Changeset 988 for vendor/current/source3/passdb/passdb.c
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- File:
-
- 1 edited
-
vendor/current/source3/passdb/passdb.c (modified) (22 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/passdb/passdb.c
r740 r988 31 31 #include "../lib/util/util_pw.h" 32 32 #include "util_tdb.h" 33 #include "auth/credentials/credentials.h" 34 #include "lib/param/param.h" 33 35 34 36 #undef DBGC_CLASS 35 37 #define DBGC_CLASS DBGC_PASSDB 36 37 /******************************************************************38 Get the default domain/netbios name to be used when39 testing authentication.40 41 LEGACY: this function provides the legacy domain mapping used with42 the lp_map_untrusted_to_domain() parameter43 ******************************************************************/44 45 const char *my_sam_name(void)46 {47 /* Standalone servers can only use the local netbios name */48 if ( lp_server_role() == ROLE_STANDALONE )49 return global_myname();50 51 /* Default to the DOMAIN name when not specified */52 return lp_workgroup();53 }54 38 55 39 /********************************************************************** … … 75 59 struct samu *user; 76 60 77 if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {61 if ( !(user = talloc_zero( ctx, struct samu )) ) { 78 62 DEBUG(0,("samuser_new: Talloc failed!\n")); 79 63 return NULL; … … 94 78 user->logoff_time = get_time_t_max(); 95 79 user->kickoff_time = get_time_t_max(); 96 user->pass_must_change_time = get_time_t_max();97 80 user->fields_present = 0x00ffffff; 98 81 user->logon_divs = 168; /* hours per week */ … … 147 130 *********************************************************************/ 148 131 149 static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create) 150 { 151 const char *guest_account = lp_guestaccount(); 152 const char *domain = global_myname(); 132 static NTSTATUS samu_set_unix_internal(struct pdb_methods *methods, 133 struct samu *user, const struct passwd *pwd, bool create) 134 { 135 const char *guest_account = lp_guest_account(); 136 const char *domain = lp_netbios_name(); 153 137 char *fullname; 154 138 uint32_t urid; … … 229 213 230 214 pdb_set_profile_path(user, talloc_sub_specified(user, 231 lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),215 lp_logon_path(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), 232 216 PDB_DEFAULT); 233 217 pdb_set_homedir(user, talloc_sub_specified(user, 234 lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),218 lp_logon_home(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), 235 219 PDB_DEFAULT); 236 220 pdb_set_dir_drive(user, talloc_sub_specified(user, 237 lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),221 lp_logon_drive(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), 238 222 PDB_DEFAULT); 239 223 pdb_set_logon_script(user, talloc_sub_specified(user, 240 lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),224 lp_logon_script(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), 241 225 PDB_DEFAULT); 242 226 } … … 247 231 netr_SamInfo3 structure) */ 248 232 249 if ( create && ( pdb_capabilities() & PDB_CAP_STORE_RIDS)) {233 if ( create && (methods->capabilities(methods) & PDB_CAP_STORE_RIDS)) { 250 234 uint32_t user_rid; 251 235 struct dom_sid user_sid; 252 236 253 if ( ! pdb_new_rid( &user_rid) ) {237 if ( !methods->new_rid(methods, &user_rid) ) { 254 238 DEBUG(3, ("Could not allocate a new RID\n")); 255 239 return NT_STATUS_ACCESS_DENIED; … … 283 267 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd) 284 268 { 285 return samu_set_unix_internal( user, pwd, False ); 286 } 287 288 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd) 289 { 290 return samu_set_unix_internal( user, pwd, True ); 269 return samu_set_unix_internal( NULL, user, pwd, False ); 270 } 271 272 NTSTATUS samu_alloc_rid_unix(struct pdb_methods *methods, 273 struct samu *user, const struct passwd *pwd) 274 { 275 return samu_set_unix_internal( methods, user, pwd, True ); 291 276 } 292 277 … … 381 366 { 382 367 if (pwd != NULL) { 383 int i; 384 for (i = 0; i < 16; i++) 385 slprintf(&p[i*2], 3, "%02X", pwd[i]); 368 hex_encode_buf(p, pwd, 16); 386 369 } else { 387 370 if (acct_ctrl & ACB_PWNOTREQ) 388 s afe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);371 strlcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33); 389 372 else 390 s afe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);373 strlcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33); 391 374 } 392 375 } … … 432 415 { 433 416 if (hours != NULL) { 434 int i; 435 for (i = 0; i < 21; i++) { 436 slprintf(&p[i*2], 3, "%02X", hours[i]); 437 } 417 hex_encode_buf(p, hours, 21); 438 418 } else { 439 s afe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);419 strlcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 44); 440 420 } 441 421 } … … 590 570 enum lsa_SidType *type) 591 571 { 592 GROUP_MAP map;572 GROUP_MAP *map; 593 573 bool ret; 594 574 … … 628 608 629 609 if (ret) { 630 if (!sid_check_is_in_our_ domain(&user_sid)) {610 if (!sid_check_is_in_our_sam(&user_sid)) { 631 611 DEBUG(0, ("User %s with invalid SID %s in passdb\n", 632 612 name, sid_string_dbg(&user_sid))); … … 644 624 */ 645 625 626 map = talloc_zero(NULL, GROUP_MAP); 627 if (!map) { 628 return false; 629 } 630 646 631 become_root(); 647 ret = pdb_getgrnam( &map, name);632 ret = pdb_getgrnam(map, name); 648 633 unbecome_root(); 649 634 650 635 if (!ret) { 636 TALLOC_FREE(map); 651 637 return False; 652 638 } 653 639 654 640 /* BUILTIN groups are looked up elsewhere */ 655 if (!sid_check_is_in_our_ domain(&map.sid)) {641 if (!sid_check_is_in_our_sam(&map->sid)) { 656 642 DEBUG(10, ("Found group %s (%s) not in our domain -- " 657 "ignoring.", name, sid_string_dbg(&map.sid))); 643 "ignoring.\n", 644 name, sid_string_dbg(&map->sid))); 645 TALLOC_FREE(map); 658 646 return False; 659 647 } 660 648 661 649 /* yes it's a mapped group */ 662 sid_peek_rid(&map.sid, rid); 663 *type = map.sid_name_use; 650 sid_peek_rid(&map->sid, rid); 651 *type = map->sid_name_use; 652 TALLOC_FREE(map); 664 653 return True; 665 654 } … … 1019 1008 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET); 1020 1009 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET); 1021 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);1022 1010 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET); 1023 1011 … … 1210 1198 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET); 1211 1199 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET); 1212 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);1213 1200 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET); 1214 1201 … … 1401 1388 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET); 1402 1389 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET); 1403 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);1404 1390 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET); 1405 1391 … … 1637 1623 pdb_set_bad_password_time(sampass, convert_uint32_t_to_time_t(bad_password_time), PDB_SET); 1638 1624 pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET); 1639 pdb_set_pass_must_change_time(sampass, convert_uint32_t_to_time_t(pass_must_change_time), PDB_SET);1640 1625 pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET); 1641 1626 … … 2299 2284 *******************************************************************/ 2300 2285 2301 bool get_trust_pw_clear(const char *domain, char **ret_pwd, 2302 const char **account_name, 2303 enum netr_SchannelType *channel) 2286 static bool get_trust_pw_clear2(const char *domain, 2287 const char **account_name, 2288 enum netr_SchannelType *channel, 2289 char **cur_pw, 2290 time_t *_last_set_time, 2291 char **prev_pw) 2304 2292 { 2305 2293 char *pwd; 2306 2294 time_t last_set_time; 2295 2296 if (cur_pw != NULL) { 2297 *cur_pw = NULL; 2298 } 2299 if (_last_set_time != NULL) { 2300 *_last_set_time = 0; 2301 } 2302 if (prev_pw != NULL) { 2303 *prev_pw = NULL; 2304 } 2307 2305 2308 2306 /* if we are a DC and this is not our domain, then lookup an account … … 2314 2312 } 2315 2313 2316 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,2314 if (!pdb_get_trusteddom_pw(domain, cur_pw, NULL, 2317 2315 &last_set_time)) 2318 2316 { … … 2329 2327 if (account_name != NULL) { 2330 2328 *account_name = lp_workgroup(); 2329 } 2330 2331 if (_last_set_time != NULL) { 2332 *_last_set_time = last_set_time; 2331 2333 } 2332 2334 … … 2354 2356 2355 2357 if (pwd != NULL) { 2356 *ret_pwd = pwd; 2358 struct timeval expire; 2359 2360 *cur_pw = pwd; 2361 2357 2362 if (account_name != NULL) { 2358 *account_name = global_myname(); 2363 *account_name = lp_netbios_name(); 2364 } 2365 2366 if (_last_set_time != NULL) { 2367 *_last_set_time = last_set_time; 2368 } 2369 2370 if (prev_pw == NULL) { 2371 return true; 2372 } 2373 2374 ZERO_STRUCT(expire); 2375 expire.tv_sec = lp_machine_password_timeout(); 2376 expire.tv_sec /= 2; 2377 expire.tv_sec += last_set_time; 2378 if (timeval_expired(&expire)) { 2379 return true; 2380 } 2381 2382 pwd = secrets_fetch_prev_machine_password(lp_workgroup()); 2383 if (pwd != NULL) { 2384 *prev_pw = pwd; 2359 2385 } 2360 2386 … … 2362 2388 } 2363 2389 2364 DEBUG(5, ("get_trust_pw_clear : could not fetch clear text trust "2390 DEBUG(5, ("get_trust_pw_clear2: could not fetch clear text trust " 2365 2391 "account password for domain %s\n", domain)); 2366 2392 return false; 2393 } 2394 2395 bool get_trust_pw_clear(const char *domain, char **ret_pwd, 2396 const char **account_name, 2397 enum netr_SchannelType *channel) 2398 { 2399 return get_trust_pw_clear2(domain, 2400 account_name, 2401 channel, 2402 ret_pwd, 2403 NULL, 2404 NULL); 2367 2405 } 2368 2406 … … 2372 2410 *******************************************************************/ 2373 2411 2412 static bool get_trust_pw_hash2(const char *domain, 2413 const char **account_name, 2414 enum netr_SchannelType *channel, 2415 struct samr_Password *current_nt_hash, 2416 time_t *last_set_time, 2417 struct samr_Password **_previous_nt_hash) 2418 { 2419 char *cur_pw = NULL; 2420 char *prev_pw = NULL; 2421 char **_prev_pw = NULL; 2422 bool ok; 2423 2424 if (_previous_nt_hash != NULL) { 2425 *_previous_nt_hash = NULL; 2426 _prev_pw = &prev_pw; 2427 } 2428 2429 ok = get_trust_pw_clear2(domain, account_name, channel, 2430 &cur_pw, last_set_time, _prev_pw); 2431 if (ok) { 2432 struct samr_Password *previous_nt_hash = NULL; 2433 2434 E_md4hash(cur_pw, current_nt_hash->hash); 2435 SAFE_FREE(cur_pw); 2436 2437 if (prev_pw == NULL) { 2438 return true; 2439 } 2440 2441 previous_nt_hash = SMB_MALLOC_P(struct samr_Password); 2442 if (previous_nt_hash == NULL) { 2443 return false; 2444 } 2445 2446 E_md4hash(prev_pw, previous_nt_hash->hash); 2447 SAFE_FREE(prev_pw); 2448 2449 *_previous_nt_hash = previous_nt_hash; 2450 return true; 2451 } else if (is_dc_trusted_domain_situation(domain)) { 2452 return false; 2453 } 2454 2455 /* as a fallback, try to get the hashed pwd directly from the tdb... */ 2456 2457 if (secrets_fetch_trust_account_password_legacy(domain, 2458 current_nt_hash->hash, 2459 last_set_time, 2460 channel)) 2461 { 2462 if (account_name != NULL) { 2463 *account_name = lp_netbios_name(); 2464 } 2465 2466 return true; 2467 } 2468 2469 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account " 2470 "password for domain %s\n", domain)); 2471 return False; 2472 } 2473 2374 2474 bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16], 2375 2475 const char **account_name, 2376 2476 enum netr_SchannelType *channel) 2377 2477 { 2378 char *pwd = NULL; 2478 struct samr_Password current_nt_hash; 2479 bool ok; 2480 2481 ok = get_trust_pw_hash2(domain, account_name, channel, 2482 ¤t_nt_hash, NULL, NULL); 2483 if (!ok) { 2484 return false; 2485 } 2486 2487 memcpy(ret_pwd, current_nt_hash.hash, sizeof(current_nt_hash.hash)); 2488 return true; 2489 } 2490 2491 NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, 2492 const char *dns_domain, /* optional */ 2493 TALLOC_CTX *mem_ctx, 2494 struct cli_credentials **_creds) 2495 { 2496 TALLOC_CTX *frame = talloc_stackframe(); 2497 NTSTATUS status = NT_STATUS_INTERNAL_ERROR; 2498 struct loadparm_context *lp_ctx; 2499 enum netr_SchannelType channel; 2379 2500 time_t last_set_time; 2380 2381 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) { 2382 E_md4hash(pwd, ret_pwd); 2383 SAFE_FREE(pwd); 2384 return true; 2385 } else if (is_dc_trusted_domain_situation(domain)) { 2386 return false; 2387 } 2388 2389 /* as a fallback, try to get the hashed pwd directly from the tdb... */ 2390 2391 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd, 2392 &last_set_time, 2393 channel)) 2394 { 2395 if (account_name != NULL) { 2396 *account_name = global_myname(); 2397 } 2398 2399 return true; 2400 } 2401 2402 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account " 2403 "password for domain %s\n", domain)); 2404 return False; 2405 } 2501 const char *_account_name; 2502 const char *account_name; 2503 char *cur_pw = NULL; 2504 char *prev_pw = NULL; 2505 struct samr_Password cur_nt_hash; 2506 struct cli_credentials *creds = NULL; 2507 bool ok; 2508 2509 /* 2510 * If this is our primary trust relationship, use the common 2511 * code to read the secrets.ldb or secrets.tdb file. 2512 */ 2513 if (strequal(netbios_domain, lp_workgroup())) { 2514 struct db_context *db_ctx = secrets_db_ctx(); 2515 if (db_ctx == NULL) { 2516 DEBUG(1, ("failed to open secrets.tdb to obtain our trust credentials for %s\n", 2517 netbios_domain)); 2518 status = NT_STATUS_INTERNAL_ERROR; 2519 goto fail; 2520 } 2521 2522 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); 2523 if (lp_ctx == NULL) { 2524 DEBUG(1, ("loadparm_init_s3 failed\n")); 2525 status = NT_STATUS_INTERNAL_ERROR; 2526 goto fail; 2527 } 2528 2529 creds = cli_credentials_init(mem_ctx); 2530 if (creds == NULL) { 2531 status = NT_STATUS_NO_MEMORY; 2532 goto fail; 2533 } 2534 2535 cli_credentials_set_conf(creds, lp_ctx); 2536 2537 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED); 2538 if (!ok) { 2539 status = NT_STATUS_NO_MEMORY; 2540 goto fail; 2541 } 2542 2543 status = cli_credentials_set_machine_account_db_ctx(creds, 2544 lp_ctx, 2545 db_ctx); 2546 if (!NT_STATUS_IS_OK(status)) { 2547 goto fail; 2548 } 2549 goto done; 2550 } else if (!IS_DC) { 2551 DEBUG(1, ("Refusing to get trust account info for %s, " 2552 "which is not our primary domain %s, " 2553 "as we are not a DC\n", 2554 netbios_domain, lp_workgroup())); 2555 status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 2556 goto fail; 2557 } 2558 2559 status = pdb_get_trusteddom_creds(netbios_domain, mem_ctx, &creds); 2560 if (NT_STATUS_IS_OK(status)) { 2561 goto done; 2562 } 2563 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { 2564 goto fail; 2565 } 2566 2567 ok = get_trust_pw_clear2(netbios_domain, 2568 &_account_name, 2569 &channel, 2570 &cur_pw, 2571 &last_set_time, 2572 &prev_pw); 2573 if (!ok) { 2574 ok = get_trust_pw_hash2(netbios_domain, 2575 &_account_name, 2576 &channel, 2577 &cur_nt_hash, 2578 &last_set_time, 2579 NULL); 2580 if (!ok) { 2581 DEBUG(1, ("get_trust_pw_*2 failed for domain[%s]\n", 2582 netbios_domain)); 2583 status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 2584 goto fail; 2585 } 2586 } 2587 2588 account_name = talloc_asprintf(frame, "%s$", _account_name); 2589 if (account_name == NULL) { 2590 status = NT_STATUS_NO_MEMORY; 2591 goto fail; 2592 } 2593 2594 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); 2595 if (lp_ctx == NULL) { 2596 DEBUG(1, ("loadparm_init_s3 failed\n")); 2597 status = NT_STATUS_INTERNAL_ERROR; 2598 goto fail; 2599 } 2600 2601 creds = cli_credentials_init(mem_ctx); 2602 if (creds == NULL) { 2603 status = NT_STATUS_NO_MEMORY; 2604 goto fail; 2605 } 2606 2607 cli_credentials_set_conf(creds, lp_ctx); 2608 2609 cli_credentials_set_secure_channel_type(creds, channel); 2610 cli_credentials_set_password_last_changed_time(creds, last_set_time); 2611 2612 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED); 2613 if (!ok) { 2614 status = NT_STATUS_NO_MEMORY; 2615 goto fail; 2616 } 2617 2618 if (dns_domain != NULL) { 2619 ok = cli_credentials_set_realm(creds, dns_domain, CRED_SPECIFIED); 2620 if (!ok) { 2621 status = NT_STATUS_NO_MEMORY; 2622 goto fail; 2623 } 2624 } 2625 2626 ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED); 2627 if (!ok) { 2628 status = NT_STATUS_NO_MEMORY; 2629 goto fail; 2630 } 2631 2632 if (cur_pw == NULL) { 2633 ok = cli_credentials_set_nt_hash(creds, &cur_nt_hash, CRED_SPECIFIED); 2634 if (!ok) { 2635 status = NT_STATUS_NO_MEMORY; 2636 goto fail; 2637 } 2638 goto done; 2639 } 2640 2641 ok = cli_credentials_set_password(creds, cur_pw, CRED_SPECIFIED); 2642 if (!ok) { 2643 status = NT_STATUS_NO_MEMORY; 2644 goto fail; 2645 } 2646 2647 if (prev_pw != NULL) { 2648 ok = cli_credentials_set_old_password(creds, prev_pw, CRED_SPECIFIED); 2649 if (!ok) { 2650 status = NT_STATUS_NO_MEMORY; 2651 goto fail; 2652 } 2653 } 2654 2655 done: 2656 *_creds = creds; 2657 creds = NULL; 2658 status = NT_STATUS_OK; 2659 fail: 2660 TALLOC_FREE(creds); 2661 SAFE_FREE(cur_pw); 2662 SAFE_FREE(prev_pw); 2663 TALLOC_FREE(frame); 2664 return status; 2665 }
Note:
See TracChangeset
for help on using the changeset viewer.
