Support for server level security.
****************************************************************************/
-static struct smbcli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
+static struct smbcli_state *server_cryptkey(TALLOC_CTX *mem_ctx, int maxprotocol)
{
struct smbcli_state *cli = NULL;
fstring desthost;
DEBUG(3,("got session\n"));
- if (!smbcli_negprot(cli, lp_cli_maxprotocol(global_loadparm))) {
+ if (!smbcli_negprot(cli, maxprotocol)) {
DEBUG(1,("%s rejected the negprot\n",desthost));
release_server_mutex();
talloc_free(cli);
void **my_private_data,
TALLOC_CTX *mem_ctx)
{
- struct smbcli_state *cli = server_cryptkey(mem_ctx);
+ struct smbcli_state *cli = server_cryptkey(mem_ctx, lp_cli_maxprotocol(auth_context->lp_ctx));
if (cli) {
DEBUG(3,("using password server validation\n"));
if (cli) {
} else {
- cli = server_cryptkey(mem_ctx);
+ cli = server_cryptkey(mem_ctx, lp_cli_maxprotocol(auth_context->lp_ctx));
locally_made_cli = true;
}
/*
* PAM Authentication Handler
*/
-static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
+static NTSTATUS smb_pam_auth(pam_handle_t *pamh, bool allow_null_passwords, const char *user)
{
int pam_error;
DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
- pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords(global_loadparm) ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
+ pam_error = pam_authenticate(pamh, PAM_SILENT | allow_null_passwords ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
switch( pam_error ){
case PAM_AUTH_ERR:
DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
return nt_status;
}
- nt_status = smb_pam_auth(pamh, user_info->mapped.account_name);
+ nt_status = smb_pam_auth(pamh, lp_null_passwords(lp_ctx), user_info->mapped.account_name);
if (!NT_STATUS_IS_OK(nt_status)) {
smb_pam_end(pamh);
return nt_status;
}
/* don't allow "" as a domain, fixes a Win9X bug
- where it doens't supply a domain for logon script
+ where it doesn't supply a domain for logon script
'net use' commands. */
/* Split user@realm names into user and realm components. This is TODO to fix with proper userprincipalname support */
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
const char *filter)
if (!ldb) {
/* Local secrets are stored in secrets.ldb */
- ldb = secrets_db_connect(mem_ctx, global_loadparm);
+ ldb = secrets_db_connect(mem_ctx, lp_ctx);
if (!ldb) {
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
- keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, global_loadparm, keytab));
+ keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab));
if (keytab) {
cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
}
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, NULL, SECRETS_PRIMARY_DOMAIN_DN,
+ return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRIMARY_DOMAIN_DN,
filter);
}
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN,
+ return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRINCIPALS_DN,
filter);
}
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN,
+ return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRINCIPALS_DN,
filter);
}
session_info->session_key = server_info->user_session_key;
nt_status = security_token_create(session_info,
+ global_loadparm,
server_info->account_sid,
server_info->primary_group_sid,
server_info->n_domain_groups,
return LDB_ERR_OPERATIONS_ERROR;
}
- if (lp_parm_bool(global_loadparm, NULL, "password_hash", "create_aes_key", false)) {
+ if (lp_parm_bool(ldb_get_opaque(io->ac->module->ldb, "loadparm"), NULL, "password_hash", "create_aes_key", false)) {
/*
* TODO:
*
return LDB_ERR_OPERATIONS_ERROR;
}
- cli_credentials_set_conf(item->creds, global_loadparm);
- status = cli_credentials_set_secrets(item->creds, module->ldb, NULL, filter);
+ cli_credentials_set_conf(item->creds, ldb_get_opaque(module->ldb, "loadparm"));
+ status = cli_credentials_set_secrets(item->creds, ldb_get_opaque(module->ldb, "loadparm"), module->ldb, NULL, filter);
talloc_free(filter);
if (NT_STATUS_IS_OK(status)) {
if (delete) {
Create the SID list for this user.
****************************************************************************/
NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
struct dom_sid *user_sid,
struct dom_sid *group_sid,
int n_groupSIDs,
}
/* setup the privilege mask for this token */
- status = samdb_privilege_setup(ptoken);
+ status = samdb_privilege_setup(lp_ctx, ptoken);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(ptoken);
return status;
setup the privilege mask for this security token based on our
local SAM
*/
-_PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token)
+_PUBLIC_ NTSTATUS samdb_privilege_setup(struct loadparm_context *lp_ctx, struct security_token *token)
{
void *samctx;
TALLOC_CTX *mem_ctx;
}
mem_ctx = talloc_new(token);
- samctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx));
+ samctx = samdb_connect(mem_ctx, lp_ctx, system_session(mem_ctx));
if (samctx == NULL) {
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
/*
setup our listening sockets on the configured network interfaces
*/
-static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc)
+static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_context *lp_ctx)
{
int num_interfaces = iface_count();
TALLOC_CTX *tmp_ctx = talloc_new(kdc);
for (i=0; i<num_interfaces; i++) {
const char *address = talloc_strdup(tmp_ctx, iface_n_ip(i));
- status = kdc_add_socket(kdc, address, lp_krb5_port(global_loadparm),
- lp_kpasswd_port(global_loadparm));
+ status = kdc_add_socket(kdc, address, lp_krb5_port(lp_ctx),
+ lp_kpasswd_port(lp_ctx));
NT_STATUS_NOT_OK_RETURN(status);
}
NTSTATUS status;
krb5_error_code ret;
- switch (lp_server_role(global_loadparm)) {
+ switch (lp_server_role(task->lp_ctx)) {
case ROLE_STANDALONE:
task_server_terminate(task, "kdc: no KDC required in standalone configuration");
return;
kdc_mem_ctx = kdc->smb_krb5_context;
/* start listening on the configured network interfaces */
- status = kdc_startup_interfaces(kdc);
+ status = kdc_startup_interfaces(kdc, task->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc failed to setup interfaces");
return;
status = crack_auto_name_to_nt4_name(call, req->dn, &nt4_domain, &nt4_account);
if (NT_STATUS_IS_OK(status)) {
- status = authenticate_username_pw(global_loadparm, call,
+ status = authenticate_username_pw(call,
call->conn->connection->event.ctx,
call->conn->connection->msg_ctx,
+ global_loadparm,
nt4_domain, nt4_account,
req->creds.password,
&session_info);
talloc_free(ldb);
return NULL;
}
+
+ if (ldb_set_opaque(ldb, "loadparm", lp_ctx)) {
+ talloc_free(ldb);
+ return NULL;
+ }
if (strcmp(lp_sam_url(lp_ctx), url) == 0) {
dsdb_set_global_schema(ldb);