This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
NTSTATUS result;
struct rpc_pipe_client *netlogon_pipe = NULL;
+ *cli = NULL;
+
*pipe_ret = NULL;
/* TODO: Send a SAMLOGON request to determine whether this is a valid
result = NT_STATUS_NO_LOGON_SERVERS;
}
+ if (*cli) {
+ cli_shutdown(*cli);
+ *cli = NULL;
+ }
+
release_server_mutex();
return result;
}
DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
cli_shutdown(*cli);
+ *cli = NULL;
release_server_mutex();
return result;
}
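Review bot: The error exit `cli_shutdown(*cli); *cli = NULL; release_server_mutex(); return …;` is now repeated verbatim here and at the exits that follow the trust-password fetch, the `rpccli_netlogon_setup_creds` failure and the final DEBUG(0) block further down; a single `goto fail;` cleanup label at the end of connect_to_domain_password_server would keep the `*cli = NULL` reset — the thing this commit adds — from being missed on the next exit path someone introduces. The enclosing function starts outside this hunk.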
"trust account password for domain '%s'\n",
domain));
cli_shutdown(*cli);
+ *cli = NULL;
release_server_mutex();
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
result = rpccli_netlogon_setup_creds(netlogon_pipe,
- dc_name,
- domain,
- global_myname(),
+ dc_name, /* server name */
+ domain, /* domain */
+ global_myname(), /* client name */
+ global_myname(), /* machine account name */
machine_pwd,
sec_chan_type,
&neg_flags);
if (!NT_STATUS_IS_OK(result)) {
cli_shutdown(*cli);
+ *cli = NULL;
release_server_mutex();
return result;
}
DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli)));
cli_shutdown(*cli);
+ *cli = NULL;
release_server_mutex();
return NT_STATUS_NO_LOGON_SERVERS;
}
return nt_status;
}
+ /* store a successful connection */
+
+ saf_store( domain, cli->desthost );
+
ZERO_STRUCT(info3);
/*
*/
nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- mem_ctx,
- dc_name, /* server name */
- user_info->smb_name.str, /* user name logging on. */
- user_info->domain.str, /* domain name */
- user_info->wksta_name.str, /* workstation name */
- chal, /* 8 byte challenge. */
- user_info->lm_resp, /* lanman 24 byte response */
- user_info->nt_resp, /* nt 24 byte response */
- &info3); /* info3 out */
+ mem_ctx,
+ user_info->logon_parameters,/* flags such as 'allow workstation logon' */
+ dc_name, /* server name */
+ user_info->smb_name, /* user name logging on. */
+ user_info->client_domain, /* domain name */
+ user_info->wksta_name, /* workstation name */
+ chal, /* 8 byte challenge. */
+ user_info->lm_resp, /* lanman 24 byte response */
+ user_info->nt_resp, /* nt 24 byte response */
+ &info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("domain_client_validate: unable to validate password "
"for user %s in domain %s to Domain controller %s. "
- "Error was %s.\n", user_info->smb_name.str,
- user_info->domain.str, dc_name,
+ "Error was %s.\n", user_info->smb_name,
+ user_info->domain, dc_name,
nt_errstr(nt_status)));
/* map to something more useful */
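Review bot: The logon request is sent with `user_info->client_domain, /* domain name */`, but the failure message a few lines later prints `user_info->domain`, so whenever the two differ the log records a domain the DC was never asked about and a failed logon cannot be correlated with the DC's own audit trail. Logging the field that was actually sent, `"Error was %s.\n", user_info->smb_name,` followed by `user_info->client_domain, dc_name,`, or printing both fields, keeps the record consistent; whether the two can differ in practice is not visible in this hunk. domain_client_validate's body begins before this hunk.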
}
} else {
nt_status = make_server_info_info3(mem_ctx,
- user_info->internal_username.str,
- user_info->smb_name.str,
+ user_info->smb_name,
domain,
server_info,
&info3);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*server_info)->was_mapped |= user_info->was_mapped;
+
+ if ( ! (*server_info)->guest) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ cli_shutdown(cli);
+ return nt_status;
+ }
+ }
+ }
+
+ netsamlogon_cache_store( user_info->smb_name, &info3 );
}
/* Note - once the cli stream is shutdown the mem_ctx used
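Review bot: The PAM denial at `DEBUG(1, ("PAM account restriction prevents user login\n"));` does not say which account was refused, so an operator reviewing a failed logon has to reconstruct it from neighbouring lines; `DEBUG(1, ("PAM account restriction prevents user login for %s\n", (*server_info)->unix_name));` records it directly, and `unix_name` is already dereferenced on the line above. On that same path the function returns a failure status after `*server_info` has been filled in by make_server_info_info3; presumably callers discard it on a non-OK status, which is worth confirming since the comment that closes this hunk ties a mem_ctx lifetime to the cli shutdown. The rest of the function lies outside the hunk.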
* password file.
*/
- if(strequal(get_global_sam_name(), user_info->domain.str)) {
+ if(strequal(get_global_sam_name(), user_info->domain)) {
DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
return NT_STATUS_NOT_IMPLEMENTED;
}
if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) {
DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n",
- user_info->domain.str));
+ user_info->domain));
return NT_STATUS_NO_LOGON_SERVERS;
}
* Check that the requested domain is not our own machine name or domain name.
*/
- if( strequal(get_global_sam_name(), user_info->domain.str)) {
+ if( strequal(get_global_sam_name(), user_info->domain)) {
DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n",
- user_info->domain.str));
+ user_info->domain));
return NT_STATUS_NOT_IMPLEMENTED;
}
The logic is that if we know nothing about the domain, that
user is not known to us and does not exist */
- if ( !is_trusted_domain( user_info->domain.str ) )
+ if ( !is_trusted_domain( user_info->domain ) )
return NT_STATUS_NOT_IMPLEMENTED;
/*
* No need to become_root() as secrets_init() is done at startup.
*/
- if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password,
- &sid, &last_change_time)) {
- DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
+ if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password,
+ &sid, &last_change_time)) {
+ DEBUG(0, ("check_trustdomain_security: could not fetch trust "
+ "account password for domain %s\n",
+ user_info->domain));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
#ifdef DEBUG_PASSWORD
- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password));
+ DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain,
+ trust_password));
#endif
E_md4hash(trust_password, trust_md4_password);
SAFE_FREE(trust_password);
#if 0
/* Test if machine password is expired and need to be changed */
- if (time(NULL) > last_change_time + lp_machine_password_timeout())
+ if (time(NULL) > last_change_time + (time_t)lp_machine_password_timeout())
{
global_machine_password_needs_changing = True;
}
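Review bot: `E_md4hash(trust_password, trust_md4_password);` is followed by `SAFE_FREE(trust_password);` with no scrub of the plaintext trust-account password, so the secret remains in freed heap memory until that memory is reused, and when built with `DEBUG_PASSWORD` the DEBUG(100) above writes it verbatim to the log. Overwriting the buffer first — `memset(trust_password, 0, strlen(trust_password));` immediately before the `SAFE_FREE` — shortens its lifetime; a plain memset right before free may be optimized away, so the project's explicit secure-clear helper is preferable if one exists. The derived `trust_md4_password` deserves the same treatment once it is no longer needed, but its later uses are outside this hunk. check_trustdomain_security's body begins before this hunk.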
/* use get_dc_name() for consistency even through we know that it will be
a netbios name */
- if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) {
+ if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ip) ) {
DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
- user_info->domain.str));
+ user_info->domain));
return NT_STATUS_NO_LOGON_SERVERS;
}
nt_status = domain_client_validate(mem_ctx,
user_info,
- user_info->domain.str,
+ user_info->domain,
(uchar *)auth_context->challenge.data,
server_info,
dc_name,