9af4410a93a63f0927e27d6e428d0d8e142e31f6
[samba.git] / source4 / auth / auth_util.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Andrew Bartlett 2001
6    Copyright (C) Jeremy Allison 2000-2001
7    Copyright (C) Rafal Szczesniak 2002
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/ndr_samr.h"
26 #include "librpc/gen_ndr/ndr_netlogon.h"
27 #include "librpc/gen_ndr/ndr_security.h"
28 #include "auth/auth.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_AUTH
32
33 /****************************************************************************
34  Create an auth_usersupplied_data structure
35 ****************************************************************************/
36 static NTSTATUS make_user_info(TALLOC_CTX *mem_ctx,
37                                struct auth_usersupplied_info **user_info, 
38                                const char *smb_name, 
39                                const char *internal_username,
40                                const char *client_domain, 
41                                const char *domain,
42                                const char *wksta_name, 
43                                DATA_BLOB *lm_password, DATA_BLOB *nt_password,
44                                DATA_BLOB *lm_interactive_password, DATA_BLOB *nt_interactive_password,
45                                DATA_BLOB *plaintext, 
46                                BOOL encrypted)
47 {
48
49         DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
50
51         *user_info = talloc_p(mem_ctx, struct auth_usersupplied_info);
52         if (!user_info) {
53                 return NT_STATUS_NO_MEMORY;
54         }
55
56         ZERO_STRUCTP(*user_info);
57
58         DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
59
60         (*user_info)->smb_name.str = talloc_strdup(*user_info, smb_name);
61         if ((*user_info)->smb_name.str) { 
62                 (*user_info)->smb_name.len = strlen(smb_name);
63         } else {
64                 free_user_info(user_info);
65                 return NT_STATUS_NO_MEMORY;
66         }
67         
68         (*user_info)->internal_username.str = talloc_strdup(*user_info, internal_username);
69         if ((*user_info)->internal_username.str) { 
70                 (*user_info)->internal_username.len = strlen(internal_username);
71         } else {
72                 free_user_info(user_info);
73                 return NT_STATUS_NO_MEMORY;
74         }
75
76         (*user_info)->domain.str = talloc_strdup(*user_info, domain);
77         if ((*user_info)->domain.str) { 
78                 (*user_info)->domain.len = strlen(domain);
79         } else {
80                 free_user_info(user_info);
81                 return NT_STATUS_NO_MEMORY;
82         }
83
84         (*user_info)->client_domain.str = talloc_strdup(*user_info, client_domain);
85         if ((*user_info)->client_domain.str) { 
86                 (*user_info)->client_domain.len = strlen(client_domain);
87         } else {
88                 free_user_info(user_info);
89                 return NT_STATUS_NO_MEMORY;
90         }
91
92         (*user_info)->wksta_name.str = talloc_strdup(*user_info, wksta_name);
93         if ((*user_info)->wksta_name.str) { 
94                 (*user_info)->wksta_name.len = strlen(wksta_name);
95         } else {
96                 free_user_info(user_info);
97                 return NT_STATUS_NO_MEMORY;
98         }
99
100         DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
101
102         if (lm_password)
103                 (*user_info)->lm_resp = data_blob_talloc(*user_info, 
104                                                          lm_password->data, 
105                                                          lm_password->length);
106         if (nt_password)
107                 (*user_info)->nt_resp = data_blob_talloc(*user_info,
108                                                          nt_password->data, 
109                                                          nt_password->length);
110         if (lm_interactive_password)
111                 (*user_info)->lm_interactive_password = 
112                         data_blob_talloc(*user_info,
113                                          lm_interactive_password->data, 
114                                          lm_interactive_password->length);
115         if (nt_interactive_password)
116                 (*user_info)->nt_interactive_password = 
117                         data_blob_talloc(*user_info, 
118                                          nt_interactive_password->data, 
119                                          nt_interactive_password->length);
120
121         if (plaintext)
122                 (*user_info)->plaintext_password = 
123                         data_blob_talloc(*user_info, 
124                                          plaintext->data, 
125                                          plaintext->length);
126
127         (*user_info)->encrypted = encrypted;
128
129         DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
130
131         return NT_STATUS_OK;
132 }
133
134 /****************************************************************************
135  Create an auth_usersupplied_data structure after appropriate mapping.
136 ****************************************************************************/
137
138 NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
139                             struct auth_usersupplied_info **user_info, 
140                             const char *smb_name, 
141                             const char *client_domain, 
142                             const char *wksta_name, 
143                             DATA_BLOB *lm_password, DATA_BLOB *nt_password,
144                             DATA_BLOB *lm_interactive_password, DATA_BLOB *nt_interactive_password,
145                             DATA_BLOB *plaintext, 
146                             BOOL encrypted)
147 {
148         const char *domain;
149         
150         DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
151               client_domain, smb_name, wksta_name));
152         
153         /* don't allow "" as a domain, fixes a Win9X bug 
154            where it doens't supply a domain for logon script
155            'net use' commands.                                 */
156
157         if ( *client_domain )
158                 domain = client_domain;
159         else
160                 domain = lp_workgroup();
161
162         /* we know that it is a trusted domain (and we are allowing
163            them) or it is our domain */
164         
165         return make_user_info(mem_ctx, 
166                               user_info, smb_name, smb_name, 
167                               client_domain, domain, wksta_name, 
168                               lm_password, nt_password,
169                               lm_interactive_password, nt_interactive_password,
170                               plaintext, encrypted);
171 }
172
173 /****************************************************************************
174  Create an auth_usersupplied_data, making the DATA_BLOBs here. 
175  Decrypt and encrypt the passwords.
176 ****************************************************************************/
177
178 NTSTATUS make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
179                                          struct auth_usersupplied_info **user_info, 
180                                          const char *smb_name, 
181                                          const char *client_domain, 
182                                          const char *wksta_name, 
183                                          const uint8_t *lm_network_password, int lm_password_len,
184                                          const uint8_t *nt_network_password, int nt_password_len)
185 {
186         NTSTATUS nt_status;
187         DATA_BLOB lm_blob = data_blob(lm_network_password, lm_password_len);
188         DATA_BLOB nt_blob = data_blob(nt_network_password, nt_password_len);
189
190         nt_status = make_user_info_map(mem_ctx,
191                                        user_info,
192                                        smb_name, client_domain, 
193                                        wksta_name, 
194                                        lm_password_len ? &lm_blob : NULL, 
195                                        nt_password_len ? &nt_blob : NULL,
196                                        NULL, NULL, NULL,
197                                        True);
198         
199         data_blob_free(&lm_blob);
200         data_blob_free(&nt_blob);
201         return nt_status;
202 }
203
204 /****************************************************************************
205  Create an auth_usersupplied_data, making the DATA_BLOBs here. 
206  Decrypt and encrypt the passwords.
207 ****************************************************************************/
208
209 NTSTATUS make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
210                                              struct auth_usersupplied_info **user_info, 
211                                              const char *smb_name, 
212                                              const char *client_domain, 
213                                              const char *wksta_name, 
214                                              const uint8_t chal[8], 
215                                              const struct samr_Password *lm_interactive_password, 
216                                              const struct samr_Password *nt_interactive_password)
217 {
218         NTSTATUS nt_status;
219         DATA_BLOB local_lm_blob;
220         DATA_BLOB local_nt_blob;
221         
222         DATA_BLOB lm_interactive_blob;
223         DATA_BLOB nt_interactive_blob;
224         uint8_t local_lm_response[24];
225         uint8_t local_nt_response[24];
226         
227         SMBOWFencrypt(lm_interactive_password->hash, chal, local_lm_response);
228         SMBOWFencrypt(nt_interactive_password->hash, chal, local_nt_response);
229         
230         local_lm_blob = data_blob(local_lm_response, 
231                                   sizeof(local_lm_response));
232         lm_interactive_blob = data_blob(lm_interactive_password->hash, 
233                                         sizeof(lm_interactive_password->hash));
234         
235         local_nt_blob = data_blob(local_nt_response, 
236                                   sizeof(local_nt_response));
237         nt_interactive_blob = data_blob(nt_interactive_password->hash, 
238                                         sizeof(nt_interactive_password->hash));
239         
240         nt_status = make_user_info_map(mem_ctx,
241                                        user_info, 
242                                        smb_name, client_domain, 
243                                        wksta_name, 
244                                        &local_lm_blob,
245                                        &local_nt_blob,
246                                        &lm_interactive_blob,
247                                        &nt_interactive_blob,
248                                        NULL,
249                                        True);
250         
251         data_blob_free(&local_lm_blob);
252         data_blob_free(&local_nt_blob);
253         data_blob_free(&lm_interactive_blob);
254         data_blob_free(&nt_interactive_blob);
255         return nt_status;
256 }
257 /****************************************************************************
258  Create an auth_usersupplied_data structure
259 ****************************************************************************/
260
261 NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx,
262                                       struct auth_usersupplied_info **user_info, 
263                                       const char *smb_name,
264                                       const char *client_domain, 
265                                       const char *remote_machine,
266                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
267 {
268         return make_user_info_map(mem_ctx,
269                                   user_info, smb_name, 
270                                   client_domain, 
271                                   remote_machine,
272                                   lm_resp.data ? &lm_resp : NULL, 
273                                   nt_resp.data ? &nt_resp : NULL, 
274                                   NULL, NULL, NULL,
275                                   True);
276 }
277
278 /****************************************************************************
279  Create a guest user_info blob, for anonymous authenticaion.
280 ****************************************************************************/
281
282 BOOL make_user_info_guest(TALLOC_CTX *mem_ctx,
283                           struct auth_usersupplied_info **user_info) 
284 {
285         NTSTATUS nt_status;
286
287         nt_status = make_user_info(mem_ctx,
288                                    user_info, 
289                                    "","", 
290                                    "","", 
291                                    "", 
292                                    NULL, NULL, 
293                                    NULL, NULL, 
294                                    NULL,
295                                    True);
296                               
297         return NT_STATUS_IS_OK(nt_status) ? True : False;
298 }
299
300 /****************************************************************************
301  prints a struct security_token to debug output.
302 ****************************************************************************/
303 void debug_security_token(int dbg_class, int dbg_lev, const struct security_token *token)
304 {
305         TALLOC_CTX *mem_ctx;
306
307         size_t     i;
308         
309         if (!token) {
310                 DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
311                 return;
312         }
313         
314         mem_ctx = talloc_init("debug_security_token()");
315         if (!mem_ctx) {
316                 return;
317         }
318
319         DEBUGC(dbg_class, dbg_lev, ("Security token of user %s\n",
320                                     dom_sid_string(mem_ctx, token->user_sid) ));
321         DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", 
322                                        (unsigned long)token->num_sids));
323         for (i = 0; i < token->num_sids; i++) {
324                 DEBUGADDC(dbg_class, dbg_lev, 
325                           ("SID[%3lu]: %s\n", (unsigned long)i, 
326                            dom_sid_string(mem_ctx, token->sids[i])));
327         }
328
329         talloc_destroy(mem_ctx);
330 }
331
332 /****************************************************************************
333  prints a struct auth_session_info security token to debug output.
334 ****************************************************************************/
335 void debug_session_info(int dbg_class, int dbg_lev, 
336                         const struct auth_session_info *session_info)
337 {
338         if (!session_info) {
339                 DEBUGC(dbg_class, dbg_lev, ("Session Info: (NULL)\n"));
340                 return; 
341         }
342
343         debug_security_token(dbg_class, dbg_lev, session_info->security_token);
344 }
345
346 /****************************************************************************
347  Create the SID list for this user.
348 ****************************************************************************/
349 NTSTATUS create_security_token(TALLOC_CTX *mem_ctx, 
350                                struct dom_sid *user_sid, struct dom_sid *group_sid, 
351                                int n_groupSIDs, struct dom_sid **groupSIDs, 
352                                BOOL is_guest, struct security_token **token)
353 {
354         struct security_token *ptoken;
355         int i;
356         NTSTATUS status;
357
358         ptoken = security_token_initialise(mem_ctx);
359         if (ptoken == NULL) {
360                 return NT_STATUS_NO_MEMORY;
361         }
362
363         ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, n_groupSIDs + 5);
364         if (!ptoken->sids) {
365                 return NT_STATUS_NO_MEMORY;
366         }
367
368         ptoken->user_sid = user_sid;
369         ptoken->group_sid = group_sid;
370         ptoken->privilege_mask = 0;
371
372         ptoken->sids[0] = user_sid;
373         ptoken->sids[1] = group_sid;
374
375         /*
376          * Finally add the "standard" SIDs.
377          * The only difference between guest and "anonymous" (which we
378          * don't really support) is the addition of Authenticated_Users.
379          */
380         ptoken->sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
381         ptoken->sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
382         ptoken->sids[4] = dom_sid_parse_talloc(mem_ctx, 
383                                                is_guest?SID_BUILTIN_GUESTS:
384                                                SID_NT_AUTHENTICATED_USERS);
385         ptoken->num_sids = 5;
386
387         for (i = 0; i < n_groupSIDs; i++) {
388                 size_t check_sid_idx;
389                 for (check_sid_idx = 1; 
390                      check_sid_idx < ptoken->num_sids; 
391                      check_sid_idx++) {
392                         if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
393                                 break;
394                         }
395                 }
396                 
397                 if (check_sid_idx == ptoken->num_sids) {
398                         ptoken->sids[ptoken->num_sids++] = groupSIDs[i];
399                 }
400         }
401
402         /* setup the privilege mask for this token */
403         status = samdb_privilege_setup(ptoken);
404         if (!NT_STATUS_IS_OK(status)) {
405                 talloc_free(ptoken);
406                 return status;
407         }
408         
409         debug_security_token(DBGC_AUTH, 10, ptoken);
410         
411         *token = ptoken;
412
413         return NT_STATUS_OK;
414 }
415
416 /***************************************************************************
417  Make a user_info struct
418 ***************************************************************************/
419
420 NTSTATUS make_server_info(const TALLOC_CTX *mem_ctx,
421                           struct auth_serversupplied_info **server_info, 
422                           const char *username)
423 {
424         *server_info = talloc_p(mem_ctx, struct auth_serversupplied_info);
425         if (!*server_info) {
426                 return NT_STATUS_NO_MEMORY;
427         }
428         ZERO_STRUCTP(*server_info);
429         
430         return NT_STATUS_OK;
431 }
432
433 /***************************************************************************
434  Make a server_info struct from the info3 returned by a domain logon 
435 ***************************************************************************/
436
437 NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, 
438                                               const char *internal_username,
439                                               struct auth_serversupplied_info **server_info, 
440                                               uint16 validation_level, 
441                                               union netr_Validation *validation) 
442 {
443         NTSTATUS nt_status;
444         struct netr_SamBaseInfo *base = NULL;
445         switch (validation_level) {
446         case 2:
447                 if (!validation || !validation->sam2) {
448                         return NT_STATUS_INVALID_PARAMETER;
449                 }
450                 base = &validation->sam2->base;
451                 break;
452         case 3:
453                 if (!validation || !validation->sam3) {
454                         return NT_STATUS_INVALID_PARAMETER;
455                 }
456                 base = &validation->sam3->base;
457                 break;
458         case 6:
459                 if (!validation || !validation->sam6) {
460                         return NT_STATUS_INVALID_PARAMETER;
461                 }
462                 base = &validation->sam6->base;
463                 break;
464         default:
465                 return NT_STATUS_INVALID_LEVEL;
466         }
467
468         nt_status = make_server_info(mem_ctx, server_info, internal_username);
469
470         if (!NT_STATUS_IS_OK(nt_status)) {
471                 return nt_status;
472         }
473         
474         (*server_info)->guest = False;
475
476         /* 
477            Here is where we should check the list of
478            trusted domains, and verify that the SID 
479            matches.
480         */
481
482         (*server_info)->user_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base->domain_sid), base->rid);
483         (*server_info)->primary_group_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base->domain_sid), base->primary_gid);
484
485         (*server_info)->domain_groups = talloc_array_p((*server_info), struct dom_sid*, base->group_count);
486         if (!(*server_info)->domain_groups) {
487                 return NT_STATUS_NO_MEMORY;
488         }
489         
490         for ((*server_info)->n_domain_groups = 0;
491              (*server_info)->n_domain_groups < base->group_count; 
492              (*server_info)->n_domain_groups++) {
493                 struct dom_sid *sid;
494                 sid = dom_sid_dup((*server_info)->domain_groups, base->domain_sid);
495                 if (!sid) {
496                         return NT_STATUS_NO_MEMORY;
497                 }
498                 (*server_info)->domain_groups[(*server_info)->n_domain_groups]
499                         = dom_sid_add_rid(*server_info, sid, 
500                                           base->groupids[(*server_info)->n_domain_groups].rid);
501                 if (!(*server_info)->domain_groups[(*server_info)->n_domain_groups]) {
502                         return NT_STATUS_NO_MEMORY;
503                 }
504         }
505
506         /* Copy 'other' sids.  We need to do sid filtering here to
507            prevent possible elevation of privileges.  See:
508
509            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
510          */
511
512         if (validation_level == 3) {
513                 int i;
514                 (*server_info)->domain_groups
515                         = talloc_realloc_p((*server_info), 
516                                            (*server_info)->domain_groups, 
517                                            struct dom_sid*, 
518                                            base->group_count + validation->sam3->sidcount);
519                 
520                 if (!(*server_info)->domain_groups) {
521                         return NT_STATUS_NO_MEMORY;
522                 }
523         
524                 for (i = 0; i < validation->sam3->sidcount; i++) {
525                         (*server_info)->domain_groups[(*server_info)->n_domain_groups + i] = 
526                                 dom_sid_dup((*server_info)->domain_groups, 
527                                             validation->sam3->sids[i].sid);
528                 }
529
530                 /* Where are the 'global' sids?... */
531         }
532
533         if (base->account_name.string) {
534                 (*server_info)->account_name = talloc_reference(*server_info, base->account_name.string);
535         } else {
536                 (*server_info)->account_name = talloc_strdup(*server_info, internal_username);
537         }
538         
539         (*server_info)->domain = talloc_reference(*server_info, base->domain.string);
540         (*server_info)->full_name = talloc_reference(*server_info, base->full_name.string);
541         (*server_info)->logon_script = talloc_reference(*server_info, base->logon_script.string);
542         (*server_info)->profile_path = talloc_reference(*server_info, base->profile_path.string);
543         (*server_info)->home_directory = talloc_reference(*server_info, base->home_directory.string);
544         (*server_info)->home_drive = talloc_reference(*server_info, base->home_drive.string);
545         (*server_info)->last_logon = base->last_logon;
546         (*server_info)->last_logoff = base->last_logoff;
547         (*server_info)->acct_expiry = base->acct_expiry;
548         (*server_info)->last_password_change = base->last_password_change;
549         (*server_info)->allow_password_change = base->allow_password_change;
550         (*server_info)->force_password_change = base->force_password_change;
551
552         (*server_info)->logon_count = base->logon_count;
553         (*server_info)->bad_password_count = base->bad_password_count;
554
555         (*server_info)->acct_flags = base->acct_flags;
556
557         /* ensure we are never given NULL session keys */
558         
559         if (all_zero(base->key.key, sizeof(base->key.key))) {
560                 (*server_info)->user_session_key = data_blob(NULL, 0);
561         } else {
562                 (*server_info)->user_session_key = data_blob_talloc((*server_info), base->key.key, sizeof(base->key.key));
563         }
564
565         if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
566                 (*server_info)->lm_session_key = data_blob(NULL, 0);
567         } else {
568                 (*server_info)->lm_session_key = data_blob_talloc((*server_info), base->LMSessKey.key, sizeof(base->LMSessKey.key));
569         }
570         return NT_STATUS_OK;
571 }
572
573 /***************************************************************************
574  Free a user_info struct
575 ***************************************************************************/
576
577 void free_user_info(struct auth_usersupplied_info **user_info)
578 {
579         DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
580         if (*user_info) {
581                 data_blob_clear(&(*user_info)->plaintext_password);
582         }
583
584         talloc_free(*user_info);
585         *user_info = NULL;
586 }
587
588 /***************************************************************************
589  Clear out a server_info struct that has been allocated
590 ***************************************************************************/
591
592 void free_server_info(struct auth_serversupplied_info **server_info)
593 {
594         DEBUG(5,("attempting to free a server_info structure\n"));
595         talloc_free(*server_info);
596         *server_info = NULL;
597 }
598
599 /***************************************************************************
600  Make an auth_methods struct
601 ***************************************************************************/
602
603 BOOL make_auth_methods(struct auth_context *auth_context, struct auth_methods **auth_method) 
604 {
605         if (!auth_context) {
606                 smb_panic("no auth_context supplied to make_auth_methods()!\n");
607         }
608
609         if (!auth_method) {
610                 smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
611         }
612
613         *auth_method = talloc_p(auth_context, struct auth_methods);
614         if (!*auth_method) {
615                 return False;
616         }
617         ZERO_STRUCTP(*auth_method);
618         
619         return True;
620 }
621
622 NTSTATUS make_session_info(TALLOC_CTX *mem_ctx, 
623                            struct auth_serversupplied_info *server_info, 
624                            struct auth_session_info **session_info) 
625 {
626         NTSTATUS nt_status;
627
628         *session_info = talloc_p(mem_ctx, struct auth_session_info);
629         if (!*session_info) {
630                 return NT_STATUS_NO_MEMORY;
631         }
632         
633         (*session_info)->server_info = server_info;
634         talloc_reference(*session_info, (*session_info)->server_info);
635
636         /* unless set otherwise, the session key is the user session
637          * key from the auth subsystem */
638  
639         (*session_info)->session_key = server_info->user_session_key;
640
641         /* we should search for local groups here */
642         
643         nt_status = create_security_token((*session_info), 
644                                           server_info->user_sid, 
645                                           server_info->primary_group_sid, 
646                                           server_info->n_domain_groups, 
647                                           server_info->domain_groups,
648                                           False, 
649                                           &(*session_info)->security_token);
650         
651         return nt_status;
652 }
653
654 /***************************************************************************
655  Clear out a server_info struct that has been allocated
656 ***************************************************************************/
657
658 void free_session_info(struct auth_session_info **session_info)
659 {
660         DEBUG(5,("attempting to free a session_info structure\n"));
661         talloc_free((*session_info));
662         *session_info = NULL;
663 }
664
665 /**
666  * Squash an NT_STATUS in line with security requirements.
667  * In an attempt to avoid giving the whole game away when users
668  * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and 
669  * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations 
670  * (session setups in particular).
671  *
672  * @param nt_status NTSTATUS input for squashing.
673  * @return the 'squashed' nt_status
674  **/
675
676 NTSTATUS nt_status_squash(NTSTATUS nt_status)
677 {
678         if NT_STATUS_IS_OK(nt_status) {
679                 return nt_status;               
680         } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
681                 /* Match WinXP and don't give the game away */
682                 return NT_STATUS_LOGON_FAILURE;
683                 
684         } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
685                 /* Match WinXP and don't give the game away */
686                 return NT_STATUS_LOGON_FAILURE;
687         } else {
688                 return nt_status;
689         }  
690 }
691
692
693