Changeset 988 for vendor/current/source3/auth/auth.c
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- File:
-
- 1 edited
-
vendor/current/source3/auth/auth.c (modified) (15 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/auth/auth.c
r740 r988 20 20 #include "includes.h" 21 21 #include "auth.h" 22 #include " smbd/globals.h"22 #include "../lib/tsocket/tsocket.h" 23 23 24 24 #undef DBGC_CLASS … … 79 79 ****************************************************************************/ 80 80 81 static NTSTATUS get_ntlm_challenge(struct auth_context *auth_context, 82 uint8_t chal[8]) 83 { 84 DATA_BLOB challenge = data_blob_null; 85 const char *challenge_set_by = NULL; 86 auth_methods *auth_method; 81 NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, 82 uint8_t chal[8]) 83 { 84 uchar tmp[8]; 85 87 86 88 87 if (auth_context->challenge.length) { … … 93 92 } 94 93 95 auth_context->challenge_may_be_modified = False; 96 97 for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { 98 if (auth_method->get_chal == NULL) { 99 DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); 100 continue; 101 } 102 103 DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name)); 104 if (challenge_set_by != NULL) { 105 DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n", 106 challenge_set_by, auth_method->name)); 107 continue; 108 } 109 110 challenge = auth_method->get_chal(auth_context, &auth_method->private_data, 111 auth_context); 112 if (!challenge.length) { 113 DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", 114 auth_method->name)); 115 } else { 116 DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name)); 117 auth_context->challenge = challenge; 118 challenge_set_by = auth_method->name; 119 auth_context->challenge_set_method = auth_method; 120 } 121 } 122 123 if (!challenge_set_by) { 124 uchar tmp[8]; 125 126 generate_random_buffer(tmp, sizeof(tmp)); 127 auth_context->challenge = data_blob_talloc(auth_context, 128 tmp, sizeof(tmp)); 129 130 challenge_set_by = "random"; 131 auth_context->challenge_may_be_modified = True; 132 } 133 134 DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); 135 DEBUG(5, ("challenge is: \n")); 136 dump_data(5, auth_context->challenge.data, auth_context->challenge.length); 137 138 SMB_ASSERT(auth_context->challenge.length == 8); 139 140 auth_context->challenge_set_by=challenge_set_by; 94 generate_random_buffer(tmp, sizeof(tmp)); 95 auth_context->challenge = data_blob_talloc(auth_context, 96 tmp, sizeof(tmp)); 97 98 auth_context->challenge_set_by = "random"; 141 99 142 100 memcpy(chal, auth_context->challenge.data, 8); … … 203 161 **/ 204 162 205 static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, 206 const struct auth_usersupplied_info *user_info, 207 struct auth_serversupplied_info **server_info) 163 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, 164 const struct auth_context *auth_context, 165 const struct auth_usersupplied_info *user_info, 166 struct auth_serversupplied_info **pserver_info) 208 167 { 209 168 /* if all the modules say 'not for me' this is reasonable */ … … 211 170 const char *unix_username; 212 171 auth_methods *auth_method; 213 TALLOC_CTX *mem_ctx; 214 215 if (!user_info || !auth_context || !server_info) 172 173 if (user_info == NULL || auth_context == NULL || pserver_info == NULL) { 216 174 return NT_STATUS_LOGON_FAILURE; 175 } 217 176 218 177 DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", … … 248 207 249 208 for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { 209 struct auth_serversupplied_info *server_info; 210 TALLOC_CTX *tmp_ctx; 250 211 NTSTATUS result; 251 212 252 mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, 253 user_info->mapped.domain_name, user_info->client.account_name); 254 255 result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); 213 if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY 214 && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) { 215 continue; 216 } 217 218 tmp_ctx = talloc_named(mem_ctx, 219 0, 220 "%s authentication for user %s\\%s", 221 auth_method->name, 222 user_info->mapped.domain_name, 223 user_info->client.account_name); 224 225 result = auth_method->auth(auth_context, 226 auth_method->private_data, 227 tmp_ctx, 228 user_info, 229 &server_info); 256 230 257 231 /* check if the module did anything */ 258 232 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { 259 233 DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); 260 talloc_destroy(mem_ctx); 234 TALLOC_FREE(tmp_ctx); 235 if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) { 236 /* we don't expose the NT_STATUS_NOT_IMPLEMENTED 237 * internals, except when the caller is only probing 238 * one method, as they may do the fallback 239 */ 240 nt_status = result; 241 } 261 242 continue; 262 243 } … … 272 253 } 273 254 274 talloc_destroy(mem_ctx); 275 276 if ( NT_STATUS_IS_OK(nt_status)) 277 { 278 break; 279 } 255 if (NT_STATUS_IS_OK(nt_status)) { 256 *pserver_info = talloc_steal(mem_ctx, server_info); 257 TALLOC_FREE(tmp_ctx); 258 break; 259 } 260 261 TALLOC_FREE(tmp_ctx); 280 262 } 281 263 … … 283 265 284 266 if (NT_STATUS_IS_OK(nt_status)) { 285 unix_username = (*server_info)->unix_name; 286 if (!(*server_info)->guest) { 267 unix_username = (*pserver_info)->unix_name; 268 269 /* We skip doing this step if the caller asked us not to */ 270 if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) 271 && !(*pserver_info)->guest) { 272 const char *rhost; 273 274 if (tsocket_address_is_inet(user_info->remote_host, "ip")) { 275 rhost = tsocket_address_inet_addr_string(user_info->remote_host, 276 talloc_tos()); 277 if (rhost == NULL) { 278 return NT_STATUS_NO_MEMORY; 279 } 280 } else { 281 rhost = "127.0.0.1"; 282 } 283 287 284 /* We might not be root if we are an RPC call */ 288 285 become_root(); 289 nt_status = smb_pam_accountcheck( 290 unix_username, 291 smbd_server_conn->client_id.name); 286 nt_status = smb_pam_accountcheck(unix_username, 287 rhost); 292 288 unbecome_root(); 293 289 … … 302 298 303 299 if (NT_STATUS_IS_OK(nt_status)) { 304 DEBUG((* server_info)->guest ? 5 : 2,300 DEBUG((*pserver_info)->guest ? 5 : 2, 305 301 ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", 306 (* server_info)->guest ? "guest " : "",302 (*pserver_info)->guest ? "guest " : "", 307 303 user_info->client.account_name, 308 304 user_info->mapped.account_name, … … 318 314 user_info->client.account_name, user_info->mapped.account_name, 319 315 nt_errstr(nt_status))); 320 ZERO_STRUCTP( server_info);316 ZERO_STRUCTP(pserver_info); 321 317 322 318 return nt_status; … … 355 351 return NT_STATUS_NO_MEMORY; 356 352 } 357 358 ctx->check_ntlm_password = check_ntlm_password;359 ctx->get_ntlm_challenge = get_ntlm_challenge;360 353 361 354 talloc_set_destructor((TALLOC_CTX *)ctx, auth_context_destructor); … … 428 421 { 429 422 auth_methods *list = NULL; 430 auth_methods *t = NULL;423 auth_methods *t, *method = NULL; 431 424 NTSTATUS nt_status; 432 425 … … 444 437 for (;*text_list; text_list++) { 445 438 if (load_auth_module(*auth_context, *text_list, &t)) { 446 DLIST_ADD_END(list, t , auth_methods *);439 DLIST_ADD_END(list, t); 447 440 } 448 441 } … … 450 443 (*auth_context)->auth_method_list = list; 451 444 452 return nt_status; 445 /* Look for the first module to provide a prepare_gensec and 446 * make_auth4_context hook, and set that if provided */ 447 for (method = (*auth_context)->auth_method_list; method; method = method->next) { 448 if (method->prepare_gensec && method->make_auth4_context) { 449 (*auth_context)->prepare_gensec = method->prepare_gensec; 450 (*auth_context)->make_auth4_context = method->make_auth4_context; 451 break; 452 } 453 } 454 return NT_STATUS_OK; 453 455 } 454 456 … … 470 472 471 473 if (auth_method_list == NULL) { 472 switch (lp_se curity())474 switch (lp_server_role()) 473 475 { 474 case SEC_DOMAIN:475 DEBUG(5,("Making default auth method list for se curity=domain\n"));476 case ROLE_DOMAIN_MEMBER: 477 DEBUG(5,("Making default auth method list for server role = 'domain member'\n")); 476 478 auth_method_list = str_list_make_v3( 477 479 talloc_tos(), "guest sam winbind:ntdomain", 478 480 NULL); 479 481 break; 480 case SEC_SERVER: 481 DEBUG(5,("Making default auth method list for security=server\n")); 482 case ROLE_DOMAIN_BDC: 483 case ROLE_DOMAIN_PDC: 484 DEBUG(5,("Making default auth method list for DC\n")); 482 485 auth_method_list = str_list_make_v3( 483 talloc_tos(), "guest sam smbserver", 486 talloc_tos(), 487 "guest sam winbind:trustdomain", 484 488 NULL); 485 489 break; 486 case SEC_USER: 487 if (lp_encrypted_passwords()) { 488 if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { 489 DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n")); 490 auth_method_list = str_list_make_v3( 491 talloc_tos(), 492 "guest sam winbind:trustdomain", 493 NULL); 494 } else { 495 DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n")); 496 auth_method_list = str_list_make_v3( 490 case ROLE_STANDALONE: 491 DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n")); 492 if (lp_encrypt_passwords()) { 493 auth_method_list = str_list_make_v3( 497 494 talloc_tos(), "guest sam", 498 495 NULL); 499 }500 496 } else { 501 DEBUG(5,("Making default auth method list for se curity=user, encrypt passwords = no\n"));497 DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n")); 502 498 auth_method_list = str_list_make_v3( 503 499 talloc_tos(), "guest unix", NULL); 504 500 } 505 501 break; 506 case SEC_SHARE: 507 if (lp_encrypted_passwords()) { 508 DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n")); 509 auth_method_list = str_list_make_v3( 510 talloc_tos(), "guest sam", NULL); 511 } else { 512 DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n")); 513 auth_method_list = str_list_make_v3( 514 talloc_tos(), "guest unix", NULL); 515 } 516 break; 517 case SEC_ADS: 518 DEBUG(5,("Making default auth method list for security=ADS\n")); 502 case ROLE_ACTIVE_DIRECTORY_DC: 503 DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n")); 519 504 auth_method_list = str_list_make_v3( 520 talloc_tos(), "guest sam winbind:ntdomain", 505 talloc_tos(), 506 "samba4", 521 507 NULL); 522 508 break;
Note:
See TracChangeset
for help on using the changeset viewer.
