Fix winbind to check machine account.
authorAndrew Bartlett <abartlet@samba.org>
Tue, 15 Apr 2008 14:29:13 +0000 (16:29 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 15 Apr 2008 14:29:13 +0000 (16:29 +0200)
This enables 'wbinfo -t', by checking the machine account with a
SamLogon call.

Andrew Bartlett
(This used to be commit abefa12029a17e9007f4884f3651d835a10ee9e3)

source4/winbind/wb_async_helpers.c
source4/winbind/wb_pam_auth.c
source4/winbind/wb_samba3_cmd.c
source4/winbind/wb_samba3_protocol.c

index 662dd111dda95ee2e2a0a48abd68dba8ed38efee..25d52a16b5f900d828253cc8cacaf290beb56392 100644 (file)
@@ -305,73 +305,6 @@ NTSTATUS wb_lsa_lookupnames_recv(struct composite_context *c,
        talloc_free(c);
        return status;
 }
        talloc_free(c);
        return status;
 }
-
-
-#if 0
-
-struct cmd_checkmachacc_state {
-       struct composite_context *ctx;
-       struct wbsrv_call *call;
-       struct wbsrv_domain *domain;
-};
-
-static void cmd_checkmachacc_recv_init(struct composite_context *ctx);
-
- struct composite_context *wb_cmd_checkmachacc_send(struct wbsrv_call *call)
-{
-       struct composite_context *result, *ctx;
-       struct cmd_checkmachacc_state *state;
-       struct wbsrv_service *service = call->wbconn->listen_socket->service;
-
-       result = composite_create(mem_ctx, call->event_ctx;
-       if (result == NULL) goto failed;
-
-       state = talloc(result, struct cmd_checkmachacc_state);
-       if (state == NULL) goto failed;
-       state->ctx = result;
-       result->private_data = state;
-       state->call = call;
-
-       state->domain = service->domains;
-
-       ctx = wb_init_domain_send(service, state->domain);
-       if (ctx == NULL) goto failed;
-       ctx->async.fn = cmd_checkmachacc_recv_init;
-       ctx->async.private_data = state;
-
-       return result;
-
- failed:
-       talloc_free(result);
-       return NULL;
-}
-
-static void cmd_checkmachacc_recv_init(struct composite_context *ctx)
-{
-       struct cmd_checkmachacc_state *state =
-               talloc_get_type(ctx->async.private_data,
-                               struct cmd_checkmachacc_state);
-
-       state->ctx->status = wb_init_domain_recv(ctx);
-       if (!composite_is_ok(state->ctx)) return;
-
-       composite_done(state->ctx);
-}
-
- NTSTATUS wb_cmd_checkmachacc_recv(struct composite_context *c)
-{
-       NTSTATUS status = composite_wait(c);
-       talloc_free(c);
-       return status;
-}
-
- NTSTATUS wb_cmd_checkmachacc(struct wbsrv_call *call)
-{
-       struct composite_context *c = wb_cmd_checkmachacc_send(call);
-       return wb_cmd_checkmachacc_recv(c);
-}
-#endif
-
 struct samr_getuserdomgroups_state {
        struct composite_context *ctx;
        struct dcerpc_pipe *samr_pipe;
 struct samr_getuserdomgroups_state {
        struct composite_context *ctx;
        struct dcerpc_pipe *samr_pipe;
index 62744297c64614c681490837e8fe89d1cdb94457..ee54bcd58f7818a1873b53c53e0f0aea007fc9e2 100644 (file)
@@ -214,14 +214,11 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c,
 
 struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
                                               struct wbsrv_service *service,
 
 struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
                                               struct wbsrv_service *service,
-                                              const char *domain,
-                                              const char *user,
-                                              const char *password)
+                                              struct cli_credentials *credentials)
 {
 {
-       struct cli_credentials *credentials;
        const char *workstation;
        NTSTATUS status;
        const char *workstation;
        NTSTATUS status;
-
+       const char *user, *domain;
        DATA_BLOB chal, nt_resp, lm_resp, names_blob;
        int flags = CLI_CRED_NTLM_AUTH;
        if (lp_client_lanman_auth(service->task->lp_ctx)) {
        DATA_BLOB chal, nt_resp, lm_resp, names_blob;
        int flags = CLI_CRED_NTLM_AUTH;
        if (lp_client_lanman_auth(service->task->lp_ctx)) {
@@ -234,16 +231,6 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
 
        DEBUG(5, ("wbsrv_samba3_pam_auth called\n"));
 
 
        DEBUG(5, ("wbsrv_samba3_pam_auth called\n"));
 
-       credentials = cli_credentials_init(mem_ctx);
-       if (!credentials) {
-               return NULL;
-       }
-       cli_credentials_set_conf(credentials, service->task->lp_ctx);
-       cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
-       cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
-
-       cli_credentials_set_password(credentials, password, CRED_SPECIFIED);
-
        chal = data_blob_talloc(mem_ctx, NULL, 8);
        if (!chal.data) {
                return NULL;
        chal = data_blob_talloc(mem_ctx, NULL, 8);
        if (!chal.data) {
                return NULL;
@@ -269,7 +256,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
                return NULL;
        }
        return wb_cmd_pam_auth_crap_send(mem_ctx, service,
                return NULL;
        }
        return wb_cmd_pam_auth_crap_send(mem_ctx, service,
-                                        0 /* logon parameters */, 
+                                        MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT|MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT /* logon parameters */, 
                                         domain, user, workstation,
                                         chal, nt_resp, lm_resp);
 }
                                         domain, user, workstation,
                                         chal, nt_resp, lm_resp);
 }
index 24074700fcd86c2968c826df8f6cc70ae5167e74..8ae330df3527c0c21b5c7f5f71e66ef148d2d6cb 100644 (file)
@@ -30,6 +30,8 @@
 #include "librpc/gen_ndr/netlogon.h"
 #include "libcli/security/security.h"
 #include "auth/pam_errors.h"
 #include "librpc/gen_ndr/netlogon.h"
 #include "libcli/security/security.h"
 #include "auth/pam_errors.h"
+#include "auth/credentials/credentials.h"
+#include "smbd/service_task.h"
 
 /* 
    Send off the reply to an async Samba3 query, handling filling in the PAM, NTSTATUS and string errors.
 
 /* 
    Send off the reply to an async Samba3 query, handling filling in the PAM, NTSTATUS and string errors.
@@ -110,10 +112,12 @@ NTSTATUS wbsrv_samba3_netbios_name(struct wbsrv_samba3_call *s3call)
 
 NTSTATUS wbsrv_samba3_priv_pipe_dir(struct wbsrv_samba3_call *s3call)
 {
 
 NTSTATUS wbsrv_samba3_priv_pipe_dir(struct wbsrv_samba3_call *s3call)
 {
-       s3call->response.result                 = WINBINDD_OK;
-       s3call->response.extra_data.data =
-               smbd_tmp_path(s3call, s3call->wbconn->lp_ctx, WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
-       NT_STATUS_HAVE_NO_MEMORY(s3call->response.extra_data.data);
+       char *path = smbd_tmp_path(s3call, s3call->wbconn->lp_ctx, WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
+       NT_STATUS_HAVE_NO_MEMORY(path);
+       s3call->response.result          = WINBINDD_OK;
+       s3call->response.extra_data.data = path;
+               
+       s3call->response.length += strlen(path) + 1;
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
@@ -123,41 +127,67 @@ NTSTATUS wbsrv_samba3_ping(struct wbsrv_samba3_call *s3call)
        return NT_STATUS_OK;
 }
 
        return NT_STATUS_OK;
 }
 
-#if 0
-/* 
-   Validate that we have a working pipe to the domain controller.
-   Return any NT error found in the process
+/* Plaintext authentication 
+   
+   This interface is used by ntlm_auth in it's 'basic' authentication
+   mode, as well as by pam_winbind to authenticate users where we are
+   given a plaintext password.
 */
 
 */
 
-static void checkmachacc_recv_creds(struct composite_context *ctx);
+static void check_machacc_recv(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_check_machacc(struct wbsrv_samba3_call *s3call)
 {
 
 NTSTATUS wbsrv_samba3_check_machacc(struct wbsrv_samba3_call *s3call)
 {
+       NTSTATUS status;
+       struct cli_credentials *creds;
        struct composite_context *ctx;
        struct composite_context *ctx;
+       struct wbsrv_service *service =
+               s3call->wbconn->listen_socket->service;
+
+       /* Create a credentials structure */
+       creds = cli_credentials_init(s3call);
+       if (creds == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
 
 
-       DEBUG(5, ("wbsrv_samba3_check_machacc called\n"));
+       cli_credentials_set_event_context(creds, service->task->event_ctx);
 
 
-       ctx = wb_cmd_checkmachacc_send(s3call->call);
-       NT_STATUS_HAVE_NO_MEMORY(ctx);
+       cli_credentials_set_conf(creds, service->task->lp_ctx);
+
+       /* Connect the machine account to the credentials */
+       status = cli_credentials_set_machine_account(creds, service->task->lp_ctx);
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(creds);
+               return status;
+       }
+
+       ctx = wb_cmd_pam_auth_send(s3call, service, creds);
+
+       if (!ctx) {
+               talloc_free(creds);
+               return NT_STATUS_NO_MEMORY;
+       }
 
 
-       ctx->async.fn = checkmachacc_recv_creds;
+       ctx->async.fn = check_machacc_recv;
        ctx->async.private_data = s3call;
        ctx->async.private_data = s3call;
-       s3call->call->flags |= WBSRV_CALL_FLAGS_REPLY_ASYNC;
+       s3call->flags |= WBSRV_CALL_FLAGS_REPLY_ASYNC;
        return NT_STATUS_OK;
 }
        return NT_STATUS_OK;
 }
-       
-static void checkmachacc_recv_creds(struct composite_context *ctx)
+
+static void check_machacc_recv(struct composite_context *ctx)
 {
        struct wbsrv_samba3_call *s3call =
                talloc_get_type(ctx->async.private_data,
                                struct wbsrv_samba3_call);
        NTSTATUS status;
 
 {
        struct wbsrv_samba3_call *s3call =
                talloc_get_type(ctx->async.private_data,
                                struct wbsrv_samba3_call);
        NTSTATUS status;
 
-       status = wb_cmd_checkmachacc_recv(ctx);
+       status = wb_cmd_pam_auth_recv(ctx);
+
+       if (!NT_STATUS_IS_OK(status)) goto done;
 
 
+ done:
        wbsrv_samba3_async_auth_epilogue(status, s3call);
 }
        wbsrv_samba3_async_auth_epilogue(status, s3call);
 }
-#endif
 
 /*
   Find the name of a suitable domain controller, by query on the
 
 /*
   Find the name of a suitable domain controller, by query on the
@@ -543,6 +573,7 @@ NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
        struct composite_context *ctx;
        struct wbsrv_service *service =
                s3call->wbconn->listen_socket->service;
        struct composite_context *ctx;
        struct wbsrv_service *service =
                s3call->wbconn->listen_socket->service;
+       struct cli_credentials *credentials;
        char *user, *domain;
 
        if (!wb_samba3_split_username(s3call, s3call->wbconn->lp_ctx,
        char *user, *domain;
 
        if (!wb_samba3_split_username(s3call, s3call->wbconn->lp_ctx,
@@ -551,8 +582,17 @@ NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
                return NT_STATUS_NO_SUCH_USER;
        }
 
                return NT_STATUS_NO_SUCH_USER;
        }
 
-       ctx = wb_cmd_pam_auth_send(s3call, service, domain, user,
-                                  s3call->request.data.auth.pass);
+       credentials = cli_credentials_init(s3call);
+       if (!credentials) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       cli_credentials_set_conf(credentials, service->task->lp_ctx);
+       cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
+       cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
+
+       cli_credentials_set_password(credentials, s3call->request.data.auth.pass, CRED_SPECIFIED);
+
+       ctx = wb_cmd_pam_auth_send(s3call, service, credentials);
        NT_STATUS_HAVE_NO_MEMORY(ctx);
 
        ctx->async.fn = pam_auth_recv;
        NT_STATUS_HAVE_NO_MEMORY(ctx);
 
        ctx->async.fn = pam_auth_recv;
index b252273cb63bdbd9eade1e57855e4da3d063c16a..3b97dff27626ad35bcd5bbea5497b77c214b44ae 100644 (file)
@@ -78,10 +78,8 @@ NTSTATUS wbsrv_samba3_handle_call(struct wbsrv_samba3_call *s3call)
        case WINBINDD_INTERFACE_VERSION:
                return wbsrv_samba3_interface_version(s3call);
 
        case WINBINDD_INTERFACE_VERSION:
                return wbsrv_samba3_interface_version(s3call);
 
-#if 0
        case WINBINDD_CHECK_MACHACC:
                return wbsrv_samba3_check_machacc(s3call);
        case WINBINDD_CHECK_MACHACC:
                return wbsrv_samba3_check_machacc(s3call);
-#endif
 
        case WINBINDD_PING:
                return wbsrv_samba3_ping(s3call);
 
        case WINBINDD_PING:
                return wbsrv_samba3_ping(s3call);
@@ -187,7 +185,6 @@ NTSTATUS wbsrv_samba3_handle_call(struct wbsrv_samba3_call *s3call)
        case WINBINDD_SET_MAPPING:
        case WINBINDD_SET_HWM:
        case WINBINDD_DUMP_MAPS:
        case WINBINDD_SET_MAPPING:
        case WINBINDD_SET_HWM:
        case WINBINDD_DUMP_MAPS:
-       case WINBINDD_CHECK_MACHACC:
        case WINBINDD_DOMAIN_INFO:
        case WINBINDD_SHOW_SEQUENCE:
        case WINBINDD_WINS_BYIP:
        case WINBINDD_DOMAIN_INFO:
        case WINBINDD_SHOW_SEQUENCE:
        case WINBINDD_WINS_BYIP: