->account_name.string) { state->user_name = base->account_name.string; talloc_steal(state, base->account_name.string); -- cgit From 6b6a739eca1e16c0c101289b1984a639fce10223 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 5 Nov 2005 09:34:07 +0000 Subject: r11517: Cleanup time, this looks larger than it is. This mainly gets rid of wb_domain_request, now that we have queued rpc requests. Volker (This used to be commit 848522d1b64c1c283ac1ea7ce7f1a7a1b014a2aa) --- source4/winbind/wb_pam_auth.c | 154 ++++++++++++++++++++++-------------------- 1 file changed, 82 insertions(+), 72 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 0724875151..dfe3374b0b 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
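Review bot: The added comment `We actually only ask for level 3, and assume it above` records a real ordering gap: `state->r.out.validation.sam3` is serialised into `info3` before the `switch` on `validation_level` runs, so the switch cannot protect the push. Moving the level check ahead of the serialisation, e.g. `if (state->r.in.validation_level != 3) return NT_STATUS_INTERNAL_ERROR;`, would turn the assumption into an enforced precondition. It is also worth confirming that a successful reply cannot leave `validation.sam3` NULL before it is handed to `ndr_push_struct_blob()`. The call that starts the push and the place where `validation_level` is set are outside this hunk.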
@@ -26,6 +26,7 @@ #include "winbind/wb_async_helpers.h" #include "winbind/wb_server.h" #include "smbd/service_stream.h" +#include "smbd/service_task.h" #include "libcli/auth/credentials.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ @@ -48,19 +49,15 @@ struct pam_auth_crap_state { DATA_BLOB info3; }; -static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *domain, - void *p); -static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p); - -/* NTLM authentication. - - Fill parameters into a control block to pass to the next function. - No application logic, this is done by the helper function paramters - to wb_domain_request_send() - +/* + * NTLM authentication. */ -struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, +static void pam_auth_crap_recv_domain(struct composite_context *ctx); +static void pam_auth_crap_recv_samlogon(struct rpc_request *req); + +struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, + struct wbsrv_service *service, uint32_t logon_parameters, const char *domain, const char *user, @@ -69,13 +66,19 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, DATA_BLOB nt_resp, DATA_BLOB lm_resp) { + struct composite_context *result, *ctx; struct pam_auth_crap_state *state; - struct wbsrv_service *service = call->wbconn->listen_socket->service; - state = talloc(NULL, struct pam_auth_crap_state); - if (state == NULL) goto failed; + result = talloc(mem_ctx, struct composite_context); + if (result == NULL) goto failed; + result->state = COMPOSITE_STATE_IN_PROGRESS; + result->async.fn = NULL; + result->event_ctx = service->task->event_ctx; - state->event_ctx = call->event_ctx; + state = talloc(result, struct pam_auth_crap_state); + if (state == NULL) goto failed; + state->ctx = result; + result->private_data = state; state->logon_parameters = logon_parameters; 
@@ -99,17 +102,15 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, if ((lm_resp.data != NULL) && (state->lm_resp.data == NULL)) goto failed; - state->ctx = wb_domain_request_send(state, service, - service->primary_sid, - crap_samlogon_send_req, - crap_samlogon_recv_req, - state); - if (state->ctx == NULL) goto failed; - state->ctx->private_data = state; - return state->ctx; + ctx = wb_sid2domain_send(state, service, service->primary_sid); + if (ctx == NULL) goto failed; + + ctx->async.fn = pam_auth_crap_recv_domain; + ctx->async.private_data = state; + return result; failed: - talloc_free(state); + talloc_free(result); return NULL; } @@ -118,11 +119,15 @@ struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, Send of a SamLogon request to authenticate a user. */ -static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *domain, - void *p) +static void pam_auth_crap_recv_domain(struct composite_context *ctx) { struct pam_auth_crap_state *state = - talloc_get_type(p, struct pam_auth_crap_state); + talloc_get_type(ctx->async.private_data, + struct pam_auth_crap_state); + struct rpc_request *req; + struct wbsrv_domain *domain; + + state->ctx->status = wb_sid2domain_recv(ctx, &domain); state->creds_state = cli_credentials_get_netlogon_creds(domain->schannel_creds); @@ -146,7 +151,7 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom state->r.in.server_name = talloc_asprintf( state, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe)); - if (state->r.in.server_name == NULL) return NULL; + if (composite_nomem(state->r.in.server_name, state->ctx)) return; ZERO_STRUCT(state->auth2); 
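Review bot: In `pam_auth_crap_recv_domain()` the result of `wb_sid2domain_recv(ctx, &domain)` is stored in `state->ctx->status` but never tested, and the next statement dereferences `domain->schannel_creds`. `domain` has no initializer, so when the domain lookup fails the authentication path may read through an unset pointer instead of failing the logon. Add `if (!composite_is_ok(state->ctx)) return;` directly after the assignment, the same pattern `pam_auth_crap_recv_samlogon()` uses for its own status. The function body continues past this hunk.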
@@ -159,36 +164,39 @@ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *dom state->r.in.logon.network = &state->ninfo; state->r.out.return_authenticator = NULL; - return composite_netr_LogonSamLogon_send(domain->netlogon_pipe, - state, &state->r); + req = dcerpc_netr_LogonSamLogon_send(domain->netlogon_pipe, state, + &state->r); + composite_continue_rpc(state->ctx, req, pam_auth_crap_recv_samlogon, + state); } /* NTLM Authentication - Check the SamLogon reply, decrypt and parse out the session keys and the info3 structure + Check the SamLogon reply, decrypt and parse out the session keys and the + info3 structure. */ -static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, - void *p) +static void pam_auth_crap_recv_samlogon(struct rpc_request *req) { struct pam_auth_crap_state *state = - talloc_get_type(p, struct pam_auth_crap_state); + talloc_get_type(req->async.private, + struct pam_auth_crap_state); struct netr_SamBaseInfo *base; DATA_BLOB tmp_blob; - NTSTATUS status; - status = composite_netr_LogonSamLogon_recv(ctx); - if (!NT_STATUS_IS_OK(status)) return status; + state->ctx->status = dcerpc_ndr_request_recv(req); + if (!composite_is_ok(state->ctx)) return; if ((state->r.out.return_authenticator == NULL) || (!creds_client_check(state->creds_state, &state->r.out.return_authenticator->cred))) { DEBUG(0, ("Credentials check failed!\n")); - return NT_STATUS_ACCESS_DENIED; + composite_error(state->ctx, NT_STATUS_ACCESS_DENIED); + return; } - status = state->r.out.result; - if (!NT_STATUS_IS_OK(status)) return status; + state->ctx->status = state->r.out.result; + if (!composite_is_ok(state->ctx)) return; /* Decrypt the session keys before we reform the info3, so the * person on the other end of winbindd pipe doesn't have to. 
@@ -197,22 +205,23 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, state->r.in.validation_level, &state->r.out.validation); - status = ndr_push_struct_blob( - &tmp_blob, state, - state->r.out.validation.sam3, + state->ctx->status = ndr_push_struct_blob( + &tmp_blob, state, state->r.out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); - NT_STATUS_NOT_OK_RETURN(status); + if (!composite_is_ok(state->ctx)) return; /* The Samba3 protocol is a bit broken (due to non-IDL * heritage, so for compatability we must add a non-zero 4 * bytes to the info3 */ state->info3 = data_blob_talloc(state, NULL, tmp_blob.length+4); - NT_STATUS_HAVE_NO_MEMORY(state->info3.data); + if (composite_nomem(state->info3.data, state->ctx)) return; SIVAL(state->info3.data, 0, 1); memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length); - /* We actually only ask for level 3, and assume it above, but anyway... */ + /* We actually only ask for level 3, and assume it above, but + * anyway... */ + base = NULL; switch(state->r.in.validation_level) { case 2: @@ -226,7 +235,8 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, break; } if (base == NULL) { - return NT_STATUS_INTERNAL_ERROR; + composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); + return; } state->user_session_key = base->key; @@ -244,7 +254,7 @@ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, talloc_steal(state, base->domain.string); } - return NT_STATUS_OK; + composite_done(state->ctx); } NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, @@ -263,7 +273,8 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, *user_session_key = state->user_session_key; *lm_key = state->lm_key; *unix_username = talloc_asprintf(mem_ctx, "%s%s%s", - state->domain_name, lp_winbind_separator(), + state->domain_name, + lp_winbind_separator(), state->user_name); if (!*unix_username) { status = NT_STATUS_NO_MEMORY; 
@@ -273,31 +284,32 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, return status; } -NTSTATUS wb_cmd_pam_auth_crap(struct wbsrv_call *call, +NTSTATUS wb_cmd_pam_auth_crap(TALLOC_CTX *mem_ctx, + struct wbsrv_service *service, uint32_t logon_parameters, const char *domain, const char *user, const char *workstation, DATA_BLOB chal, DATA_BLOB nt_resp, - DATA_BLOB lm_resp, TALLOC_CTX *mem_ctx, + DATA_BLOB lm_resp, DATA_BLOB *info3, struct netr_UserSessionKey *user_session_key, struct netr_LMSessionKey *lm_key, char **unix_username) { struct composite_context *c = - wb_cmd_pam_auth_crap_send(call, logon_parameters, + wb_cmd_pam_auth_crap_send(mem_ctx, service, logon_parameters, domain, user, workstation, chal, nt_resp, lm_resp); return wb_cmd_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key, lm_key, unix_username); } -struct composite_context *wb_cmd_pam_auth_send(struct wbsrv_call *call, +struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, + struct wbsrv_service *service, const char *domain, const char *user, const char *password) { - struct composite_context *c; struct cli_credentials *credentials; const char *workstation; NTSTATUS status; @@ -314,7 +326,7 @@ struct composite_context *wb_cmd_pam_auth_send(struct wbsrv_call *call, DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n")); - credentials = cli_credentials_init(call); + credentials = cli_credentials_init(mem_ctx); if (!credentials) { return NULL; } 
@@ -324,34 +336,33 @@ struct composite_context *wb_cmd_pam_auth_send(struct wbsrv_call *call, cli_credentials_set_password(credentials, password, CRED_SPECIFIED); - chal = data_blob_talloc(call, NULL, 8); + chal = data_blob_talloc(mem_ctx, NULL, 8); if (!chal.data) { return NULL; } generate_random_buffer(chal.data, chal.length); - cli_credentials_get_ntlm_username_domain(credentials, call, + cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &user, &domain); /* for best compatability with multiple vitual netbios names * on the host, this should be generated from the * cli_credentials associated with the machine account */ workstation = cli_credentials_get_workstation(credentials); - names_blob = NTLMv2_generate_names_blob(call, cli_credentials_get_workstation(credentials), - cli_credentials_get_domain(credentials)); + names_blob = NTLMv2_generate_names_blob( + mem_ctx, + cli_credentials_get_workstation(credentials), + cli_credentials_get_domain(credentials)); - status = cli_credentials_get_ntlm_response(credentials, call, - &flags, - chal, - names_blob, - &lm_resp, &nt_resp, - NULL, NULL); + status = cli_credentials_get_ntlm_response( + credentials, mem_ctx, &flags, chal, names_blob, + &lm_resp, &nt_resp, NULL, NULL); if (!NT_STATUS_IS_OK(status)) { return NULL; } - c = wb_cmd_pam_auth_crap_send(call, 0 /* logon parameters */, - domain, user, workstation, - chal, nt_resp, lm_resp); - return c; + return wb_cmd_pam_auth_crap_send(mem_ctx, service, + 0 /* logon parameters */, + domain, user, workstation, + chal, nt_resp, lm_resp); } NTSTATUS wb_cmd_pam_auth_recv(struct composite_context *c) 
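Review bot: `credentials` holds the cleartext password set by `cli_credentials_set_password()` and, after this change, hangs off the caller's `mem_ctx`, but `wb_cmd_pam_auth_send()` never frees it, neither on the `return NULL` paths nor once `lm_resp` and `nt_resp` have been computed. The password therefore stays in memory for as long as the caller keeps that context. Consider keeping the result of `wb_cmd_pam_auth_crap_send()` in a local, calling `talloc_free(credentials);` and then returning it, with the same free on the error returns. This looks safe because the crap send function appears to `talloc_strdup()` the domain, user and workstation strings it is given, but confirm that for the blobs. `talloc_free()` does not scrub the buffer, so clearing the password first would be a separate step; the function starts outside this hunk.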
@@ -363,12 +374,11 @@ NTSTATUS wb_cmd_pam_auth_recv(struct composite_context *c) return status; } -NTSTATUS wb_cmd_pam_auth(struct wbsrv_call *call, +NTSTATUS wb_cmd_pam_auth(TALLOC_CTX *mem_ctx, struct wbsrv_service *service, const char *domain, const char *user, const char *password) { struct composite_context *c = - wb_cmd_pam_auth_send(call, domain, user, - password); + wb_cmd_pam_auth_send(mem_ctx, service, domain, user, password); return wb_cmd_pam_auth_recv(c); } -- cgit From ddc632378a27e809765138c799c170c284bf6977 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 21 Nov 2005 10:28:54 +0000 Subject: r11825: Fix a debug msg (This used to be commit fc6458d0d4d9059e00b19ad6c54e3fd5a4119341) --- source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index dfe3374b0b..856d621a17 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -324,7 +324,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, flags |= CLI_CRED_NTLMv2_AUTH; } - DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n")); + DEBUG(5, ("wbsrv_samba3_pam_auth called\n")); credentials = cli_credentials_init(mem_ctx); if (!credentials) { -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/winbind/wb_pam_auth.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 856d621a17..593cd22291 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -23,9 +23,7 @@ #include "includes.h" #include "libcli/composite/composite.h" -#include "winbind/wb_async_helpers.h" #include "winbind/wb_server.h" -#include "smbd/service_stream.h" #include "smbd/service_task.h" #include "libcli/auth/credentials.h" -- cgit From 9d1954c25d646c46daa38c3f96f4c4029b9bb417 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Feb 2006 00:07:59 +0000 Subject: r13583: Realise that the member server name appears in all calls that use the credentials. Consistantly rename these elements in the IDL to computer_name. Fix the server-side code to always lookup by this name. Add new, even nastier tests to RPC-SCHANNEL to prove this. Andrew Bartlett (This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a) --- source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 593cd22291..f85cfd1f1a 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -153,7 +153,7 @@ static void pam_auth_crap_recv_domain(struct composite_context *ctx) ZERO_STRUCT(state->auth2); - state->r.in.workstation = + state->r.in.computer_name = cli_credentials_get_workstation(domain->schannel_creds); state->r.in.credential = &state->auth; state->r.in.return_authenticator = &state->auth2; -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index f85cfd1f1a..b57f918669 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -26,6 +26,7 @@ #include "winbind/wb_server.h" #include "smbd/service_task.h" #include "libcli/auth/credentials.h" +#include "libcli/auth/proto.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { -- cgit From 3f16241a1d3243447d0244ebac05b447aec94df8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 01:29:56 +0000 Subject: r14363: Remove credentials.h from the global includes. (This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index b57f918669..97f0845467 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -27,6 +27,7 @@ #include "smbd/service_task.h" #include "libcli/auth/credentials.h" #include "libcli/auth/proto.h" +#include "auth/credentials/credentials.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { -- cgit From e3f2414cf9e582a4e4deecc662b64a7bb2679a34 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 15:03:25 +0000 Subject: r14380: Reduce the size of structs.h (This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe) --- source4/winbind/wb_pam_auth.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 97f0845467..2967414fec 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -26,8 +26,7 @@ #include "winbind/wb_server.h" #include "smbd/service_task.h" #include "libcli/auth/credentials.h" -#include "libcli/auth/proto.h" -#include "auth/credentials/credentials.h" +#include "libcli/auth/libcli_auth.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { -- cgit From 1060f6b3f621cb70b075a879f129e57f10fdbf8a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 23:35:30 +0000 Subject: r14402: Generate seperate headers for RPC client functions. (This used to be commit 7054ebf0249930843a2baf4d023ae8f62cedb109) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 2967414fec..558dfcae49 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -27,6 +27,7 @@ #include "smbd/service_task.h" #include "libcli/auth/credentials.h" #include "libcli/auth/libcli_auth.h" +#include "librpc/gen_ndr/ndr_netlogon_c.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { -- cgit From 8528016978b084213ef53d66e1b6e831b1a01acc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 00:23:11 +0000 Subject: r14464: Don't include ndr_BASENAME.h files unless strictly required, instead try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 558dfcae49..5db0f3054a 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -27,6 +27,7 @@ #include "smbd/service_task.h" #include "libcli/auth/credentials.h" #include "libcli/auth/libcli_auth.h" +#include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ -- cgit From 689bbb41b91b82c7467a1a51d11efcff268ea3d2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 28 Jul 2006 11:51:07 +0000 Subject: r17290: don't do any stuff that can fail in the _recv function metze (This used to be commit 88bcb57e82c799197b1d87212466a9b21d61edf8) --- source4/winbind/wb_pam_auth.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 5db0f3054a..07c7e0eb02 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -37,6 +37,7 @@ struct pam_auth_crap_state { uint32_t logon_parameters; const char *domain_name; const char *user_name; + const char *unix_username; const char *workstation; DATA_BLOB chal, nt_resp, lm_resp; @@ -89,6 +90,8 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, state->user_name = talloc_strdup(state, user); if (state->user_name == NULL) goto failed; + state->unix_username = NULL; + state->workstation = talloc_strdup(state, workstation); if (state->workstation == NULL) goto failed; @@ -255,6 +258,12 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req) talloc_steal(state, base->domain.string); } + state->unix_username = talloc_asprintf(state, "%s%s%s", + state->domain_name, + lp_winbind_separator(), + state->user_name); + if (composite_nomem(state->unix_username, state->ctx)) return; + composite_done(state->ctx); } 
@@ -273,13 +282,7 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, info3->data = talloc_steal(mem_ctx, state->info3.data); *user_session_key = state->user_session_key; *lm_key = state->lm_key; - *unix_username = talloc_asprintf(mem_ctx, "%s%s%s", - state->domain_name, - lp_winbind_separator(), - state->user_name); - if (!*unix_username) { - status = NT_STATUS_NO_MEMORY; - } + *unix_username = talloc_steal(mem_ctx, state->unix_username); } talloc_free(state); return status; -- cgit From edcbd24b6a98c25be083fa30971ea4ca04600871 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 29 Jul 2006 07:56:03 +0000 Subject: r17306: fix compiler warning metze (This used to be commit cee012c5702da225c81f82d90193b500e3707613) --- source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 07c7e0eb02..3eb49e2def 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -37,7 +37,7 @@ struct pam_auth_crap_state { uint32_t logon_parameters; const char *domain_name; const char *user_name; - const char *unix_username; + char *unix_username; const char *workstation; DATA_BLOB chal, nt_resp, lm_resp; -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 3eb49e2def..97798861ca 100644 --- a/source4/winbind/wb_pam_auth.c 
+++ b/source4/winbind/wb_pam_auth.c @@ -25,7 +25,7 @@ #include "libcli/composite/composite.h" #include "winbind/wb_server.h" #include "smbd/service_task.h" -#include "libcli/auth/credentials.h" +#include "auth/credentials/credentials.h" #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" -- cgit From fcdb99f7ce049494063c88a495dabd8849cf251c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 29 Apr 2007 21:40:48 +0000 Subject: r22582: Cleanups towards making winbind work again. We still have a long way to go, as this has bitrotted over the past months. This change in particular catches winbind up with the next composite_create() function. We also needed to remove an unused flags field, and fill in the lm response. Andrew Bartlett (This used to be commit bd26e4ffaf1c060fdc3aae28fd4393e83c5a83ea) --- source4/winbind/wb_pam_auth.c | 42 +++++++++--------------------------------- 1 file changed, 9 insertions(+), 33 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 97798861ca..b8c1cacbf0 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -267,6 +267,8 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req) composite_done(state->ctx); } +/* Having received a NTLM authentication reply, parse out the useful + * reply data for the caller */ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, DATA_BLOB *info3, 
@@ -288,25 +290,8 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, return status; } -NTSTATUS wb_cmd_pam_auth_crap(TALLOC_CTX *mem_ctx, - struct wbsrv_service *service, - uint32_t logon_parameters, - const char *domain, const char *user, - const char *workstation, - DATA_BLOB chal, DATA_BLOB nt_resp, - DATA_BLOB lm_resp, - DATA_BLOB *info3, - struct netr_UserSessionKey *user_session_key, - struct netr_LMSessionKey *lm_key, - char **unix_username) -{ - struct composite_context *c = - wb_cmd_pam_auth_crap_send(mem_ctx, service, logon_parameters, - domain, user, workstation, - chal, nt_resp, lm_resp); - return wb_cmd_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key, - lm_key, unix_username); -} +/* Handle plaintext authentication, by encrypting the password and + * then sending via the NTLM calls */ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, struct wbsrv_service *service, @@ -371,18 +356,9 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, NTSTATUS wb_cmd_pam_auth_recv(struct composite_context *c) { - struct pam_auth_crap_state *state = - talloc_get_type(c->private_data, struct pam_auth_crap_state); - NTSTATUS status = composite_wait(c); - talloc_free(state); - return status; -} - -NTSTATUS wb_cmd_pam_auth(TALLOC_CTX *mem_ctx, struct wbsrv_service *service, - const char *domain, const char *user, - const char *password) -{ - struct composite_context *c = - wb_cmd_pam_auth_send(mem_ctx, service, domain, user, password); - return wb_cmd_pam_auth_recv(c); + struct pam_auth_crap_state *state = + talloc_get_type(c->private_data, struct pam_auth_crap_state); + NTSTATUS status = composite_wait(c); + talloc_free(state); + return status; } -- cgit From f5a94f978b9221bbf79e3d0d3fe8ad5d735509a1 Mon Sep 17 00:00:00 2001 
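Review bot: `wb_cmd_pam_auth_recv` in the second hunk reads `c->private_data` in its first declaration, before `composite_wait(c)` runs, so a NULL context is dereferenced rather than reported as an error. Other hunks on this page show `wb_cmd_pam_auth_send` returning NULL on allocation failure, and this commit removes the synchronous wrapper, so callers hand the send result straight to this function. An early `if (c == NULL) return NT_STATUS_NO_MEMORY;` ahead of the `talloc_get_type` lookup keeps a failed send from crashing the daemon.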
From: Andrew Bartlett Date: Mon, 30 Apr 2007 16:52:30 +0000 Subject: r22612: Fix more cases where we have uninitialised values in the composite_context, because we don't use the creation function. Andrew Bartlett (This used to be commit e37064e356c17d0c87bb7fa7adf0c0d04d8daba2) --- source4/winbind/wb_pam_auth.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index b8c1cacbf0..c89870c3a2 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -71,11 +71,8 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, struct composite_context *result, *ctx; struct pam_auth_crap_state *state; - result = talloc(mem_ctx, struct composite_context); + result = composite_create(mem_ctx, service->task->event_ctx); if (result == NULL) goto failed; - result->state = COMPOSITE_STATE_IN_PROGRESS; - result->async.fn = NULL; - result->event_ctx = service->task->event_ctx; state = talloc(result, struct pam_auth_crap_state); if (state == NULL) goto failed; -- cgit From 40cd2d778093d7799b27b6beb37166d8a53f965c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 May 2007 14:52:54 +0000 Subject: r22944: fix bug #4618: rename private -> private_data metze (This used to be commit 58551f2f28fce8f1fcd04736c47ecd7458f32ea2) --- source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index c89870c3a2..6c8e9430bb 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -180,7 +180,7 @@ static void pam_auth_crap_recv_domain(struct composite_context *ctx) static void pam_auth_crap_recv_samlogon(struct rpc_request *req) { struct pam_auth_crap_state *state = - talloc_get_type(req->async.private, + talloc_get_type(req->async.private_data, struct pam_auth_crap_state); struct netr_SamBaseInfo *base; DATA_BLOB tmp_blob; -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/winbind/wb_pam_auth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 6c8e9430bb..e29bb7c472 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From b9d77db587f42c2c7a26b7fd8082740c617cb467 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 15 Jul 2007 10:46:34 +0000 Subject: r23880: Don't crash when we run wbinfo -a against our own winbind when we are a DC. Next step is to make it work... Andrew Bartlett (This used to be commit a1b6c9ecb9a6f17bcbabf81a8128398df6447490) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index e29bb7c472..fffb7c408c 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -128,6 +128,7 @@ static void pam_auth_crap_recv_domain(struct composite_context *ctx) struct wbsrv_domain *domain; state->ctx->status = wb_sid2domain_recv(ctx, &domain); + if (!composite_is_ok(state->ctx)) return; state->creds_state = cli_credentials_get_netlogon_creds(domain->schannel_creds); -- cgit From c86e98aa8070137834f0587b613e215db8802f27 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 16 Jul 2007 11:27:29 +0000 Subject: r23890: Allow wbinfo -a to work against Samba4's winbind. Add a test for wbinfo -a to test_member.sh Reimplement the server-side 'pam_auth' and 'pam_auth_crap' calls to use the same SamLogon code as auth_winbind uses. In my previous code, we did not bind to the LSA and SAMR pipes, before attempting operations. We now do this (how we passed any tests before is beyond me). This required some rework, particularly to make it easier to setup secondary connections. The new rpc_secondary_auth_connection() function also performs the bind. The dcerpc_connect.c file was getting to big, so things have been merged into dcerpc_secondary.c. Andrew Bartlett (This used to be commit 365778a993b7d76af6d53ba2a598b7e271741dc5) --- source4/winbind/wb_pam_auth.c | 176 +++++++++++------------------------------- 1 file changed, 45 insertions(+), 131 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') 
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index fffb7c408c..4874254eff 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -28,23 +28,22 @@ #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "librpc/gen_ndr/winbind.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; - uint32_t logon_parameters; - const char *domain_name; - const char *user_name; + + struct winbind_SamLogon *req; char *unix_username; - const char *workstation; - DATA_BLOB chal, nt_resp, lm_resp; - struct creds_CredentialState *creds_state; - struct netr_Authenticator auth, auth2; struct netr_NetworkInfo ninfo; struct netr_LogonSamLogon r; + const char *user_name; + const char *domain_name; + struct netr_UserSessionKey user_session_key; struct netr_LMSessionKey lm_key; DATA_BLOB info3; @@ -54,8 +53,7 @@ struct pam_auth_crap_state { * NTLM authentication. */ -static void pam_auth_crap_recv_domain(struct composite_context *ctx); -static void pam_auth_crap_recv_samlogon(struct rpc_request *req); +static void pam_auth_crap_recv_logon(struct composite_context *ctx); struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, struct wbsrv_service *service, @@ -69,6 +67,8 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, { struct composite_context *result, *ctx; struct pam_auth_crap_state *state; + struct netr_NetworkInfo *ninfo; + DATA_BLOB tmp_nt_resp, tmp_lm_resp; result = composite_create(mem_ctx, service->task->event_ctx); if (result == NULL) goto failed; 
@@ -78,35 +78,43 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, state->ctx = result; result->private_data = state; - state->logon_parameters = logon_parameters; + state->req = talloc(state, struct winbind_SamLogon); + + state->req->in.logon_level = 2; + state->req->in.validation_level = 3; + ninfo = state->req->in.logon.network = talloc(state, struct netr_NetworkInfo); + if (ninfo == NULL) goto failed; + + ninfo->identity_info.account_name.string = talloc_strdup(state, user); + ninfo->identity_info.domain_name.string = talloc_strdup(state, domain); + ninfo->identity_info.parameter_control = logon_parameters; + ninfo->identity_info.logon_id_low = 0; + ninfo->identity_info.logon_id_high = 0; + ninfo->identity_info.workstation.string = talloc_strdup(state, workstation); + + SMB_ASSERT(chal.length == sizeof(ninfo->challenge)); + memcpy(ninfo->challenge, chal.data, + sizeof(ninfo->challenge)); + + tmp_nt_resp = data_blob_talloc(ninfo, nt_resp.data, nt_resp.length); + if ((nt_resp.data != NULL) && + (tmp_nt_resp.data == NULL)) goto failed; - state->domain_name = talloc_strdup(state, domain); - if (state->domain_name == NULL) goto failed; + tmp_lm_resp = data_blob_talloc(ninfo, lm_resp.data, lm_resp.length); + if ((lm_resp.data != NULL) && + (tmp_lm_resp.data == NULL)) goto failed; - state->user_name = talloc_strdup(state, user); - if (state->user_name == NULL) goto failed; + ninfo->nt.length = tmp_nt_resp.length; + ninfo->nt.data = tmp_nt_resp.data; + ninfo->lm.length = tmp_lm_resp.length; + ninfo->lm.data = tmp_lm_resp.data; state->unix_username = NULL; - state->workstation = talloc_strdup(state, workstation); - if (state->workstation == NULL) goto failed; - - state->chal = data_blob_talloc(state, chal.data, chal.length); - if ((chal.data != NULL) && (state->chal.data == NULL)) goto failed; - - state->nt_resp = data_blob_talloc(state, nt_resp.data, nt_resp.length); - if ((nt_resp.data != NULL) && - (state->nt_resp.data == NULL)) goto failed; 
- - state->lm_resp = data_blob_talloc(state, lm_resp.data, lm_resp.length); - if ((lm_resp.data != NULL) && - (state->lm_resp.data == NULL)) goto failed; - - ctx = wb_sid2domain_send(state, service, service->primary_sid); + ctx = wb_sam_logon_send(mem_ctx, service, state->req); if (ctx == NULL) goto failed; - ctx->async.fn = pam_auth_crap_recv_domain; - ctx->async.private_data = state; + composite_continue(result, ctx, pam_auth_crap_recv_logon, state); return result; failed: 
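Review bot: In the `wb_cmd_pam_auth_crap_send` hunk, `state->req = talloc(state, struct winbind_SamLogon);` is dereferenced on the next line without a NULL check, and the three `talloc_strdup` results for account, domain and workstation name are stored unchecked, where the removed code tested each one. The hunk also deletes the only visible assignments to `state->user_name` and `state->domain_name` while the struct keeps both fields. Because `state` comes from plain `talloc`, any later read of them (the code that formats the unix username is outside this hunk) would see uninitialised pointers. The `SMB_ASSERT` on `chal.length` aborts the process on a wrong-sized challenge; if that length can originate from a client request, returning an error would be safer. The function starts before the hunk and its `failed:` label follows it.

```c
	state->req = talloc(state, struct winbind_SamLogon);
	if (state->req == NULL) goto failed;
	/* … unchanged: logon_level, validation_level, ninfo allocation and check … */
	ninfo->identity_info.account_name.string = talloc_strdup(state, user);
	if (ninfo->identity_info.account_name.string == NULL) goto failed;
	ninfo->identity_info.domain_name.string = talloc_strdup(state, domain);
	if (ninfo->identity_info.domain_name.string == NULL) goto failed;
	/* … unchanged: parameter_control, logon_id_low, logon_id_high … */
	ninfo->identity_info.workstation.string = talloc_strdup(state, workstation);
	if (ninfo->identity_info.workstation.string == NULL) goto failed;

	/* keep the names reachable for the code that builds unix_username */
	state->user_name = ninfo->identity_info.account_name.string;
	state->domain_name = ninfo->identity_info.domain_name.string;
	/* … unchanged: challenge copy, nt/lm response blobs … */
```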
@@ -119,95 +127,19 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, Send of a SamLogon request to authenticate a user. */ -static void pam_auth_crap_recv_domain(struct composite_context *ctx) +static void pam_auth_crap_recv_logon(struct composite_context *ctx) { + DATA_BLOB tmp_blob; + struct netr_SamBaseInfo *base; struct pam_auth_crap_state *state = talloc_get_type(ctx->async.private_data, struct pam_auth_crap_state); - struct rpc_request *req; - struct wbsrv_domain *domain; - - state->ctx->status = wb_sid2domain_recv(ctx, &domain); - if (!composite_is_ok(state->ctx)) return; - state->creds_state = - cli_credentials_get_netlogon_creds(domain->schannel_creds); - - creds_client_authenticator(state->creds_state, &state->auth); - - state->ninfo.identity_info.account_name.string = state->user_name; - state->ninfo.identity_info.domain_name.string = state->domain_name; - state->ninfo.identity_info.parameter_control = state->logon_parameters; - state->ninfo.identity_info.logon_id_low = 0; - state->ninfo.identity_info.logon_id_high = 0; - state->ninfo.identity_info.workstation.string = state->workstation; - - SMB_ASSERT(state->chal.length == sizeof(state->ninfo.challenge)); - memcpy(state->ninfo.challenge, state->chal.data, - sizeof(state->ninfo.challenge)); - - state->ninfo.nt.length = state->nt_resp.length; - state->ninfo.nt.data = state->nt_resp.data; - state->ninfo.lm.length = state->lm_resp.length; - state->ninfo.lm.data = state->lm_resp.data; - - state->r.in.server_name = talloc_asprintf( - state, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe)); - if (composite_nomem(state->r.in.server_name, state->ctx)) return; - - ZERO_STRUCT(state->auth2); - - state->r.in.computer_name = - cli_credentials_get_workstation(domain->schannel_creds); - state->r.in.credential = &state->auth; - state->r.in.return_authenticator = &state->auth2; - state->r.in.logon_level = 2; - state->r.in.validation_level = 3; - state->r.in.logon.network = &state->ninfo; - 
state->r.out.return_authenticator = NULL; - - req = dcerpc_netr_LogonSamLogon_send(domain->netlogon_pipe, state, - &state->r); - composite_continue_rpc(state->ctx, req, pam_auth_crap_recv_samlogon, - state); -} - -/* - NTLM Authentication - - Check the SamLogon reply, decrypt and parse out the session keys and the - info3 structure. -*/ -static void pam_auth_crap_recv_samlogon(struct rpc_request *req) -{ - struct pam_auth_crap_state *state = - talloc_get_type(req->async.private_data, - struct pam_auth_crap_state); - struct netr_SamBaseInfo *base; - DATA_BLOB tmp_blob; - state->ctx->status = dcerpc_ndr_request_recv(req); + state->ctx->status = wb_sam_logon_recv(ctx, state, state->req); if (!composite_is_ok(state->ctx)) return; - if ((state->r.out.return_authenticator == NULL) || - (!creds_client_check(state->creds_state, - &state->r.out.return_authenticator->cred))) { - DEBUG(0, ("Credentials check failed!\n")); - composite_error(state->ctx, NT_STATUS_ACCESS_DENIED); - return; - } - - state->ctx->status = state->r.out.result; - if (!composite_is_ok(state->ctx)) return; - - /* Decrypt the session keys before we reform the info3, so the - * person on the other end of winbindd pipe doesn't have to. - * They won't have the encryption key anyway */ - creds_decrypt_samlogon(state->creds_state, - state->r.in.validation_level, - &state->r.out.validation); - state->ctx->status = ndr_push_struct_blob( - &tmp_blob, state, state->r.out.validation.sam3, + &tmp_blob, state, state->req->out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); if (!composite_is_ok(state->ctx)) return; 
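Review bot: In `pam_auth_crap_recv_logon`, `state->req->out.validation.sam3` is handed to `ndr_push_struct_blob`, and dereferenced for `base` in the following hunk, with no check that the reply actually carries a level-3 validation. The switch removed in that next hunk at least ended in `NT_STATUS_INTERNAL_ERROR` when no base was found. Whether `wb_sam_logon_recv` guarantees a non-NULL `sam3` on success is not visible here, so a guard before the push, `if (state->req->out.validation.sam3 == NULL) { composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); return; }`, would keep the old failure mode. The return-authenticator check and session-key decryption removed in this hunk are presumably now done inside the shared SamLogon code; a one-line comment saying so would help, since the keys are passed on to the client. The header comment above the function still reads "Send of a SamLogon request" although the function now receives the reply.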
@@ -220,25 +152,7 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req) SIVAL(state->info3.data, 0, 1); memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length); - /* We actually only ask for level 3, and assume it above, but - * anyway... */ - - base = NULL; - switch(state->r.in.validation_level) { - case 2: - base = &state->r.out.validation.sam2->base; - break; - case 3: - base = &state->r.out.validation.sam3->base; - break; - case 6: - base = &state->r.out.validation.sam6->base; - break; - } - if (base == NULL) { - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - return; - } + base = &state->req->out.validation.sam3->base; state->user_session_key = base->key; state->lm_key = base->LMSessKey; -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 4874254eff..ef19c32331 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -29,6 +29,7 @@ #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" #include "librpc/gen_ndr/winbind.h" +#include "param/param.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/winbind/wb_pam_auth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') 
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index ef19c32331..4a9be62228 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -172,7 +172,7 @@ static void pam_auth_crap_recv_logon(struct composite_context *ctx) state->unix_username = talloc_asprintf(state, "%s%s%s", state->domain_name, - lp_winbind_separator(), + lp_winbind_separator(global_loadparm), state->user_name); if (composite_nomem(state->unix_username, state->ctx)) return; @@ -217,11 +217,11 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, DATA_BLOB chal, nt_resp, lm_resp, names_blob; int flags = CLI_CRED_NTLM_AUTH; - if (lp_client_lanman_auth()) { + if (lp_client_lanman_auth(global_loadparm)) { flags |= CLI_CRED_LANMAN_AUTH; } - if (lp_client_ntlmv2_auth()) { + if (lp_client_ntlmv2_auth(global_loadparm)) { flags |= CLI_CRED_NTLMv2_AUTH; } @@ -231,7 +231,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, if (!credentials) { return NULL; } - cli_credentials_set_conf(credentials); + cli_credentials_set_conf(credentials, global_loadparm); cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED); cli_credentials_set_username(credentials, user, CRED_SPECIFIED); -- cgit From 529763a9aa192a6785ba878aceeb1683c2510913 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Fri, 9 Nov 2007 19:24:51 +0100 Subject: r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers) lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435) --- source4/winbind/wb_pam_auth.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 4a9be62228..06e2bff990 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -131,6 +131,7 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, static void pam_auth_crap_recv_logon(struct composite_context *ctx) { DATA_BLOB tmp_blob; + enum ndr_err_code ndr_err; struct netr_SamBaseInfo *base; struct pam_auth_crap_state *state = talloc_get_type(ctx->async.private_data, @@ -139,10 +140,13 @@ static void pam_auth_crap_recv_logon(struct composite_context *ctx) state->ctx->status = wb_sam_logon_recv(ctx, state, state->req); if (!composite_is_ok(state->ctx)) return; - state->ctx->status = ndr_push_struct_blob( + ndr_err = ndr_push_struct_blob( &tmp_blob, state, state->req->out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); - if (!composite_is_ok(state->ctx)) return; + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + state->ctx->status = ndr_map_error2ntstatus(ndr_err); + if (!composite_is_ok(state->ctx)) return; + } /* The Samba3 protocol is a bit broken (due to non-IDL * heritage, so for compatability we must add a non-zero 4 -- cgit From b83a7a135f3247f553cb04173646b2d871b97235 Mon Sep 17 00:00:00 2001 
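Review bot: The new error branch in `pam_auth_crap_recv_logon` only leaves the function through the nested `if (!composite_is_ok(state->ctx)) return;`, so the exit depends on `ndr_map_error2ntstatus` never yielding a success status. If it ever did, execution would continue with `tmp_blob` unset. Writing the branch as `composite_error(state->ctx, ndr_map_error2ntstatus(ndr_err)); return;` makes the exit unconditional and reads more directly. The function continues past the end of the hunk.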
From: Jelmer Vernooij Date: Mon, 3 Dec 2007 21:25:17 +0100 Subject: r26268: Avoid more use of global_loadparm - put lp_ctx in smb_server and wbsrv_connection. (This used to be commit 7c008664238ed966cb82adf5b25b22157bb50730) --- source4/winbind/wb_pam_auth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 06e2bff990..9045c63d63 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -221,11 +221,11 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, DATA_BLOB chal, nt_resp, lm_resp, names_blob; int flags = CLI_CRED_NTLM_AUTH; - if (lp_client_lanman_auth(global_loadparm)) { + if (lp_client_lanman_auth(service->task->lp_ctx)) { flags |= CLI_CRED_LANMAN_AUTH; } - if (lp_client_ntlmv2_auth(global_loadparm)) { + if (lp_client_ntlmv2_auth(service->task->lp_ctx)) { flags |= CLI_CRED_NTLMv2_AUTH; } @@ -235,7 +235,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, if (!credentials) { return NULL; } - cli_credentials_set_conf(credentials, global_loadparm); + cli_credentials_set_conf(credentials, service->task->lp_ctx); cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED); cli_credentials_set_username(credentials, user, CRED_SPECIFIED); -- cgit From a693e6f1c71d9772b52cf40a85b0504cea837240 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 4 Dec 2007 19:33:00 +0100 Subject: r26295: Remove use of global_loadparm for net and wb_pam_auth. (This used to be commit 47696b42987ea67ae1c6c09a4bec5858e5db4542) --- source4/winbind/wb_pam_auth.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 9045c63d63..c8e81e09f2 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c 
@@ -35,6 +35,7 @@ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; + struct loadparm_context *lp_ctx; struct winbind_SamLogon *req; char *unix_username; @@ -77,6 +78,7 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, state = talloc(result, struct pam_auth_crap_state); if (state == NULL) goto failed; state->ctx = result; + state->lp_ctx = service->task->lp_ctx; result->private_data = state; state->req = talloc(state, struct winbind_SamLogon); @@ -176,7 +178,7 @@ static void pam_auth_crap_recv_logon(struct composite_context *ctx) state->unix_username = talloc_asprintf(state, "%s%s%s", state->domain_name, - lp_winbind_separator(global_loadparm), + lp_winbind_separator(state->lp_ctx), state->user_name); if (composite_nomem(state->unix_username, state->ctx)) return; -- cgit From 86dc05e99f124db47f2743d1fc23117a7f5145ab Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 1 Jan 2008 22:05:05 -0600 Subject: r26638: libndr: Require explicitly specifying iconv_convenience for ndr_struct_push_blob(). (This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3) --- source4/winbind/wb_pam_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index c8e81e09f2..a34f3fbdd0 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -143,7 +143,8 @@ static void pam_auth_crap_recv_logon(struct composite_context *ctx) if (!composite_is_ok(state->ctx)) return; ndr_err = ndr_push_struct_blob( - &tmp_blob, state, state->req->out.validation.sam3, + &tmp_blob, state, lp_iconv_convenience(global_loadparm), + state->req->out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { state->ctx->status = ndr_map_error2ntstatus(ndr_err); -- cgit From 263a77c5618daddb0c1e4f0ad0a922bca55faf0d Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Thu, 21 Feb 2008 15:45:32 +0100 Subject: Remove more uses of global_loadparm. (This used to be commit a1715b1f48ba44bd94844418cc9299649aaf1a5e) --- source4/winbind/wb_pam_auth.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index a34f3fbdd0..0073e3fdf8 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -258,6 +258,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, names_blob = NTLMv2_generate_names_blob( mem_ctx, + lp_iconv_convenience(service->task->lp_ctx), cli_credentials_get_workstation(credentials), cli_credentials_get_domain(credentials)); -- cgit From 3101cb888d5cbad785050b8491b138d683d444fb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 25 Feb 2008 12:51:55 +0100 Subject: Remove uses of global_loadparm. (This used to be commit a16c9a2129ce92e7e1a613b2badd168e42ead436) --- source4/winbind/wb_pam_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 0073e3fdf8..62744297c6 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -143,7 +143,7 @@ static void pam_auth_crap_recv_logon(struct composite_context *ctx) if (!composite_is_ok(state->ctx)) return; ndr_err = ndr_push_struct_blob( - &tmp_blob, state, lp_iconv_convenience(global_loadparm), + &tmp_blob, state, lp_iconv_convenience(state->lp_ctx), state->req->out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- cgit From e0eba5232d3f2cd366b1cbe64fbd3547889c7635 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 15 Apr 2008 16:29:13 +0200 Subject: Fix winbind to check machine account. This enables 'wbinfo -t', by checking the machine account with a SamLogon call. Andrew Bartlett (This used to be commit abefa12029a17e9007f4884f3651d835a10ee9e3) --- source4/winbind/wb_pam_auth.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) (limited to 'source4/winbind/wb_pam_auth.c') diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index 62744297c6..ee54bcd58f 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -214,14 +214,11 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c, struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, struct wbsrv_service *service, - const char *domain, - const char *user, - const char *password) + struct cli_credentials *credentials) { - struct cli_credentials *credentials; const char *workstation; NTSTATUS status; - + const char *user, *domain; DATA_BLOB chal, nt_resp, lm_resp, names_blob; int flags = CLI_CRED_NTLM_AUTH; if (lp_client_lanman_auth(service->task->lp_ctx)) { @@ -234,16 +231,6 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, DEBUG(5, ("wbsrv_samba3_pam_auth called\n")); - credentials = cli_credentials_init(mem_ctx); - if (!credentials) { - return NULL; - } - cli_credentials_set_conf(credentials, service->task->lp_ctx); - cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED); - cli_credentials_set_username(credentials, user, CRED_SPECIFIED); - - cli_credentials_set_password(credentials, password, CRED_SPECIFIED); - chal = data_blob_talloc(mem_ctx, NULL, 8); if (!chal.data) { return NULL; 
@@ -269,7 +256,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx, return NULL; } return wb_cmd_pam_auth_crap_send(mem_ctx, service, - 0 /* logon parameters */, + MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT|MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT /* logon parameters */, domain, user, workstation, chal, nt_resp, lm_resp); } -- cgit
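Review bot: `MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT|MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT` is now passed as the logon parameters for every call through `wb_cmd_pam_auth_send`, not only for the machine-account check the commit message describes. If the same entry point still serves ordinary password logons (its callers are not visible here), those requests would also accept workstation and server trust accounts. Consider taking the flags from the caller, or document the choice next to the constant, e.g. `/* trust accounts allowed so the machine account check can use this path */`. The function body starts before the hunk.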