From 42031bc4be2516872ccf832b6b09d141cb13c76b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 6 Mar 2005 08:24:34 +0000 Subject: r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. These need a NULL domain (or a "" domain, except this breaks NTLMv2, and I need to look into it a bit more). Add support to the Samba4 server for these logins. This will need extension when we handle trusted domains as a DC, as it is a principal name, not just another format for the username. Andrew Bartlett (This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9) --- source4/auth/auth_util.c | 27 +++++++++++-- source4/libcli/auth/smbencrypt.c | 8 ++++ source4/torture/rpc/samlogon.c | 87 +++++++++++++++++++++++++++++++++++----- 3 files changed, 108 insertions(+), 14 deletions(-) (limited to 'source4') diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index d80e5fdb78..791d12fae6 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c @@ -68,7 +68,9 @@ static NTSTATUS make_user_info(TALLOC_CTX *mem_ctx, NT_STATUS_HAVE_NO_MEMORY(user_info->account_name); user_info->client.domain_name = talloc_strdup(user_info, c_domain_name); - NT_STATUS_HAVE_NO_MEMORY(user_info->client.domain_name); + if (c_domain_name && !user_info->client.domain_name) { + return NT_STATUS_NO_MEMORY; + } user_info->domain_name = talloc_strdup(user_info, domain_name); NT_STATUS_HAVE_NO_MEMORY(user_info->domain_name); 
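Review bot: After this change `user_info->client.domain_name` can be NULL on success, and nothing in the hunk documents that for later readers of the struct. The new test relies on `talloc_strdup()` returning NULL for a NULL `c_domain_name`, so only a failed copy of a non-NULL name is reported as out-of-memory. I would add a comment above the check, e.g. `/* client.domain_name stays NULL for user@REALM logons; readers must not dereference it unchecked */`, and check any code that reads this field. make_user_info() starts and ends outside the hunk.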
@@ -141,21 +143,38 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, struct auth_usersupplied_info **user_info) { const char *domain; - + const char *account_name; + char *d; DEBUG(5,("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", c_domain_name, c_account_name, workstation_name)); + account_name = c_account_name; + /* don't allow "" as a domain, fixes a Win9X bug where it doens't supply a domain for logon script 'net use' commands. */ - if (*c_domain_name) { + + /* Split user@realm names into user and realm components. This is TODO to fix with proper userprincipalname support */ + if (c_domain_name && *c_domain_name) { domain = c_domain_name; + } else if (strchr_m(c_account_name, '@')) { + account_name = talloc_strdup(mem_ctx, c_account_name); + if (!account_name) { + return NT_STATUS_NO_MEMORY; + } + d = strchr_m(account_name, '@'); + if (!d) { + return NT_STATUS_INTERNAL_ERROR; + } + d[0] = '\0'; + d++; + domain = d; } else { domain = lp_workgroup(); } return make_user_info(mem_ctx, - c_account_name, c_account_name, + c_account_name, account_name, c_domain_name, domain, workstation_name, lm_password, nt_password, diff --git a/source4/libcli/auth/smbencrypt.c b/source4/libcli/auth/smbencrypt.c index 00a28a1ad9..f2b6eb00d7 100644 --- a/source4/libcli/auth/smbencrypt.c +++ b/source4/libcli/auth/smbencrypt.c @@ -121,6 +121,14 @@ BOOL ntv2_owf_gen(const uint8_t owf[16], return False; } + if (!user_in) { + user_in = ""; + } + + if (!domain_in) { + domain_in = ""; + } + user_in = strupper_talloc(mem_ctx, user_in); if (user_in == NULL) { talloc_free(mem_ctx); diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 06988459fd..4fe7903332 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c 
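Review bot: The user@realm split in make_user_info_map() accepts a name ending in '@': `d[0] = '\0'; d++; domain = d;` then leaves `domain` as "", the empty domain that the comment just above says must not be allowed, and a leading '@' likewise yields an empty `account_name`. Falling back when the realm part is empty would keep the old guarantee, e.g. `domain = *d ? d : lp_workgroup();`, or the logon could be rejected outright. Separately, the unchanged `DEBUG(5, ...)` at the top still formats `c_domain_name` with `%s`, although the new `c_domain_name && *c_domain_name` test shows it may now be NULL. The temporary copy is allocated on `mem_ctx` and not freed in the hunk, so it appears to live as long as the caller's context.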
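Review bot: The new NULL defaults in ntv2_owf_gen() make a NULL user or domain hash exactly like an empty string, and that equivalence is not stated anywhere in the hunk. Since the commit message notes that a "" domain currently breaks NTLMv2, a comment such as `/* NULL user/domain are hashed as "" (user@REALM logons pass no domain) */` above the two checks would record that this is deliberate. The function begins before the hunk and continues past it.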
@@ -1066,6 +1066,7 @@ static const struct ntlm_tests { */ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct creds_CredentialState *creds, + const char *account_domain, const char *account_name, int n_subtests) { int i, v, l, f; @@ -1081,8 +1082,8 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, printf("testing netr_LogonSamLogon and netr_LogonSamLogonWithFlags\n"); samlogon_state.mem_ctx = mem_ctx; - samlogon_state.account_name = lp_parm_string(-1, "torture", "username"); - samlogon_state.account_domain = lp_parm_string(-1, "torture", "userdomain"); + samlogon_state.account_name = account_name; + samlogon_state.account_domain = account_domain; samlogon_state.password = lp_parm_string(-1, "torture", "password"); samlogon_state.p = p; samlogon_state.creds = creds; @@ -1121,7 +1122,9 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, samlogon_state.r_flags.in.validation_level = validation_levels[v]; samlogon_state.r_flags.in.logon_level = logon_levels[l]; if (!test_table[i].fn(&samlogon_state, &error_string)) { - printf("Testing '%s' at validation level %d, logon level %d, function %d: \n", + printf("Testing [%s]\\[%s] '%s' at validation level %d, logon level %d, function %d: \n", + samlogon_state.account_domain, + samlogon_state.account_name, test_table[i].name, validation_levels[v], logon_levels[l], function_levels[f]); @@ -1145,7 +1148,8 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, test an ADS style interactive domain logon */ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) + struct creds_CredentialState *creds, + const char *account_domain, const char *account_name) { NTSTATUS status; struct netr_LogonSamLogonWithFlags r; 
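Review bot: In the @@ -1121 hunk the failure message passes `samlogon_state.account_domain` to `%s`, but the new callers in torture_rpc_samlogon() pass NULL for the domain, and a NULL argument to `%s` is undefined behaviour in printf. Substituting a marker keeps the output portable: `samlogon_state.account_domain ? samlogon_state.account_domain : "(null)"`. The same applies to `account_name` if one of the `talloc_asprintf()` calls that build it fails.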
@@ -1168,11 +1172,11 @@ static BOOL test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.in.validation_level = 6; r.in.flags = 0; - pinfo.identity_info.domain_name.string = lp_parm_string(-1, "torture", "userdomain"); + pinfo.identity_info.domain_name.string = account_domain; pinfo.identity_info.parameter_control = 0; pinfo.identity_info.logon_id_low = 0; pinfo.identity_info.logon_id_high = 0; - pinfo.identity_info.account_name.string = lp_parm_string(-1, "torture", "username"); + pinfo.identity_info.account_name.string = account_name; pinfo.identity_info.workstation.string = TEST_MACHINE_NAME; plain_pass = lp_parm_string(-1, "torture", "password"); @@ -1271,11 +1275,54 @@ BOOL torture_rpc_samlogon(void) goto failed; } - if (!test_InteractiveLogon(p, mem_ctx, creds)) { + if (!test_InteractiveLogon(p, mem_ctx, creds, + lp_parm_string(-1, "torture", "userdomain"), + lp_parm_string(-1, "torture", "username"))) { ret = False; } - if (!test_SamLogon(p, mem_ctx, creds, 0)) { + if (!test_SamLogon(p, mem_ctx, creds, + lp_parm_string(-1, "torture", "userdomain"), + lp_parm_string(-1, "torture", "username"), + 0)) { + ret = False; + } + + if (!test_InteractiveLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_parm_string(-1, "torture", "userdomain")))) { + ret = False; + } + + if (!test_InteractiveLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_realm()))) { + ret = False; + } + + if (!test_SamLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_realm()), + 0)) { + ret = False; + } + + if (!test_SamLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_realm()), + 0)) { ret = False; } 
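Review bot: In the @@ -1271 hunk the two added `test_SamLogon()` calls with a NULL domain are identical, both building the name from `lp_realm()`, whereas the `test_InteractiveLogon()` pair above them covers first the user domain and then the realm. The first call was presumably meant to use `lp_parm_string(-1, "torture", "userdomain")` as its second format argument; as written the user@DOMAIN form is never exercised through test_SamLogon, here or in the @@ -1287 hunk. The `talloc_asprintf()` results are also passed straight through without a NULL check in both hunks, so an allocation failure would reach the RPC call as a NULL account name. Building each name once into a local and checking it would address both.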
@@ -1287,11 +1334,31 @@ BOOL torture_rpc_samlogon(void) return False; } - if (!test_InteractiveLogon(p, mem_ctx, creds)) { + if (!test_InteractiveLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_parm_string(-1, "torture", "userdomain")))) { ret = False; } - if (!test_SamLogon(p, mem_ctx, creds, 1)) { + if (!test_InteractiveLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_realm()))) { + ret = False; + } + + if (!test_SamLogon(p, mem_ctx, creds, + NULL, + talloc_asprintf(mem_ctx, + "%s@%s", + lp_parm_string(-1, "torture", "username"), + lp_realm()), + 1)) { ret = False; } } -- cgit