This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
+static_decl_auth;
+
static struct auth_init_function_entry *backends = NULL;
static struct auth_init_function_entry *auth_find_backend_entry(const char *name);
return NT_STATUS_OBJECT_NAME_COLLISION;
}
- entry = smb_xmalloc(sizeof(struct auth_init_function_entry));
+ entry = SMB_XMALLOC_P(struct auth_init_function_entry);
entry->name = smb_xstrdup(name);
entry->init = init;
struct auth_init_function_entry *entry = backends;
while(entry) {
- if (strequal(entry->name, name)) return entry;
+ if (strcmp(entry->name, name)==0) return entry;
entry = entry->next;
}
static const uint8 *get_ntlm_challenge(struct auth_context *auth_context)
{
- DATA_BLOB challenge = data_blob(NULL, 0);
+ DATA_BLOB challenge = data_blob_null;
const char *challenge_set_by = NULL;
auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
return auth_context->challenge.data;
}
+ auth_context->challenge_may_be_modified = False;
+
for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
if (auth_method->get_chal == NULL) {
DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
if (!challenge_set_by) {
uchar chal[8];
- generate_random_buffer(chal, sizeof(chal), False);
+ generate_random_buffer(chal, sizeof(chal));
auth_context->challenge = data_blob_talloc(auth_context->mem_ctx,
chal, sizeof(chal));
challenge_set_by = "random";
+ auth_context->challenge_may_be_modified = True;
}
DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
* function auth_get_challenge().
*
* @param server_info If successful, contains information about the authentication,
- * including a SAM_ACCOUNT struct describing the user.
+ * including a struct samu struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
-
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- const char *pdb_username;
+ /* if all the modules say 'not for me' this is reasonable */
+ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ const char *unix_username;
auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
return NT_STATUS_LOGON_FAILURE;
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
- user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+ user_info->client_domain, user_info->smb_name, user_info->wksta_name));
DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
- user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+ user_info->domain, user_info->internal_username, user_info->wksta_name));
if (auth_context->challenge.length != 8) {
DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
#ifdef DEBUG_PASSWORD
DEBUG(100, ("user_info has passwords of length %d and %d\n",
- user_info->lm_resp.length, user_info->nt_resp.length));
+ (int)user_info->lm_resp.length, (int)user_info->nt_resp.length));
DEBUG(100, ("lm:\n"));
dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length);
DEBUG(100, ("nt:\n"));
#endif
/* This needs to be sorted: If it doesn't match, what should we do? */
- if (!check_domain_match(user_info->smb_name.str, user_info->domain.str))
+ if (!check_domain_match(user_info->smb_name, user_info->domain))
return NT_STATUS_LOGON_FAILURE;
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
+ NTSTATUS result;
+
mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
- user_info->domain.str, user_info->smb_name.str);
+ user_info->domain, user_info->smb_name);
+
+ result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+
+ /* check if the module did anything */
+ if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
+ DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
+ talloc_destroy(mem_ctx);
+ continue;
+ }
+
+ nt_status = result;
- nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n",
- auth_method->name, user_info->smb_name.str));
+ DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
+ auth_method->name, user_info->smb_name));
} else {
DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
- auth_method->name, user_info->smb_name.str, nt_errstr(nt_status)));
+ auth_method->name, user_info->smb_name, nt_errstr(nt_status)));
}
talloc_destroy(mem_ctx);
- if (NT_STATUS_IS_OK(nt_status))
- break;
+ if ( NT_STATUS_IS_OK(nt_status))
+ {
+ break;
+ }
}
- /* This is one of the few places the *relies* (rather than just sets defaults
- on the value of lp_security(). This needs to change. A new paramater
- perhaps? */
- if (lp_security() >= SEC_SERVER)
- smb_user_control(user_info, *server_info, nt_status);
-
+ /* successful authentication */
+
if (NT_STATUS_IS_OK(nt_status)) {
- pdb_username = pdb_get_username((*server_info)->sam_account);
+ unix_username = (*server_info)->unix_name;
if (!(*server_info)->guest) {
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(pdb_username);
+ nt_status = smb_pam_accountcheck(unix_username);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] suceeded\n",
- pdb_username));
+ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n",
+ unix_username));
} else {
DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n",
- pdb_username, nt_errstr(nt_status)));
+ unix_username, nt_errstr(nt_status)));
}
}
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG((*server_info)->guest ? 5 : 2,
- ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n",
+ ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
(*server_info)->guest ? "guest " : "",
- user_info->smb_name.str,
- user_info->internal_username.str,
- pdb_username));
+ user_info->smb_name,
+ user_info->internal_username,
+ unix_username));
}
+
+ return nt_status;
}
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
- user_info->smb_name.str, user_info->internal_username.str,
- nt_errstr(nt_status)));
- ZERO_STRUCTP(server_info);
- }
+
+ /* failed authentication; check for guest lapping */
+
+ DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
+ user_info->smb_name, user_info->internal_username,
+ nt_errstr(nt_status)));
+ ZERO_STRUCTP(server_info);
+
return nt_status;
}
static void free_auth_context(struct auth_context **auth_context)
{
- if (*auth_context != NULL)
+ auth_methods *auth_method;
+
+ if (*auth_context) {
+ /* Free private data of context's authentication methods */
+ for (auth_method = (*auth_context)->auth_method_list; auth_method; auth_method = auth_method->next) {
+ TALLOC_FREE(auth_method->private_data);
+ }
+
talloc_destroy((*auth_context)->mem_ctx);
- *auth_context = NULL;
+ *auth_context = NULL;
+ }
}
/***************************************************************************
mem_ctx = talloc_init("authentication context");
- *auth_context = talloc(mem_ctx, sizeof(**auth_context));
+ *auth_context = TALLOC_P(mem_ctx, struct auth_context);
if (!*auth_context) {
DEBUG(0,("make_auth_context: talloc failed!\n"));
talloc_destroy(mem_ctx);
if (p) {
*p = 0;
module_params = p+1;
- trim_string(module_params, " ", " ");
+ trim_char(module_params, ' ', ' ');
}
- trim_string(module_name, " ", " ");
+ trim_char(module_name, ' ', ' ');
entry = auth_find_backend_entry(module_name);
{
auth_methods *list = NULL;
auth_methods *t = NULL;
- auth_methods *tmp;
NTSTATUS nt_status;
if (!text_list) {
for (;*text_list; text_list++) {
if (load_auth_module(*auth_context, *text_list, &t)) {
- DLIST_ADD_END(list, t, tmp);
+ DLIST_ADD_END(list, t, auth_methods *);
}
}
break;
case SEC_USER:
if (lp_encrypted_passwords()) {
- DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make("guest sam", NULL);
+ if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
+ DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL);
+ } else {
+ DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam", NULL);
+ }
} else {
DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
auth_method_list = str_list_make("guest unix", NULL);
return nt_status;
}
- (*auth_context)->challenge = data_blob(chal, 8);
+ (*auth_context)->challenge = data_blob_talloc((*auth_context)->mem_ctx, chal, 8);
(*auth_context)->challenge_set_by = "fixed";
return nt_status;
}