Changeset 745 for trunk/server/source3/auth/auth_server.c

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source3/auth/auth_server.c (modified) (16 diffs)

trunk/server/source3/auth/auth_server.c

@@ -9 +9 @@
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
@@ -20 +20 @@
 
 #include "includes.h"
+#include "auth.h"
+#include "system/passwd.h"
+#include "smbd/smbd.h"
+#include "libsmb/libsmb.h"
 
 #undef DBGC_CLASS
@@ -136 +140 @@
         */
 
-        if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0,
-                                               ""))) {
+        status = cli_session_setup(cli, "", "", 0, "", 0, "");
+        if (!NT_STATUS_IS_OK(status)) {
                 TALLOC_FREE(mutex);
                 DEBUG(0,("%s rejected the initial session setup (%s)\n",
-                         desthost, cli_errstr(cli)));
+                         desthost, nt_errstr(status)));
                 cli_shutdown(cli);
                 return NULL;
@@ -207 +211 @@
                 interval.tv_usec = 0;
 
-                if (event_add_idle(smbd_event_context(), result, interval,
+                if (event_add_idle(server_event_context(), result, interval,
                                    "server_security_keepalive",
                                    send_server_keepalive,
@@ -229 +233 @@
 {
         struct cli_state *cli = server_cryptkey(mem_ctx);
-        
+
         if (cli) {
                 DEBUG(3,("using password server validation\n"));
@@ -237 +241 @@
                            unless 'encrypt passwords = no' */
                         DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
-                        
+
                         /* However, it is still a perfectly fine connection
                            to pass that unencrypted password over */
@@ -256 +260 @@
                 /* The return must be allocated on the caller's mem_ctx, as our own will be
                    destoyed just after the call. */
-                return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8);
+                return data_blob_talloc((TALLOC_CTX *)auth_context, cli->secblob.data,8);
         } else {
                 return data_blob_null;
@@ -271 +275 @@
                                          void *my_private_data, 
                                          TALLOC_CTX *mem_ctx,
-                                         const auth_usersupplied_info *user_info, 
-                                         auth_serversupplied_info **server_info)
-{
-        struct server_security_state *state = talloc_get_type_abort(
-                my_private_data, struct server_security_state);
-        struct cli_state *cli;
+                                         const struct auth_usersupplied_info *user_info,
+                                         struct auth_serversupplied_info **server_info)
+{
+        struct server_security_state *state = NULL;
+        struct cli_state *cli = NULL;
         static bool tested_password_server = False;
         static bool bad_password_server = False;
@@ -282 +285 @@
         bool locally_made_cli = False;
 
+        DEBUG(10, ("check_smbserver_security: Check auth for: [%s]\n",
+                user_info->mapped.account_name));
+
+        if (my_private_data == NULL) {
+                DEBUG(10,("check_smbserver_security: "
+                        "password server is not connected\n"));
+                return NT_STATUS_LOGON_FAILURE;
+        }
+
+        state = talloc_get_type_abort(my_private_data, struct server_security_state);
         cli = state->cli;
-        
+
         if (cli) {
         } else {
@@ -294 +307 @@
                 return NT_STATUS_LOGON_FAILURE;
         }  
-        
+
         if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
-                if (user_info->encrypted) {
+                if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
                         DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
                         return NT_STATUS_LOGON_FAILURE;         
@@ -325 +338 @@
                 memset(badpass, 0x1f, sizeof(badpass));
 
-                if((user_info->nt_resp.length == sizeof(badpass)) && 
-                   !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
+                if((user_info->password.response.nt.length == sizeof(badpass)) &&
+                   !memcmp(badpass, user_info->password.response.nt.data, sizeof(badpass))) {
                         /* 
                          * Very unlikely, our random bad password is the same as the users
@@ -347 +360 @@
                                                       (char *)badpass,
                                                       sizeof(badpass),
-                                                      user_info->domain))) {
+                                                      user_info->mapped.domain_name))) {
 
                         /*
@@ -390 +403 @@
          * not guest enabled, we can try with the real password.
          */
-
-        if (!user_info->encrypted) {
+        switch (user_info->password_state) {
+        case AUTH_PASSWORD_PLAIN:
                 /* Plaintext available */
                 nt_status = cli_session_setup(
-                        cli, user_info->smb_name, 
-                        (char *)user_info->plaintext_password.data, 
-                        user_info->plaintext_password.length, 
-                        NULL, 0, user_info->domain);
-
-        } else {
+                        cli, user_info->client.account_name,
+                        user_info->password.plaintext,
+                        strlen(user_info->password.plaintext),
+                        NULL, 0, user_info->mapped.domain_name);
+                break;
+
+        /* currently the hash values include a challenge-response as well */
+        case AUTH_PASSWORD_HASH:
+        case AUTH_PASSWORD_RESPONSE:
                 nt_status = cli_session_setup(
-                        cli, user_info->smb_name, 
-                        (char *)user_info->lm_resp.data, 
-                        user_info->lm_resp.length, 
-                        (char *)user_info->nt_resp.data, 
-                        user_info->nt_resp.length, 
-                        user_info->domain);
+                        cli, user_info->client.account_name,
+                        (char *)user_info->password.response.lanman.data,
+                        user_info->password.response.lanman.length,
+                        (char *)user_info->password.response.nt.data,
+                        user_info->password.response.nt.length,
+                        user_info->mapped.domain_name);
+                break;
+        default:
+                DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
+                nt_status = NT_STATUS_INTERNAL_ERROR;
         }
 
@@ -415 +435 @@
 
         /* if logged in as guest then reject */
-        if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
+        if (cli->is_guestlogin) {
                 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
                 nt_status = NT_STATUS_LOGON_FAILURE;
@@ -423 +443 @@
 
         if (NT_STATUS_IS_OK(nt_status)) {
-                fstring real_username;
-                struct passwd *pass;
-
-                if ( (pass = smb_getpwnam( NULL, user_info->internal_username, 
-                        real_username, True )) != NULL ) 
+                char *real_username = NULL;
+                struct passwd *pass = NULL;
+
+                if ( (pass = smb_getpwnam(talloc_tos(), user_info->mapped.account_name,
+                        &real_username, True )) != NULL )
                 {
-                        /* if a real user check pam account restrictions */
-                        /* only really perfomed if "obey pam restriction" is true */
-                        nt_status = smb_pam_accountcheck(pass->pw_name);
-                        if (  !NT_STATUS_IS_OK(nt_status)) {
-                                DEBUG(1, ("PAM account restriction prevents user login\n"));
-                        } else {
-
-                                nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
-                        }
+                        nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
                         TALLOC_FREE(pass);
+                        TALLOC_FREE(real_username);
                 }
                 else
@@ -455 +468 @@
 static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) 
 {
-        if (!make_auth_methods(auth_context, auth_method)) {
+        struct auth_methods *result;
+
+        result = TALLOC_ZERO_P(auth_context, struct auth_methods);
+        if (result == NULL) {
                 return NT_STATUS_NO_MEMORY;
         }
-        (*auth_method)->name = "smbserver";
-        (*auth_method)->auth = check_smbserver_security;
-        (*auth_method)->get_chal = auth_get_challenge_server;
+        result->name = "smbserver";
+        result->auth = check_smbserver_security;
+        result->get_chal = auth_get_challenge_server;
+
+        *auth_method = result;
         return NT_STATUS_OK;
 }