Changeset 988 for vendor/current/source3/auth
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- Location:
- vendor/current/source3/auth
- Files:
-
- 2 added
- 3 deleted
- 21 edited
-
auth.c (modified) (15 diffs)
-
auth_builtin.c (modified) (6 diffs)
-
auth_compat.c (deleted)
-
auth_domain.c (modified) (15 diffs)
-
auth_generic.c (added)
-
auth_netlogond.c (deleted)
-
auth_ntlmssp.c (modified) (6 diffs)
-
auth_sam.c (modified) (3 diffs)
-
auth_samba4.c (added)
-
auth_script.c (modified) (5 diffs)
-
auth_server.c (deleted)
-
auth_unix.c (modified) (5 diffs)
-
auth_util.c (modified) (61 diffs)
-
auth_wbc.c (modified) (1 diff)
-
auth_winbind.c (modified) (1 diff)
-
check_samsec.c (modified) (12 diffs)
-
pampass.c (modified) (9 diffs)
-
pass_check.c (modified) (14 diffs)
-
proto.h (modified) (17 diffs)
-
server_info.c (modified) (18 diffs)
-
server_info_sam.c (modified) (3 diffs)
-
token_util.c (modified) (25 diffs)
-
user_info.c (modified) (9 diffs)
-
user_krb5.c (modified) (13 diffs)
-
user_util.c (modified) (6 diffs)
-
wscript_build (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/auth/auth.c
r740 r988 20 20 #include "includes.h" 21 21 #include "auth.h" 22 #include " smbd/globals.h"22 #include "../lib/tsocket/tsocket.h" 23 23 24 24 #undef DBGC_CLASS … … 79 79 ****************************************************************************/ 80 80 81 static NTSTATUS get_ntlm_challenge(struct auth_context *auth_context, 82 uint8_t chal[8]) 83 { 84 DATA_BLOB challenge = data_blob_null; 85 const char *challenge_set_by = NULL; 86 auth_methods *auth_method; 81 NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, 82 uint8_t chal[8]) 83 { 84 uchar tmp[8]; 85 87 86 88 87 if (auth_context->challenge.length) { … … 93 92 } 94 93 95 auth_context->challenge_may_be_modified = False; 96 97 for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { 98 if (auth_method->get_chal == NULL) { 99 DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); 100 continue; 101 } 102 103 DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); 104 if (challenge_set_by != NULL) { 105 DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n", 106 challenge_set_by, auth_method->name)); 107 continue; 108 } 109 110 challenge = auth_method->get_chal(auth_context, &auth_method->private_data, 111 auth_context); 112 if (!challenge.length) { 113 DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", 114 auth_method->name)); 115 } else { 116 DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name)); 117 auth_context->challenge = challenge; 118 challenge_set_by = auth_method->name; 119 auth_context->challenge_set_method = auth_method; 120 } 121 } 122 123 if (!challenge_set_by) { 124 uchar tmp[8]; 125 126 generate_random_buffer(tmp, sizeof(tmp)); 127 auth_context->challenge = data_blob_talloc(auth_context, 128 tmp, sizeof(tmp)); 129 130 challenge_set_by = "random"; 131 auth_context->challenge_may_be_modified = True; 132 } 133 134 DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); 135 DEBUG(5, ("challenge is: \n")); 136 dump_data(5, auth_context->challenge.data, auth_context->challenge.length); 137 138 SMB_ASSERT(auth_context->challenge.length == 8); 139 140 auth_context->challenge_set_by=challenge_set_by; 94 generate_random_buffer(tmp, sizeof(tmp)); 95 auth_context->challenge = data_blob_talloc(auth_context, 96 tmp, sizeof(tmp)); 97 98 auth_context->challenge_set_by = "random"; 141 99 142 100 memcpy(chal, auth_context->challenge.data, 8); … … 203 161 **/ 204 162 205 static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, 206 const struct auth_usersupplied_info *user_info, 207 struct auth_serversupplied_info **server_info) 163 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, 164 const struct auth_context *auth_context, 165 const struct auth_usersupplied_info *user_info, 166 struct auth_serversupplied_info **pserver_info) 208 167 { 209 168 /* if all the modules say 'not for me' this is reasonable */ … … 211 170 const char *unix_username; 212 171 auth_methods *auth_method; 213 TALLOC_CTX *mem_ctx; 214 215 if (!user_info || !auth_context || !server_info) 172 173 if (user_info == NULL || auth_context == NULL || pserver_info == NULL) { 216 174 return NT_STATUS_LOGON_FAILURE; 175 } 217 176 218 177 DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", … … 248 207 249 208 for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { 209 struct auth_serversupplied_info *server_info; 210 TALLOC_CTX *tmp_ctx; 250 211 NTSTATUS result; 251 212 252 mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, 253 user_info->mapped.domain_name, user_info->client.account_name); 254 255 result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); 213 if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY 214 && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) { 215 continue; 216 } 217 218 tmp_ctx = talloc_named(mem_ctx, 219 0, 220 "%s authentication for user %s\\%s", 221 auth_method->name, 222 user_info->mapped.domain_name, 223 user_info->client.account_name); 224 225 result = auth_method->auth(auth_context, 226 auth_method->private_data, 227 tmp_ctx, 228 user_info, 229 &server_info); 256 230 257 231 /* check if the module did anything */ 258 232 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { 259 233 DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); 260 talloc_destroy(mem_ctx); 234 TALLOC_FREE(tmp_ctx); 235 if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) { 236 /* we don't expose the NT_STATUS_NOT_IMPLEMENTED 237 * internals, except when the caller is only probing 238 * one method, as they may do the fallback 239 */ 240 nt_status = result; 241 } 261 242 continue; 262 243 } … … 272 253 } 273 254 274 talloc_destroy(mem_ctx); 275 276 if ( NT_STATUS_IS_OK(nt_status)) 277 { 278 break; 279 } 255 if (NT_STATUS_IS_OK(nt_status)) { 256 *pserver_info = talloc_steal(mem_ctx, server_info); 257 TALLOC_FREE(tmp_ctx); 258 break; 259 } 260 261 TALLOC_FREE(tmp_ctx); 280 262 } 281 263 … … 283 265 284 266 if (NT_STATUS_IS_OK(nt_status)) { 285 unix_username = (*server_info)->unix_name; 286 if (!(*server_info)->guest) { 267 unix_username = (*pserver_info)->unix_name; 268 269 /* We skip doing this step if the caller asked us not to */ 270 if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) 271 && !(*pserver_info)->guest) { 272 const char *rhost; 273 274 if (tsocket_address_is_inet(user_info->remote_host, "ip")) { 275 rhost = tsocket_address_inet_addr_string(user_info->remote_host, 276 talloc_tos()); 277 if (rhost == NULL) { 278 return NT_STATUS_NO_MEMORY; 279 } 280 } else { 281 rhost = "127.0.0.1"; 282 } 283 287 284 /* We might not be root if we are an RPC call */ 288 285 become_root(); 289 nt_status = smb_pam_accountcheck( 290 unix_username, 291 smbd_server_conn->client_id.name); 286 nt_status = smb_pam_accountcheck(unix_username, 287 rhost); 292 288 unbecome_root(); 293 289 … … 302 298 303 299 if (NT_STATUS_IS_OK(nt_status)) { 304 DEBUG((* server_info)->guest ? 5 : 2,300 DEBUG((*pserver_info)->guest ? 5 : 2, 305 301 ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", 306 (* server_info)->guest ? "guest " : "",302 (*pserver_info)->guest ? "guest " : "", 307 303 user_info->client.account_name, 308 304 user_info->mapped.account_name, … … 318 314 user_info->client.account_name, user_info->mapped.account_name, 319 315 nt_errstr(nt_status))); 320 ZERO_STRUCTP( server_info);316 ZERO_STRUCTP(pserver_info); 321 317 322 318 return nt_status; … … 355 351 return NT_STATUS_NO_MEMORY; 356 352 } 357 358 ctx->check_ntlm_password = check_ntlm_password;359 ctx->get_ntlm_challenge = get_ntlm_challenge;360 353 361 354 talloc_set_destructor((TALLOC_CTX *)ctx, auth_context_destructor); … … 428 421 { 429 422 auth_methods *list = NULL; 430 auth_methods *t = NULL;423 auth_methods *t, *method = NULL; 431 424 NTSTATUS nt_status; 432 425 … … 444 437 for (;*text_list; text_list++) { 445 438 if (load_auth_module(*auth_context, *text_list, &t)) { 446 DLIST_ADD_END(list, t , auth_methods *);439 DLIST_ADD_END(list, t); 447 440 } 448 441 } … … 450 443 (*auth_context)->auth_method_list = list; 451 444 452 return nt_status; 445 /* Look for the first module to provide a prepare_gensec and 446 * make_auth4_context hook, and set that if provided */ 447 for (method = (*auth_context)->auth_method_list; method; method = method->next) { 448 if (method->prepare_gensec && method->make_auth4_context) { 449 (*auth_context)->prepare_gensec = method->prepare_gensec; 450 (*auth_context)->make_auth4_context = method->make_auth4_context; 451 break; 452 } 453 } 454 return NT_STATUS_OK; 453 455 } 454 456 … … 470 472 471 473 if (auth_method_list == NULL) { 472 switch (lp_se curity())474 switch (lp_server_role()) 473 475 { 474 case SEC_DOMAIN:475 DEBUG(5,("Making default auth method list for se curity=domain\n"));476 case ROLE_DOMAIN_MEMBER: 477 DEBUG(5,("Making default auth method list for server role = 'domain member'\n")); 476 478 auth_method_list = str_list_make_v3( 477 479 talloc_tos(), "guest sam winbind:ntdomain", 478 480 NULL); 479 481 break; 480 case SEC_SERVER: 481 DEBUG(5,("Making default auth method list for security=server\n")); 482 case ROLE_DOMAIN_BDC: 483 case ROLE_DOMAIN_PDC: 484 DEBUG(5,("Making default auth method list for DC\n")); 482 485 auth_method_list = str_list_make_v3( 483 talloc_tos(), "guest sam smbserver", 486 talloc_tos(), 487 "guest sam winbind:trustdomain", 484 488 NULL); 485 489 break; 486 case SEC_USER: 487 if (lp_encrypted_passwords()) { 488 if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { 489 DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n")); 490 auth_method_list = str_list_make_v3( 491 talloc_tos(), 492 "guest sam winbind:trustdomain", 493 NULL); 494 } else { 495 DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n")); 496 auth_method_list = str_list_make_v3( 490 case ROLE_STANDALONE: 491 DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n")); 492 if (lp_encrypt_passwords()) { 493 auth_method_list = str_list_make_v3( 497 494 talloc_tos(), "guest sam", 498 495 NULL); 499 }500 496 } else { 501 DEBUG(5,("Making default auth method list for se curity=user, encrypt passwords = no\n"));497 DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n")); 502 498 auth_method_list = str_list_make_v3( 503 499 talloc_tos(), "guest unix", NULL); 504 500 } 505 501 break; 506 case SEC_SHARE: 507 if (lp_encrypted_passwords()) { 508 DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); 509 auth_method_list = str_list_make_v3( 510 talloc_tos(), "guest sam", NULL); 511 } else { 512 DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); 513 auth_method_list = str_list_make_v3( 514 talloc_tos(), "guest unix", NULL); 515 } 516 break; 517 case SEC_ADS: 518 DEBUG(5,("Making default auth method list for security=ADS\n")); 502 case ROLE_ACTIVE_DIRECTORY_DC: 503 DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n")); 519 504 auth_method_list = str_list_make_v3( 520 talloc_tos(), "guest sam winbind:ntdomain", 505 talloc_tos(), 506 "samba4", 521 507 NULL); 522 508 break; -
vendor/current/source3/auth/auth_builtin.c
r740 r988 39 39 struct auth_serversupplied_info **server_info) 40 40 { 41 /* mark this as 'not for me' */42 NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;43 44 41 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name)); 45 42 46 if ( !(user_info->mapped.account_name47 && *user_info->mapped.account_name)) {48 nt_status = make_server_info_guest(NULL, server_info);43 if (user_info->mapped.account_name && *user_info->mapped.account_name) { 44 /* mark this as 'not for me' */ 45 return NT_STATUS_NOT_IMPLEMENTED; 49 46 } 50 47 51 return nt_status; 48 switch (user_info->password_state) { 49 case AUTH_PASSWORD_PLAIN: 50 if (user_info->password.plaintext != NULL && 51 strlen(user_info->password.plaintext) > 0) 52 { 53 /* mark this as 'not for me' */ 54 return NT_STATUS_NOT_IMPLEMENTED; 55 } 56 break; 57 case AUTH_PASSWORD_HASH: 58 if (user_info->password.hash.lanman != NULL) { 59 /* mark this as 'not for me' */ 60 return NT_STATUS_NOT_IMPLEMENTED; 61 } 62 if (user_info->password.hash.nt != NULL) { 63 /* mark this as 'not for me' */ 64 return NT_STATUS_NOT_IMPLEMENTED; 65 } 66 break; 67 case AUTH_PASSWORD_RESPONSE: 68 if (user_info->password.response.lanman.length == 1) { 69 if (user_info->password.response.lanman.data[0] != '\0') { 70 /* mark this as 'not for me' */ 71 return NT_STATUS_NOT_IMPLEMENTED; 72 } 73 } else if (user_info->password.response.lanman.length > 1) { 74 /* mark this as 'not for me' */ 75 return NT_STATUS_NOT_IMPLEMENTED; 76 } 77 if (user_info->password.response.nt.length > 0) { 78 /* mark this as 'not for me' */ 79 return NT_STATUS_NOT_IMPLEMENTED; 80 } 81 break; 82 } 83 84 return make_server_info_guest(NULL, server_info); 52 85 } 53 86 … … 58 91 struct auth_methods *result; 59 92 60 result = TALLOC_ZERO_P(auth_context, struct auth_methods);93 result = talloc_zero(auth_context, struct auth_methods); 61 94 if (result == NULL) { 62 95 return NT_STATUS_NO_MEMORY; … … 98 131 99 132 if (strnequal("NT_STATUS", user, strlen("NT_STATUS"))) { 100 strupper_m(user); 133 if (!strupper_m(user)) { 134 return NT_STATUS_INVALID_PARAMETER; 135 } 101 136 return nt_status_string_to_code(user); 102 137 } 103 138 104 strlower_m(user); 139 if (!strlower_m(user)) { 140 return NT_STATUS_INVALID_PARAMETER; 141 } 105 142 error_num = strtoul(user, NULL, 16); 106 143 … … 118 155 struct auth_methods *result; 119 156 120 result = TALLOC_ZERO_P(auth_context, struct auth_methods);157 result = talloc_zero(auth_context, struct auth_methods); 121 158 if (result == NULL) { 122 159 return NT_STATUS_NO_MEMORY; … … 129 166 } 130 167 131 /**132 * Return a 'fixed' challenge instead of a variable one.133 *134 * The idea of this function is to make packet snifs consistant135 * with a fixed challenge, so as to aid debugging.136 *137 * This module is of no value to end-users.138 *139 * This module does not actually authenticate the user, but140 * just pretenteds to need a specified challenge.141 * This module removes *all* security from the challenge-response system142 *143 * @return NT_STATUS_UNSUCCESSFUL144 **/145 146 static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,147 void *my_private_data,148 TALLOC_CTX *mem_ctx,149 const struct auth_usersupplied_info *user_info,150 struct auth_serversupplied_info **server_info)151 {152 return NT_STATUS_NOT_IMPLEMENTED;153 }154 155 /****************************************************************************156 Get the challenge out of a password server.157 ****************************************************************************/158 159 static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_context,160 void **my_private_data,161 TALLOC_CTX *mem_ctx)162 {163 const char *challenge = "I am a teapot";164 return data_blob(challenge, 8);165 }166 167 168 /** Module initialisation function */169 170 static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)171 {172 struct auth_methods *result;173 174 result = TALLOC_ZERO_P(auth_context, struct auth_methods);175 if (result == NULL) {176 return NT_STATUS_NO_MEMORY;177 }178 result->auth = check_fixed_challenge_security;179 result->get_chal = auth_get_fixed_challenge;180 result->name = "fixed_challenge";181 182 *auth_method = result;183 return NT_STATUS_OK;184 }185 168 #endif /* DEVELOPER */ 186 169 … … 189 172 smb_register_auth(AUTH_INTERFACE_VERSION, "guest", auth_init_guest); 190 173 #ifdef DEVELOPER 191 smb_register_auth(AUTH_INTERFACE_VERSION, "fixed_challenge", auth_init_fixed_challenge);192 174 smb_register_auth(AUTH_INTERFACE_VERSION, "name_to_ntstatus", auth_init_name_to_ntstatus); 193 175 #endif -
vendor/current/source3/auth/auth_domain.c
r740 r988 28 28 #include "passdb.h" 29 29 #include "libsmb/libsmb.h" 30 #include "libcli/auth/netlogon_creds_cli.h" 30 31 31 32 #undef DBGC_CLASS 32 33 #define DBGC_CLASS DBGC_AUTH 33 34 34 extern bool global_machine_password_needs_changing;35 35 static struct named_mutex *mutex; 36 37 /*38 * Change machine password (called from main loop39 * idle timeout. Must be done as root.40 */41 42 void attempt_machine_password_change(void)43 {44 unsigned char trust_passwd_hash[16];45 time_t lct;46 void *lock;47 48 if (!global_machine_password_needs_changing) {49 return;50 }51 52 if (lp_security() != SEC_DOMAIN) {53 return;54 }55 56 /*57 * We're in domain level security, and the code that58 * read the machine password flagged that the machine59 * password needs changing.60 */61 62 /*63 * First, open the machine password file with an exclusive lock.64 */65 66 lock = secrets_get_trust_account_lock(NULL, lp_workgroup());67 68 if (lock == NULL) {69 DEBUG(0,("attempt_machine_password_change: unable to lock "70 "the machine account password for machine %s in "71 "domain %s.\n",72 global_myname(), lp_workgroup() ));73 return;74 }75 76 if(!secrets_fetch_trust_account_password(lp_workgroup(),77 trust_passwd_hash, &lct, NULL)) {78 DEBUG(0,("attempt_machine_password_change: unable to read the "79 "machine account password for %s in domain %s.\n",80 global_myname(), lp_workgroup()));81 TALLOC_FREE(lock);82 return;83 }84 85 /*86 * Make sure someone else hasn't already done this.87 */88 89 if(time(NULL) < lct + lp_machine_password_timeout()) {90 global_machine_password_needs_changing = false;91 TALLOC_FREE(lock);92 return;93 }94 95 /* always just contact the PDC here */96 97 change_trust_account_password( lp_workgroup(), NULL);98 global_machine_password_needs_changing = false;99 TALLOC_FREE(lock);100 }101 36 102 37 /** … … 114 49 **/ 115 50 116 static NTSTATUS connect_to_domain_password_server(struct cli_state **cli ,51 static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret, 117 52 const char *domain, 118 53 const char *dc_name, 119 struct sockaddr_storage *dc_ss, 120 struct rpc_pipe_client **pipe_ret) 121 { 122 NTSTATUS result; 54 const struct sockaddr_storage *dc_ss, 55 struct rpc_pipe_client **pipe_ret, 56 TALLOC_CTX *mem_ctx, 57 struct netlogon_creds_cli_context **creds_ret) 58 { 59 TALLOC_CTX *frame = talloc_stackframe(); 60 struct messaging_context *msg_ctx = server_messaging_context(); 61 NTSTATUS result; 62 struct cli_state *cli = NULL; 123 63 struct rpc_pipe_client *netlogon_pipe = NULL; 124 125 *cli = NULL; 126 64 struct netlogon_creds_cli_context *netlogon_creds = NULL; 65 66 *cli_ret = NULL; 127 67 *pipe_ret = NULL; 68 *creds_ret = NULL; 128 69 129 70 /* TODO: Send a SAMLOGON request to determine whether this is a valid … … 143 84 mutex = grab_named_mutex(NULL, dc_name, 10); 144 85 if (mutex == NULL) { 86 TALLOC_FREE(frame); 145 87 return NT_STATUS_NO_LOGON_SERVERS; 146 88 } 147 89 148 90 /* Attempt connection */ 149 result = cli_full_connection( cli, global_myname(), dc_name, dc_ss, 0,150 "IPC$", "IPC", "", "", "", 0, Undefined);91 result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0, 92 "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_IPC_DEFAULT); 151 93 152 94 if (!NT_STATUS_IS_OK(result)) { … … 156 98 } 157 99 158 if (*cli) {159 cli_shutdown(*cli);160 *cli = NULL;161 }162 163 100 TALLOC_FREE(mutex); 101 TALLOC_FREE(frame); 164 102 return result; 165 103 } … … 169 107 */ 170 108 171 /* 172 * Even if the connect succeeds we need to setup the netlogon 173 * pipe here. We do this as we may just have changed the domain 174 * account password on the PDC and yet we may be talking to 175 * a BDC that doesn't have this replicated yet. In this case 176 * a successful connect to a DC needs to take the netlogon connect 177 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>. 178 */ 179 180 /* open the netlogon pipe. */ 181 if (lp_client_schannel()) { 182 /* We also setup the creds chain in the open_schannel call. */ 183 result = cli_rpc_pipe_open_schannel( 184 *cli, &ndr_table_netlogon.syntax_id, NCACN_NP, 185 DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe); 186 } else { 187 result = cli_rpc_pipe_open_noauth( 188 *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe); 189 } 190 109 result = cli_rpc_pipe_open_schannel(cli, 110 msg_ctx, 111 &ndr_table_netlogon, 112 NCACN_NP, 113 domain, 114 &netlogon_pipe, 115 frame, 116 &netlogon_creds); 191 117 if (!NT_STATUS_IS_OK(result)) { 192 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ 193 machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); 194 cli_shutdown(*cli); 195 *cli = NULL; 118 DEBUG(0,("connect_to_domain_password_server: " 119 "unable to open the domain client session to " 120 "machine %s. Error was : %s.\n", 121 dc_name, nt_errstr(result))); 122 cli_shutdown(cli); 196 123 TALLOC_FREE(mutex); 197 return result; 198 } 199 200 if (!lp_client_schannel()) { 201 /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ 202 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; 203 enum netr_SchannelType sec_chan_type = 0; 204 unsigned char machine_pwd[16]; 205 const char *account_name; 206 207 if (!get_trust_pw_hash(domain, machine_pwd, &account_name, 208 &sec_chan_type)) 209 { 210 DEBUG(0, ("connect_to_domain_password_server: could not fetch " 211 "trust account password for domain '%s'\n", 212 domain)); 213 cli_shutdown(*cli); 214 *cli = NULL; 215 TALLOC_FREE(mutex); 216 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 217 } 218 219 result = rpccli_netlogon_setup_creds(netlogon_pipe, 220 dc_name, /* server name */ 221 domain, /* domain */ 222 global_myname(), /* client name */ 223 account_name, /* machine account name */ 224 machine_pwd, 225 sec_chan_type, 226 &neg_flags); 227 228 if (!NT_STATUS_IS_OK(result)) { 229 cli_shutdown(*cli); 230 *cli = NULL; 231 TALLOC_FREE(mutex); 232 return result; 233 } 234 } 235 236 if(!netlogon_pipe) { 237 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ 238 machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); 239 cli_shutdown(*cli); 240 *cli = NULL; 241 TALLOC_FREE(mutex); 124 TALLOC_FREE(frame); 242 125 return NT_STATUS_NO_LOGON_SERVERS; 243 126 } … … 245 128 /* We exit here with the mutex *locked*. JRA */ 246 129 130 *cli_ret = cli; 247 131 *pipe_ret = netlogon_pipe; 248 132 *creds_ret = talloc_move(mem_ctx, &netlogon_creds); 133 134 TALLOC_FREE(frame); 249 135 return NT_STATUS_OK; 250 136 } … … 262 148 struct auth_serversupplied_info **server_info, 263 149 const char *dc_name, 264 struct sockaddr_storage *dc_ss) 265 266 { 150 const struct sockaddr_storage *dc_ss) 151 152 { 153 TALLOC_CTX *frame = talloc_stackframe(); 267 154 struct netr_SamInfo3 *info3 = NULL; 268 155 struct cli_state *cli = NULL; 269 156 struct rpc_pipe_client *netlogon_pipe = NULL; 157 struct netlogon_creds_cli_context *netlogon_creds = NULL; 270 158 NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; 271 159 int i; 160 uint8_t authoritative = 0; 161 uint32_t flags = 0; 272 162 273 163 /* … … 286 176 dc_name, 287 177 dc_ss, 288 &netlogon_pipe); 178 &netlogon_pipe, 179 frame, 180 &netlogon_creds); 289 181 } 290 182 291 183 if ( !NT_STATUS_IS_OK(nt_status) ) { 292 184 DEBUG(0,("domain_client_validate: Domain password server not available.\n")); 185 TALLOC_FREE(frame); 293 186 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { 294 187 return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE; … … 299 192 /* store a successful connection */ 300 193 301 saf_store( domain, cli->desthost);194 saf_store(domain, dc_name); 302 195 303 196 /* … … 306 199 */ 307 200 308 nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, 309 mem_ctx, 310 user_info->logon_parameters, /* flags such as 'allow workstation logon' */ 311 dc_name, /* server name */ 312 user_info->client.account_name, /* user name logging on. */ 313 user_info->client.domain_name, /* domain name */ 314 user_info->workstation_name, /* workstation name */ 315 chal, /* 8 byte challenge. */ 316 3, /* validation level */ 317 user_info->password.response.lanman, /* lanman 24 byte response */ 318 user_info->password.response.nt, /* nt 24 byte response */ 319 &info3); /* info3 out */ 201 nt_status = rpccli_netlogon_network_logon(netlogon_creds, 202 netlogon_pipe->binding_handle, 203 mem_ctx, 204 user_info->logon_parameters, /* flags such as 'allow workstation logon' */ 205 user_info->client.account_name, /* user name logging on. */ 206 user_info->client.domain_name, /* domain name */ 207 user_info->workstation_name, /* workstation name */ 208 chal, /* 8 byte challenge. */ 209 user_info->password.response.lanman, /* lanman 24 byte response */ 210 user_info->password.response.nt, /* nt 24 byte response */ 211 &authoritative, 212 &flags, 213 &info3); /* info3 out */ 320 214 321 215 /* Let go as soon as possible so we avoid any potential deadlocks … … 354 248 355 249 cli_shutdown(cli); 250 TALLOC_FREE(frame); 356 251 return nt_status; 357 252 } … … 420 315 struct auth_methods *result; 421 316 422 result = TALLOC_ZERO_P(auth_context, struct auth_methods);317 result = talloc_zero(auth_context, struct auth_methods); 423 318 if (result == NULL) { 424 319 return NT_STATUS_NO_MEMORY; … … 443 338 { 444 339 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; 445 unsigned char trust_md4_password[16];446 char *trust_password;447 340 fstring dc_name; 448 341 struct sockaddr_storage dc_ss; … … 472 365 if ( !is_trusted_domain( user_info->mapped.domain_name ) ) 473 366 return NT_STATUS_NOT_IMPLEMENTED; 474 475 /*476 * Get the trusted account password for the trusted domain477 * No need to become_root() as secrets_init() is done at startup.478 */479 480 if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,481 NULL, NULL)) {482 DEBUG(0, ("check_trustdomain_security: could not fetch trust "483 "account password for domain %s\n",484 user_info->mapped.domain_name));485 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;486 }487 488 #ifdef DEBUG_PASSWORD489 DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,490 trust_password));491 #endif492 E_md4hash(trust_password, trust_md4_password);493 SAFE_FREE(trust_password);494 495 #if 0496 /* Test if machine password is expired and need to be changed */497 if (time(NULL) > last_change_time + (time_t)lp_machine_password_timeout())498 {499 global_machine_password_needs_changing = True;500 }501 #endif502 367 503 368 /* use get_dc_name() for consistency even through we know that it will be … … 526 391 struct auth_methods *result; 527 392 528 result = TALLOC_ZERO_P(auth_context, struct auth_methods);393 result = talloc_zero(auth_context, struct auth_methods); 529 394 if (result == NULL) { 530 395 return NT_STATUS_NO_MEMORY; -
vendor/current/source3/auth/auth_ntlmssp.c
r740 r988 5 5 6 6 Copyright (C) Andrew Tridgell 2001 7 Copyright (C) Andrew Bartlett 2001-2003 7 Copyright (C) Andrew Bartlett 2001-2005,2011 8 Copyright (C) Stefan Metzmacher 2005 8 9 9 10 This program is free software; you can redistribute it and/or modify … … 23 24 #include "includes.h" 24 25 #include "auth.h" 25 #include "../libcli/auth/ntlmssp.h" 26 #include "ntlmssp_wrap.h" 27 #include "../librpc/gen_ndr/netlogon.h" 28 #include "smbd/smbd.h" 29 30 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, 31 struct auth_ntlmssp_state *auth_ntlmssp_state, 32 struct auth_serversupplied_info **session_info) 33 { 34 /* Free the current server_info user_session_key and reset it from the 35 * current ntlmssp_state session_key */ 36 data_blob_free(&auth_ntlmssp_state->server_info->user_session_key); 37 /* Set up the final session key for the connection */ 38 auth_ntlmssp_state->server_info->user_session_key = 39 data_blob_talloc( 40 auth_ntlmssp_state->server_info, 41 auth_ntlmssp_state->ntlmssp_state->session_key.data, 42 auth_ntlmssp_state->ntlmssp_state->session_key.length); 43 if (auth_ntlmssp_state->ntlmssp_state->session_key.length && 44 !auth_ntlmssp_state->server_info->user_session_key.data) { 45 *session_info = NULL; 46 return NT_STATUS_NO_MEMORY; 47 } 48 /* Steal session_info away from auth_ntlmssp_state */ 49 *session_info = talloc_move(mem_ctx, &auth_ntlmssp_state->server_info); 26 #include "libcli/security/security.h" 27 28 NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, 29 TALLOC_CTX *mem_ctx, 30 void *server_returned_info, 31 const char *original_user_name, 32 uint32_t session_info_flags, 33 struct auth_session_info **session_info) 34 { 35 struct auth_user_info_dc *user_info = NULL; 36 struct auth_serversupplied_info *server_info = NULL; 37 NTSTATUS nt_status; 38 39 /* 40 * This is a hack, some callers... 41 * 42 * Some callers pass auth_user_info_dc, the SCHANNEL and 43 * NCALRPC_AS_SYSTEM gensec modules. 44 * 45 * While the reset passes auth3_check_password() returned. 46 */ 47 user_info = talloc_get_type(server_returned_info, 48 struct auth_user_info_dc); 49 if (user_info != NULL) { 50 const struct dom_sid *sid; 51 int cmp; 52 53 /* 54 * This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM 55 */ 56 if (user_info->num_sids != 1) { 57 return NT_STATUS_INTERNAL_ERROR; 58 } 59 sid = &user_info->sids[PRIMARY_USER_SID_INDEX]; 60 61 cmp = dom_sid_compare(sid, &global_sid_System); 62 if (cmp == 0) { 63 return make_session_info_system(mem_ctx, session_info); 64 } 65 66 cmp = dom_sid_compare(sid, &global_sid_Anonymous); 67 if (cmp == 0) { 68 /* 69 * TODO: use auth_anonymous_session_info() here? 70 */ 71 return make_session_info_guest(mem_ctx, session_info); 72 } 73 74 return NT_STATUS_INTERNAL_ERROR; 75 } 76 77 server_info = talloc_get_type_abort(server_returned_info, 78 struct auth_serversupplied_info); 79 nt_status = create_local_token(mem_ctx, 80 server_info, 81 NULL, 82 original_user_name, 83 session_info); 84 if (!NT_STATUS_IS_OK(nt_status)) { 85 DEBUG(10, ("create_local_token failed: %s\n", 86 nt_errstr(nt_status))); 87 return nt_status; 88 } 89 50 90 return NT_STATUS_OK; 51 91 } … … 56 96 */ 57 97 58 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,98 NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context, 59 99 uint8_t chal[8]) 60 100 { 61 struct auth_ntlmssp_state *auth_ntlmssp_state = 62 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private; 63 auth_ntlmssp_state->auth_context->get_ntlm_challenge( 64 auth_ntlmssp_state->auth_context, chal); 101 struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data, 102 struct auth_context); 103 auth_get_ntlm_challenge(auth_context, chal); 65 104 return NT_STATUS_OK; 66 }67 68 /**69 * Some authentication methods 'fix' the challenge, so we may not be able to set it70 *71 * @return If the effective challenge used by the auth subsystem may be modified72 */73 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)74 {75 struct auth_ntlmssp_state *auth_ntlmssp_state =76 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;77 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;78 79 return auth_context->challenge_may_be_modified;80 105 } 81 106 … … 84 109 * @param challenge The new challenge value 85 110 */ 86 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge) 87 { 88 struct auth_ntlmssp_state *auth_ntlmssp_state = 89 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private; 90 struct auth_context *auth_context = auth_ntlmssp_state->auth_context; 91 92 SMB_ASSERT(challenge->length == 8); 111 NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal, 112 const char *challenge_set_by) 113 { 114 struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data, 115 struct auth_context); 93 116 94 117 auth_context->challenge = data_blob_talloc(auth_context, 95 challenge->data, challenge->length); 96 97 auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)"; 118 chal, 8); 119 NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge.data); 120 121 auth_context->challenge_set_by = talloc_strdup(auth_context, challenge_set_by); 122 NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge_set_by); 98 123 99 124 DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by)); … … 109 134 */ 110 135 111 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx, 112 DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 113 { 114 struct auth_ntlmssp_state *auth_ntlmssp_state = 115 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private; 116 struct auth_usersupplied_info *user_info = NULL; 136 NTSTATUS auth3_check_password(struct auth4_context *auth4_context, 137 TALLOC_CTX *mem_ctx, 138 const struct auth_usersupplied_info *user_info, 139 void **server_returned_info, 140 DATA_BLOB *session_key, DATA_BLOB *lm_session_key) 141 { 142 struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data, 143 struct auth_context); 144 struct auth_usersupplied_info *mapped_user_info = NULL; 145 struct auth_serversupplied_info *server_info; 117 146 NTSTATUS nt_status; 118 147 bool username_was_mapped; 119 148 120 /* the client has given us its machine name (which we otherwise would not get on port 445).121 we need to possibly reload smb.conf if smb.conf includes depend on the machine name*/122 123 set_remote_machine_name( auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);149 /* The client has given us its machine name (which we only get over NBT transport). 150 We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */ 151 152 set_remote_machine_name(user_info->workstation_name, True); 124 153 125 154 /* setup the string used by %U */ 126 155 /* sub_set_smb_name checks for weird internally */ 127 sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user); 128 129 reload_services(smbd_messaging_context(), -1, True); 130 131 nt_status = make_user_info_map(&user_info, 132 auth_ntlmssp_state->ntlmssp_state->user, 133 auth_ntlmssp_state->ntlmssp_state->domain, 134 auth_ntlmssp_state->ntlmssp_state->client.netbios_name, 135 auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, 136 auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, 156 sub_set_smb_name(user_info->client.account_name); 157 158 lp_load_with_shares(get_dyn_CONFIGFILE()); 159 160 nt_status = make_user_info_map(talloc_tos(), 161 &mapped_user_info, 162 user_info->client.account_name, 163 user_info->client.domain_name, 164 user_info->workstation_name, 165 user_info->remote_host, 166 user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL, 167 user_info->password.response.nt.data ? &user_info->password.response.nt : NULL, 137 168 NULL, NULL, NULL, 138 169 AUTH_PASSWORD_RESPONSE); … … 142 173 } 143 174 144 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; 145 146 nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, 147 user_info, &auth_ntlmssp_state->server_info); 148 149 username_was_mapped = user_info->was_mapped; 150 151 free_user_info(&user_info); 152 153 if (!NT_STATUS_IS_OK(nt_status)) { 175 mapped_user_info->logon_parameters = user_info->logon_parameters; 176 177 mapped_user_info->flags = user_info->flags; 178 179 nt_status = auth_check_ntlm_password(mem_ctx, 180 auth_context, 181 mapped_user_info, 182 &server_info); 183 184 if (!NT_STATUS_IS_OK(nt_status)) { 185 DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n", 186 user_info->client.domain_name, 187 user_info->client.account_name, 188 nt_errstr(nt_status))); 189 } 190 191 username_was_mapped = mapped_user_info->was_mapped; 192 193 TALLOC_FREE(mapped_user_info); 194 195 if (!NT_STATUS_IS_OK(nt_status)) { 196 nt_status = do_map_to_guest_server_info(mem_ctx, 197 nt_status, 198 user_info->client.account_name, 199 user_info->client.domain_name, 200 &server_info); 201 if (NT_STATUS_IS_OK(nt_status)) { 202 *server_returned_info = talloc_steal(mem_ctx, server_info); 203 } 154 204 return nt_status; 155 205 } 156 206 157 auth_ntlmssp_state->server_info->nss_token |= username_was_mapped; 158 159 nt_status = create_local_token(auth_ntlmssp_state->server_info); 160 161 if (!NT_STATUS_IS_OK(nt_status)) { 162 DEBUG(10, ("create_local_token failed: %s\n", 163 nt_errstr(nt_status))); 164 return nt_status; 165 } 207 server_info->nss_token |= username_was_mapped; 166 208 167 209 /* Clear out the session keys, and pass them to the caller. 168 210 * They will not be used in this form again - instead the 169 211 * NTLMSSP code will decide on the final correct session key, 170 * and put it back here at the end of 171 * auth_ntlmssp_steal_server_info */ 172 if (auth_ntlmssp_state->server_info->user_session_key.length) { 212 * and supply it to create_local_token() */ 213 if (session_key) { 173 214 DEBUG(10, ("Got NT session key of length %u\n", 174 (unsigned int) auth_ntlmssp_state->server_info->user_session_key.length));175 * user_session_key = auth_ntlmssp_state->server_info->user_session_key;176 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->user_session_key.data);177 auth_ntlmssp_state->server_info->user_session_key = data_blob_null;178 } 179 if ( auth_ntlmssp_state->server_info->lm_session_key.length) {215 (unsigned int)server_info->session_key.length)); 216 *session_key = server_info->session_key; 217 talloc_steal(mem_ctx, server_info->session_key.data); 218 server_info->session_key = data_blob_null; 219 } 220 if (lm_session_key) { 180 221 DEBUG(10, ("Got LM session key of length %u\n", 181 (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length)); 182 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key; 183 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data); 184 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null; 185 } 222 (unsigned int)server_info->lm_session_key.length)); 223 *lm_session_key = server_info->lm_session_key; 224 talloc_steal(mem_ctx, server_info->lm_session_key.data); 225 server_info->lm_session_key = data_blob_null; 226 } 227 228 *server_returned_info = talloc_steal(mem_ctx, server_info); 186 229 return nt_status; 187 230 } 188 189 static int auth_ntlmssp_state_destructor(void *ptr);190 191 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)192 {193 NTSTATUS nt_status;194 bool is_standalone;195 const char *netbios_name;196 const char *netbios_domain;197 const char *dns_name;198 char *dns_domain;199 struct auth_ntlmssp_state *ans;200 struct auth_context *auth_context;201 202 if ((enum server_types)lp_server_role() == ROLE_STANDALONE) {203 is_standalone = true;204 } else {205 is_standalone = false;206 }207 208 netbios_name = global_myname();209 netbios_domain = lp_workgroup();210 /* This should be a 'netbios domain -> DNS domain' mapping */211 dns_domain = get_mydnsdomname(talloc_tos());212 if (dns_domain) {213 strlower_m(dns_domain);214 }215 dns_name = get_mydnsfullname();216 217 ans = talloc_zero(NULL, struct auth_ntlmssp_state);218 if (!ans) {219 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));220 return NT_STATUS_NO_MEMORY;221 }222 223 nt_status = ntlmssp_server_start(ans,224 is_standalone,225 netbios_name,226 netbios_domain,227 dns_name,228 dns_domain,229 &ans->ntlmssp_state);230 if (!NT_STATUS_IS_OK(nt_status)) {231 return nt_status;232 }233 234 nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);235 if (!NT_STATUS_IS_OK(nt_status)) {236 return nt_status;237 }238 ans->auth_context = talloc_steal(ans, auth_context);239 240 ans->ntlmssp_state->callback_private = ans;241 ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;242 ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;243 ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;244 ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;245 246 talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);247 248 *auth_ntlmssp_state = ans;249 return NT_STATUS_OK;250 }251 252 static int auth_ntlmssp_state_destructor(void *ptr)253 {254 struct auth_ntlmssp_state *ans;255 256 ans = talloc_get_type(ptr, struct auth_ntlmssp_state);257 258 TALLOC_FREE(ans->server_info);259 TALLOC_FREE(ans->ntlmssp_state);260 return 0;261 } -
vendor/current/source3/auth/auth_sam.c
r740 r988 45 45 struct auth_methods *result; 46 46 47 result = TALLOC_ZERO_P(auth_context, struct auth_methods);47 result = talloc_zero(auth_context, struct auth_methods); 48 48 if (result == NULL) { 49 49 return NT_STATUS_NO_MEMORY; … … 109 109 struct auth_methods *result; 110 110 111 result = TALLOC_ZERO_P(auth_context, struct auth_methods); 111 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC 112 && !lp_parm_bool(-1, "server role check", "inhibit", false)) { 113 DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the auth_sam module. \n")); 114 DEBUGADD(0, ("You should not set 'auth methods' when running the AD DC.\n")); 115 exit(1); 116 } 117 118 result = talloc_zero(auth_context, struct auth_methods); 112 119 if (result == NULL) { 113 120 return NT_STATUS_NO_MEMORY; … … 115 122 result->auth = auth_samstrict_auth; 116 123 result->name = "sam"; 117 124 result->flags = AUTH_METHOD_LOCAL_SAM; 118 125 *auth_method = result; 119 126 return NT_STATUS_OK; -
vendor/current/source3/auth/auth_script.c
r740 r988 75 75 } 76 76 77 safe_strcpy( secret_str, user_info->mapped.domain_name, secret_str_len - 1); 78 safe_strcat( secret_str, "\n", secret_str_len - 1); 79 safe_strcat( secret_str, user_info->client.account_name, secret_str_len - 1); 80 safe_strcat( secret_str, "\n", secret_str_len - 1); 77 if (strlcpy( secret_str, user_info->mapped.domain_name, secret_str_len) >= secret_str_len) { 78 /* Truncate. */ 79 goto cat_out; 80 } 81 if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { 82 /* Truncate. */ 83 goto cat_out; 84 } 85 if (strlcat( secret_str, user_info->client.account_name, secret_str_len) >= secret_str_len) { 86 /* Truncate. */ 87 goto cat_out; 88 } 89 if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { 90 /* Truncate. */ 91 goto cat_out; 92 } 81 93 82 94 for (i = 0; i < 8; i++) { 83 95 slprintf(&hex_str[i*2], 3, "%02X", auth_context->challenge.data[i]); 84 96 } 85 safe_strcat( secret_str, hex_str, secret_str_len - 1); 86 safe_strcat( secret_str, "\n", secret_str_len - 1); 97 if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { 98 /* Truncate. */ 99 goto cat_out; 100 } 101 if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { 102 /* Truncate. */ 103 goto cat_out; 104 } 87 105 88 106 if (user_info->password.response.lanman.data) { … … 90 108 slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.lanman.data[i]); 91 109 } 92 safe_strcat( secret_str, hex_str, secret_str_len - 1); 110 if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { 111 /* Truncate. */ 112 goto cat_out; 113 } 93 114 } 94 safe_strcat( secret_str, "\n", secret_str_len - 1); 115 if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { 116 /* Truncate. */ 117 goto cat_out; 118 } 95 119 96 120 if (user_info->password.response.nt.data) { … … 98 122 slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.nt.data[i]); 99 123 } 100 safe_strcat( secret_str, hex_str, secret_str_len - 1); 124 if (strlcat( secret_str, hex_str, secret_str_len) >= secret_str_len) { 125 /* Truncate. */ 126 goto cat_out; 127 } 101 128 } 102 safe_strcat( secret_str, "\n", secret_str_len - 1); 129 if (strlcat( secret_str, "\n", secret_str_len) >= secret_str_len) { 130 /* Truncate. */ 131 goto cat_out; 132 } 103 133 104 134 DEBUG(10,("script_check_user_credentials: running %s with parameters:\n%s\n", … … 118 148 /* Cause the auth system to keep going.... */ 119 149 return NT_STATUS_NOT_IMPLEMENTED; 150 151 cat_out: 152 153 SAFE_FREE(secret_str); 154 return NT_STATUS_NO_MEMORY; 120 155 } 121 156 … … 125 160 struct auth_methods *result; 126 161 127 result = TALLOC_ZERO_P(auth_context, struct auth_methods);162 result = talloc_zero(auth_context, struct auth_methods); 128 163 if (result == NULL) { 129 164 return NT_STATUS_NO_MEMORY; -
vendor/current/source3/auth/auth_unix.c
r740 r988 21 21 #include "auth.h" 22 22 #include "system/passwd.h" 23 #include " smbd/globals.h"23 #include "../lib/tsocket/tsocket.h" 24 24 25 25 #undef DBGC_CLASS … … 40 40 NTSTATUS nt_status; 41 41 struct passwd *pass = NULL; 42 const char *rhost; 42 43 43 44 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name)); 45 46 if (tsocket_address_is_inet(user_info->remote_host, "ip")) { 47 rhost = tsocket_address_inet_addr_string(user_info->remote_host, 48 talloc_tos()); 49 if (rhost == NULL) { 50 return NT_STATUS_NO_MEMORY; 51 } 52 } else { 53 rhost = "127.0.0.1"; 54 } 44 55 45 56 become_root(); … … 50 61 nt_status = pass_check(pass, 51 62 pass ? pass->pw_name : user_info->mapped.account_name, 52 smbd_server_conn->client_id.name,63 rhost, 53 64 user_info->password.plaintext, 54 65 true); … … 57 68 58 69 if (NT_STATUS_IS_OK(nt_status)) { 59 if (pass) { 60 make_server_info_pw(server_info, pass->pw_name, pass); 70 if (pass != NULL) { 71 nt_status = make_server_info_pw(mem_ctx, 72 pass->pw_name, 73 pass, 74 server_info); 61 75 } else { 62 76 /* we need to do somthing more useful here */ … … 74 88 struct auth_methods *result; 75 89 76 result = TALLOC_ZERO_P(auth_context, struct auth_methods);90 result = talloc_zero(auth_context, struct auth_methods); 77 91 if (result == NULL) { 78 92 return NT_STATUS_NO_MEMORY; -
vendor/current/source3/auth/auth_util.c
r919 r988 3 3 Authentication utility functions 4 4 Copyright (C) Andrew Tridgell 1992-1998 5 Copyright (C) Andrew Bartlett 2001 5 Copyright (C) Andrew Bartlett 2001-2011 6 6 Copyright (C) Jeremy Allison 2000-2001 7 7 Copyright (C) Rafal Szczesniak 2002 8 Copyright (C) Volker Lendecke 2006 8 Copyright (C) Volker Lendecke 2006-2008 9 9 10 10 This program is free software; you can redistribute it and/or modify … … 31 31 #include "lib/winbind_util.h" 32 32 #include "passdb.h" 33 #include "../librpc/gen_ndr/ndr_auth.h" 34 #include "../auth/auth_sam_reply.h" 35 #include "../librpc/gen_ndr/idmap.h" 36 #include "lib/param/loadparm.h" 33 37 #include "../lib/tsocket/tsocket.h" 34 38 … … 46 50 int ret; 47 51 48 add_script = talloc_strdup(ctx, lp_adduser_script());52 add_script = lp_add_user_script(ctx); 49 53 if (!add_script || !*add_script) { 50 54 return -1; … … 87 91 ****************************************************************************/ 88 92 89 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, 93 NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, 94 struct auth_usersupplied_info **user_info, 90 95 const char *smb_name, 91 96 const char *client_domain, 92 97 const char *workstation_name, 93 DATA_BLOB *lm_pwd, 94 DATA_BLOB *nt_pwd, 98 const struct tsocket_address *remote_address, 99 const DATA_BLOB *lm_pwd, 100 const DATA_BLOB *nt_pwd, 95 101 const struct samr_Password *lm_interactive_pwd, 96 102 const struct samr_Password *nt_interactive_pwd, … … 138 144 * primary domain name */ 139 145 140 result = make_user_info( user_info, smb_name, internal_username,146 result = make_user_info(mem_ctx, user_info, smb_name, internal_username, 141 147 client_domain, domain, workstation_name, 142 lm_pwd, nt_pwd,148 remote_address, lm_pwd, nt_pwd, 143 149 lm_interactive_pwd, nt_interactive_pwd, 144 150 plaintext, password_state); 145 151 if (NT_STATUS_IS_OK(result)) { 146 152 /* We have tried mapping */ 147 (*user_info)->mapped_state = True;153 (*user_info)->mapped_state = true; 148 154 /* did we actually map the user to a different name? */ 149 155 (*user_info)->was_mapped = was_mapped; … … 157 163 ****************************************************************************/ 158 164 159 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, 165 bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, 166 struct auth_usersupplied_info **user_info, 160 167 const char *smb_name, 161 168 const char *client_domain, 162 169 const char *workstation_name, 163 uint32 logon_parameters, 170 const struct tsocket_address *remote_address, 171 uint32_t logon_parameters, 164 172 const uchar *lm_network_pwd, 165 173 int lm_pwd_len, … … 172 180 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); 173 181 174 status = make_user_info_map( user_info,182 status = make_user_info_map(mem_ctx, user_info, 175 183 smb_name, client_domain, 176 184 workstation_name, 185 remote_address, 177 186 lm_pwd_len ? &lm_blob : NULL, 178 187 nt_pwd_len ? &nt_blob : NULL, … … 183 192 (*user_info)->logon_parameters = logon_parameters; 184 193 } 185 ret = NT_STATUS_IS_OK(status) ? True : False;194 ret = NT_STATUS_IS_OK(status) ? true : false; 186 195 187 196 data_blob_free(&lm_blob); … … 195 204 ****************************************************************************/ 196 205 197 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info, 206 bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, 207 struct auth_usersupplied_info **user_info, 198 208 const char *smb_name, 199 209 const char *client_domain, 200 210 const char *workstation_name, 201 uint32 logon_parameters, 211 const struct tsocket_address *remote_address, 212 uint32_t logon_parameters, 202 213 const uchar chal[8], 203 214 const uchar lm_interactive_pwd[16], 204 const uchar nt_interactive_pwd[16], 205 const uchar *dc_sess_key) 215 const uchar nt_interactive_pwd[16]) 206 216 { 207 217 struct samr_Password lm_pwd; … … 209 219 unsigned char local_lm_response[24]; 210 220 unsigned char local_nt_response[24]; 211 unsigned char key[16];212 213 memcpy(key, dc_sess_key, 16);214 221 215 222 if (lm_interactive_pwd) … … 218 225 if (nt_interactive_pwd) 219 226 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash)); 220 221 #ifdef DEBUG_PASSWORD222 DEBUG(100,("key:"));223 dump_data(100, key, sizeof(key));224 225 DEBUG(100,("lm owf password:"));226 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));227 228 DEBUG(100,("nt owf password:"));229 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));230 #endif231 232 if (lm_interactive_pwd)233 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));234 235 if (nt_interactive_pwd)236 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));237 238 #ifdef DEBUG_PASSWORD239 DEBUG(100,("decrypt of lm owf password:"));240 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));241 242 DEBUG(100,("decrypt of nt owf password:"));243 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));244 #endif245 227 246 228 if (lm_interactive_pwd) … … 252 234 local_nt_response); 253 235 254 /* Password info paranoia */255 ZERO_STRUCT(key);256 257 236 { 258 237 bool ret; 259 238 NTSTATUS nt_status; 260 DATA_BLOB local_lm_blob ;261 DATA_BLOB local_nt_blob ;239 DATA_BLOB local_lm_blob = data_blob_null; 240 DATA_BLOB local_nt_blob = data_blob_null; 262 241 263 242 if (lm_interactive_pwd) { … … 272 251 273 252 nt_status = make_user_info_map( 253 mem_ctx, 274 254 user_info, 275 255 smb_name, client_domain, workstation_name, 256 remote_address, 276 257 lm_interactive_pwd ? &local_lm_blob : NULL, 277 258 nt_interactive_pwd ? &local_nt_blob : NULL, … … 284 265 } 285 266 286 ret = NT_STATUS_IS_OK(nt_status) ? True : False;267 ret = NT_STATUS_IS_OK(nt_status) ? true : false; 287 268 data_blob_free(&local_lm_blob); 288 269 data_blob_free(&local_nt_blob); … … 296 277 ****************************************************************************/ 297 278 298 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, 279 bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, 280 struct auth_usersupplied_info **user_info, 299 281 const char *smb_name, 300 282 const char *client_domain, 301 const uint8 chal[8], 283 const struct tsocket_address *remote_address, 284 const uint8_t chal[8], 302 285 DATA_BLOB plaintext_password) 303 286 { … … 339 322 plaintext_password.length); 340 323 if (!plaintext_password_string) { 341 return False;342 } 343 344 ret = make_user_info _map(345 user_info, smb_name, client_domain,324 return false; 325 } 326 327 ret = make_user_info(mem_ctx, 328 user_info, smb_name, smb_name, client_domain, client_domain, 346 329 get_remote_machine_name(), 330 remote_address, 347 331 local_lm_blob.data ? &local_lm_blob : NULL, 348 332 local_nt_blob.data ? &local_nt_blob : NULL, … … 357 341 358 342 data_blob_free(&local_lm_blob); 359 return NT_STATUS_IS_OK(ret) ? True : False;343 return NT_STATUS_IS_OK(ret) ? true : false; 360 344 } 361 345 … … 364 348 ****************************************************************************/ 365 349 366 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, 350 NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx, 351 struct auth_usersupplied_info **user_info, 367 352 const char *smb_name, 368 const char *client_domain, 353 const char *client_domain, 354 const struct tsocket_address *remote_address, 369 355 DATA_BLOB lm_resp, DATA_BLOB nt_resp) 370 356 { … … 377 363 */ 378 364 DEBUG(2,("Rejecting raw NTLMv2 authentication with " 379 "user [%s\\%s]\n", 380 client_domain, smb_name)); 365 "user [%s\\%s] from[%s]\n", 366 client_domain, smb_name, 367 tsocket_address_string(remote_address, mem_ctx))); 381 368 return NT_STATUS_INVALID_PARAMETER; 382 369 } 383 370 384 return make_user_info_map(user_info, smb_name, 385 client_domain, 386 get_remote_machine_name(), 387 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, 388 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, 389 NULL, NULL, NULL, 390 AUTH_PASSWORD_RESPONSE); 371 return make_user_info(mem_ctx, 372 user_info, smb_name, smb_name, 373 client_domain, client_domain, 374 get_remote_machine_name(), 375 remote_address, 376 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, 377 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, 378 NULL, NULL, NULL, 379 AUTH_PASSWORD_RESPONSE); 391 380 } 392 381 393 382 /**************************************************************************** 394 Create a guest user_info blob, for anonymous authentica ion.383 Create a guest user_info blob, for anonymous authentication. 395 384 ****************************************************************************/ 396 385 397 bool make_user_info_guest(struct auth_usersupplied_info **user_info) 386 bool make_user_info_guest(TALLOC_CTX *mem_ctx, 387 const struct tsocket_address *remote_address, 388 struct auth_usersupplied_info **user_info) 398 389 { 399 390 NTSTATUS nt_status; 400 391 401 nt_status = make_user_info(user_info, 392 nt_status = make_user_info(mem_ctx, 393 user_info, 402 394 "","", 403 395 "","", 404 396 "", 397 remote_address, 405 398 NULL, NULL, 406 399 NULL, NULL, … … 408 401 AUTH_PASSWORD_RESPONSE); 409 402 410 return NT_STATUS_IS_OK(nt_status) ? True : False;403 return NT_STATUS_IS_OK(nt_status) ? true : false; 411 404 } 412 405 … … 418 411 size_t i; 419 412 420 if ((lp_log_nt_token_command( ) == NULL) ||421 (strlen(lp_log_nt_token_command( )) == 0)) {413 if ((lp_log_nt_token_command(frame) == NULL) || 414 (strlen(lp_log_nt_token_command(frame)) == 0)) { 422 415 TALLOC_FREE(frame); 423 416 return NT_STATUS_OK; … … 432 425 433 426 command = talloc_string_sub( 434 frame, lp_log_nt_token_command( ),427 frame, lp_log_nt_token_command(frame), 435 428 "%s", sid_string_talloc(frame, &token->sids[0])); 436 429 command = talloc_string_sub(frame, command, "%t", group_sidstr); … … 457 450 */ 458 451 459 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info) 452 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, 453 const struct auth_serversupplied_info *server_info, 454 DATA_BLOB *session_key, 455 const char *smb_username, /* for ->sanitized_username, for %U subs */ 456 struct auth_session_info **session_info_out) 460 457 { 461 458 struct security_token *t; … … 463 460 size_t i; 464 461 struct dom_sid tmp_sid; 465 struct wbcUnixId *ids; 462 struct auth_session_info *session_info; 463 struct unixid *ids; 464 fstring tmp; 465 466 /* Ensure we can't possible take a code path leading to a 467 * null defref. */ 468 if (!server_info) { 469 return NT_STATUS_LOGON_FAILURE; 470 } 471 472 session_info = talloc_zero(mem_ctx, struct auth_session_info); 473 if (!session_info) { 474 return NT_STATUS_NO_MEMORY; 475 } 476 477 session_info->unix_token = talloc_zero(session_info, struct security_unix_token); 478 if (!session_info->unix_token) { 479 TALLOC_FREE(session_info); 480 return NT_STATUS_NO_MEMORY; 481 } 482 483 session_info->unix_token->uid = server_info->utok.uid; 484 session_info->unix_token->gid = server_info->utok.gid; 485 486 session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); 487 if (!session_info->unix_info) { 488 TALLOC_FREE(session_info); 489 return NT_STATUS_NO_MEMORY; 490 } 491 492 session_info->unix_info->unix_name = talloc_strdup(session_info, server_info->unix_name); 493 if (!session_info->unix_info->unix_name) { 494 TALLOC_FREE(session_info); 495 return NT_STATUS_NO_MEMORY; 496 } 497 498 /* This is a potentially untrusted username for use in %U */ 499 alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp)); 500 session_info->unix_info->sanitized_username = 501 talloc_strdup(session_info->unix_info, tmp); 502 503 if (session_key) { 504 data_blob_free(&session_info->session_key); 505 session_info->session_key = data_blob_talloc(session_info, 506 session_key->data, 507 session_key->length); 508 if (!session_info->session_key.data && session_key->length) { 509 return NT_STATUS_NO_MEMORY; 510 } 511 } else { 512 session_info->session_key = data_blob_talloc( session_info, server_info->session_key.data, 513 server_info->session_key.length); 514 } 515 516 /* We need to populate session_info->info with the information found in server_info->info3 */ 517 status = make_user_info_SamBaseInfo(session_info, "", &server_info->info3->base, 518 server_info->guest == false, 519 &session_info->info); 520 if (!NT_STATUS_IS_OK(status)) { 521 DEBUG(0, ("conversion of info3 into auth_user_info failed!\n")); 522 TALLOC_FREE(session_info); 523 return status; 524 } 525 526 if (server_info->security_token) { 527 /* Just copy the token, it has already been finalised 528 * (nasty hack to support a cached guest/system session_info 529 */ 530 531 session_info->security_token = dup_nt_token(session_info, server_info->security_token); 532 if (!session_info->security_token) { 533 TALLOC_FREE(session_info); 534 return NT_STATUS_NO_MEMORY; 535 } 536 537 session_info->unix_token->ngroups = server_info->utok.ngroups; 538 if (server_info->utok.ngroups != 0) { 539 session_info->unix_token->groups = (gid_t *)talloc_memdup( 540 session_info->unix_token, server_info->utok.groups, 541 sizeof(gid_t)*session_info->unix_token->ngroups); 542 } else { 543 session_info->unix_token->groups = NULL; 544 } 545 546 *session_info_out = session_info; 547 return NT_STATUS_OK; 548 } 466 549 467 550 /* … … 473 556 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || 474 557 (server_info->nss_token)) { 475 status = create_token_from_username(server_info, 558 char *found_username = NULL; 559 status = create_token_from_username(session_info, 476 560 server_info->unix_name, 477 561 server_info->guest, 478 &server_info->utok.uid, 479 &server_info->utok.gid, 480 &server_info->unix_name, 481 &server_info->security_token); 482 562 &session_info->unix_token->uid, 563 &session_info->unix_token->gid, 564 &found_username, 565 &session_info->security_token); 566 if (NT_STATUS_IS_OK(status)) { 567 session_info->unix_info->unix_name = found_username; 568 } 483 569 } else { 484 status = create_local_nt_token_from_info3(se rver_info,570 status = create_local_nt_token_from_info3(session_info, 485 571 server_info->guest, 486 572 server_info->info3, 487 573 &server_info->extra, 488 &se rver_info->security_token);574 &session_info->security_token); 489 575 } 490 576 … … 495 581 /* Convert the SIDs to gids. */ 496 582 497 se rver_info->utok.ngroups = 0;498 se rver_info->utok.groups = NULL;499 500 t = se rver_info->security_token;501 502 ids = TALLOC_ARRAY(talloc_tos(), struct wbcUnixId,583 session_info->unix_token->ngroups = 0; 584 session_info->unix_token->groups = NULL; 585 586 t = session_info->security_token; 587 588 ids = talloc_array(talloc_tos(), struct unixid, 503 589 t->num_sids); 504 590 if (ids == NULL) { … … 506 592 } 507 593 508 if (!sids_to_unix _ids(t->sids, t->num_sids, ids)) {594 if (!sids_to_unixids(t->sids, t->num_sids, ids)) { 509 595 TALLOC_FREE(ids); 510 596 return NT_STATUS_NO_MEMORY; 511 597 } 512 598 513 /* Start at index 1, where the groups start. */ 514 515 for (i=1; i<t->num_sids; i++) { 516 517 if (ids[i].type != WBC_ID_TYPE_GID) { 599 for (i=0; i<t->num_sids; i++) { 600 601 if (i == 0 && ids[i].type != ID_TYPE_BOTH) { 602 continue; 603 } 604 605 if (ids[i].type != ID_TYPE_GID && 606 ids[i].type != ID_TYPE_BOTH) { 518 607 DEBUG(10, ("Could not convert SID %s to gid, " 519 608 "ignoring it\n", … … 521 610 continue; 522 611 } 523 if (!add_gid_to_array_unique(se rver_info, ids[i].id.gid,524 &se rver_info->utok.groups,525 &se rver_info->utok.ngroups)) {612 if (!add_gid_to_array_unique(session_info, ids[i].id, 613 &session_info->unix_token->groups, 614 &session_info->unix_token->ngroups)) { 526 615 return NT_STATUS_NO_MEMORY; 527 616 } … … 541 630 */ 542 631 543 uid_to_unix_users_sid(se rver_info->utok.uid, &tmp_sid);544 545 add_sid_to_array_unique(se rver_info->security_token, &tmp_sid,546 &se rver_info->security_token->sids,547 &se rver_info->security_token->num_sids);548 549 for ( i=0; i<se rver_info->utok.ngroups; i++ ) {550 gid_to_unix_groups_sid(se rver_info->utok.groups[i], &tmp_sid);551 add_sid_to_array_unique(se rver_info->security_token, &tmp_sid,552 &se rver_info->security_token->sids,553 &se rver_info->security_token->num_sids);554 } 555 556 security_token_debug(DBGC_AUTH, 10, se rver_info->security_token);632 uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); 633 634 add_sid_to_array_unique(session_info->security_token, &tmp_sid, 635 &session_info->security_token->sids, 636 &session_info->security_token->num_sids); 637 638 for ( i=0; i<session_info->unix_token->ngroups; i++ ) { 639 gid_to_unix_groups_sid(session_info->unix_token->groups[i], &tmp_sid); 640 add_sid_to_array_unique(session_info->security_token, &tmp_sid, 641 &session_info->security_token->sids, 642 &session_info->security_token->num_sids); 643 } 644 645 security_token_debug(DBGC_AUTH, 10, session_info->security_token); 557 646 debug_unix_user_token(DBGC_AUTH, 10, 558 server_info->utok.uid, 559 server_info->utok.gid, 560 server_info->utok.ngroups, 561 server_info->utok.groups); 562 563 status = log_nt_token(server_info->security_token); 564 return status; 647 session_info->unix_token->uid, 648 session_info->unix_token->gid, 649 session_info->unix_token->ngroups, 650 session_info->unix_token->groups); 651 652 status = log_nt_token(session_info->security_token); 653 if (!NT_STATUS_IS_OK(status)) { 654 return status; 655 } 656 657 *session_info_out = session_info; 658 return NT_STATUS_OK; 565 659 } 566 660 … … 570 664 ***************************************************************************/ 571 665 572 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, 573 char *unix_username, 574 struct passwd *pwd) 666 NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, 667 const char *unix_username, 668 const struct passwd *pwd, 669 struct auth_serversupplied_info **server_info) 575 670 { 576 671 NTSTATUS status; 577 struct samu *sampass = NULL; 578 char *qualified_name = NULL; 579 TALLOC_CTX *mem_ctx = NULL; 580 struct dom_sid u_sid; 581 enum lsa_SidType type; 672 TALLOC_CTX *tmp_ctx = NULL; 582 673 struct auth_serversupplied_info *result; 583 674 584 /* 585 * The SID returned in server_info->sam_account is based 586 * on our SAM sid even though for a pure UNIX account this should 587 * not be the case as it doesn't really exist in the SAM db. 588 * This causes lookups on "[in]valid users" to fail as they 589 * will lookup this name as a "Unix User" SID to check against 590 * the user token. Fix this by adding the "Unix User"\unix_username 591 * SID to the sid array. The correct fix should probably be 592 * changing the server_info->sam_account user SID to be a 593 * S-1-22 Unix SID, but this might break old configs where 594 * plaintext passwords were used with no SAM backend. 595 */ 596 597 mem_ctx = talloc_init("make_server_info_pw_tmp"); 598 if (!mem_ctx) { 599 return NT_STATUS_NO_MEMORY; 600 } 601 602 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", 603 unix_users_domain_name(), 604 unix_username ); 605 if (!qualified_name) { 606 TALLOC_FREE(mem_ctx); 607 return NT_STATUS_NO_MEMORY; 608 } 609 610 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, 611 NULL, NULL, 612 &u_sid, &type)) { 613 TALLOC_FREE(mem_ctx); 614 return NT_STATUS_NO_SUCH_USER; 615 } 616 617 TALLOC_FREE(mem_ctx); 618 619 if (type != SID_NAME_USER) { 620 return NT_STATUS_NO_SUCH_USER; 621 } 622 623 if ( !(sampass = samu_new( NULL )) ) { 624 return NT_STATUS_NO_MEMORY; 625 } 626 627 status = samu_set_unix( sampass, pwd ); 675 tmp_ctx = talloc_stackframe(); 676 if (tmp_ctx == NULL) { 677 return NT_STATUS_NO_MEMORY; 678 } 679 680 result = make_server_info(tmp_ctx); 681 if (result == NULL) { 682 status = NT_STATUS_NO_MEMORY; 683 goto done; 684 } 685 686 status = passwd_to_SamInfo3(result, 687 unix_username, 688 pwd, 689 &result->info3, 690 &result->extra); 691 if (!NT_STATUS_IS_OK(status)) { 692 goto done; 693 } 694 695 result->unix_name = talloc_strdup(result, unix_username); 696 if (result->unix_name == NULL) { 697 status = NT_STATUS_NO_MEMORY; 698 goto done; 699 } 700 701 result->utok.uid = pwd->pw_uid; 702 result->utok.gid = pwd->pw_gid; 703 704 *server_info = talloc_steal(mem_ctx, result); 705 status = NT_STATUS_OK; 706 done: 707 talloc_free(tmp_ctx); 708 709 return status; 710 } 711 712 static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, 713 struct netr_SamInfo3 *info3) 714 { 715 NTSTATUS status; 716 struct dom_sid *system_sid; 717 718 /* Set account name */ 719 init_lsa_String(&info3->base.account_name, "SYSTEM"); 720 721 /* Set domain name */ 722 init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY"); 723 724 725 /* The SID set here will be overwirtten anyway, but try and make it SID_NT_SYSTEM anyway */ 726 /* Domain sid is NT_AUTHORITY */ 727 728 system_sid = dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM); 729 if (system_sid == NULL) { 730 return NT_STATUS_NO_MEMORY; 731 } 732 733 status = dom_sid_split_rid(mem_ctx, system_sid, &info3->base.domain_sid, 734 &info3->base.rid); 735 TALLOC_FREE(system_sid); 628 736 if (!NT_STATUS_IS_OK(status)) { 629 737 return status; 630 738 } 631 632 /* In pathological cases the above call can set the account 633 * name to the DOMAIN\username form. Reset the account name 634 * using unix_username */ 635 pdb_set_username(sampass, unix_username, PDB_SET); 636 637 /* set the user sid to be the calculated u_sid */ 638 pdb_set_user_sid(sampass, &u_sid, PDB_SET); 639 640 result = make_server_info(NULL); 641 if (result == NULL) { 642 TALLOC_FREE(sampass); 643 return NT_STATUS_NO_MEMORY; 644 } 645 646 status = samu_to_SamInfo3(result, sampass, global_myname(), 647 &result->info3, &result->extra); 648 TALLOC_FREE(sampass); 649 if (!NT_STATUS_IS_OK(status)) { 650 DEBUG(10, ("Failed to convert samu to info3: %s\n", 651 nt_errstr(status))); 652 TALLOC_FREE(result); 653 return status; 654 } 655 656 result->unix_name = talloc_strdup(result, unix_username); 657 result->sanitized_username = sanitize_username(result, unix_username); 658 659 if ((result->unix_name == NULL) 660 || (result->sanitized_username == NULL)) { 661 TALLOC_FREE(result); 662 return NT_STATUS_NO_MEMORY; 663 } 664 665 result->utok.uid = pwd->pw_uid; 666 result->utok.gid = pwd->pw_gid; 667 668 *server_info = result; 669 670 return NT_STATUS_OK; 671 } 672 673 static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, 674 struct passwd *pwd, 675 struct netr_SamInfo3 *info3) 676 { 677 struct dom_sid domain_sid; 678 const char *tmp; 679 680 /* Set account name */ 681 tmp = talloc_strdup(mem_ctx, pwd->pw_name); 682 if (tmp == NULL) { 683 return NT_STATUS_NO_MEMORY; 684 } 685 init_lsa_String(&info3->base.account_name, tmp); 686 687 /* Set domain name */ 688 tmp = talloc_strdup(mem_ctx, get_global_sam_name()); 689 if (tmp == NULL) { 690 return NT_STATUS_NO_MEMORY; 691 } 692 init_lsa_StringLarge(&info3->base.domain, tmp); 693 694 /* Domain sid */ 695 sid_copy(&domain_sid, get_global_sam_sid()); 696 697 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid); 698 if (info3->base.domain_sid == NULL) { 699 return NT_STATUS_NO_MEMORY; 700 } 701 702 /* Admin rid */ 703 info3->base.rid = DOMAIN_RID_ADMINISTRATOR; 704 705 /* Primary gid */ 706 info3->base.primary_gid = BUILTIN_RID_ADMINISTRATORS; 739 740 /* Primary gid is the same */ 741 info3->base.primary_gid = info3->base.rid; 707 742 708 743 return NT_STATUS_OK; … … 712 747 struct netr_SamInfo3 *info3) 713 748 { 714 const char *guest_account = lp_guest account();749 const char *guest_account = lp_guest_account(); 715 750 struct dom_sid domain_sid; 716 751 struct passwd *pwd; … … 724 759 } 725 760 726 /* Set ac ount name */761 /* Set account name */ 727 762 tmp = talloc_strdup(mem_ctx, pwd->pw_name); 728 763 if (tmp == NULL) { … … 736 771 return NT_STATUS_NO_MEMORY; 737 772 } 738 init_lsa_StringLarge(&info3->base. domain, tmp);773 init_lsa_StringLarge(&info3->base.logon_domain, tmp); 739 774 740 775 /* Domain sid */ … … 751 786 /* Primary gid */ 752 787 info3->base.primary_gid = DOMAIN_RID_GUESTS; 788 789 /* Set as guest */ 790 info3->base.user_flags = NETLOGON_GUEST; 753 791 754 792 TALLOC_FREE(pwd); … … 760 798 This *must* succeed for smbd to start. If there is no mapping entry for 761 799 the guest gid, then create one. 800 801 The resulting structure is a 'session_info' because 802 create_local_token() has already been called on it. This is quite 803 nasty, as the auth subsystem isn't expect this, but the behavior is 804 left as-is for now. 762 805 ***************************************************************************/ 763 806 764 static NTSTATUS make_new_se rver_info_guest(struct auth_serversupplied_info **server_info)807 static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info) 765 808 { 766 809 static const char zeros[16] = {0}; 767 const char *guest_account = lp_guest account();768 const char *domain = global_myname();810 const char *guest_account = lp_guest_account(); 811 const char *domain = lp_netbios_name(); 769 812 struct netr_SamInfo3 info3; 770 813 TALLOC_CTX *tmp_ctx; 771 814 NTSTATUS status; 772 fstring tmp;773 815 774 816 tmp_ctx = talloc_stackframe(); … … 781 823 status = get_guest_info3(tmp_ctx, &info3); 782 824 if (!NT_STATUS_IS_OK(status)) { 825 DEBUG(0, ("get_guest_info3 failed with %s\n", 826 nt_errstr(status))); 783 827 goto done; 784 828 } … … 786 830 status = make_server_info_info3(tmp_ctx, 787 831 guest_account, 788 domain,789 server_info,790 &info3);791 if (!NT_STATUS_IS_OK(status)) {792 goto done;793 }794 795 (*server_info)->guest = True;796 797 status = create_local_token(*server_info);798 if (!NT_STATUS_IS_OK(status)) {799 DEBUG(10, ("create_local_token failed: %s\n",800 nt_errstr(status)));801 goto done;802 }803 804 /* annoying, but the Guest really does have a session key, and it is805 all zeros! */806 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));807 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));808 809 alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,810 ". _-$", sizeof(tmp));811 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);812 813 status = NT_STATUS_OK;814 done:815 TALLOC_FREE(tmp_ctx);816 return status;817 }818 819 /****************************************************************************820 Fake a auth_session_info just from a username (as a821 session_info structure, with create_local_token() already called on822 it.823 ****************************************************************************/824 825 static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,826 struct passwd *pwd,827 struct auth_serversupplied_info **server_info)828 {829 const char *domain = global_myname();830 struct netr_SamInfo3 info3;831 TALLOC_CTX *tmp_ctx;832 NTSTATUS status;833 834 tmp_ctx = talloc_stackframe();835 if (tmp_ctx == NULL) {836 return NT_STATUS_NO_MEMORY;837 }838 839 ZERO_STRUCT(info3);840 841 status = get_system_info3(tmp_ctx, pwd, &info3);842 if (!NT_STATUS_IS_OK(status)) {843 DEBUG(0, ("Failed creating system info3 with %s\n",844 nt_errstr(status)));845 goto done;846 }847 848 status = make_server_info_info3(mem_ctx,849 pwd->pw_name,850 832 domain, 851 833 server_info, … … 857 839 } 858 840 859 (*server_info)->nss_token = true; 860 861 /* Now turn the server_info into a session_info with the full token etc */ 862 status = create_local_token(*server_info); 841 (*server_info)->guest = true; 842 843 /* This should not be done here (we should produce a server 844 * info, and later construct a session info from it), but for 845 * now this does not change the previous behavior */ 846 status = create_local_token(tmp_ctx, *server_info, NULL, 847 (*server_info)->info3->base.account_name.string, 848 session_info); 863 849 if (!NT_STATUS_IS_OK(status)) { 864 850 DEBUG(0, ("create_local_token failed: %s\n", … … 866 852 goto done; 867 853 } 854 talloc_steal(NULL, *session_info); 855 talloc_steal(NULL, *server_info); 856 857 /* annoying, but the Guest really does have a session key, and it is 858 all zeros! */ 859 (*session_info)->session_key = data_blob(zeros, sizeof(zeros)); 868 860 869 861 status = NT_STATUS_OK; … … 879 871 880 872 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, 881 struct auth_serversupplied_info **session_info) 873 struct auth_session_info **session_info) 874 { 875 NTSTATUS status; 876 struct auth_serversupplied_info *server_info; 877 TALLOC_CTX *tmp_ctx; 878 879 tmp_ctx = talloc_stackframe(); 880 if (tmp_ctx == NULL) { 881 return NT_STATUS_NO_MEMORY; 882 } 883 884 server_info = make_server_info(tmp_ctx); 885 if (!server_info) { 886 status = NT_STATUS_NO_MEMORY; 887 DEBUG(0, ("failed making server_info\n")); 888 goto done; 889 } 890 891 server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3); 892 if (!server_info->info3) { 893 status = NT_STATUS_NO_MEMORY; 894 DEBUG(0, ("talloc failed setting info3\n")); 895 goto done; 896 } 897 898 status = get_system_info3(server_info, server_info->info3); 899 if (!NT_STATUS_IS_OK(status)) { 900 DEBUG(0, ("Failed creating system info3 with %s\n", 901 nt_errstr(status))); 902 goto done; 903 } 904 905 server_info->utok.uid = sec_initial_uid(); 906 server_info->utok.gid = sec_initial_gid(); 907 server_info->unix_name = talloc_asprintf(server_info, 908 "NT AUTHORITY%cSYSTEM", 909 *lp_winbind_separator()); 910 911 if (!server_info->unix_name) { 912 status = NT_STATUS_NO_MEMORY; 913 DEBUG(0, ("talloc_asprintf failed setting unix_name\n")); 914 goto done; 915 } 916 917 server_info->security_token = talloc_zero(server_info, struct security_token); 918 if (!server_info->security_token) { 919 status = NT_STATUS_NO_MEMORY; 920 DEBUG(0, ("talloc failed setting security token\n")); 921 goto done; 922 } 923 924 status = add_sid_to_array_unique(server_info->security_token->sids, 925 &global_sid_System, 926 &server_info->security_token->sids, 927 &server_info->security_token->num_sids); 928 if (!NT_STATUS_IS_OK(status)) { 929 goto done; 930 } 931 932 /* SYSTEM has all privilages */ 933 server_info->security_token->privilege_mask = ~0; 934 935 /* Now turn the server_info into a session_info with the full token etc */ 936 status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info); 937 talloc_free(server_info); 938 939 if (!NT_STATUS_IS_OK(status)) { 940 DEBUG(0, ("create_local_token failed: %s\n", 941 nt_errstr(status))); 942 goto done; 943 } 944 945 talloc_steal(mem_ctx, *session_info); 946 947 done: 948 TALLOC_FREE(tmp_ctx); 949 return status; 950 } 951 952 /**************************************************************************** 953 Fake a auth_session_info just from a username (as a 954 session_info structure, with create_local_token() already called on 955 it. 956 ****************************************************************************/ 957 958 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, 959 const char *username, 960 bool is_guest, 961 struct auth_session_info **session_info) 882 962 { 883 963 struct passwd *pwd; 884 964 NTSTATUS status; 885 886 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid()); 965 struct auth_serversupplied_info *result; 966 TALLOC_CTX *tmp_ctx; 967 968 tmp_ctx = talloc_stackframe(); 969 if (tmp_ctx == NULL) { 970 return NT_STATUS_NO_MEMORY; 971 } 972 973 pwd = Get_Pwnam_alloc(tmp_ctx, username); 887 974 if (pwd == NULL) { 888 return NT_STATUS_NO_SUCH_USER; 889 } 890 891 status = make_system_session_info_from_pw(mem_ctx, 892 pwd, 893 session_info); 894 TALLOC_FREE(pwd); 975 status = NT_STATUS_NO_SUCH_USER; 976 goto done; 977 } 978 979 status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result); 895 980 if (!NT_STATUS_IS_OK(status)) { 896 return status; 897 } 898 899 (*session_info)->system = true; 900 901 status = add_sid_to_array_unique((*session_info)->security_token->sids, 902 &global_sid_System, 903 &(*session_info)->security_token->sids, 904 &(*session_info)->security_token->num_sids); 905 if (!NT_STATUS_IS_OK(status)) { 906 TALLOC_FREE((*session_info)); 907 return status; 908 } 909 910 return NT_STATUS_OK; 911 } 912 913 /**************************************************************************** 914 Fake a auth_serversupplied_info just from a username 915 ****************************************************************************/ 916 917 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, 918 const char *username, 919 bool use_guest_token, 920 bool is_guest, 921 struct auth_serversupplied_info **presult) 922 { 923 struct auth_serversupplied_info *result; 924 struct passwd *pwd; 925 NTSTATUS status; 926 927 pwd = Get_Pwnam_alloc(talloc_tos(), username); 928 if (pwd == NULL) { 929 return NT_STATUS_NO_SUCH_USER; 930 } 931 932 status = make_server_info_pw(&result, pwd->pw_name, pwd); 933 934 TALLOC_FREE(pwd); 935 936 if (!NT_STATUS_IS_OK(status)) { 937 return status; 981 goto done; 938 982 } 939 983 … … 941 985 result->guest = is_guest; 942 986 943 if (use_guest_token) { 944 status = make_server_info_guest(mem_ctx, &result); 945 } else { 946 status = create_local_token(result); 947 } 948 949 if (!NT_STATUS_IS_OK(status)) { 950 TALLOC_FREE(result); 951 return status; 952 } 953 954 *presult = talloc_steal(mem_ctx, result); 955 return NT_STATUS_OK; 956 } 957 958 959 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, 960 const struct auth_serversupplied_info *src) 987 /* Now turn the server_info into a session_info with the full token etc */ 988 status = create_local_token(mem_ctx, 989 result, 990 NULL, 991 pwd->pw_name, 992 session_info); 993 994 done: 995 talloc_free(tmp_ctx); 996 997 return status; 998 } 999 1000 /* This function MUST only used to create the cached server_info for 1001 * guest. 1002 * 1003 * This is a lossy conversion. Variables known to be lost so far 1004 * include: 1005 * 1006 * - nss_token (not needed because the only read doesn't happen 1007 * for the GUEST user, as this routine populates ->security_token 1008 * 1009 * - extra (not needed because the guest account must have valid RIDs per the output of get_guest_info3()) 1010 * 1011 * - The 'server_info' parameter allows the missing 'info3' to be copied across. 1012 */ 1013 static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLOC_CTX *mem_ctx, 1014 const struct auth_session_info *src, 1015 struct auth_serversupplied_info *server_info) 961 1016 { 962 1017 struct auth_serversupplied_info *dst; … … 967 1022 } 968 1023 969 dst->guest = src->guest; 970 dst->system = src->system; 971 dst->utok.uid = src->utok.uid; 972 dst->utok.gid = src->utok.gid; 973 dst->utok.ngroups = src->utok.ngroups; 974 if (src->utok.ngroups != 0) { 975 dst->utok.groups = (gid_t *)TALLOC_MEMDUP( 976 dst, src->utok.groups, 1024 /* This element must be provided to convert back to an auth_serversupplied_info */ 1025 SMB_ASSERT(src->unix_info); 1026 1027 dst->guest = true; 1028 dst->system = false; 1029 1030 /* This element must be provided to convert back to an 1031 * auth_serversupplied_info. This needs to be from the 1032 * auth_session_info because the group values in particular 1033 * may change during create_local_token() processing */ 1034 SMB_ASSERT(src->unix_token); 1035 dst->utok.uid = src->unix_token->uid; 1036 dst->utok.gid = src->unix_token->gid; 1037 dst->utok.ngroups = src->unix_token->ngroups; 1038 if (src->unix_token->ngroups != 0) { 1039 dst->utok.groups = (gid_t *)talloc_memdup( 1040 dst, src->unix_token->groups, 977 1041 sizeof(gid_t)*dst->utok.ngroups); 978 1042 } else { … … 980 1044 } 981 1045 982 if (src->security_token) { 983 dst->security_token = dup_nt_token(dst, src->security_token); 984 if (!dst->security_token) { 985 TALLOC_FREE(dst); 986 return NULL; 987 } 988 } 989 990 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data, 991 src->user_session_key.length); 992 993 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data, 994 src->lm_session_key.length); 995 996 dst->info3 = copy_netr_SamInfo3(dst, src->info3); 1046 /* We must have a security_token as otherwise the lossy 1047 * conversion without nss_token would cause create_local_token 1048 * to take the wrong path */ 1049 SMB_ASSERT(src->security_token); 1050 1051 dst->security_token = dup_nt_token(dst, src->security_token); 1052 if (!dst->security_token) { 1053 TALLOC_FREE(dst); 1054 return NULL; 1055 } 1056 1057 dst->session_key = data_blob_talloc( dst, src->session_key.data, 1058 src->session_key.length); 1059 1060 /* This is OK because this functions is only used for the 1061 * GUEST account, which has all-zero keys for both values */ 1062 dst->lm_session_key = data_blob_talloc(dst, src->session_key.data, 1063 src->session_key.length); 1064 1065 dst->info3 = copy_netr_SamInfo3(dst, server_info->info3); 997 1066 if (!dst->info3) { 998 1067 TALLOC_FREE(dst); 999 1068 return NULL; 1000 1069 } 1001 dst->extra = src->extra; 1002 1003 dst->unix_name = talloc_strdup(dst, src->unix_name); 1070 1071 dst->unix_name = talloc_strdup(dst, src->unix_info->unix_name); 1004 1072 if (!dst->unix_name) { 1005 1073 TALLOC_FREE(dst); … … 1007 1075 } 1008 1076 1009 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username); 1010 if (!dst->sanitized_username) { 1077 return dst; 1078 } 1079 1080 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, 1081 const struct auth_session_info *src) 1082 { 1083 struct auth_session_info *dst; 1084 DATA_BLOB blob; 1085 enum ndr_err_code ndr_err; 1086 1087 ndr_err = ndr_push_struct_blob( 1088 &blob, talloc_tos(), src, 1089 (ndr_push_flags_fn_t)ndr_push_auth_session_info); 1090 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 1091 DEBUG(0, ("copy_session_info(): ndr_push_auth_session_info failed: " 1092 "%s\n", ndr_errstr(ndr_err))); 1093 return NULL; 1094 } 1095 1096 dst = talloc(mem_ctx, struct auth_session_info); 1097 if (dst == NULL) { 1098 DEBUG(0, ("talloc failed\n")); 1099 TALLOC_FREE(blob.data); 1100 return NULL; 1101 } 1102 1103 ndr_err = ndr_pull_struct_blob( 1104 &blob, dst, dst, 1105 (ndr_pull_flags_fn_t)ndr_pull_auth_session_info); 1106 TALLOC_FREE(blob.data); 1107 1108 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 1109 DEBUG(0, ("copy_session_info(): ndr_pull_auth_session_info failed: " 1110 "%s\n", ndr_errstr(ndr_err))); 1011 1111 TALLOC_FREE(dst); 1012 1112 return NULL; … … 1021 1121 */ 1022 1122 1023 bool session_info_set_session_key(struct auth_se rversupplied_info *info,1123 bool session_info_set_session_key(struct auth_session_info *info, 1024 1124 DATA_BLOB session_key) 1025 1125 { 1026 TALLOC_FREE(info-> user_session_key.data);1027 1028 info-> user_session_key = data_blob_talloc(1126 TALLOC_FREE(info->session_key.data); 1127 1128 info->session_key = data_blob_talloc( 1029 1129 info, session_key.data, session_key.length); 1030 1130 1031 return (info->user_session_key.data != NULL); 1032 } 1033 1034 static struct auth_serversupplied_info *guest_info = NULL; 1131 return (info->session_key.data != NULL); 1132 } 1133 1134 static struct auth_session_info *guest_info = NULL; 1135 1136 static struct auth_serversupplied_info *guest_server_info = NULL; 1035 1137 1036 1138 bool init_guest_info(void) 1037 1139 { 1038 1140 if (guest_info != NULL) 1039 return True;1040 1041 return NT_STATUS_IS_OK(make_new_se rver_info_guest(&guest_info));1141 return true; 1142 1143 return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info)); 1042 1144 } 1043 1145 … … 1045 1147 struct auth_serversupplied_info **server_info) 1046 1148 { 1047 *server_info = copy_serverinfo(mem_ctx, guest_info); 1149 /* This is trickier than it would appear to need to be because 1150 * we are trying to avoid certain costly operations when the 1151 * structure is converted to a 'auth_session_info' again in 1152 * create_local_token() */ 1153 *server_info = copy_session_info_serverinfo_guest(mem_ctx, guest_info, guest_server_info); 1048 1154 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; 1049 1155 } 1050 1156 1051 static struct auth_serversupplied_info *system_info = NULL; 1052 1053 NTSTATUS init_system_info(void) 1157 NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, 1158 struct auth_session_info **session_info) 1159 { 1160 *session_info = copy_session_info(mem_ctx, guest_info); 1161 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; 1162 } 1163 1164 static struct auth_session_info *system_info = NULL; 1165 1166 NTSTATUS init_system_session_info(void) 1054 1167 { 1055 1168 if (system_info != NULL) … … 1060 1173 1061 1174 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx, 1062 struct auth_se rversupplied_info **session_info)1175 struct auth_session_info **session_info) 1063 1176 { 1064 1177 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL; 1065 *session_info = copy_se rverinfo(mem_ctx, system_info);1178 *session_info = copy_session_info(mem_ctx, system_info); 1066 1179 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; 1067 1180 } 1068 1181 1069 const struct auth_se rversupplied_info *get_session_info_system(void)1182 const struct auth_session_info *get_session_info_system(void) 1070 1183 { 1071 1184 return system_info; 1072 }1073 1074 bool copy_current_user(struct current_user *dst, struct current_user *src)1075 {1076 gid_t *groups;1077 struct security_token *nt_token;1078 1079 groups = (gid_t *)memdup(src->ut.groups,1080 sizeof(gid_t) * src->ut.ngroups);1081 if ((src->ut.ngroups != 0) && (groups == NULL)) {1082 return False;1083 }1084 1085 nt_token = dup_nt_token(NULL, src->nt_user_token);1086 if (nt_token == NULL) {1087 SAFE_FREE(groups);1088 return False;1089 }1090 1091 dst->conn = src->conn;1092 dst->vuid = src->vuid;1093 dst->ut.uid = src->ut.uid;1094 dst->ut.gid = src->ut.gid;1095 dst->ut.ngroups = src->ut.ngroups;1096 dst->ut.groups = groups;1097 dst->nt_user_token = nt_token;1098 return True;1099 1185 } 1100 1186 … … 1118 1204 return NT_STATUS_NO_MEMORY; 1119 1205 } 1120 strlower_m( lower_username ); 1206 if (!strlower_m( lower_username )) { 1207 return NT_STATUS_INVALID_PARAMETER; 1208 } 1121 1209 1122 1210 orig_dom_user = talloc_asprintf(mem_ctx, … … 1136 1224 } 1137 1225 1138 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );1226 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true ); 1139 1227 if (!passwd) { 1140 1228 DEBUG(3, ("Failed to find authenticated user %s via " … … 1149 1237 *pwd = passwd; 1150 1238 1151 /* This is pointless -- there is no sup ort for differing1239 /* This is pointless -- there is no support for differing 1152 1240 unix and windows names. Make sure to always store the 1153 1241 one we actually looked up and succeeded. Have I mentioned … … 1264 1352 const char *domain, 1265 1353 struct auth_serversupplied_info **server_info, 1266 struct netr_SamInfo3 *info3)1354 const struct netr_SamInfo3 *info3) 1267 1355 { 1268 1356 static const char zeros[16] = {0, }; … … 1277 1365 struct passwd *pwd; 1278 1366 struct auth_serversupplied_info *result; 1367 TALLOC_CTX *tmp_ctx = talloc_stackframe(); 1279 1368 1280 1369 /* … … 1285 1374 1286 1375 if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) { 1287 return NT_STATUS_INVALID_PARAMETER; 1376 nt_status = NT_STATUS_INVALID_PARAMETER; 1377 goto out; 1288 1378 } 1289 1379 1290 1380 if (!sid_compose(&group_sid, info3->base.domain_sid, 1291 1381 info3->base.primary_gid)) { 1292 return NT_STATUS_INVALID_PARAMETER; 1293 } 1294 1295 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string); 1382 nt_status = NT_STATUS_INVALID_PARAMETER; 1383 goto out; 1384 } 1385 1386 nt_username = talloc_strdup(tmp_ctx, info3->base.account_name.string); 1296 1387 if (!nt_username) { 1297 1388 /* If the server didn't give us one, just use the one we sent … … 1300 1391 } 1301 1392 1302 nt_domain = talloc_strdup(mem_ctx, info3->base. domain.string);1393 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string); 1303 1394 if (!nt_domain) { 1304 1395 /* If the server didn't give us one, just use the one we sent … … 1320 1411 /* this call will try to create the user if necessary */ 1321 1412 1322 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username, 1323 &found_username, &pwd, 1324 &username_was_mapped); 1413 nt_status = check_account(tmp_ctx, 1414 nt_domain, 1415 nt_username, 1416 &found_username, 1417 &pwd, 1418 &username_was_mapped); 1325 1419 1326 1420 if (!NT_STATUS_IS_OK(nt_status)) { 1327 return nt_status; 1328 } 1329 1330 result = make_server_info(NULL); 1421 /* Handle 'map to guest = Bad Uid */ 1422 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) && 1423 (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) && 1424 lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) { 1425 DBG_NOTICE("Try to map %s to guest account", 1426 nt_username); 1427 nt_status = make_server_info_guest(tmp_ctx, &result); 1428 if (NT_STATUS_IS_OK(nt_status)) { 1429 *server_info = talloc_move(mem_ctx, &result); 1430 } 1431 } 1432 goto out; 1433 } 1434 1435 result = make_server_info(tmp_ctx); 1331 1436 if (result == NULL) { 1332 1437 DEBUG(4, ("make_server_info failed!\n")); 1333 return NT_STATUS_NO_MEMORY; 1438 nt_status = NT_STATUS_NO_MEMORY; 1439 goto out; 1334 1440 } 1335 1441 1336 1442 result->unix_name = talloc_strdup(result, found_username); 1337 1338 result->sanitized_username = sanitize_username(result,1339 result->unix_name);1340 if (result->sanitized_username == NULL) {1341 TALLOC_FREE(result);1342 return NT_STATUS_NO_MEMORY;1343 }1344 1443 1345 1444 /* copy in the info3 */ 1346 1445 result->info3 = copy_netr_SamInfo3(result, info3); 1347 1446 if (result->info3 == NULL) { 1348 TALLOC_FREE(result);1349 return NT_STATUS_NO_MEMORY;1447 nt_status = NT_STATUS_NO_MEMORY; 1448 goto out; 1350 1449 } 1351 1450 … … 1358 1457 1359 1458 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) { 1360 result-> user_session_key = data_blob_null;1459 result->session_key = data_blob_null; 1361 1460 } else { 1362 result-> user_session_key = data_blob_talloc(1461 result->session_key = data_blob_talloc( 1363 1462 result, info3->base.key.key, 1364 1463 sizeof(info3->base.key.key)); … … 1375 1474 result->nss_token |= username_was_mapped; 1376 1475 1377 *server_info = result; 1378 1379 return NT_STATUS_OK; 1476 result->guest = (info3->base.user_flags & NETLOGON_GUEST); 1477 1478 *server_info = talloc_move(mem_ctx, &result); 1479 1480 nt_status = NT_STATUS_OK; 1481 out: 1482 talloc_free(tmp_ctx); 1483 1484 return nt_status; 1380 1485 } 1381 1486 … … 1418 1523 1419 1524 if ( lp_server_role() == ROLE_STANDALONE ) 1420 return False;1525 return false; 1421 1526 1422 1527 if (dom_name == NULL || dom_name[0] == '\0') { … … 1437 1542 unbecome_root(); 1438 1543 if (ret) 1439 return True;1544 return true; 1440 1545 } 1441 1546 else { … … 1447 1552 1448 1553 if (result == WBC_ERR_SUCCESS) { 1449 return True;1554 return true; 1450 1555 } 1451 1556 1452 1557 if (result == WBC_ERR_DOMAIN_NOT_FOUND) { 1453 1558 /* winbind could not find the domain */ 1454 return False; 1455 } 1559 return false; 1560 } 1561 1562 DEBUG(10, ("wb_is_trusted_domain returned error: %s\n", 1563 wbcErrorString(result))); 1456 1564 1457 1565 /* The only other possible result is that winbind is not up … … 1467 1575 1468 1576 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) { 1469 return True; 1470 } 1471 1472 return False; 1473 } 1474 1577 return true; 1578 } 1579 1580 return false; 1581 } 1582 1583 1584 1585 /* 1586 on a logon error possibly map the error to success if "map to guest" 1587 is set approriately 1588 */ 1589 NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx, 1590 NTSTATUS status, 1591 const char *user, 1592 const char *domain, 1593 struct auth_serversupplied_info **server_info) 1594 { 1595 user = user ? user : ""; 1596 domain = domain ? domain : ""; 1597 1598 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { 1599 if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || 1600 (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { 1601 DEBUG(3,("No such user %s [%s] - using guest account\n", 1602 user, domain)); 1603 return make_server_info_guest(mem_ctx, server_info); 1604 } 1605 } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { 1606 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { 1607 DEBUG(3,("Registered username %s for guest access\n", 1608 user)); 1609 return make_server_info_guest(mem_ctx, server_info); 1610 } 1611 } 1612 1613 return status; 1614 } 1615 1616 /* 1617 Extract session key from a session info and return it in a blob 1618 if intent is KEY_USE_16BYTES, truncate it to 16 bytes 1619 1620 See sections 3.2.4.15 and 3.3.4.2 of MS-SMB 1621 Also see https://lists.samba.org/archive/cifs-protocol/2012-January/002265.html for details 1622 1623 Note that returned session_key is referencing the original key, it is supposed to be 1624 short-lived. If original session_info->session_key is gone, the reference will be broken. 1625 */ 1626 NTSTATUS session_extract_session_key(const struct auth_session_info *session_info, DATA_BLOB *session_key, enum session_key_use_intent intent) 1627 { 1628 1629 if (session_key == NULL || session_info == NULL) { 1630 return NT_STATUS_INVALID_PARAMETER; 1631 } 1632 1633 if (session_info->session_key.length == 0) { 1634 return NT_STATUS_NO_USER_SESSION_KEY; 1635 } 1636 1637 *session_key = session_info->session_key; 1638 if (intent == KEY_USE_16BYTES) { 1639 session_key->length = MIN(session_info->session_key.length, 16); 1640 } 1641 return NT_STATUS_OK; 1642 } -
vendor/current/source3/auth/auth_wbc.c
r740 r988 183 183 struct auth_methods *result; 184 184 185 result = TALLOC_ZERO_P(auth_context, struct auth_methods);185 result = talloc_zero(auth_context, struct auth_methods); 186 186 if (result == NULL) { 187 187 return NT_STATUS_NO_MEMORY; -
vendor/current/source3/auth/auth_winbind.c
r860 r988 149 149 struct auth_methods *result; 150 150 151 result = TALLOC_ZERO_P(auth_context, struct auth_methods);151 result = talloc_zero(auth_context, struct auth_methods); 152 152 if (result == NULL) { 153 153 return NT_STATUS_NO_MEMORY; -
vendor/current/source3/auth/check_samsec.c
r860 r988 120 120 { 121 121 /* In logon hours first bit is Sunday from 12AM to 1AM */ 122 const uint8 *hours;122 const uint8_t *hours; 123 123 struct tm *utctime; 124 124 time_t lasttime; 125 125 const char *asct; 126 uint8 bitmask, bitpos;126 uint8_t bitmask, bitpos; 127 127 128 128 hours = pdb_get_hours(sampass); … … 177 177 const struct auth_usersupplied_info *user_info) 178 178 { 179 uint32 179 uint32_t acct_ctrl = pdb_get_acct_ctrl(sampass); 180 180 char *workstation_list; 181 181 time_t kickoff_time; … … 380 380 const uint8_t *nt_pw; 381 381 const uint8_t *lm_pw; 382 uint32_t acct_ctrl; 382 383 383 384 /* the returned struct gets kept on the server_info, by means … … 402 403 } 403 404 405 acct_ctrl = pdb_get_acct_ctrl(sampass); 404 406 username = pdb_get_username(sampass); 405 407 nt_pw = pdb_get_nt_passwd(sampass); … … 407 409 408 410 /* Quit if the account was locked out. */ 409 if ( pdb_get_acct_ctrl(sampass)& ACB_AUTOLOCK) {411 if (acct_ctrl & ACB_AUTOLOCK) { 410 412 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username)); 411 413 TALLOC_FREE(sampass); … … 414 416 415 417 nt_status = sam_password_ok(mem_ctx, 416 username, pdb_get_acct_ctrl(sampass),418 username, acct_ctrl, 417 419 challenge, lm_pw, nt_pw, 418 420 user_info, &user_sess_key, &lm_sess_key); … … 427 429 428 430 if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && 429 pdb_get_acct_ctrl(sampass) & ACB_NORMAL&&431 (acct_ctrl & ACB_NORMAL) && 430 432 NT_STATUS_IS_OK(update_login_attempts_status)) 431 433 { … … 457 459 } 458 460 459 if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && 461 /* 462 * We must only reset the bad password count if the login was 463 * successful, including checking account policies 464 */ 465 nt_status = sam_account_ok(mem_ctx, sampass, user_info); 466 if (!NT_STATUS_IS_OK(nt_status)) { 467 goto done; 468 } 469 470 if ((acct_ctrl & ACB_NORMAL) && 460 471 (pdb_get_bad_password_count(sampass) > 0)){ 472 NTSTATUS status; 473 461 474 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); 462 475 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); 463 updated_badpw = True;464 }465 466 if (updated_badpw){467 NTSTATUS status;468 476 469 477 become_root(); … … 477 485 } 478 486 479 nt_status = sam_account_ok(mem_ctx, sampass, user_info);480 481 if (!NT_STATUS_IS_OK(nt_status)) {482 goto done;483 }484 485 487 become_root(); 486 nt_status = make_server_info_sam( server_info, sampass);488 nt_status = make_server_info_sam(mem_ctx, sampass, server_info); 487 489 unbecome_root(); 488 490 … … 494 496 } 495 497 496 (*server_info)-> user_session_key =498 (*server_info)->session_key = 497 499 data_blob_talloc(*server_info, user_sess_key.data, 498 500 user_sess_key.length); … … 533 535 } 534 536 535 info3 = TALLOC_ZERO_P(mem_ctx, struct netr_SamInfo3);537 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3); 536 538 if (info3 == NULL) { 537 539 status = NT_STATUS_NO_MEMORY; … … 539 541 } 540 542 541 status = serverinfo_to_SamInfo3(server_info, NULL, 0,info3);543 status = serverinfo_to_SamInfo3(server_info, info3); 542 544 if (!NT_STATUS_IS_OK(status)) { 543 545 DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n", -
vendor/current/source3/auth/pampass.c
r740 r988 238 238 ZERO_STRUCTP(t); 239 239 240 DLIST_ADD_END(list, t , struct chat_struct*);240 DLIST_ADD_END(list, t); 241 241 242 242 if (!next_token_talloc(frame, &p, &prompt, NULL)) { … … 250 250 special_char_sub(prompt); 251 251 fstrcpy(t->prompt, prompt); 252 strlower_m(t->prompt);252 (void)strlower_m(t->prompt); 253 253 trim_char(t->prompt, ' ', ' '); 254 254 … … 263 263 special_char_sub(reply); 264 264 fstrcpy(t->reply, reply); 265 strlower_m(t->reply);265 (void)strlower_m(t->reply); 266 266 trim_char(t->reply, ' ', ' '); 267 267 … … 300 300 return PAM_CONV_ERR; 301 301 302 if ((pw_chat = make_pw_chat(lp_passwd_chat( ))) == NULL)302 if ((pw_chat = make_pw_chat(lp_passwd_chat(talloc_tos()))) == NULL) 303 303 return PAM_CONV_ERR; 304 304 … … 525 525 526 526 DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user)); 527 pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);527 pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK)); 528 528 switch( pam_error ){ 529 529 case PAM_AUTH_ERR: … … 721 721 */ 722 722 723 bool smb_pam_claim_session(c har *user, char *tty,char *rhost)723 bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost) 724 724 { 725 725 pam_handle_t *pamh = NULL; … … 749 749 */ 750 750 751 bool smb_pam_close_session(c har *user, char *tty,char *rhost)751 bool smb_pam_close_session(const char *user, const char *tty, const char *rhost) 752 752 { 753 753 pam_handle_t *pamh = NULL; … … 881 881 882 882 /* If PAM not used, also no PAM restrictions on sessions. */ 883 bool smb_pam_claim_session(c har *user, char *tty,char *rhost)883 bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost) 884 884 { 885 885 return True; … … 887 887 888 888 /* If PAM not used, also no PAM restrictions on sessions. */ 889 bool smb_pam_close_session(c har *in_user, char *tty,char *rhost)889 bool smb_pam_close_session(const char *in_user, const char *tty, const char *rhost) 890 890 { 891 891 return True; -
vendor/current/source3/auth/pass_check.c
r740 r988 28 28 #define DBGC_CLASS DBGC_AUTH 29 29 30 /* what is the longest significant password available on your system?31 Knowing this speeds up password searches a lot */32 #ifndef PASSWORD_LENGTH33 #define PASSWORD_LENGTH 834 #endif35 36 /* these are kept here to keep the string_combinations function simple */37 static char *ths_user;38 39 static const char *get_this_user(void)40 {41 if (!ths_user) {42 return "";43 }44 return ths_user;45 }46 47 #if defined(WITH_PAM) || defined(OSF1_ENH_SEC)48 static const char *set_this_user(const char *newuser)49 {50 char *orig_user = ths_user;51 ths_user = SMB_STRDUP(newuser);52 SAFE_FREE(orig_user);53 return ths_user;54 }55 #endif56 57 30 #if !defined(WITH_PAM) 58 31 static char *ths_salt; … … 92 65 #endif 93 66 94 #ifdef WITH_AFS 95 96 #include <afs/stds.h> 97 #include <afs/kautils.h> 98 99 /******************************************************************* 100 check on AFS authentication 101 ********************************************************************/ 102 static bool afs_auth(char *user, char *password) 103 { 104 long password_expires = 0; 105 char *reason; 106 107 /* For versions of AFS prior to 3.3, this routine has few arguments, */ 108 /* but since I can't find the old documentation... :-) */ 109 setpag(); 110 if (ka_UserAuthenticateGeneral 111 (KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, user, (char *)0, /* instance */ 112 (char *)0, /* cell */ 113 password, 0, /* lifetime, default */ 114 &password_expires, /*days 'til it expires */ 115 0, /* spare 2 */ 116 &reason) == 0) 117 { 118 return (True); 119 } 120 DEBUG(1, 121 ("AFS authentication for \"%s\" failed (%s)\n", user, reason)); 122 return (False); 123 } 124 #endif 125 126 127 #ifdef WITH_DFS 128 129 #include <dce/dce_error.h> 130 #include <dce/sec_login.h> 131 132 /***************************************************************** 133 This new version of the DFS_AUTH code was donated by Karsten Muuss 134 <muuss@or.uni-bonn.de>. It fixes the following problems with the 135 old code : 136 137 - Server credentials may expire 138 - Client credential cache files have wrong owner 139 - purge_context() function is called with invalid argument 140 141 This new code was modified to ensure that on exit the uid/gid is 142 still root, and the original directory is restored. JRA. 143 ******************************************************************/ 144 145 sec_login_handle_t my_dce_sec_context; 146 int dcelogin_atmost_once = 0; 147 148 /******************************************************************* 149 check on a DCE/DFS authentication 150 ********************************************************************/ 151 static bool dfs_auth(char *user, char *password) 152 { 153 struct tm *t; 154 error_status_t err; 155 int err2; 156 int prterr; 157 signed32 expire_time, current_time; 158 boolean32 password_reset; 159 struct passwd *pw; 160 sec_passwd_rec_t passwd_rec; 161 sec_login_auth_src_t auth_src = sec_login_auth_src_network; 162 unsigned char dce_errstr[dce_c_error_string_len]; 163 gid_t egid; 164 165 if (dcelogin_atmost_once) 166 return (False); 167 168 #ifdef HAVE_CRYPT 169 /* 170 * We only go for a DCE login context if the given password 171 * matches that stored in the local password file.. 172 * Assumes local passwd file is kept in sync w/ DCE RGY! 173 */ 174 175 if (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted())) 176 { 177 return (False); 178 } 179 #endif 180 181 sec_login_get_current_context(&my_dce_sec_context, &err); 182 if (err != error_status_ok) 183 { 184 dce_error_inq_text(err, dce_errstr, &err2); 185 DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); 186 187 return (False); 188 } 189 190 sec_login_certify_identity(my_dce_sec_context, &err); 191 if (err != error_status_ok) 192 { 193 dce_error_inq_text(err, dce_errstr, &err2); 194 DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); 195 196 return (False); 197 } 198 199 sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); 200 if (err != error_status_ok) 201 { 202 dce_error_inq_text(err, dce_errstr, &err2); 203 DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); 204 205 return (False); 206 } 207 208 time(¤t_time); 209 210 if (expire_time < (current_time + 60)) 211 { 212 struct passwd *pw; 213 sec_passwd_rec_t *key; 214 215 sec_login_get_pwent(my_dce_sec_context, 216 (sec_login_passwd_t *) & pw, &err); 217 if (err != error_status_ok) 218 { 219 dce_error_inq_text(err, dce_errstr, &err2); 220 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); 221 222 return (False); 223 } 224 225 sec_login_refresh_identity(my_dce_sec_context, &err); 226 if (err != error_status_ok) 227 { 228 dce_error_inq_text(err, dce_errstr, &err2); 229 DEBUG(0, ("DCE can't refresh identity. %s\n", 230 dce_errstr)); 231 232 return (False); 233 } 234 235 sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, 236 (unsigned char *)pw->pw_name, 237 sec_c_key_version_none, 238 (void **)&key, &err); 239 if (err != error_status_ok) 240 { 241 dce_error_inq_text(err, dce_errstr, &err2); 242 DEBUG(0, ("DCE can't get key for %s. %s\n", 243 pw->pw_name, dce_errstr)); 244 245 return (False); 246 } 247 248 sec_login_valid_and_cert_ident(my_dce_sec_context, key, 249 &password_reset, &auth_src, 250 &err); 251 if (err != error_status_ok) 252 { 253 dce_error_inq_text(err, dce_errstr, &err2); 254 DEBUG(0, 255 ("DCE can't validate and certify identity for %s. %s\n", 256 pw->pw_name, dce_errstr)); 257 } 258 259 sec_key_mgmt_free_key(key, &err); 260 if (err != error_status_ok) 261 { 262 dce_error_inq_text(err, dce_errstr, &err2); 263 DEBUG(0, ("DCE can't free key.\n", dce_errstr)); 264 } 265 } 266 267 if (sec_login_setup_identity((unsigned char *)user, 268 sec_login_no_flags, 269 &my_dce_sec_context, &err) == 0) 270 { 271 dce_error_inq_text(err, dce_errstr, &err2); 272 DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", 273 user, dce_errstr)); 274 return (False); 275 } 276 277 sec_login_get_pwent(my_dce_sec_context, 278 (sec_login_passwd_t *) & pw, &err); 279 if (err != error_status_ok) 280 { 281 dce_error_inq_text(err, dce_errstr, &err2); 282 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); 283 284 return (False); 285 } 286 287 sec_login_purge_context(&my_dce_sec_context, &err); 288 if (err != error_status_ok) 289 { 290 dce_error_inq_text(err, dce_errstr, &err2); 291 DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr)); 292 293 return (False); 294 } 295 296 /* 297 * NB. I'd like to change these to call something like change_to_user() 298 * instead but currently we don't have a connection 299 * context to become the correct user. This is already 300 * fairly platform specific code however, so I think 301 * this should be ok. I have added code to go 302 * back to being root on error though. JRA. 303 */ 304 305 egid = getegid(); 306 307 set_effective_gid(pw->pw_gid); 308 set_effective_uid(pw->pw_uid); 309 310 if (sec_login_setup_identity((unsigned char *)user, 311 sec_login_no_flags, 312 &my_dce_sec_context, &err) == 0) 313 { 314 dce_error_inq_text(err, dce_errstr, &err2); 315 DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", 316 user, dce_errstr)); 317 goto err; 318 } 319 320 sec_login_get_pwent(my_dce_sec_context, 321 (sec_login_passwd_t *) & pw, &err); 322 if (err != error_status_ok) 323 { 324 dce_error_inq_text(err, dce_errstr, &err2); 325 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); 326 goto err; 327 } 328 329 passwd_rec.version_number = sec_passwd_c_version_none; 330 passwd_rec.pepper = NULL; 331 passwd_rec.key.key_type = sec_passwd_plain; 332 passwd_rec.key.tagged_union.plain = (idl_char *) password; 333 334 sec_login_validate_identity(my_dce_sec_context, 335 &passwd_rec, &password_reset, 336 &auth_src, &err); 337 if (err != error_status_ok) 338 { 339 dce_error_inq_text(err, dce_errstr, &err2); 340 DEBUG(0, 341 ("DCE Identity Validation failed for principal %s: %s\n", 342 user, dce_errstr)); 343 goto err; 344 } 345 346 sec_login_certify_identity(my_dce_sec_context, &err); 347 if (err != error_status_ok) 348 { 349 dce_error_inq_text(err, dce_errstr, &err2); 350 DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr)); 351 goto err; 352 } 353 354 if (auth_src != sec_login_auth_src_network) 355 { 356 DEBUG(0, ("DCE context has no network credentials.\n")); 357 } 358 359 sec_login_set_context(my_dce_sec_context, &err); 360 if (err != error_status_ok) 361 { 362 dce_error_inq_text(err, dce_errstr, &err2); 363 DEBUG(0, 364 ("DCE login failed for principal %s, cant set context: %s\n", 365 user, dce_errstr)); 366 367 sec_login_purge_context(&my_dce_sec_context, &err); 368 goto err; 369 } 370 371 sec_login_get_pwent(my_dce_sec_context, 372 (sec_login_passwd_t *) & pw, &err); 373 if (err != error_status_ok) 374 { 375 dce_error_inq_text(err, dce_errstr, &err2); 376 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); 377 goto err; 378 } 379 380 DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n", 381 user, sys_getpid())); 382 383 DEBUG(3, ("DCE principal: %s\n" 384 " uid: %d\n" 385 " gid: %d\n", 386 pw->pw_name, pw->pw_uid, pw->pw_gid)); 387 DEBUG(3, (" info: %s\n" 388 " dir: %s\n" 389 " shell: %s\n", 390 pw->pw_gecos, pw->pw_dir, pw->pw_shell)); 391 392 sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); 393 if (err != error_status_ok) 394 { 395 dce_error_inq_text(err, dce_errstr, &err2); 396 DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); 397 goto err; 398 } 399 400 set_effective_uid(0); 401 set_effective_gid(0); 402 403 t = localtime(&expire_time); 404 if (t) { 405 const char *asct = asctime(t); 406 if (asct) { 407 DEBUG(0,("DCE context expires: %s", asct)); 408 } 409 } 410 411 dcelogin_atmost_once = 1; 412 return (True); 413 414 err: 415 416 /* Go back to root, JRA. */ 417 set_effective_uid(0); 418 set_effective_gid(egid); 419 return (False); 420 } 421 422 void dfs_unlogin(void) 423 { 424 error_status_t err; 425 int err2; 426 unsigned char dce_errstr[dce_c_error_string_len]; 427 428 sec_login_purge_context(&my_dce_sec_context, &err); 429 if (err != error_status_ok) 430 { 431 dce_error_inq_text(err, dce_errstr, &err2); 432 DEBUG(0, 433 ("DCE purge login context failed for server instance %d: %s\n", 434 sys_getpid(), dce_errstr)); 435 } 436 } 437 #endif 438 439 #ifdef LINUX_BIGCRYPT 440 /**************************************************************************** 441 an enhanced crypt for Linux to handle password longer than 8 characters 442 ****************************************************************************/ 443 static int linux_bigcrypt(char *password, char *salt1, char *crypted) 444 { 445 #define LINUX_PASSWORD_SEG_CHARS 8 446 char salt[3]; 447 int i; 448 449 StrnCpy(salt, salt1, 2); 450 crypted += 2; 451 452 for (i = strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) { 453 char *p = crypt(password, salt) + 2; 454 if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0) 455 return (0); 456 password += LINUX_PASSWORD_SEG_CHARS; 457 crypted += strlen(p); 458 } 459 460 return (1); 461 } 462 #endif 463 464 #ifdef OSF1_ENH_SEC 465 /**************************************************************************** 466 an enhanced crypt for OSF1 467 ****************************************************************************/ 468 static char *osf1_bigcrypt(char *password, char *salt1) 469 { 470 static char result[AUTH_MAX_PASSWD_LENGTH] = ""; 471 char *p1; 472 char *p2 = password; 473 char salt[3]; 474 int i; 475 int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS; 476 if (strlen(password) % AUTH_CLEARTEXT_SEG_CHARS) 477 parts++; 478 479 StrnCpy(salt, salt1, 2); 480 StrnCpy(result, salt1, 2); 481 result[2] = '\0'; 482 483 for (i = 0; i < parts; i++) { 484 p1 = crypt(p2, salt); 485 strncat(result, p1 + 2, 486 AUTH_MAX_PASSWD_LENGTH - strlen(p1 + 2) - 1); 487 StrnCpy(salt, &result[2 + i * AUTH_CIPHERTEXT_SEG_CHARS], 2); 488 p2 += AUTH_CLEARTEXT_SEG_CHARS; 489 } 490 491 return (result); 492 } 493 #endif 494 495 496 /**************************************************************************** 497 apply a function to upper/lower case combinations 498 of a string and return true if one of them returns true. 499 try all combinations with N uppercase letters. 500 offset is the first char to try and change (start with 0) 501 it assumes the string starts lowercased 502 ****************************************************************************/ 503 static NTSTATUS string_combinations2(char *s, int offset, 504 NTSTATUS (*fn)(const char *s, 505 void *private_data), 506 int N, void *private_data) 507 { 508 int len = strlen(s); 509 int i; 510 NTSTATUS nt_status; 511 512 #ifdef PASSWORD_LENGTH 513 len = MIN(len, PASSWORD_LENGTH); 514 #endif 515 516 if (N <= 0 || offset >= len) 517 return (fn(s, private_data)); 518 519 for (i = offset; i < (len - (N - 1)); i++) { 520 char c = s[i]; 521 if (!islower_m(c)) 522 continue; 523 s[i] = toupper_m(c); 524 nt_status = string_combinations2(s, i + 1, fn, N - 1, 525 private_data); 526 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { 527 return nt_status; 528 } 529 s[i] = c; 530 } 531 return (NT_STATUS_WRONG_PASSWORD); 532 } 533 534 /**************************************************************************** 535 apply a function to upper/lower case combinations 536 of a string and return true if one of them returns true. 537 try all combinations with up to N uppercase letters. 538 offset is the first char to try and change (start with 0) 539 it assumes the string starts lowercased 540 ****************************************************************************/ 541 static NTSTATUS string_combinations(char *s, 542 NTSTATUS (*fn)(const char *s, 543 void *private_data), 544 int N, void *private_data) 545 { 546 int n; 547 NTSTATUS nt_status; 548 for (n = 1; n <= N; n++) { 549 nt_status = string_combinations2(s, 0, fn, n, private_data); 550 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { 551 return nt_status; 552 } 553 } 554 return NT_STATUS_WRONG_PASSWORD; 555 } 67 68 69 70 556 71 557 72 … … 559 74 core of password checking routine 560 75 ****************************************************************************/ 561 static NTSTATUS password_check(const char * password,void *private_data)76 static NTSTATUS password_check(const char *user, const char *password, const void *private_data) 562 77 { 563 78 #ifdef WITH_PAM 564 79 const char *rhost = (const char *)private_data; 565 return smb_pam_passcheck( get_this_user(), rhost, password);80 return smb_pam_passcheck(user, rhost, password); 566 81 #else 567 82 568 83 bool ret; 569 84 570 #ifdef WITH_AFS 571 if (afs_auth(get_this_user(), password)) 572 return NT_STATUS_OK; 573 #endif /* WITH_AFS */ 574 575 #ifdef WITH_DFS 576 if (dfs_auth(get_this_user(), password)) 577 return NT_STATUS_OK; 578 #endif /* WITH_DFS */ 579 580 #ifdef OSF1_ENH_SEC 581 582 ret = (strcmp(osf1_bigcrypt(password, get_this_salt()), 583 get_this_crypted()) == 0); 584 if (!ret) { 585 DEBUG(2, 586 ("OSF1_ENH_SEC failed. Trying normal crypt.\n")); 587 ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0); 588 } 589 if (ret) { 590 return NT_STATUS_OK; 591 } else { 592 return NT_STATUS_WRONG_PASSWORD; 593 } 594 595 #endif /* OSF1_ENH_SEC */ 85 86 596 87 597 88 #ifdef ULTRIX_AUTH … … 605 96 #endif /* ULTRIX_AUTH */ 606 97 607 #ifdef LINUX_BIGCRYPT 608 ret = (linux_bigcrypt(password, get_this_salt(), get_this_crypted())); 609 if (ret) { 610 return NT_STATUS_OK; 611 } else { 612 return NT_STATUS_WRONG_PASSWORD; 613 } 614 #endif /* LINUX_BIGCRYPT */ 615 616 #if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS) 617 618 /* 619 * Some systems have bigcrypt in the C library but might not 620 * actually use it for the password hashes (HPUX 10.20) is 621 * a noteable example. So we try bigcrypt first, followed 622 * by crypt. 623 */ 624 625 if (strcmp(bigcrypt(password, get_this_salt()), get_this_crypted()) == 0) 626 return NT_STATUS_OK; 627 else 628 ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0); 629 if (ret) { 630 return NT_STATUS_OK; 631 } else { 632 return NT_STATUS_WRONG_PASSWORD; 633 } 634 #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ 98 635 99 636 100 #ifdef HAVE_BIGCRYPT … … 654 118 } 655 119 #endif /* HAVE_CRYPT */ 656 #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */657 120 #endif /* WITH_PAM */ 658 121 } … … 674 137 { 675 138 char *pass2 = NULL; 676 int level = lp_passwordlevel();677 139 678 140 NTSTATUS nt_status; … … 694 156 * checks below and dive straight into the PAM code. 695 157 */ 696 697 if (set_this_user(user) == NULL) {698 return NT_STATUS_NO_MEMORY;699 }700 158 701 159 DEBUG(4, ("pass_check: Checking (PAM) password for user %s\n", user)); … … 752 210 #endif 753 211 754 #ifdef HAVE_GETPRPWNAM755 {756 struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);757 if (pr_pw && pr_pw->ufld.fd_encrypt) {758 if (set_this_crypted(pr_pw->ufld.fd_encrypt) == NULL) {759 return NT_STATUS_NO_MEMORY;760 }761 }762 }763 #endif764 212 765 213 #ifdef HAVE_GETPWANAM … … 775 223 #endif 776 224 777 #ifdef OSF1_ENH_SEC778 {779 struct pr_passwd *mypasswd;780 DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n",781 user));782 mypasswd = getprpwnam(user);783 if (mypasswd) {784 if (set_this_user(mypasswd->ufld.fd_name) == NULL) {785 return NT_STATUS_NO_MEMORY;786 }787 if (set_this_crypted(mypasswd->ufld.fd_encrypt) == NULL) {788 return NT_STATUS_NO_MEMORY;789 }790 } else {791 DEBUG(5,792 ("OSF1_ENH_SEC: No entry for user %s in protected database !\n",793 user));794 }795 }796 #endif797 225 798 226 #ifdef ULTRIX_AUTH … … 809 237 #endif 810 238 811 #if defined(HAVE_TRUNCATED_SALT)812 /* crypt on some platforms (HPUX in particular)813 won't work with more than 2 salt characters. */814 {815 char *trunc_salt = get_this_salt();816 if (!trunc_salt || strlen(trunc_salt) < 2) {817 return NT_STATUS_LOGON_FAILURE;818 }819 trunc_salt[2] = 0;820 if (set_this_salt(trunc_salt) == NULL) {821 return NT_STATUS_NO_MEMORY;822 }823 }824 #endif825 239 826 240 if (!get_this_crypted() || !*get_this_crypted()) { 827 241 if (!lp_null_passwords()) { 828 242 DEBUG(2, ("Disallowing %s with null password\n", 829 get_this_user()));243 user)); 830 244 return NT_STATUS_LOGON_FAILURE; 831 245 } … … 833 247 DEBUG(3, 834 248 ("Allowing access to %s with null password\n", 835 get_this_user()));249 user)); 836 250 return NT_STATUS_OK; 837 251 } … … 841 255 842 256 /* try it as it came to us */ 843 nt_status = password_check( password, (void *)rhost);257 nt_status = password_check(user, password, (const void *)rhost); 844 258 if NT_STATUS_IS_OK(nt_status) { 845 259 return (nt_status); … … 868 282 /* try all lowercase if it's currently all uppercase */ 869 283 if (strhasupper(pass2)) { 870 strlower_m(pass2); 871 nt_status = password_check(pass2, (void *)rhost); 284 if (!strlower_m(pass2)) { 285 return NT_STATUS_INVALID_PARAMETER; 286 } 287 nt_status = password_check(user, pass2, (const void *)rhost); 872 288 if (NT_STATUS_IS_OK(nt_status)) { 873 289 return (nt_status); … … 875 291 } 876 292 877 /* give up? */878 if (level < 1) {879 return NT_STATUS_WRONG_PASSWORD;880 }881 882 /* last chance - all combinations of up to level chars upper! */883 strlower_m(pass2);884 885 nt_status = string_combinations(pass2, password_check, level,886 (void *)rhost);887 if (NT_STATUS_IS_OK(nt_status)) {888 return nt_status;889 }890 891 293 return NT_STATUS_WRONG_PASSWORD; 892 294 } -
vendor/current/source3/auth/proto.h
r860 r988 45 45 uchar chal[8]) ; 46 46 47 /**************************************************************************** 48 Try to get a challenge out of the various authentication modules. 49 Returns a const char of length 8 bytes. 50 ****************************************************************************/ 51 52 NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, 53 uint8_t chal[8]); 54 55 /** 56 * Check a user's Plaintext, LM or NTLM password. 57 * 58 * Check a user's password, as given in the user_info struct and return various 59 * interesting details in the server_info struct. 60 * 61 * This function does NOT need to be in a become_root()/unbecome_root() pair 62 * as it makes the calls itself when needed. 63 * 64 * The return value takes precedence over the contents of the server_info 65 * struct. When the return is other than NT_STATUS_OK the contents 66 * of that structure is undefined. 67 * 68 * @param mem_ctx The memory context to use to allocate server_info 69 * 70 * @param user_info Contains the user supplied components, including the passwords. 71 * Must be created with make_user_info() or one of its wrappers. 72 * 73 * @param auth_context Supplies the challenges and some other data. 74 * Must be created with make_auth_context(), and the challenges should be 75 * filled in, either at creation or by calling the challenge geneation 76 * function auth_get_challenge(). 77 * 78 * @param server_info If successful, contains information about the authentication, 79 * including a struct samu struct describing the user. 80 * 81 * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. 82 * 83 **/ 84 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, 85 const struct auth_context *auth_context, 86 const struct auth_usersupplied_info *user_info, 87 struct auth_serversupplied_info **server_info); 88 47 89 /* The following definitions come from auth/auth_builtin.c */ 48 90 49 91 NTSTATUS auth_builtin_init(void); 50 51 /* The following definitions come from auth/auth_compat.c */52 53 NTSTATUS check_plaintext_password(const char *smb_name,54 DATA_BLOB plaintext_password,55 struct auth_serversupplied_info **server_info);56 bool password_ok(struct auth_context *actx, bool global_encrypted,57 const char *session_workgroup,58 const char *smb_name, DATA_BLOB password_blob);59 92 60 93 /* The following definitions come from auth/auth_domain.c */ … … 63 96 NTSTATUS auth_domain_init(void); 64 97 65 NTSTATUS auth_netlogond_init(void); 98 /* The following definitions come from auth/auth_generic.c */ 99 100 NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context_out); 101 NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address, 102 struct gensec_security **gensec_security_out); 103 104 NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context, 105 TALLOC_CTX *mem_ctx, 106 struct auth_usersupplied_info *user_info, 107 struct auth_session_info **session_info); 66 108 67 109 /* The following definitions come from auth/auth_ntlmssp.c */ 68 110 69 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, 70 struct auth_ntlmssp_state *auth_ntlmssp_state, 71 struct auth_serversupplied_info **session_info); 72 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state); 73 111 NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, 112 TALLOC_CTX *mem_ctx, 113 void *server_returned_info, 114 const char *original_user_name, 115 uint32_t session_info_flags, 116 struct auth_session_info **session_info); 117 118 NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context, 119 uint8_t chal[8]); 120 121 bool auth3_may_set_challenge(struct auth4_context *auth4_context); 122 NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal, 123 const char *challenge_set_by); 124 125 NTSTATUS auth3_check_password(struct auth4_context *auth4_context, 126 TALLOC_CTX *mem_ctx, 127 const struct auth_usersupplied_info *user_info, 128 void **server_returned_info, 129 DATA_BLOB *session_key, DATA_BLOB *lm_session_key); 74 130 75 131 /* The following definitions come from auth/auth_sam.c */ … … 85 141 NTSTATUS auth_sam_init(void); 86 142 87 /* The following definitions come from auth/auth_server.c */88 89 NTSTATUS auth_server_init(void);90 91 143 /* The following definitions come from auth/auth_unix.c */ 92 144 … … 94 146 95 147 /* The following definitions come from auth/auth_util.c */ 96 97 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, 148 struct tsocket_address; 149 150 NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, 151 struct auth_usersupplied_info **user_info, 98 152 const char *smb_name, 99 153 const char *client_domain, 100 154 const char *workstation_name, 101 DATA_BLOB *lm_pwd, 102 DATA_BLOB *nt_pwd, 155 const struct tsocket_address *remote_address, 156 const DATA_BLOB *lm_pwd, 157 const DATA_BLOB *nt_pwd, 103 158 const struct samr_Password *lm_interactive_pwd, 104 159 const struct samr_Password *nt_interactive_pwd, 105 160 const char *plaintext, 106 161 enum auth_password_state password_state); 107 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, 162 bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, 163 struct auth_usersupplied_info **user_info, 108 164 const char *smb_name, 109 165 const char *client_domain, 110 166 const char *workstation_name, 111 uint32 logon_parameters, 167 const struct tsocket_address *remote_address, 168 uint32_t logon_parameters, 112 169 const uchar *lm_network_pwd, 113 170 int lm_pwd_len, 114 171 const uchar *nt_network_pwd, 115 172 int nt_pwd_len); 116 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info, 173 bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, 174 struct auth_usersupplied_info **user_info, 117 175 const char *smb_name, 118 176 const char *client_domain, 119 177 const char *workstation_name, 120 uint32 logon_parameters, 178 const struct tsocket_address *remote_address, 179 uint32_t logon_parameters, 121 180 const uchar chal[8], 122 181 const uchar lm_interactive_pwd[16], 123 const uchar nt_interactive_pwd[16] ,124 const uchar *dc_sess_key); 125 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,182 const uchar nt_interactive_pwd[16]); 183 bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, 184 struct auth_usersupplied_info **user_info, 126 185 const char *smb_name, 127 186 const char *client_domain, 128 const uint8 chal[8], 187 const struct tsocket_address *remote_address, 188 const uint8_t chal[8], 129 189 DATA_BLOB plaintext_password); 130 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, 190 NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx, 191 struct auth_usersupplied_info **user_info, 131 192 const char *smb_name, 132 193 const char *client_domain, 194 const struct tsocket_address *remote_address, 133 195 DATA_BLOB lm_resp, DATA_BLOB nt_resp); 134 bool make_user_info_guest(struct auth_usersupplied_info **user_info) ; 196 bool make_user_info_guest(TALLOC_CTX *mem_ctx, 197 const struct tsocket_address *remote_address, 198 struct auth_usersupplied_info **user_info); 199 135 200 struct samu; 136 NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, 137 struct samu *sampass); 138 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info); 201 NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx, 202 struct samu *sampass, 203 struct auth_serversupplied_info **pserver_info); 204 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, 205 const struct auth_serversupplied_info *server_info, 206 DATA_BLOB *session_key, 207 const char *smb_name, 208 struct auth_session_info **session_info_out); 139 209 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, 140 210 bool is_guest, … … 143 213 struct security_token **token); 144 214 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid); 215 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid); 145 216 bool user_in_group(const char *username, const char *groupname); 146 217 struct passwd; 147 NTSTATUS make_server_info_pw( struct auth_serversupplied_info **server_info,148 149 struct passwd *pwd);150 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, 151 const char *username,152 bool use_guest_token,153 154 struct auth_serversupplied_info **presult);155 struct auth_se rversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,156 const struct auth_serversupplied_info *src);218 NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, 219 const char *unix_username, 220 const struct passwd *pwd, 221 struct auth_serversupplied_info **server_info); 222 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, 223 const char *username, 224 bool is_guest, 225 struct auth_session_info **session_info); 226 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, 227 const struct auth_session_info *src); 157 228 bool init_guest_info(void); 158 NTSTATUS init_system_ info(void);159 bool session_info_set_session_key(struct auth_se rversupplied_info *info,229 NTSTATUS init_system_session_info(void); 230 bool session_info_set_session_key(struct auth_session_info *info, 160 231 DATA_BLOB session_key); 161 232 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, 162 233 struct auth_serversupplied_info **server_info); 234 NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, 235 struct auth_session_info **server_info); 163 236 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx, 164 struct auth_serversupplied_info **session_info); 165 const struct auth_serversupplied_info *get_session_info_system(void); 166 bool copy_current_user(struct current_user *dst, struct current_user *src); 237 struct auth_session_info **session_info); 238 const struct auth_session_info *get_session_info_system(void); 167 239 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, 168 240 char **p_save_username, bool create ); … … 171 243 const char *domain, 172 244 struct auth_serversupplied_info **server_info, 173 struct netr_SamInfo3 *info3);245 const struct netr_SamInfo3 *info3); 174 246 struct wbcAuthUserInfo; 175 247 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, … … 179 251 struct auth_serversupplied_info **server_info); 180 252 void free_user_info(struct auth_usersupplied_info **user_info); 181 bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) ;182 253 bool is_trusted_domain(const char* dom_name); 254 NTSTATUS session_extract_session_key(const struct auth_session_info *session_info, DATA_BLOB *session_key, enum session_key_use_intent intent); 183 255 184 256 /* The following definitions come from auth/user_info.c */ 185 257 186 NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, 258 NTSTATUS make_user_info(TALLOC_CTX *mem_ctx, 259 struct auth_usersupplied_info **ret_user_info, 187 260 const char *smb_name, 188 261 const char *internal_username, … … 190 263 const char *domain, 191 264 const char *workstation_name, 265 const struct tsocket_address *remote_address, 192 266 const DATA_BLOB *lm_pwd, 193 267 const DATA_BLOB *nt_pwd, … … 198 272 void free_user_info(struct auth_usersupplied_info **user_info); 199 273 274 NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx, 275 NTSTATUS status, 276 const char *user, 277 const char *domain, 278 struct auth_serversupplied_info **server_info); 279 200 280 /* The following definitions come from auth/auth_winbind.c */ 201 281 … … 210 290 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx); 211 291 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, 212 uint8_t *pipe_session_key,213 size_t pipe_session_key_len,214 292 struct netr_SamInfo2 *sam2); 215 293 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, 216 uint8_t *pipe_session_key,217 size_t pipe_session_key_len,218 294 struct netr_SamInfo3 *sam3); 219 295 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, 220 uint8_t *pipe_session_key,221 size_t pipe_session_key_len,222 296 struct netr_SamInfo6 *sam6); 297 NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, 298 const struct PAC_LOGON_INFO *logon_info, 299 struct netr_SamInfo3 **pp_info3); 223 300 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, 224 301 struct samu *samu, … … 226 303 struct netr_SamInfo3 **_info3, 227 304 struct extra_auth_info *extra); 305 NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, 306 const char *unix_username, 307 const struct passwd *pwd, 308 struct netr_SamInfo3 **pinfo3, 309 struct extra_auth_info *extra); 228 310 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, 229 struct netr_SamInfo3 *orig); 230 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx, 231 const struct wbcAuthUserInfo *info); 311 const struct netr_SamInfo3 *orig); 232 312 233 313 /* The following definitions come from auth/auth_wbc.c */ … … 237 317 /* The following definitions come from auth/pampass.c */ 238 318 239 bool smb_pam_claim_session(c har *user, char *tty,char *rhost);240 bool smb_pam_close_session(c har *user, char *tty,char *rhost);319 bool smb_pam_claim_session(const char *user, const char *tty, const char *rhost); 320 bool smb_pam_close_session(const char *user, const char *tty, const char *rhost); 241 321 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost); 242 322 NTSTATUS smb_pam_passcheck(const char * user, const char * rhost, … … 244 324 bool smb_pam_passchange(const char *user, const char *rhost, 245 325 const char *oldpassword, const char *newpassword); 246 bool smb_pam_claim_session(char *user, char *tty, char *rhost);247 bool smb_pam_close_session(char *in_user, char *tty, char *rhost);248 326 249 327 /* The following definitions come from auth/pass_check.c */ … … 259 337 260 338 bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token ); 261 bool nt_token_check_domain_rid( struct security_token *token, uint32 rid );339 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid ); 262 340 struct security_token *get_root_nt_token( void ); 263 341 NTSTATUS add_aliases(const struct dom_sid *domain_sid, … … 270 348 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, 271 349 bool is_guest, 272 struct netr_SamInfo3 *info3,273 struct extra_auth_info *extra,350 const struct netr_SamInfo3 *info3, 351 const struct extra_auth_info *extra, 274 352 struct security_token **ntok); 275 353 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, … … 280 358 bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out); 281 359 bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname); 282 bool user_in_list(TALLOC_CTX *ctx, const char *user, const char **list);360 bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list); 283 361 284 362 /* The following definitions come from auth/user_krb5.c */ … … 294 372 char **username, 295 373 struct passwd **_pw); 296 NTSTATUS make_se rver_info_krb5(TALLOC_CTX *mem_ctx,374 NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, 297 375 char *ntuser, 298 376 char *ntdomain, 299 377 char *username, 300 378 struct passwd *pw, 301 struct PAC_LOGON_INFO *logon_info, 302 bool mapped_to_guest, 303 struct auth_serversupplied_info **server_info); 379 const struct netr_SamInfo3 *info3, 380 bool mapped_to_guest, bool username_was_mapped, 381 DATA_BLOB *session_key, 382 struct auth_session_info **session_info); 383 384 /* The following definitions come from auth/auth_samba4.c */ 385 386 NTSTATUS auth_samba4_init(void); 304 387 305 388 #endif /* _AUTH_PROTO_H_ */ -
vendor/current/source3/auth/server_info.c
r860 r988 25 25 #include "rpc_client/util_netlogon.h" 26 26 #include "nsswitch/libwbclient/wbclient.h" 27 #include "lib/winbind_util.h" 27 28 #include "passdb.h" 28 29 29 30 #undef DBGC_CLASS 30 31 #define DBGC_CLASS DBGC_AUTH 31 32 /* FIXME: do we really still need this ? */33 static int server_info_dtor(struct auth_serversupplied_info *server_info)34 {35 TALLOC_FREE(server_info->info3);36 ZERO_STRUCTP(server_info);37 return 0;38 }39 32 40 33 /*************************************************************************** … … 46 39 struct auth_serversupplied_info *result; 47 40 48 result = TALLOC_ZERO_P(mem_ctx, struct auth_serversupplied_info);41 result = talloc_zero(mem_ctx, struct auth_serversupplied_info); 49 42 if (result == NULL) { 50 43 DEBUG(0, ("talloc failed\n")); 51 44 return NULL; 52 45 } 53 54 talloc_set_destructor(result, server_info_dtor);55 46 56 47 /* Initialise the uid and gid values to something non-zero … … 70 61 71 62 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, 72 uint8_t *pipe_session_key,73 size_t pipe_session_key_len,74 63 struct netr_SamInfo2 *sam2) 75 64 { … … 81 70 } 82 71 83 if (server_info-> user_session_key.length) {72 if (server_info->session_key.length) { 84 73 memcpy(info3->base.key.key, 85 server_info-> user_session_key.data,74 server_info->session_key.data, 86 75 MIN(sizeof(info3->base.key.key), 87 server_info->user_session_key.length)); 88 if (pipe_session_key) { 89 arcfour_crypt(info3->base.key.key, 90 pipe_session_key, 16); 91 } 76 server_info->session_key.length)); 92 77 } 93 78 if (server_info->lm_session_key.length) { … … 96 81 MIN(sizeof(info3->base.LMSessKey.key), 97 82 server_info->lm_session_key.length)); 98 if (pipe_session_key) {99 arcfour_crypt(info3->base.LMSessKey.key,100 pipe_session_key, 8);101 }102 83 } 103 84 … … 113 94 114 95 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info, 115 uint8_t *pipe_session_key,116 size_t pipe_session_key_len,117 96 struct netr_SamInfo3 *sam3) 118 97 { … … 124 103 } 125 104 126 if (server_info-> user_session_key.length) {105 if (server_info->session_key.length) { 127 106 memcpy(info3->base.key.key, 128 server_info-> user_session_key.data,107 server_info->session_key.data, 129 108 MIN(sizeof(info3->base.key.key), 130 server_info->user_session_key.length)); 131 if (pipe_session_key) { 132 arcfour_crypt(info3->base.key.key, 133 pipe_session_key, 16); 134 } 109 server_info->session_key.length)); 135 110 } 136 111 if (server_info->lm_session_key.length) { … … 139 114 MIN(sizeof(info3->base.LMSessKey.key), 140 115 server_info->lm_session_key.length)); 141 if (pipe_session_key) {142 arcfour_crypt(info3->base.LMSessKey.key,143 pipe_session_key, 8);144 }145 116 } 146 117 … … 159 130 160 131 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, 161 uint8_t *pipe_session_key,162 size_t pipe_session_key_len,163 132 struct netr_SamInfo6 *sam6) 164 133 { … … 182 151 } 183 152 184 if (server_info-> user_session_key.length) {153 if (server_info->session_key.length) { 185 154 memcpy(info3->base.key.key, 186 server_info-> user_session_key.data,155 server_info->session_key.data, 187 156 MIN(sizeof(info3->base.key.key), 188 server_info->user_session_key.length)); 189 if (pipe_session_key) { 190 arcfour_crypt(info3->base.key.key, 191 pipe_session_key, 16); 192 } 157 server_info->session_key.length)); 193 158 } 194 159 if (server_info->lm_session_key.length) { … … 197 162 MIN(sizeof(info3->base.LMSessKey.key), 198 163 server_info->lm_session_key.length)); 199 if (pipe_session_key) {200 arcfour_crypt(info3->base.LMSessKey.key,201 pipe_session_key, 8);202 }203 164 } 204 165 … … 293 254 } 294 255 295 #define RET_NOMEM(ptr) do { \ 296 if (!ptr) { \ 297 TALLOC_FREE(info3); \ 298 return NT_STATUS_NO_MEMORY; \ 299 } } while(0) 300 301 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, 302 struct samu *samu, 303 const char *login_server, 304 struct netr_SamInfo3 **_info3, 305 struct extra_auth_info *extra) 306 { 307 struct netr_SamInfo3 *info3; 308 const struct dom_sid *user_sid; 309 const struct dom_sid *group_sid; 310 struct dom_sid domain_sid; 311 struct dom_sid *group_sids; 312 uint32_t num_group_sids = 0; 313 const char *tmp; 314 gid_t *gids; 256 /* 257 * Merge resource SIDs, if any, into the passed in info3 structure. 258 */ 259 260 static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info, 261 struct netr_SamInfo3 *info3) 262 { 263 uint32_t i = 0; 264 265 if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) { 266 return NT_STATUS_OK; 267 } 268 269 /* 270 * If there are any resource groups (SID Compression) add 271 * them to the extra sids portion of the info3 in the PAC. 272 * 273 * This makes the info3 look like it would if we got the info 274 * from the DC rather than the PAC. 275 */ 276 277 /* 278 * Construct a SID for each RID in the list and then append it 279 * to the info3. 280 */ 281 for (i = 0; i < logon_info->res_groups.count; i++) { 282 NTSTATUS status; 283 struct dom_sid new_sid; 284 uint32_t attributes = logon_info->res_groups.rids[i].attributes; 285 286 sid_compose(&new_sid, 287 logon_info->res_group_dom_sid, 288 logon_info->res_groups.rids[i].rid); 289 290 DEBUG(10, ("Adding SID %s to extra SIDS\n", 291 sid_string_dbg(&new_sid))); 292 293 status = append_netr_SidAttr(info3, &info3->sids, 294 &info3->sidcount, 295 &new_sid, 296 attributes); 297 if (!NT_STATUS_IS_OK(status)) { 298 DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n", 299 sid_string_dbg(&new_sid), 300 nt_errstr(status))); 301 return status; 302 } 303 } 304 305 return NT_STATUS_OK; 306 } 307 308 /* 309 * Create a copy of an info3 struct from the struct PAC_LOGON_INFO, 310 * then merge resource SIDs, if any, into it. If successful return 311 * the created info3 struct. 312 */ 313 314 NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, 315 const struct PAC_LOGON_INFO *logon_info, 316 struct netr_SamInfo3 **pp_info3) 317 { 315 318 NTSTATUS status; 316 bool ok; 317 318 user_sid = pdb_get_user_sid(samu); 319 group_sid = pdb_get_group_sid(samu); 320 321 if (!user_sid || !group_sid) { 322 DEBUG(1, ("Sam account is missing sids!\n")); 323 return NT_STATUS_UNSUCCESSFUL; 324 } 325 326 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3); 327 if (!info3) { 328 return NT_STATUS_NO_MEMORY; 329 } 330 331 ZERO_STRUCT(domain_sid); 332 333 /* check if this is a "Unix Users" domain user, 334 * we need to handle it in a special way if that's the case */ 319 struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx, 320 &logon_info->info3); 321 if (info3 == NULL) { 322 return NT_STATUS_NO_MEMORY; 323 } 324 status = merge_resource_sids(logon_info, info3); 325 if (!NT_STATUS_IS_OK(status)) { 326 TALLOC_FREE(info3); 327 return status; 328 } 329 *pp_info3 = info3; 330 return NT_STATUS_OK; 331 } 332 333 /* 334 * Check if this is a "Unix Users" domain user, or a 335 * "Unix Groups" domain group, we need to handle it 336 * in a special way if that's the case. 337 */ 338 339 static NTSTATUS SamInfo3_handle_sids(const char *username, 340 const struct dom_sid *user_sid, 341 const struct dom_sid *group_sid, 342 struct netr_SamInfo3 *info3, 343 struct dom_sid *domain_sid, 344 struct extra_auth_info *extra) 345 { 335 346 if (sid_check_is_in_unix_users(user_sid)) { 336 347 /* in info3 you can only set rids for the user and the … … 345 356 sid_copy(&extra->user_sid, user_sid); 346 357 347 DEBUG(10, ("Unix User found in struct samu. Rid marked as "348 349 358 DEBUG(10, ("Unix User found. Rid marked as " 359 "special and sid (%s) saved as extra sid\n", 360 sid_string_dbg(user_sid))); 350 361 } else { 351 sid_copy( &domain_sid, user_sid);352 sid_split_rid( &domain_sid, &info3->base.rid);353 } 354 355 if (is_null_sid( &domain_sid)) {356 sid_copy( &domain_sid, get_global_sam_sid());362 sid_copy(domain_sid, user_sid); 363 sid_split_rid(domain_sid, &info3->base.rid); 364 } 365 366 if (is_null_sid(domain_sid)) { 367 sid_copy(domain_sid, get_global_sam_sid()); 357 368 } 358 369 … … 371 382 sid_copy(&extra->pgid_sid, group_sid); 372 383 373 DEBUG(10, ("Unix Group found in struct samu. Rid marked as " 374 "special and sid (%s) saved as extra sid\n", 375 sid_string_dbg(group_sid))); 376 384 DEBUG(10, ("Unix Group found. Rid marked as " 385 "special and sid (%s) saved as extra sid\n", 386 sid_string_dbg(group_sid))); 377 387 } else { 378 ok = sid_peek_check_rid(&domain_sid, group_sid,388 bool ok = sid_peek_check_rid(domain_sid, group_sid, 379 389 &info3->base.primary_gid); 380 390 if (!ok) { 381 391 DEBUG(1, ("The primary group domain sid(%s) does not " 382 "match the domain sid(%s) for %s(%s)\n", 383 sid_string_dbg(group_sid), 384 sid_string_dbg(&domain_sid), 385 pdb_get_username(samu), 386 sid_string_dbg(user_sid))); 387 TALLOC_FREE(info3); 388 return NT_STATUS_UNSUCCESSFUL; 389 } 390 } 391 392 unix_to_nt_time(&info3->base.last_logon, pdb_get_logon_time(samu)); 393 unix_to_nt_time(&info3->base.last_logoff, get_time_t_max()); 394 unix_to_nt_time(&info3->base.acct_expiry, get_time_t_max()); 392 "match the domain sid(%s) for %s(%s)\n", 393 sid_string_dbg(group_sid), 394 sid_string_dbg(domain_sid), 395 username, 396 sid_string_dbg(user_sid))); 397 return NT_STATUS_INVALID_SID; 398 } 399 } 400 return NT_STATUS_OK; 401 } 402 403 #define RET_NOMEM(ptr) do { \ 404 if (!ptr) { \ 405 TALLOC_FREE(info3); \ 406 return NT_STATUS_NO_MEMORY; \ 407 } } while(0) 408 409 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, 410 struct samu *samu, 411 const char *login_server, 412 struct netr_SamInfo3 **_info3, 413 struct extra_auth_info *extra) 414 { 415 struct netr_SamInfo3 *info3; 416 const struct dom_sid *user_sid; 417 const struct dom_sid *group_sid; 418 struct dom_sid domain_sid; 419 struct dom_sid *group_sids; 420 uint32_t num_group_sids = 0; 421 const char *tmp; 422 gid_t *gids; 423 NTSTATUS status; 424 425 user_sid = pdb_get_user_sid(samu); 426 group_sid = pdb_get_group_sid(samu); 427 428 if (!user_sid || !group_sid) { 429 DEBUG(1, ("Sam account is missing sids!\n")); 430 return NT_STATUS_UNSUCCESSFUL; 431 } 432 433 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3); 434 if (!info3) { 435 return NT_STATUS_NO_MEMORY; 436 } 437 438 ZERO_STRUCT(domain_sid); 439 440 status = SamInfo3_handle_sids(pdb_get_username(samu), 441 user_sid, 442 group_sid, 443 info3, 444 &domain_sid, 445 extra); 446 447 if (!NT_STATUS_IS_OK(status)) { 448 TALLOC_FREE(info3); 449 return status; 450 } 451 452 unix_to_nt_time(&info3->base.logon_time, pdb_get_logon_time(samu)); 453 unix_to_nt_time(&info3->base.logoff_time, get_time_t_max()); 454 unix_to_nt_time(&info3->base.kickoff_time, get_time_t_max()); 395 455 unix_to_nt_time(&info3->base.last_password_change, 396 456 pdb_get_pass_last_set_time(samu)); … … 434 494 info3->base.bad_password_count = pdb_get_bad_password_count(samu); 435 495 436 info3->base. domain.string = talloc_strdup(info3,496 info3->base.logon_domain.string = talloc_strdup(info3, 437 497 pdb_get_domain(samu)); 438 RET_NOMEM(info3->base. domain.string);498 RET_NOMEM(info3->base.logon_domain.string); 439 499 440 500 info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); … … 477 537 } 478 538 539 NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, 540 const char *unix_username, 541 const struct passwd *pwd, 542 struct netr_SamInfo3 **pinfo3, 543 struct extra_auth_info *extra) 544 { 545 struct netr_SamInfo3 *info3; 546 NTSTATUS status; 547 TALLOC_CTX *tmp_ctx; 548 const char *domain_name = NULL; 549 const char *user_name = NULL; 550 struct dom_sid domain_sid; 551 struct dom_sid user_sid; 552 struct dom_sid group_sid; 553 enum lsa_SidType type; 554 uint32_t num_sids = 0; 555 struct dom_sid *user_sids = NULL; 556 bool is_null; 557 bool ok; 558 559 tmp_ctx = talloc_stackframe(); 560 561 ok = lookup_name_smbconf(tmp_ctx, 562 unix_username, 563 LOOKUP_NAME_ALL, 564 &domain_name, 565 &user_name, 566 &user_sid, 567 &type); 568 if (!ok) { 569 status = NT_STATUS_NO_SUCH_USER; 570 goto done; 571 } 572 573 if (type != SID_NAME_USER) { 574 status = NT_STATUS_NO_SUCH_USER; 575 goto done; 576 } 577 578 ok = winbind_lookup_usersids(tmp_ctx, 579 &user_sid, 580 &num_sids, 581 &user_sids); 582 /* Check if winbind is running */ 583 if (ok) { 584 /* 585 * Winbind is running and the first element of the user_sids 586 * is the primary group. 587 */ 588 if (num_sids > 0) { 589 group_sid = user_sids[0]; 590 } 591 } else { 592 /* 593 * Winbind is not running, try to create the group_sid from the 594 * passwd group id. 595 */ 596 597 /* 598 * This can lead to a primary group of S-1-22-2-XX which 599 * will be rejected by other Samba code. 600 */ 601 gid_to_sid(&group_sid, pwd->pw_gid); 602 } 603 604 /* 605 * If we are a unix group, or a wellknown/builtin alias, 606 * set the group_sid to the 607 * 'Domain Users' RID of 513 which will always resolve to a 608 * name. 609 */ 610 if (sid_check_is_in_unix_groups(&group_sid) || 611 sid_check_is_in_builtin(&group_sid) || 612 sid_check_is_in_wellknown_domain(&group_sid)) { 613 if (sid_check_is_in_unix_users(&user_sid)) { 614 sid_compose(&group_sid, 615 get_global_sam_sid(), 616 DOMAIN_RID_USERS); 617 } else { 618 sid_copy(&domain_sid, &user_sid); 619 sid_split_rid(&domain_sid, NULL); 620 sid_compose(&group_sid, 621 &domain_sid, 622 DOMAIN_RID_USERS); 623 } 624 } 625 626 /* Make sure we have a valid group sid */ 627 is_null = is_null_sid(&group_sid); 628 if (is_null) { 629 status = NT_STATUS_NO_SUCH_USER; 630 goto done; 631 } 632 633 /* Construct a netr_SamInfo3 from the information we have */ 634 info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3); 635 if (!info3) { 636 status = NT_STATUS_NO_MEMORY; 637 goto done; 638 } 639 640 info3->base.account_name.string = talloc_strdup(info3, unix_username); 641 if (info3->base.account_name.string == NULL) { 642 status = NT_STATUS_NO_MEMORY; 643 goto done; 644 } 645 646 ZERO_STRUCT(domain_sid); 647 648 status = SamInfo3_handle_sids(unix_username, 649 &user_sid, 650 &group_sid, 651 info3, 652 &domain_sid, 653 extra); 654 655 if (!NT_STATUS_IS_OK(status)) { 656 goto done; 657 } 658 659 info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); 660 if (info3->base.domain_sid == NULL) { 661 status = NT_STATUS_NO_MEMORY; 662 goto done; 663 } 664 665 ok = sid_peek_check_rid(&domain_sid, &group_sid, 666 &info3->base.primary_gid); 667 if (!ok) { 668 DEBUG(1, ("The primary group domain sid(%s) does not " 669 "match the domain sid(%s) for %s(%s)\n", 670 sid_string_dbg(&group_sid), 671 sid_string_dbg(&domain_sid), 672 unix_username, 673 sid_string_dbg(&user_sid))); 674 status = NT_STATUS_INVALID_SID; 675 goto done; 676 } 677 678 info3->base.acct_flags = ACB_NORMAL; 679 680 if (num_sids) { 681 status = group_sids_to_info3(info3, user_sids, num_sids); 682 if (!NT_STATUS_IS_OK(status)) { 683 goto done; 684 } 685 } 686 687 *pinfo3 = talloc_steal(mem_ctx, info3); 688 689 status = NT_STATUS_OK; 690 done: 691 talloc_free(tmp_ctx); 692 693 return status; 694 } 695 479 696 #undef RET_NOMEM 480 697 … … 486 703 487 704 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, 488 struct netr_SamInfo3 *orig)705 const struct netr_SamInfo3 *orig) 489 706 { 490 707 struct netr_SamInfo3 *info3; … … 518 735 } 519 736 520 static NTSTATUS wbcsids_to_samr_RidWithAttributeArray(521 TALLOC_CTX *mem_ctx,522 struct samr_RidWithAttributeArray *groups,523 const struct dom_sid *domain_sid,524 const struct wbcSidWithAttr *sids,525 size_t num_sids)526 {527 unsigned int i, j = 0;528 bool ok;529 530 groups->rids = talloc_array(mem_ctx,531 struct samr_RidWithAttribute, num_sids);532 if (!groups->rids) {533 return NT_STATUS_NO_MEMORY;534 }535 536 /* a wbcDomainSid is the same as a dom_sid */537 for (i = 0; i < num_sids; i++) {538 ok = sid_peek_check_rid(domain_sid,539 (const struct dom_sid *)&sids[i].sid,540 &groups->rids[j].rid);541 if (!ok) continue;542 543 groups->rids[j].attributes = SE_GROUP_MANDATORY |544 SE_GROUP_ENABLED_BY_DEFAULT |545 SE_GROUP_ENABLED;546 j++;547 }548 549 groups->count = j;550 return NT_STATUS_OK;551 }552 553 static NTSTATUS wbcsids_to_netr_SidAttrArray(554 const struct dom_sid *domain_sid,555 const struct wbcSidWithAttr *sids,556 size_t num_sids,557 TALLOC_CTX *mem_ctx,558 struct netr_SidAttr **_info3_sids,559 uint32_t *info3_num_sids)560 {561 unsigned int i, j = 0;562 struct netr_SidAttr *info3_sids;563 564 info3_sids = talloc_array(mem_ctx, struct netr_SidAttr, num_sids);565 if (info3_sids == NULL) {566 return NT_STATUS_NO_MEMORY;567 }568 569 /* a wbcDomainSid is the same as a dom_sid */570 for (i = 0; i < num_sids; i++) {571 const struct dom_sid *sid;572 573 sid = (const struct dom_sid *)&sids[i].sid;574 575 if (dom_sid_in_domain(domain_sid, sid)) {576 continue;577 }578 579 info3_sids[j].sid = dom_sid_dup(info3_sids, sid);580 if (info3_sids[j].sid == NULL) {581 talloc_free(info3_sids);582 return NT_STATUS_NO_MEMORY;583 }584 info3_sids[j].attributes = SE_GROUP_MANDATORY |585 SE_GROUP_ENABLED_BY_DEFAULT |586 SE_GROUP_ENABLED;587 j++;588 }589 590 *info3_num_sids = j;591 *_info3_sids = info3_sids;592 return NT_STATUS_OK;593 }594 595 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,596 const struct wbcAuthUserInfo *info)597 {598 struct netr_SamInfo3 *info3;599 struct dom_sid user_sid;600 struct dom_sid group_sid;601 struct dom_sid domain_sid;602 NTSTATUS status;603 bool ok;604 605 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));606 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));607 608 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);609 if (!info3) return NULL;610 611 unix_to_nt_time(&info3->base.last_logon, info->logon_time);612 unix_to_nt_time(&info3->base.last_logoff, info->logoff_time);613 unix_to_nt_time(&info3->base.acct_expiry, info->kickoff_time);614 unix_to_nt_time(&info3->base.last_password_change, info->pass_last_set_time);615 unix_to_nt_time(&info3->base.allow_password_change,616 info->pass_can_change_time);617 unix_to_nt_time(&info3->base.force_password_change,618 info->pass_must_change_time);619 620 if (info->account_name) {621 info3->base.account_name.string =622 talloc_strdup(info3, info->account_name);623 RET_NOMEM(info3->base.account_name.string);624 }625 if (info->full_name) {626 info3->base.full_name.string =627 talloc_strdup(info3, info->full_name);628 RET_NOMEM(info3->base.full_name.string);629 }630 if (info->logon_script) {631 info3->base.logon_script.string =632 talloc_strdup(info3, info->logon_script);633 RET_NOMEM(info3->base.logon_script.string);634 }635 if (info->profile_path) {636 info3->base.profile_path.string =637 talloc_strdup(info3, info->profile_path);638 RET_NOMEM(info3->base.profile_path.string);639 }640 if (info->home_directory) {641 info3->base.home_directory.string =642 talloc_strdup(info3, info->home_directory);643 RET_NOMEM(info3->base.home_directory.string);644 }645 if (info->home_drive) {646 info3->base.home_drive.string =647 talloc_strdup(info3, info->home_drive);648 RET_NOMEM(info3->base.home_drive.string);649 }650 651 info3->base.logon_count = info->logon_count;652 info3->base.bad_password_count = info->bad_password_count;653 654 sid_copy(&domain_sid, &user_sid);655 sid_split_rid(&domain_sid, &info3->base.rid);656 657 ok = sid_peek_check_rid(&domain_sid, &group_sid,658 &info3->base.primary_gid);659 if (!ok) {660 DEBUG(1, ("The primary group sid domain does not"661 "match user sid domain for user: %s\n",662 info->account_name));663 TALLOC_FREE(info3);664 return NULL;665 }666 667 status = wbcsids_to_samr_RidWithAttributeArray(info3,668 &info3->base.groups,669 &domain_sid,670 &info->sids[1],671 info->num_sids - 1);672 if (!NT_STATUS_IS_OK(status)) {673 TALLOC_FREE(info3);674 return NULL;675 }676 677 status = wbcsids_to_netr_SidAttrArray(&domain_sid,678 &info->sids[1],679 info->num_sids - 1,680 info3,681 &info3->sids,682 &info3->sidcount);683 if (!NT_STATUS_IS_OK(status)) {684 TALLOC_FREE(info3);685 return NULL;686 }687 688 info3->base.user_flags = info->user_flags;689 memcpy(info3->base.key.key, info->user_session_key, 16);690 691 if (info->logon_server) {692 info3->base.logon_server.string =693 talloc_strdup(info3, info->logon_server);694 RET_NOMEM(info3->base.logon_server.string);695 }696 if (info->domain_name) {697 info3->base.domain.string =698 talloc_strdup(info3, info->domain_name);699 RET_NOMEM(info3->base.domain.string);700 }701 702 info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);703 RET_NOMEM(info3->base.domain_sid);704 705 memcpy(info3->base.LMSessKey.key, info->lm_session_key, 8);706 info3->base.acct_flags = info->acct_flags;707 708 return info3;709 } -
vendor/current/source3/auth/server_info_sam.c
r860 r988 50 50 } 51 51 truncname[ulen-1] = '\0'; 52 ret = strequal(truncname, global_myname());52 ret = strequal(truncname, lp_netbios_name()); 53 53 SAFE_FREE(truncname); 54 54 return ret; … … 59 59 ***************************************************************************/ 60 60 61 NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, 62 struct samu *sampass) 61 NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx, 62 struct samu *sampass, 63 struct auth_serversupplied_info **pserver_info) 63 64 { 64 65 struct passwd *pwd; 65 struct auth_serversupplied_info * result;66 struct auth_serversupplied_info *server_info; 66 67 const char *username = pdb_get_username(sampass); 68 TALLOC_CTX *tmp_ctx; 67 69 NTSTATUS status; 68 70 69 if ( !(result = make_server_info(NULL)) ) { 71 tmp_ctx = talloc_stackframe(); 72 if (tmp_ctx == NULL) { 70 73 return NT_STATUS_NO_MEMORY; 71 74 } 72 75 73 if ( !(pwd = Get_Pwnam_alloc(result, username)) ) { 76 server_info = make_server_info(tmp_ctx); 77 if (server_info == NULL) { 78 status = NT_STATUS_NO_MEMORY; 79 goto out; 80 } 81 82 pwd = Get_Pwnam_alloc(tmp_ctx, username); 83 if (pwd == NULL) { 74 84 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", 75 85 pdb_get_username(sampass))); 76 TALLOC_FREE(result);77 return NT_STATUS_NO_SUCH_USER;86 status = NT_STATUS_NO_SUCH_USER; 87 goto out; 78 88 } 79 89 80 status = samu_to_SamInfo3(result, sampass, global_myname(), 81 &result->info3, &result->extra); 90 status = samu_to_SamInfo3(server_info, 91 sampass, 92 lp_netbios_name(), 93 &server_info->info3, 94 &server_info->extra); 82 95 if (!NT_STATUS_IS_OK(status)) { 83 TALLOC_FREE(result); 84 return status; 96 goto out; 85 97 } 86 98 87 result->unix_name = pwd->pw_name; 88 /* Ensure that we keep pwd->pw_name, because we will free pwd below */ 89 talloc_steal(result, pwd->pw_name); 90 result->utok.gid = pwd->pw_gid; 91 result->utok.uid = pwd->pw_uid; 99 server_info->unix_name = talloc_steal(server_info, pwd->pw_name); 92 100 93 TALLOC_FREE(pwd); 94 95 result->sanitized_username = sanitize_username(result, 96 result->unix_name); 97 if (result->sanitized_username == NULL) { 98 TALLOC_FREE(result); 99 return NT_STATUS_NO_MEMORY; 100 } 101 server_info->utok.gid = pwd->pw_gid; 102 server_info->utok.uid = pwd->pw_uid; 101 103 102 104 if (IS_DC && is_our_machine_account(username)) { … … 118 120 119 121 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", 120 pdb_get_username(sampass), result->unix_name));122 pdb_get_username(sampass), server_info->unix_name)); 121 123 122 * server_info = result;124 *pserver_info = talloc_steal(mem_ctx, server_info); 123 125 124 return NT_STATUS_OK; 126 status = NT_STATUS_OK; 127 out: 128 talloc_free(tmp_ctx); 129 130 return status; 125 131 } -
vendor/current/source3/auth/token_util.c
r740 r988 26 26 27 27 #include "includes.h" 28 #include "system/passwd.h" 28 29 #include "auth.h" 29 30 #include "secrets.h" 30 #include " memcache.h"31 #include "../lib/util/memcache.h" 31 32 #include "../librpc/gen_ndr/netlogon.h" 32 33 #include "../libcli/security/security.h" … … 47 48 } 48 49 49 bool nt_token_check_domain_rid( struct security_token *token, uint32 rid )50 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid ) 50 51 { 51 52 struct dom_sid domain_sid; … … 93 94 } 94 95 95 if ( !(pw = sys_getpwuid(0)) ) {96 if ( !(pw = sys_getpwnam("root")) ) {97 DEBUG(0,("get_root_nt_token: both sys_getpwuid(0) "98 "and sys_getpwnam(\"root\") failed!\n"));96 if ( !(pw = getpwuid(0)) ) { 97 if ( !(pw = getpwnam("root")) ) { 98 DEBUG(0,("get_root_nt_token: both getpwuid(0) " 99 "and getpwnam(\"root\") failed!\n")); 99 100 return NULL; 100 101 } … … 129 130 struct security_token *token) 130 131 { 131 uint32 *aliases;132 uint32_t *aliases; 132 133 size_t i, num_aliases; 133 134 NTSTATUS status; … … 212 213 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, 213 214 bool is_guest, 214 struct netr_SamInfo3 *info3,215 struct extra_auth_info *extra,215 const struct netr_SamInfo3 *info3, 216 const struct extra_auth_info *extra, 216 217 struct security_token **ntok) 217 218 { … … 339 340 sid_string_dbg(user_sid))); 340 341 341 if (!(result = TALLOC_ZERO_P(mem_ctx, struct security_token))) {342 if (!(result = talloc_zero(mem_ctx, struct security_token))) { 342 343 DEBUG(0, ("talloc failed\n")); 343 344 return NULL; … … 389 390 } 390 391 392 /*************************************************** 393 Merge in any groups from /etc/group. 394 ***************************************************/ 395 396 static NTSTATUS add_local_groups(struct security_token *result, 397 bool is_guest) 398 { 399 gid_t *gids = NULL; 400 uint32_t getgroups_num_group_sids = 0; 401 struct passwd *pass = NULL; 402 TALLOC_CTX *tmp_ctx = talloc_stackframe(); 403 int i; 404 405 if (is_guest) { 406 /* 407 * Guest is a special case. It's always 408 * a user that can be looked up, but 409 * result->sids[0] is set to DOMAIN\Guest. 410 * Lookup by account name instead. 411 */ 412 pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account()); 413 } else { 414 uid_t uid; 415 416 /* For non-guest result->sids[0] is always the user sid. */ 417 if (!sid_to_uid(&result->sids[0], &uid)) { 418 /* 419 * Non-mappable SID like SYSTEM. 420 * Can't be in any /etc/group groups. 421 */ 422 TALLOC_FREE(tmp_ctx); 423 return NT_STATUS_OK; 424 } 425 426 pass = getpwuid_alloc(tmp_ctx, uid); 427 if (pass == NULL) { 428 DEBUG(1, ("SID %s -> getpwuid(%u) failed\n", 429 sid_string_dbg(&result->sids[0]), 430 (unsigned int)uid)); 431 } 432 } 433 434 if (!pass) { 435 TALLOC_FREE(tmp_ctx); 436 return NT_STATUS_UNSUCCESSFUL; 437 } 438 439 /* 440 * Now we must get any groups this user has been 441 * added to in /etc/group and merge them in. 442 * This has to be done in every code path 443 * that creates an NT token, as remote users 444 * may have been added to the local /etc/group 445 * database. Tokens created merely from the 446 * info3 structs (via the DC or via the krb5 PAC) 447 * won't have these local groups. Note the 448 * groups added here will only be UNIX groups 449 * (S-1-22-2-XXXX groups) as getgroups_unix_user() 450 * turns off winbindd before calling getgroups(). 451 * 452 * NB. This is duplicating work already 453 * done in the 'unix_user:' case of 454 * create_token_from_sid() but won't 455 * do anything other than be inefficient 456 * in that case. 457 */ 458 459 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid, 460 &gids, &getgroups_num_group_sids)) { 461 DEBUG(1, ("getgroups_unix_user for user %s failed\n", 462 pass->pw_name)); 463 TALLOC_FREE(tmp_ctx); 464 return NT_STATUS_UNSUCCESSFUL; 465 } 466 467 for (i=0; i<getgroups_num_group_sids; i++) { 468 NTSTATUS status; 469 struct dom_sid grp_sid; 470 gid_to_sid(&grp_sid, gids[i]); 471 472 status = add_sid_to_array_unique(result, 473 &grp_sid, 474 &result->sids, 475 &result->num_sids); 476 if (!NT_STATUS_IS_OK(status)) { 477 DEBUG(3, ("Failed to add UNIX SID to nt token\n")); 478 TALLOC_FREE(tmp_ctx); 479 return status; 480 } 481 } 482 TALLOC_FREE(tmp_ctx); 483 return NT_STATUS_OK; 484 } 485 391 486 static NTSTATUS finalize_local_nt_token(struct security_token *result, 392 487 bool is_guest) 393 488 { 394 489 struct dom_sid dom_sid; 395 gid_t gid;396 490 NTSTATUS status; 491 struct acct_info *info; 492 493 /* Add any local groups. */ 494 495 status = add_local_groups(result, is_guest); 496 if (!NT_STATUS_IS_OK(status)) { 497 return status; 498 } 397 499 398 500 /* Add in BUILTIN sids */ … … 426 528 } 427 529 530 info = talloc_zero(talloc_tos(), struct acct_info); 531 if (info == NULL) { 532 DEBUG(0, ("talloc failed!\n")); 533 return NT_STATUS_NO_MEMORY; 534 } 535 428 536 /* Deal with the BUILTIN\Administrators group. If the SID can 429 537 be resolved then assume that the add_aliasmem( S-1-5-32 ) 430 538 handled it. */ 431 539 432 if (!sid_to_gid(&global_sid_Builtin_Administrators, &gid)) { 540 status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info); 541 if (!NT_STATUS_IS_OK(status)) { 433 542 434 543 become_root(); … … 461 570 handled it. */ 462 571 463 if (!sid_to_gid(&global_sid_Builtin_Users, &gid)) { 572 status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info); 573 if (!NT_STATUS_IS_OK(status)) { 464 574 465 575 become_root(); … … 481 591 } 482 592 593 TALLOC_FREE(info); 594 483 595 /* Deal with local groups */ 484 596 … … 536 648 537 649 /* 538 * Create an artificial NT token given just a username. (Initially intended 539 * for force user) 540 * 541 * We go through lookup_name() to avoid problems we had with 'winbind use 542 * default domain'. 650 * Create an artificial NT token given just a domain SID. 543 651 * 544 652 * We have 3 cases: … … 554 662 */ 555 663 556 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, 557 bool is_guest, 558 uid_t *uid, gid_t *gid, 559 char **found_username, 560 struct security_token **token) 664 static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx, 665 const struct dom_sid *user_sid, 666 bool is_guest, 667 uid_t *uid, gid_t *gid, 668 char **found_username, 669 struct security_token **token) 561 670 { 562 671 NTSTATUS result = NT_STATUS_NO_SUCH_USER; 563 672 TALLOC_CTX *tmp_ctx = talloc_stackframe(); 564 struct dom_sid user_sid;565 enum lsa_SidType type;566 673 gid_t *gids; 567 674 struct dom_sid *group_sids; 568 struct dom_sid unix_group_sid;569 675 uint32_t num_group_sids; 570 676 uint32_t num_gids; 571 677 uint32_t i; 572 573 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL, 574 NULL, NULL, &user_sid, &type)) { 575 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username)); 576 goto done; 577 } 578 579 if (type != SID_NAME_USER) { 580 DEBUG(1, ("%s is a %s, not a user\n", username, 581 sid_type_lookup(type))); 582 goto done; 583 } 584 585 if (sid_check_is_in_our_domain(&user_sid)) { 678 uint32_t high, low; 679 bool range_ok; 680 681 if (sid_check_is_in_our_sam(user_sid)) { 586 682 bool ret; 587 683 uint32_t pdb_num_group_sids; … … 596 692 597 693 become_root(); 598 ret = pdb_getsampwsid(sam_acct, &user_sid);694 ret = pdb_getsampwsid(sam_acct, user_sid); 599 695 unbecome_root(); 600 696 601 697 if (!ret) { 602 DEBUG(1, ("pdb_getsampwsid(%s) f or user %s failed\n",603 sid_string_dbg( &user_sid), username));604 DEBUGADD(1, ("Fall back to unix user %s\n", username));698 DEBUG(1, ("pdb_getsampwsid(%s) failed\n", 699 sid_string_dbg(user_sid))); 700 DEBUGADD(1, ("Fall back to unix user\n")); 605 701 goto unix_user; 606 702 } … … 610 706 &pdb_num_group_sids); 611 707 if (!NT_STATUS_IS_OK(result)) { 612 DEBUG(1, ("enum_group_memberships failed for %s (%s): "613 "%s\n", username, sid_string_dbg(&user_sid),708 DEBUG(1, ("enum_group_memberships failed for %s: " 709 "%s\n", sid_string_dbg(user_sid), 614 710 nt_errstr(result))); 615 DEBUGADD(1, ("Fall back to unix u ser %s\n", username));711 DEBUGADD(1, ("Fall back to unix uid lookup\n")); 616 712 goto unix_user; 617 713 } … … 620 716 /* see the smb_panic() in pdb_default_enum_group_memberships */ 621 717 SMB_ASSERT(num_group_sids > 0); 622 623 *gid = gids[0];624 718 625 719 /* Ensure we're returning the found_username on the right context. */ … … 627 721 pdb_get_username(sam_acct)); 628 722 723 if (*found_username == NULL) { 724 result = NT_STATUS_NO_MEMORY; 725 goto done; 726 } 727 629 728 /* 630 729 * If the SID from lookup_name() was the guest sid, passdb knows 631 * about the mapping of guest sid to lp_guest account()730 * about the mapping of guest sid to lp_guest_account() 632 731 * username and will return the unix_pw info for a guest 633 732 * user. Use it if it's there, else lookup the *uid details … … 654 753 *uid = sam_acct->unix_pw->pw_uid; 655 754 656 } else if (sid_check_is_in_unix_users(&user_sid)) { 755 } else if (sid_check_is_in_unix_users(user_sid)) { 756 struct dom_sid tmp_sid; 657 757 uint32_t getgroups_num_group_sids; 658 758 /* This is a unix user not in passdb. We need to ask nss … … 669 769 unix_user: 670 770 671 if (!sid_to_uid( &user_sid, uid)) {672 DEBUG(1, ("unix_user case, sid_to_uid for %s (%s)failed\n",673 username, sid_string_dbg(&user_sid)));771 if (!sid_to_uid(user_sid, uid)) { 772 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n", 773 sid_string_dbg(user_sid))); 674 774 result = NT_STATUS_NO_SUCH_USER; 675 775 goto done; 676 776 } 677 777 678 uid_to_unix_users_sid(*uid, &user_sid); 778 uid_to_unix_users_sid(*uid, &tmp_sid); 779 user_sid = &tmp_sid; 679 780 680 781 pass = getpwuid_alloc(tmp_ctx, *uid); 681 782 if (pass == NULL) { 682 DEBUG(1, ("getpwuid(%u) f or user %s failed\n",683 (unsigned int)*uid , username));684 goto done; 685 } 686 687 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,783 DEBUG(1, ("getpwuid(%u) failed\n", 784 (unsigned int)*uid)); 785 goto done; 786 } 787 788 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid, 688 789 &gids, &getgroups_num_group_sids)) { 689 790 DEBUG(1, ("getgroups_unix_user for user %s failed\n", 690 username));791 pass->pw_name)); 691 792 goto done; 692 793 } 693 794 num_group_sids = getgroups_num_group_sids; 694 795 695 if (num_group_sids) { 696 group_sids = TALLOC_ARRAY(tmp_ctx, struct dom_sid, num_group_sids); 697 if (group_sids == NULL) { 698 DEBUG(1, ("TALLOC_ARRAY failed\n")); 699 result = NT_STATUS_NO_MEMORY; 700 goto done; 701 } 702 } else { 703 group_sids = NULL; 796 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids); 797 if (group_sids == NULL) { 798 DEBUG(1, ("talloc_array failed\n")); 799 result = NT_STATUS_NO_MEMORY; 800 goto done; 704 801 } 705 802 … … 711 808 SMB_ASSERT(num_group_sids > 0); 712 809 713 *gid = gids[0];714 715 810 /* Ensure we're returning the found_username on the right context. */ 716 811 *found_username = talloc_strdup(mem_ctx, pass->pw_name); 812 if (*found_username == NULL) { 813 result = NT_STATUS_NO_MEMORY; 814 goto done; 815 } 717 816 } else { 718 817 … … 725 824 726 825 /* We must always assign the *uid. */ 727 if (!sid_to_uid( &user_sid, uid)) {728 DEBUG(1, ("winbindd case, sid_to_uid for %s (%s)failed\n",729 username, sid_string_dbg(&user_sid)));826 if (!sid_to_uid(user_sid, uid)) { 827 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n", 828 sid_string_dbg(user_sid))); 730 829 result = NT_STATUS_NO_SUCH_USER; 731 830 goto done; … … 733 832 734 833 num_group_sids = 1; 735 group_sids = TALLOC_ARRAY(tmp_ctx, struct dom_sid, num_group_sids);834 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids); 736 835 if (group_sids == NULL) { 737 DEBUG(1, (" TALLOC_ARRAYfailed\n"));836 DEBUG(1, ("talloc_array failed\n")); 738 837 result = NT_STATUS_NO_MEMORY; 739 838 goto done; 740 839 } 741 840 742 sid_copy(&group_sids[0], &user_sid); 841 gids = talloc_array(tmp_ctx, gid_t, num_group_sids); 842 if (gids == NULL) { 843 result = NT_STATUS_NO_MEMORY; 844 goto done; 845 } 846 847 sid_copy(&group_sids[0], user_sid); 743 848 sid_split_rid(&group_sids[0], NULL); 744 849 sid_append_rid(&group_sids[0], DOMAIN_RID_USERS); 745 850 746 if (!sid_to_gid(&group_sids[0], gid)) {851 if (!sid_to_gid(&group_sids[0], &gids[0])) { 747 852 DEBUG(1, ("sid_to_gid(%s) failed\n", 748 853 sid_string_dbg(&group_sids[0]))); … … 750 855 } 751 856 752 gids = gid; 753 754 /* Ensure we're returning the found_username on the right context. */ 755 *found_username = talloc_strdup(mem_ctx, username); 756 } 857 *found_username = NULL; 858 } 859 860 *gid = gids[0]; 757 861 758 862 /* Add the "Unix Group" SID for each gid to catch mapped groups … … 764 868 765 869 num_gids = num_group_sids; 870 range_ok = lp_idmap_default_range(&low, &high); 766 871 for ( i=0; i<num_gids; i++ ) { 767 gid_t high, low;872 struct dom_sid unix_group_sid; 768 873 769 874 /* don't pickup anything managed by Winbind */ 770 771 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) ) 875 if (range_ok && (gids[i] >= low) && (gids[i] <= high)) { 772 876 continue; 877 } 773 878 774 879 gid_to_unix_groups_sid(gids[i], &unix_group_sid); … … 782 887 783 888 /* Ensure we're creating the nt_token on the right context. */ 784 *token = create_local_nt_token(mem_ctx, &user_sid,889 *token = create_local_nt_token(mem_ctx, user_sid, 785 890 is_guest, num_group_sids, group_sids); 786 891 787 if ( (*token == NULL) || (*found_username == NULL)) {892 if (*token == NULL) { 788 893 result = NT_STATUS_NO_MEMORY; 789 894 goto done; … … 793 898 done: 794 899 TALLOC_FREE(tmp_ctx); 900 return result; 901 } 902 903 /* 904 * Create an artificial NT token given just a username. (Initially intended 905 * for force user) 906 * 907 * We go through lookup_name() to avoid problems we had with 'winbind use 908 * default domain'. 909 * 910 * We have 3 cases: 911 * 912 * unmapped unix users: Go directly to nss to find the user's group. 913 * 914 * A passdb user: The list of groups is provided by pdb_enum_group_memberships. 915 * 916 * If the user is provided by winbind, the primary gid is set to "domain 917 * users" of the user's domain. For an explanation why this is necessary, see 918 * the thread starting at 919 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html. 920 */ 921 922 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, 923 bool is_guest, 924 uid_t *uid, gid_t *gid, 925 char **found_username, 926 struct security_token **token) 927 { 928 NTSTATUS result = NT_STATUS_NO_SUCH_USER; 929 TALLOC_CTX *tmp_ctx = talloc_stackframe(); 930 struct dom_sid user_sid; 931 enum lsa_SidType type; 932 933 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL, 934 NULL, NULL, &user_sid, &type)) { 935 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username)); 936 goto done; 937 } 938 939 if (type != SID_NAME_USER) { 940 DEBUG(1, ("%s is a %s, not a user\n", username, 941 sid_type_lookup(type))); 942 goto done; 943 } 944 945 result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token); 946 947 if (!NT_STATUS_IS_OK(result)) { 948 goto done; 949 } 950 951 /* 952 * If result == NT_STATUS_OK then 953 * we know we have a valid token. Ensure 954 * we also have a valid username to match. 955 */ 956 957 if (*found_username == NULL) { 958 *found_username = talloc_strdup(mem_ctx, username); 959 if (*found_username == NULL) { 960 result = NT_STATUS_NO_MEMORY; 961 } 962 } 963 964 done: 965 TALLOC_FREE(tmp_ctx); 966 return result; 967 } 968 969 /*************************************************************************** 970 Build upon create_token_from_sid: 971 972 Expensive helper function to figure out whether a user given its sid is 973 member of a particular group. 974 ***************************************************************************/ 975 976 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid) 977 { 978 NTSTATUS status; 979 uid_t uid; 980 gid_t gid; 981 char *found_username; 982 struct security_token *token; 983 bool result = false; 984 enum lsa_SidType type; 985 TALLOC_CTX *mem_ctx = talloc_stackframe(); 986 987 if (!lookup_sid(mem_ctx, sid, 988 NULL, NULL, &type)) { 989 DEBUG(1, ("lookup_sid for %s failed\n", dom_sid_string(mem_ctx, sid))); 990 goto done; 991 } 992 993 if (type != SID_NAME_USER) { 994 DEBUG(5, ("%s is a %s, not a user\n", dom_sid_string(mem_ctx, sid), 995 sid_type_lookup(type))); 996 goto done; 997 } 998 999 status = create_token_from_sid(mem_ctx, sid, False, 1000 &uid, &gid, &found_username, 1001 &token); 1002 1003 if (!NT_STATUS_IS_OK(status)) { 1004 DEBUG(10, ("could not create token for %s\n", dom_sid_string(mem_ctx, sid))); 1005 goto done; 1006 } 1007 1008 result = security_token_has_sid(token, group_sid); 1009 1010 done: 1011 TALLOC_FREE(mem_ctx); 795 1012 return result; 796 1013 } -
vendor/current/source3/auth/user_info.c
r740 r988 21 21 #include "auth.h" 22 22 #include "librpc/gen_ndr/samr.h" 23 #include "../lib/tsocket/tsocket.h" 23 24 24 25 #undef DBGC_CLASS … … 41 42 ****************************************************************************/ 42 43 43 NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, 44 NTSTATUS make_user_info(TALLOC_CTX *mem_ctx, 45 struct auth_usersupplied_info **ret_user_info, 44 46 const char *smb_name, 45 47 const char *internal_username, … … 47 49 const char *domain, 48 50 const char *workstation_name, 51 const struct tsocket_address *remote_address, 49 52 const DATA_BLOB *lm_pwd, 50 53 const DATA_BLOB *nt_pwd, … … 59 62 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); 60 63 61 /* FIXME: Have the caller provide a talloc context of the 62 * correct lifetime (possibly talloc_tos(), but it depends on 63 * the caller) */ 64 user_info = talloc_zero(NULL, struct auth_usersupplied_info); 64 user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info); 65 65 if (user_info == NULL) { 66 66 DEBUG(0,("talloc failed for user_info\n")); … … 71 71 72 72 user_info->client.account_name = talloc_strdup(user_info, smb_name); 73 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->client.account_name, user_info); 73 if (user_info->client.account_name == NULL) { 74 TALLOC_FREE(user_info); 75 return NT_STATUS_NO_MEMORY; 76 } 74 77 75 78 user_info->mapped.account_name = talloc_strdup(user_info, internal_username); 76 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->mapped.account_name, user_info); 79 if (user_info->mapped.account_name == NULL) { 80 TALLOC_FREE(user_info); 81 return NT_STATUS_NO_MEMORY; 82 } 77 83 78 84 user_info->mapped.domain_name = talloc_strdup(user_info, domain); 79 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->mapped.domain_name, user_info); 85 if (user_info->mapped.domain_name == NULL) { 86 TALLOC_FREE(user_info); 87 return NT_STATUS_NO_MEMORY; 88 } 80 89 81 90 user_info->client.domain_name = talloc_strdup(user_info, client_domain); 82 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->client.domain_name, user_info); 91 if (user_info->client.domain_name == NULL) { 92 TALLOC_FREE(user_info); 93 return NT_STATUS_NO_MEMORY; 94 } 83 95 84 96 user_info->workstation_name = talloc_strdup(user_info, workstation_name); 85 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->workstation_name, user_info); 97 if (user_info->workstation_name == NULL) { 98 TALLOC_FREE(user_info); 99 return NT_STATUS_NO_MEMORY; 100 } 101 102 user_info->remote_host = tsocket_address_copy(remote_address, user_info); 103 if (user_info->remote_host == NULL) { 104 TALLOC_FREE(user_info); 105 return NT_STATUS_NO_MEMORY; 106 } 86 107 87 108 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); … … 89 110 if (lm_pwd && lm_pwd->data) { 90 111 user_info->password.response.lanman = data_blob_talloc(user_info, lm_pwd->data, lm_pwd->length); 91 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->password.response.lanman.data, user_info); 112 if (user_info->password.response.lanman.data == NULL) { 113 TALLOC_FREE(user_info); 114 return NT_STATUS_NO_MEMORY; 115 } 92 116 } 93 117 if (nt_pwd && nt_pwd->data) { 94 118 user_info->password.response.nt = data_blob_talloc(user_info, nt_pwd->data, nt_pwd->length); 95 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->password.response.nt.data, user_info); 119 if (user_info->password.response.nt.data == NULL) { 120 TALLOC_FREE(user_info); 121 return NT_STATUS_NO_MEMORY; 122 } 96 123 } 97 124 if (lm_interactive_pwd) { 98 125 user_info->password.hash.lanman = talloc(user_info, struct samr_Password); 99 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->password.hash.lanman, user_info); 126 if (user_info->password.hash.lanman == NULL) { 127 TALLOC_FREE(user_info); 128 return NT_STATUS_NO_MEMORY; 129 } 100 130 memcpy(user_info->password.hash.lanman->hash, lm_interactive_pwd->hash, 101 131 sizeof(user_info->password.hash.lanman->hash)); … … 105 135 if (nt_interactive_pwd) { 106 136 user_info->password.hash.nt = talloc(user_info, struct samr_Password); 107 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->password.hash.nt, user_info); 137 if (user_info->password.hash.nt == NULL) { 138 TALLOC_FREE(user_info); 139 return NT_STATUS_NO_MEMORY; 140 } 108 141 memcpy(user_info->password.hash.nt->hash, nt_interactive_pwd->hash, 109 142 sizeof(user_info->password.hash.nt->hash)); … … 113 146 if (plaintext_password) { 114 147 user_info->password.plaintext = talloc_strdup(user_info, plaintext_password); 115 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->password.plaintext, user_info); 148 if (user_info->password.plaintext == NULL) { 149 TALLOC_FREE(user_info); 150 return NT_STATUS_NO_MEMORY; 151 } 116 152 talloc_set_destructor(user_info->password.plaintext, clear_string); 117 153 } … … 125 161 return NT_STATUS_OK; 126 162 } 127 128 /***************************************************************************129 Free a user_info struct130 ***************************************************************************/131 132 void free_user_info(struct auth_usersupplied_info **user_info)133 {134 TALLOC_FREE(*user_info);135 } -
vendor/current/source3/auth/user_krb5.c
r740 r988 23 23 #include "nsswitch/libwbclient/wbclient.h" 24 24 #include "passdb.h" 25 #include "lib/param/loadparm.h" 25 26 26 27 #undef DBGC_CLASS … … 74 75 } 75 76 76 if (logon_info && logon_info->info3.base. domain.string) {77 if (logon_info && logon_info->info3.base.logon_domain.string) { 77 78 domain = talloc_strdup(mem_ctx, 78 logon_info->info3.base. domain.string);79 logon_info->info3.base.logon_domain.string); 79 80 if (!domain) { 80 81 return NT_STATUS_NO_MEMORY; … … 126 127 return NT_STATUS_NO_MEMORY; 127 128 } 129 *mapped_to_guest = false; 128 130 129 131 pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); … … 150 152 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) { 151 153 *mapped_to_guest = true; 152 fuser = talloc_strdup(mem_ctx, lp_guest account());154 fuser = talloc_strdup(mem_ctx, lp_guest_account()); 153 155 if (!fuser) { 154 156 return NT_STATUS_NO_MEMORY; … … 159 161 /* extra sanity check that the guest account is valid */ 160 162 if (!pw) { 161 D EBUG(1,("Username %s is invalid on this system\n",162 fuser) );163 DBG_NOTICE("Username %s is invalid on this system\n", 164 fuser); 163 165 return NT_STATUS_LOGON_FAILURE; 164 166 } … … 180 182 } 181 183 182 NTSTATUS make_se rver_info_krb5(TALLOC_CTX *mem_ctx,184 NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, 183 185 char *ntuser, 184 186 char *ntdomain, 185 187 char *username, 186 188 struct passwd *pw, 187 struct PAC_LOGON_INFO *logon_info, 188 bool mapped_to_guest, 189 struct auth_serversupplied_info **server_info) 189 const struct netr_SamInfo3 *info3, 190 bool mapped_to_guest, bool username_was_mapped, 191 DATA_BLOB *session_key, 192 struct auth_session_info **session_info) 190 193 { 191 194 NTSTATUS status; 195 struct auth_serversupplied_info *server_info; 192 196 193 197 if (mapped_to_guest) { 194 status = make_server_info_guest(mem_ctx, server_info);198 status = make_server_info_guest(mem_ctx, &server_info); 195 199 if (!NT_STATUS_IS_OK(status)) { 196 200 DEBUG(1, ("make_server_info_guest failed: %s!\n", … … 199 203 } 200 204 201 } else if ( logon_info) {205 } else if (info3) { 202 206 /* pass the unmapped username here since map_username() 203 207 will be called again in make_server_info_info3() */ … … 205 209 status = make_server_info_info3(mem_ctx, 206 210 ntuser, ntdomain, 207 server_info,208 &logon_info->info3);211 &server_info, 212 info3); 209 213 if (!NT_STATUS_IS_OK(status)) { 210 214 DEBUG(1, ("make_server_info_info3 failed: %s!\n", … … 220 224 */ 221 225 struct samu *sampass; 222 /* The stupid make_server_info_XX functions here223 don't take a talloc context. */224 struct auth_serversupplied_info *tmp = NULL;225 226 226 227 sampass = samu_new(talloc_tos()); … … 232 233 DEBUG(10, ("found user %s in passdb, calling " 233 234 "make_server_info_sam\n", username)); 234 status = make_server_info_sam(&tmp, sampass); 235 status = make_server_info_sam(mem_ctx, 236 sampass, 237 &server_info); 235 238 } else { 236 239 /* … … 239 242 DEBUG(10, ("didn't find user %s in passdb, calling " 240 243 "make_server_info_pw\n", username)); 241 status = make_server_info_pw(&tmp, username, pw); 242 } 244 status = make_server_info_pw(mem_ctx, 245 username, 246 pw, 247 &server_info); 248 } 249 243 250 TALLOC_FREE(sampass); 244 251 … … 249 256 } 250 257 251 /* Steal tmp server info into the server_info pointer. */252 *server_info = talloc_move(mem_ctx, &tmp);253 254 258 /* make_server_info_pw does not set the domain. Without this 255 259 * we end up with the local netbios name in substitutions for 256 260 * %D. */ 257 261 258 if ((*server_info)->info3 != NULL) { 259 (*server_info)->info3->base.domain.string = 260 talloc_strdup((*server_info)->info3, ntdomain); 261 } 262 262 if (server_info->info3 != NULL) { 263 server_info->info3->base.logon_domain.string = 264 talloc_strdup(server_info->info3, ntdomain); 265 } 266 } 267 268 server_info->nss_token |= username_was_mapped; 269 270 status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info); 271 talloc_free(server_info); 272 if (!NT_STATUS_IS_OK(status)) { 273 DEBUG(10,("failed to create local token: %s\n", 274 nt_errstr(status))); 275 return status; 263 276 } 264 277 … … 281 294 } 282 295 283 NTSTATUS make_se rver_info_krb5(TALLOC_CTX *mem_ctx,296 NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, 284 297 char *ntuser, 285 298 char *ntdomain, 286 299 char *username, 287 300 struct passwd *pw, 288 struct PAC_LOGON_INFO *logon_info, 289 bool mapped_to_guest, 290 struct auth_serversupplied_info **server_info) 301 const struct netr_SamInfo3 *info3, 302 bool mapped_to_guest, bool username_was_mapped, 303 DATA_BLOB *session_key, 304 struct auth_session_info **session_info) 291 305 { 292 306 return NT_STATUS_NOT_IMPLEMENTED; -
vendor/current/source3/auth/user_util.c
r860 r988 97 97 return false; 98 98 } 99 found = gencache_get(key, &value, NULL);99 found = gencache_get(key, ctx, &value, NULL); 100 100 TALLOC_FREE(key); 101 101 if (!found) { … … 103 103 } 104 104 TALLOC_FREE(*p_user_out); 105 *p_user_out = talloc_strdup(ctx, value); 106 SAFE_FREE(value); 105 *p_user_out = value; 107 106 if (!*p_user_out) { 108 107 return false; … … 165 164 return false; 166 165 } 167 strlower_m(lowercase_user); 166 if (!strlower_m(lowercase_user)) { 167 return false; 168 } 168 169 169 170 if (strcmp(user,lowercase_user) == 0) { … … 188 189 ****************************************************************************/ 189 190 190 bool user_in_list(TALLOC_CTX *ctx, const char *user, const char **list)191 bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) 191 192 { 192 193 if (!list || !*list) … … 268 269 { 269 270 XFILE *f; 270 char *mapfile = lp_username_map( );271 char *mapfile = lp_username_map(talloc_tos()); 271 272 char *s; 272 273 char buf[512]; 273 274 bool mapped_user = False; 274 char *cmd = lp_username_map_script( );275 char *cmd = lp_username_map_script(talloc_tos()); 275 276 276 277 *p_user_out = NULL; … … 399 400 400 401 if (strchr_m(dosname,'*') || 401 user_in_list(ctx, user_in, (const char * *)dosuserlist)) {402 user_in_list(ctx, user_in, (const char * const *)dosuserlist)) { 402 403 DEBUG(3,("Mapped user %s to %s\n",user_in,unixname)); 403 404 mapped_user = True; -
vendor/current/source3/auth/wscript_build
r740 r988 1 1 #!/usr/bin/env python 2 3 AUTH_BUILTIN_SRC = 'auth_builtin.c'4 AUTH_DOMAIN_SRC = 'auth_domain.c'5 AUTH_SAM_SRC = 'auth_sam.c'6 AUTH_SERVER_SRC = 'auth_server.c'7 AUTH_UNIX_SRC = 'auth_unix.c'8 AUTH_WINBIND_SRC = 'auth_winbind.c'9 AUTH_WBC_SRC = 'auth_wbc.c'10 AUTH_SCRIPT_SRC = 'auth_script.c'11 AUTH_NETLOGOND_SRC = 'auth_netlogond.c'12 13 AUTH_SRC = '''auth.c14 user_krb5.c15 auth_compat.c auth_ntlmssp.c'''16 2 17 3 bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL', 18 4 source='token_util.c', 19 vars=locals()) 5 deps='samba-util pdb') 6 7 bld.SAMBA3_SUBSYSTEM('USER_UTIL', 8 source='user_util.c', 9 deps='TOKEN_UTIL') 20 10 21 11 bld.SAMBA3_SUBSYSTEM('AUTH_COMMON', 22 12 source='''auth_util.c 23 user_util.c24 13 check_samsec.c 25 14 server_info.c 26 15 server_info_sam.c 27 user_info.c 28 user_util.c''', 29 vars=locals()) 16 user_info.c''', 17 deps='TOKEN_UTIL DCUTIL USER_UTIL') 30 18 31 bld.SAMBA3_SUBSYSTEM('auth', 32 source=AUTH_SRC, 33 deps='''PLAINTEXT_AUTH SLCACHE DCUTIL TOKEN_UTIL AUTH_COMMON''', 34 vars=locals()) 19 bld.SAMBA3_LIBRARY('auth', 20 source='''auth.c 21 user_krb5.c 22 auth_ntlmssp.c 23 auth_generic.c''', 24 deps='''PLAINTEXT_AUTH SLCACHE DCUTIL TOKEN_UTIL AUTH_COMMON libcli_netlogon3 samba-hostconfig''', 25 private_library=True) 35 26 36 27 bld.SAMBA3_MODULE('auth_sam', 37 28 subsystem='auth', 38 source=AUTH_SAM_SRC, 29 source='auth_sam.c', 30 deps='samba-util', 39 31 init_function='', 40 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_sam'), 41 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_sam')) 32 internal_module=True) 42 33 43 34 bld.SAMBA3_MODULE('auth_unix', 44 35 subsystem='auth', 45 source=AUTH_UNIX_SRC, 36 source='auth_unix.c', 37 deps='samba-util', 46 38 init_function='', 47 39 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_unix'), … … 50 42 bld.SAMBA3_MODULE('auth_winbind', 51 43 subsystem='auth', 52 source=AUTH_WINBIND_SRC, 44 source='auth_winbind.c', 45 deps='samba-util', 53 46 init_function='', 54 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_winbind'), 55 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_winbind')) 47 internal_module=True) 56 48 57 49 bld.SAMBA3_MODULE('auth_wbc', 58 50 subsystem='auth', 59 source=AUTH_WBC_SRC, 51 source='auth_wbc.c', 52 deps='samba-util', 60 53 init_function='', 61 54 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_wbc'), 62 55 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_wbc')) 63 56 64 bld.SAMBA3_MODULE('auth_server',65 subsystem='auth',66 source=AUTH_SERVER_SRC,67 init_function='',68 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_server'),69 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_server'))70 71 57 bld.SAMBA3_MODULE('auth_domain', 72 58 subsystem='auth', 73 source= AUTH_DOMAIN_SRC,74 deps='RPC_CLIENT_SCHANNEL ',59 source='auth_domain.c', 60 deps='RPC_CLIENT_SCHANNEL trusts_util', 75 61 init_function='', 76 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_domain'), 77 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_domain')) 62 internal_module=True) 78 63 79 64 bld.SAMBA3_MODULE('auth_builtin', 80 65 subsystem='auth', 81 source=AUTH_BUILTIN_SRC, 66 source='auth_builtin.c', 67 deps='samba-util', 82 68 init_function='', 83 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_builtin'), 84 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_builtin')) 85 86 bld.SAMBA3_MODULE('auth_netlogond', 87 subsystem='auth', 88 source=AUTH_NETLOGOND_SRC, 89 init_function='', 90 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_netlogond'), 91 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_netlogond')) 69 internal_module=True) 92 70 93 71 bld.SAMBA3_MODULE('auth_script', 94 72 subsystem='auth', 95 source= AUTH_SCRIPT_SRC,73 source='auth_script.c', 96 74 init_function='', 97 75 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_script'), 98 76 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_script')) 77 78 bld.SAMBA3_MODULE('auth_samba4', 79 subsystem='auth', 80 source='auth_samba4.c', 81 init_function='', 82 deps='auth4 samba_server_gensec gensec', 83 internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_samba4') and bld.AD_DC_BUILD_IS_ENABLED(), 84 enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_samba4') and bld.AD_DC_BUILD_IS_ENABLED())
Note:
See TracChangeset
for help on using the changeset viewer.
