it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "system/passwd.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
char *pserver = NULL;
bool connected_ok = False;
struct named_mutex *mutex = NULL;
+ NTSTATUS status;
if (!(cli = cli_initialise()))
return NULL;
p = pserver;
while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) {
- NTSTATUS status;
desthost = talloc_sub_basic(mem_ctx,
current_user_info.smb_name,
}
strupper_m(desthost);
- if(!resolve_name( desthost, &dest_ss, 0x20)) {
+ if(!resolve_name( desthost, &dest_ss, 0x20, false)) {
DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
continue;
}
- if (ismyaddr(&dest_ss)) {
+ if (ismyaddr((struct sockaddr *)&dest_ss)) {
DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
continue;
}
DEBUG(3,("got session\n"));
- if (!cli_negprot(cli)) {
+ status = cli_negprot(cli);
+
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(mutex);
- DEBUG(1,("%s rejected the negprot\n",desthost));
+ DEBUG(1, ("%s rejected the negprot: %s\n",
+ desthost, nt_errstr(status)));
cli_shutdown(cli);
return NULL;
}
this one...
*/
- if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0,
- ""))) {
+ status = cli_session_setup(cli, "", "", 0, "", 0, "");
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(mutex);
DEBUG(0,("%s rejected the initial session setup (%s)\n",
- desthost, cli_errstr(cli)));
+ desthost, nt_errstr(status)));
cli_shutdown(cli);
return NULL;
}
interval.tv_sec = lp_keepalive();
interval.tv_usec = 0;
- if (event_add_idle(smbd_event_context(), result, interval,
+ if (event_add_idle(server_event_context(), result, interval,
"server_security_keepalive",
send_server_keepalive,
result) == NULL) {
TALLOC_CTX *mem_ctx)
{
struct cli_state *cli = server_cryptkey(mem_ctx);
-
+
if (cli) {
DEBUG(3,("using password server validation\n"));
/* We can't work with unencrypted password servers
unless 'encrypt passwords = no' */
DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
-
+
/* However, it is still a perfectly fine connection
to pass that unencrypted password over */
*my_private_data =
/* The return must be allocated on the caller's mem_ctx, as our own will be
destoyed just after the call. */
- return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8);
+ return data_blob_talloc((TALLOC_CTX *)auth_context, cli->secblob.data,8);
} else {
return data_blob_null;
}
static NTSTATUS check_smbserver_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
{
struct server_security_state *state = talloc_get_type_abort(
my_private_data, struct server_security_state);
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
bool locally_made_cli = False;
+ DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
+
cli = state->cli;
-
+
if (cli) {
} else {
cli = server_cryptkey(mem_ctx);
DEBUG(1,("password server is not connected (cli not initialised)\n"));
return NT_STATUS_LOGON_FAILURE;
}
-
+
if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- if (user_info->encrypted) {
+ if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
return NT_STATUS_LOGON_FAILURE;
}
memset(badpass, 0x1f, sizeof(badpass));
- if((user_info->nt_resp.length == sizeof(badpass)) &&
- !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
+ if((user_info->password.response.nt.length == sizeof(badpass)) &&
+ !memcmp(badpass, user_info->password.response.nt.data, sizeof(badpass))) {
/*
* Very unlikely, our random bad password is the same as the users
* password.
sizeof(badpass),
(char *)badpass,
sizeof(badpass),
- user_info->domain))) {
+ user_info->mapped.domain_name))) {
/*
* We connected to the password server so we
* Now we know the password server will correctly set the guest bit, or is
* not guest enabled, we can try with the real password.
*/
-
- if (!user_info->encrypted) {
+ switch (user_info->password_state) {
+ case AUTH_PASSWORD_PLAIN:
/* Plaintext available */
nt_status = cli_session_setup(
- cli, user_info->smb_name,
- (char *)user_info->plaintext_password.data,
- user_info->plaintext_password.length,
- NULL, 0, user_info->domain);
-
- } else {
+ cli, user_info->client.account_name,
+ user_info->password.plaintext,
+ strlen(user_info->password.plaintext),
+ NULL, 0, user_info->mapped.domain_name);
+ break;
+
+ /* currently the hash values include a challenge-response as well */
+ case AUTH_PASSWORD_HASH:
+ case AUTH_PASSWORD_RESPONSE:
nt_status = cli_session_setup(
- cli, user_info->smb_name,
- (char *)user_info->lm_resp.data,
- user_info->lm_resp.length,
- (char *)user_info->nt_resp.data,
- user_info->nt_resp.length,
- user_info->domain);
+ cli, user_info->client.account_name,
+ (char *)user_info->password.response.lanman.data,
+ user_info->password.response.lanman.length,
+ (char *)user_info->password.response.nt.data,
+ user_info->password.response.nt.length,
+ user_info->mapped.domain_name);
+ break;
+ default:
+ DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
+ nt_status = NT_STATUS_INTERNAL_ERROR;
}
if (!NT_STATUS_IS_OK(nt_status)) {
cli_ulogoff(cli);
if (NT_STATUS_IS_OK(nt_status)) {
- fstring real_username;
- struct passwd *pass;
+ char *real_username = NULL;
+ struct passwd *pass = NULL;
- if ( (pass = smb_getpwnam( NULL, user_info->internal_username,
- real_username, True )) != NULL )
+ if ( (pass = smb_getpwnam(talloc_tos(), user_info->mapped.account_name,
+ &real_username, True )) != NULL )
{
- /* if a real user check pam account restrictions */
- /* only really perfomed if "obey pam restriction" is true */
- nt_status = smb_pam_accountcheck(pass->pw_name);
- if ( !NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("PAM account restriction prevents user login\n"));
- } else {
-
- nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
- }
+ nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
TALLOC_FREE(pass);
+ TALLOC_FREE(real_username);
}
else
{
static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
{
- if (!make_auth_methods(auth_context, auth_method)) {
+ struct auth_methods *result;
+
+ result = TALLOC_ZERO_P(auth_context, struct auth_methods);
+ if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
- (*auth_method)->name = "smbserver";
- (*auth_method)->auth = check_smbserver_security;
- (*auth_method)->get_chal = auth_get_challenge_server;
+ result->name = "smbserver";
+ result->auth = check_smbserver_security;
+ result->get_chal = auth_get_challenge_server;
+
+ *auth_method = result;
return NT_STATUS_OK;
}
git.samba.org / kai / samba.git / blobdiff