extern int DEBUGLEVEL;
extern int Protocol;
+extern struct in_addr ipzero;
/* users from session setup */
static pstring session_users="";
}
+/****************************************************************************
+Setup the groups a user belongs to.
+****************************************************************************/
+int setup_groups(char *user, uid_t uid, gid_t gid, int *p_ngroups, gid_t **p_groups)
+{
+ int i,ngroups;
+ gid_t grp = 0;
+ gid_t *groups = NULL;
+
+ if (-1 == initgroups(user,gid))
+ {
+ DEBUG(0,("Unable to initgroups. Error was %s\n", strerror(errno) ));
+ if (getuid() == 0)
+ {
+ if (gid < 0 || gid > 32767 || uid < 0 || uid > 32767)
+ {
+ DEBUG(0,("This is probably a problem with the account %s\n", user));
+ }
+ }
+ return -1;
+ }
+
+ ngroups = sys_getgroups(0,&grp);
+ if (ngroups <= 0)
+ {
+ ngroups = 32;
+ }
+
+#ifdef NGROUPS_MAX
+ if((groups = (gid_t *)malloc(sizeof(gid_t)*NGROUPS_MAX)) == NULL)
+#else /* NGROUPS_MAX */
+ if((groups = (gid_t *)malloc(sizeof(gid_t)*ngroups)) == NULL)
+#endif /* NGROUPS_MAX */
+ {
+ DEBUG(0,("setup_groups malloc fail !\n"));
+ return -1;
+ }
+
+ ngroups = sys_getgroups(ngroups,groups);
+
+ (*p_ngroups) = ngroups;
+ (*p_groups) = groups;
+
+ DEBUG( 3, ( "%s is in %d groups: ", user, ngroups ) );
+ for (i = 0; i < ngroups; i++ )
+ {
+ DEBUG( 3, ( "%s%d", (i ? ", " : ""), (int)groups[i] ) );
+ }
+ DEBUG( 3, ( "\n" ) );
+
+ return 0;
+}
+
/****************************************************************************
register a uid/name pair as being valid and that a valid password
has been given. vuid is biased by an offset. This allows us to
tell random client vuid's (normally zero) from valid vuids.
****************************************************************************/
-uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name, BOOL guest, uchar user_sess_key[16])
+uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name, BOOL guest)
{
user_struct *vuser;
struct passwd *pwfile; /* for getting real name from passwd file */
vuser->guest = guest;
fstrcpy(vuser->name,unix_name);
fstrcpy(vuser->requested_name,requested_name);
- memcpy(vuser->dc.user_sess_key, user_sess_key, sizeof(vuser->dc.user_sess_key));
vuser->n_sids = 0;
vuser->sids = NULL;
/* Find all the groups this uid is in and store them.
Used by become_user() */
- get_unixgroups(unix_name,uid,gid,
+ setup_groups(unix_name,uid,gid,
&vuser->n_groups,
&vuser->groups);
DEBUG(3, ("Clearing default real name\n"));
fstrcpy(vuser->real_name, "<Full Name>\0");
if (lp_unix_realname()) {
- if ((pwfile=hashed_getpwnam(vuser->name))!= NULL)
+ if ((pwfile=sys_getpwnam(vuser->name))!= NULL)
{
DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->name,pwfile->pw_gecos));
fstrcpy(vuser->real_name, pwfile->pw_gecos);
DEBUG(0,("getsmbpwnam returned NULL\n"));
return False;
}
-
+
+ /*
+ * Remove the account disabled flag - we are updating the
+ * users password from a login.
+ */
+ smbpw->acct_ctrl &= ~ACB_DISABLED;
+
/* Here, the flag is one, because we want to ignore the
XXXXXXX'd out password */
ret = change_oem_password( smbpw, password, True);
/****************************************************************************
core of smb password checking routine.
****************************************************************************/
-static BOOL smb_pwd_check_ntlmv1(char *password, unsigned char *part_passwd,
- unsigned char *c8)
+BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8)
{
/* Finish the encryption of part_passwd. */
+ unsigned char p21[21];
unsigned char p24[24];
if (part_passwd == NULL)
DEBUG(10,("No password set - allowing access\n"));
/* No password set - always true ! */
if (part_passwd == NULL)
- return True;
+ return 1;
- SMBOWFencrypt(part_passwd, c8, p24);
+ memset(p21,'\0',21);
+ memcpy(p21,part_passwd,16);
+ E_P24(p21, c8, p24);
#if DEBUG_PASSWORD
- DEBUG(100,("Part password (P16) was |"));
- dump_data(100, part_passwd, 16);
- DEBUG(100,("Password from client was |"));
- dump_data(100, password, 24);
- DEBUG(100,("Given challenge was |"));
- dump_data(100, c8, 8);
- DEBUG(100,("Value from encryption was |"));
- dump_data(100, p24, 24);
+ {
+ int i;
+ DEBUG(100,("Part password (P16) was |"));
+ for(i = 0; i < 16; i++)
+ DEBUG(100,("%X ", (unsigned char)part_passwd[i]));
+ DEBUG(100,("|\n"));
+ DEBUG(100,("Password from client was |"));
+ for(i = 0; i < 24; i++)
+ DEBUG(100,("%X ", (unsigned char)password[i]));
+ DEBUG(100,("|\n"));
+ DEBUG(100,("Given challenge was |"));
+ for(i = 0; i < 8; i++)
+ DEBUG(100,("%X ", (unsigned char)c8[i]));
+ DEBUG(100,("|\n"));
+ DEBUG(100,("Value from encryption was |"));
+ for(i = 0; i < 24; i++)
+ DEBUG(100,("%X ", (unsigned char)p24[i]));
+ DEBUG(100,("|\n"));
+ }
#endif
return (memcmp(p24, password, 24) == 0);
}
-/****************************************************************************
-core of smb password checking routine.
-****************************************************************************/
-static BOOL smb_pwd_check_ntlmv2(char *password, size_t pwd_len,
- unsigned char *part_passwd,
- unsigned char const *c8,
- const char *user, const char *domain)
-{
- /* Finish the encryption of part_passwd. */
- unsigned char kr[16];
-
- if (part_passwd == NULL)
- {
- DEBUG(10,("No password set - allowing access\n"));
- }
- /* No password set - always true ! */
- if (part_passwd == NULL)
- {
- return True;
- }
-
- ntv2_owf_gen(part_passwd, user, domain, kr);
- SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, kr);
-
-#if DEBUG_PASSWORD
- DEBUG(100,("Part password (P16) was |"));
- dump_data(100, part_passwd, 16);
- DEBUG(100,("Password from client was |"));
- dump_data(100, password, pwd_len);
- DEBUG(100,("Given challenge was |"));
- dump_data(100, c8, 8);
- DEBUG(100,("Value from encryption was |"));
- dump_data(100, kr, 16);
-#endif
-
- return (memcmp(kr, password, 16) == 0);
-}
-
/****************************************************************************
Do a specific test for an smb password being correct, given a smb_password and
the lanman and NT responses.
****************************************************************************/
BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar chal[8],
- const char *user, const char *domain,
- uchar *lm_pass, size_t lm_pwd_len,
- uchar *nt_pass, size_t nt_pwd_len)
+ uchar lm_pass[24], uchar nt_pass[24])
{
uchar challenge[8];
if (!lm_pass || !smb_pass) return(False);
DEBUG(4,("Checking SMB password for user %s\n",
- smb_pass->unix_name));
+ smb_pass->smb_name));
- if (smb_pass->acct_ctrl & ACB_DISABLED)
- {
- DEBUG(3,("account for user %s was disabled.\n",
- smb_pass->unix_name));
+ if(smb_pass->acct_ctrl & ACB_DISABLED) {
+ DEBUG(1,("account for user %s was disabled.\n",
+ smb_pass->smb_name));
return(False);
}
memcpy(challenge, chal, 8);
}
- if ((Protocol >= PROTOCOL_NT1) && (smb_pass->smb_nt_passwd != NULL))
- {
+ if ((Protocol >= PROTOCOL_NT1) && (smb_pass->smb_nt_passwd != NULL)) {
/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
*/
- if (lp_server_ntlmv2())
- {
- DEBUG(4,("smb_password_ok: Check NTLMv2 password\n"));
- if (smb_pwd_check_ntlmv2(nt_pass, nt_pwd_len,
- (uchar *)smb_pass->smb_nt_passwd,
- challenge, user, domain))
- {
- return True;
- }
- }
- if (lp_server_ntlmv2() != True && nt_pwd_len == 24)
- {
- DEBUG(4,("smb_password_ok: Check NT MD4 password\n"));
- if (smb_pwd_check_ntlmv1((char *)nt_pass,
+ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
+ if (smb_password_check((char *)nt_pass,
(uchar *)smb_pass->smb_nt_passwd,
- challenge))
- {
- DEBUG(4,("NT MD4 password check succeeded\n"));
- return True;
- }
+ challenge)) {
+ DEBUG(4,("NT MD4 password check succeeded\n"));
+ return(True);
}
DEBUG(4,("NT MD4 password check failed\n"));
}
- if (lp_server_ntlmv2() == False)
- {
- DEBUG(4,("Not checking LM MD4 password\n"));
- return False;
- }
-
/* Try against the lanman password. smb_pass->smb_passwd == NULL means
no password, allow access. */
DEBUG(4,("Checking LM MD4 password\n"));
- if ((smb_pass->smb_passwd == NULL) &&
- (smb_pass->acct_ctrl & ACB_PWNOTREQ))
- {
+ if((smb_pass->smb_passwd == NULL) &&
+ (smb_pass->acct_ctrl & ACB_PWNOTREQ)) {
DEBUG(4,("no password required for user %s\n",
- smb_pass->unix_name));
+ smb_pass->smb_name));
return True;
}
- if ((smb_pass->smb_passwd != NULL) &&
- smb_pwd_check_ntlmv1((char *)lm_pass,
- (uchar *)smb_pass->smb_passwd,
- challenge))
- {
+ if((smb_pass->smb_passwd != NULL) &&
+ smb_password_check((char *)lm_pass,
+ (uchar *)smb_pass->smb_passwd, challenge)) {
DEBUG(4,("LM MD4 password check succeeded\n"));
return(True);
}
return True if the password is correct, False otherwise
****************************************************************************/
-BOOL pass_check_smb(char *user, char *domain, uchar *chal,
- uchar *lm_pwd, size_t lm_pwd_len,
- uchar *nt_pwd, size_t nt_pwd_len,
- struct passwd *pwd, uchar user_sess_key[16])
+BOOL pass_check_smb(char *user, char *domain,
+ uchar *chal, uchar *lm_pwd, uchar *nt_pwd,
+ struct passwd *pwd)
{
- const struct passwd *pass;
+ struct passwd *pass;
struct smb_passwd *smb_pass;
if (!lm_pwd || !nt_pwd)
if (pass == NULL)
{
- DEBUG(3,("Couldn't find user %s\n",user));
+ DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user));
return(False);
}
if (smb_pass == NULL)
{
- DEBUG(3,("Couldn't find user %s in smb_passwd file.\n", user));
+ DEBUG(1,("Couldn't find user '%s' in smb_passwd file.\n", user));
return(False);
}
/* Quit if the account was disabled. */
if(smb_pass->acct_ctrl & ACB_DISABLED) {
- DEBUG(3,("account for user %s was disabled.\n", user));
+ DEBUG(1,("Account for user '%s' was disabled.\n", user));
return(False);
}
/* Ensure the uid's match */
- if (smb_pass->unix_uid != pass->pw_uid)
+ if (smb_pass->smb_userid != pass->pw_uid)
{
- DEBUG(3,("Error : UNIX and SMB uids in password files do not match !\n"));
+ DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user));
return(False);
}
if (lm_pwd[0] == '\0' && IS_BITS_SET_ALL(smb_pass->acct_ctrl, ACB_PWNOTREQ) && lp_null_passwords())
{
- DEBUG(3,("account for user %s has no password and null passwords are allowed.\n", smb_pass->unix_name));
+ DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", smb_pass->smb_name));
return(True);
}
- if (smb_password_ok(smb_pass, chal, user, domain,
- lm_pwd, lm_pwd_len,
- nt_pwd, nt_pwd_len))
+ if (smb_password_ok(smb_pass, chal, lm_pwd, nt_pwd))
{
- if (user_sess_key != NULL)
- {
- mdfour(user_sess_key, smb_pass->smb_nt_passwd, 16);
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("user session key: "));
- dump_data(100, user_sess_key, 16);
-#endif
- }
return(True);
}
- DEBUG(3,("Error pass_check_smb failed\n"));
+ DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user));
return False;
}
database or the encrypted SMB password database
return True if the password is correct, False otherwise
****************************************************************************/
-BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd,
- uchar user_sess_key[16])
+BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd)
{
- if (pwlen >= 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords()))
+ if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords()))
{
- /* if 24 bytes or longer assume it is an encrypted password */
+ /* if 24 bytes long assume it is an encrypted password */
uchar challenge[8];
if (!last_challenge(challenge))
}
return pass_check_smb(user, global_myworkgroup,
- challenge, (uchar *)password,
- pwlen, (uchar *)password, pwlen,
- pwd, user_sess_key);
+ challenge, (uchar *)password, (uchar *)password, pwd);
}
return pass_check(user, password, pwlen, pwd,
pstring valid, invalid;
BOOL ret;
- StrnCpy(valid, lp_valid_users(snum), sizeof(pstring));
- StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring));
+ StrnCpy(valid, lp_valid_users(snum), sizeof(pstring)-1);
+ StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring)-1);
- string_sub(valid,"%S",lp_servicename(snum));
- string_sub(invalid,"%S",lp_servicename(snum));
+ pstring_sub(valid,"%S",lp_servicename(snum));
+ pstring_sub(invalid,"%S",lp_servicename(snum));
ret = !user_in_list(user,invalid);
if (ret && lp_onlyuser(snum)) {
char *user_list = lp_username(snum);
- string_sub(user_list,"%S",lp_servicename(snum));
+ pstring_sub(user_list,"%S",lp_servicename(snum));
ret = user_in_list(user,user_list);
}
/****************************************************************************
validate a group username entry. Return the username or NULL
****************************************************************************/
-static char *validate_group(char *group,char *password,int pwlen,int snum,
- uchar user_sess_key[16])
+static char *validate_group(char *group,char *password,int pwlen,int snum)
{
-#if defined(HAVE_NETGROUP) && defined(HAVE_GETNETGRENT) && defined(HAVE_SETNETGRENT) && defined(HAVE_ENDNETGRENT)
- {
- char *host, *user, *domain;
- setnetgrent(group);
- while (getnetgrent(&host, &user, &domain)) {
- if (user) {
- if (user_ok(user, snum) &&
- password_ok(user,password,pwlen,NULL, user_sess_key)) {
- endnetgrent();
- return(user);
+#ifdef HAVE_NETGROUP
+ {
+ char *host, *user, *domain;
+ setnetgrent(group);
+ while (getnetgrent(&host, &user, &domain)) {
+ if (user) {
+ if (user_ok(user, snum) &&
+ password_ok(user,password,pwlen,NULL)) {
+ endnetgrent();
+ return(user);
+ }
+ }
+ }
+ endnetgrent();
}
- }
- }
- endnetgrent();
- }
#endif
-#ifdef HAVE_GETGRNAM
- {
- struct group *gptr = (struct group *)getgrnam(group);
- char **member;
- if (gptr)
- {
- member = gptr->gr_mem;
- while (member && *member)
- {
- static fstring name;
- fstrcpy(name,*member);
- if (user_ok(name,snum) &&
- password_ok(name,password,pwlen,NULL, user_sess_key))
- return(&name[0]);
- member++;
- }
-#ifdef GROUP_CHECK_PWENT
+#ifdef HAVE_GETGRENT
{
- struct passwd *pwd;
- static fstring tm;
-
- setpwent ();
- while (pwd = getpwent ()) {
- if (*(pwd->pw_passwd) && pwd->pw_gid == gptr->gr_gid) {
- /* This Entry have PASSWORD and same GID then check pwd */
- if (password_ok(NULL, password, pwlen, pwd, user_sess_key)) {
- fstrcpy(tm, pwd->pw_name);
- endpwent ();
- return tm;
- }
- }
- }
- endpwent ();
+ struct group *gptr;
+ char **member;
+ setgrent();
+ while ((gptr = (struct group *)getgrent())) {
+ if (!strequal(gptr->gr_name,group))
+ continue;
+ member = gptr->gr_mem;
+ while (member && *member) {
+ static fstring name;
+ fstrcpy(name,*member);
+ if (user_ok(name,snum) &&
+ password_ok(name,password,pwlen,NULL)) {
+ endgrent();
+ return(&name[0]);
+ }
+ member++;
+ }
+ }
+ endgrent();
}
-#endif /* GROUP_CHECK_PWENT */
- }
- }
#endif
- return(NULL);
+ return(NULL);
}
/* check the given username and password */
if (!ok && (*user) && user_ok(user,snum)) {
- ok = password_ok(user,password, pwlen, NULL, vuser->dc.user_sess_key);
+ ok = password_ok(user,password, pwlen, NULL);
if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
}
/* check for a previously registered guest username */
if (!ok && (vuser != 0) && vuser->guest) {
if (user_ok(vuser->name,snum) &&
- password_ok(vuser->name, password, pwlen, NULL, vuser->dc.user_sess_key)) {
+ password_ok(vuser->name, password, pwlen, NULL)) {
fstrcpy(user, vuser->name);
vuser->guest = False;
DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
fstrcpy(user2,auser);
if (!user_ok(user2,snum)) continue;
- if (password_ok(user2,password, pwlen, NULL, vuser->dc.user_sess_key)) {
+ if (password_ok(user2,password, pwlen, NULL)) {
ok = True;
fstrcpy(user,user2);
DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
pstring user_list;
StrnCpy(user_list,lp_username(snum),sizeof(pstring));
- string_sub(user_list,"%S",lp_servicename(snum));
+ pstring_sub(user_list,"%S",lp_servicename(snum));
for (auser=strtok(user_list,LIST_SEP);
auser && !ok;
{
if (*auser == '@')
{
- auser = validate_group(auser+1,password,pwlen,snum, vuser->dc.user_sess_key);
+ auser = validate_group(auser+1,password,pwlen,snum);
if (auser)
{
ok = True;
fstring user2;
fstrcpy(user2,auser);
if (user_ok(user2,snum) &&
- password_ok(user2,password,pwlen,NULL, vuser->dc.user_sess_key))
+ password_ok(user2,password,pwlen,NULL))
{
ok = True;
fstrcpy(user,user2);
{
char *fname = NULL;
pstring rhostsfile;
- const struct passwd *pass = Get_Pwnam(user,True);
+ struct passwd *pass = Get_Pwnam(user,True);
if (!pass)
return(False);
if (lp_use_rhosts())
{
- char *home = get_home_dir(user);
+ char *home = get_user_home_dir(user);
if (home) {
extern int Client;
slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
/****************************************************************************
-return the client state structure
+ Return the client state structure.
****************************************************************************/
+
struct cli_state *server_client(void)
{
static struct cli_state pw_cli;
}
/****************************************************************************
-support for server level security
+ Support for server level security.
****************************************************************************/
+
struct cli_state *server_cryptkey(void)
{
- if (cli_connect_serverlist(server_client(), lp_passwordserver()))
- {
- return server_client();
+ struct cli_state *cli;
+ fstring desthost;
+ struct in_addr dest_ip;
+ char *p;
+ BOOL connected_ok = False;
+
+ cli = server_client();
+
+ if (!cli_initialise(cli))
+ return NULL;
+
+ p = lp_passwordserver();
+ while(p && next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
+ standard_sub_basic(desthost);
+ strupper(desthost);
+
+ if(!resolve_name( desthost, &dest_ip, 0x20)) {
+ DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
+ continue;
+ }
+
+ if (ismyip(dest_ip)) {
+ DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
+ continue;
+ }
+
+ if (cli_connect(cli, desthost, &dest_ip)) {
+ DEBUG(3,("connected to password server %s\n",desthost));
+ connected_ok = True;
+ break;
+ }
+ }
+
+ if (!connected_ok) {
+ DEBUG(0,("password server not available\n"));
+ cli_shutdown(cli);
+ return NULL;
+ }
+
+ if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip))
+ return NULL;
+
+ DEBUG(3,("got session\n"));
+
+ if (!cli_negprot(cli)) {
+ DEBUG(1,("%s rejected the negprot\n",desthost));
+ cli_shutdown(cli);
+ return NULL;
}
- return NULL;
+
+ if (cli->protocol < PROTOCOL_LANMAN2 ||
+ !(cli->sec_mode & 1)) {
+ DEBUG(1,("%s isn't in user level security mode\n",desthost));
+ cli_shutdown(cli);
+ return NULL;
+ }
+
+ DEBUG(3,("password server OK\n"));
+
+ return cli;
}
/****************************************************************************
-validate a password with the password server
+ Validate a password with the password server.
****************************************************************************/
+
BOOL server_validate(char *user, char *domain,
char *pass, int passlen,
char *ntpass, int ntpasslen)
return(False);
}
-
cli_ulogoff(cli);
return(True);
}
+/***********************************************************************
+ Connect to a remote machine for domain security authentication
+ given a name or IP address.
+************************************************************************/
+
+static BOOL connect_to_domain_password_server(struct cli_state *pcli, char *remote_machine,
+ unsigned char *trust_passwd)
+{
+ struct in_addr dest_ip;
+
+ if(cli_initialise(pcli) == False) {
+ DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
+ return False;
+ }
+
+ standard_sub_basic(remote_machine);
+ strupper(remote_machine);
+
+ if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
+ DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (ismyip(dest_ip)) {
+ DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
+ remote_machine));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (!cli_connect(pcli, remote_machine, &dest_ip)) {
+ DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) {
+ DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
+session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+ return False;
+ }
+
+ pcli->protocol = PROTOCOL_NT1;
+
+ if (!cli_negprot(pcli)) {
+ DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
+Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (pcli->protocol != PROTOCOL_NT1) {
+ DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
+ remote_machine));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ /*
+ * Do an anonymous session setup.
+ */
+
+ if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) {
+ DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
+Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (!(pcli->sec_mode & 1)) {
+ DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
+ remote_machine));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) {
+ DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
+Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ /*
+ * We now have an anonymous connection to IPC$ on the domain password server.
+ */
+
+ /*
+ * Even if the connect succeeds we need to setup the netlogon
+ * pipe here. We do this as we may just have changed the domain
+ * account password on the PDC and yet we may be talking to
+ * a BDC that doesn't have this replicated yet. In this case
+ * a successful connect to a DC needs to take the netlogon connect
+ * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
+ */
+
+ if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) {
+ DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
+ cli_nt_session_close(pcli);
+ cli_ulogoff(pcli);
+ cli_shutdown(pcli);
+ return False;
+ }
+
+ if (cli_nt_setup_creds(pcli, trust_passwd) == False) {
+ DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
+%s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
+ cli_nt_session_close(pcli);
+ cli_ulogoff(pcli);
+ cli_shutdown(pcli);
+ return(False);
+ }
+
+ return True;
+}
+
+/***********************************************************************
+ Utility function to attempt a connection to an IP address of a DC.
+************************************************************************/
+
+static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, unsigned char *trust_passwd)
+{
+ fstring dc_name;
+
+ /*
+ * Ignore addresses we have already tried.
+ */
+
+ if(ip_equal(ipzero, *ip))
+ return False;
+
+ if(!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name))
+ return False;
+
+ return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
+}
+
/***********************************************************************
Do the same as security=server, but using NT Domain calls and a session
- key from the workstation trust account password.
+ key from the machine password.
************************************************************************/
BOOL domain_client_validate( char *user, char *domain,
char *smb_apasswd, int smb_apasslen,
- char *smb_ntpasswd, int smb_ntpasslen)
+ char *smb_ntpasswd, int smb_ntpasslen,
+ BOOL *user_exists)
{
- uint16 nt_pipe_fnum;
- unsigned char local_challenge[8];
- unsigned char local_lm_response[24];
- unsigned char local_nt_reponse[24];
- unsigned char trust_passwd[16];
- NET_ID_INFO_CTR ctr;
- NET_USER_INFO_3 info3;
- struct cli_state cli;
- uint32 smb_uid_low;
-
- /*
- * Check that the requested domain is not our own machine name.
- * If it is, we should never check the PDC here, we use our own local
- * password file.
- */
-
- if(strequal( domain, global_myname))
- {
- DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
- return False;
- }
+ unsigned char local_challenge[8];
+ unsigned char local_lm_response[24];
+ unsigned char local_nt_reponse[24];
+ unsigned char trust_passwd[16];
+ fstring remote_machine;
+ char *p;
+ NET_ID_INFO_CTR ctr;
+ NET_USER_INFO_3 info3;
+ struct cli_state cli;
+ uint32 smb_uid_low;
+ BOOL connected_ok = False;
+
+ if(user_exists != NULL)
+ *user_exists = True; /* Only set false on a very specific error. */
+
+ /*
+ * Check that the requested domain is not our own machine name.
+ * If it is, we should never check the PDC here, we use our own local
+ * password file.
+ */
- /*
- * Next, check that the passwords given were encrypted.
- */
+ if(strequal( domain, global_myname)) {
+ DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
+ return False;
+ }
- if(((smb_apasslen != 24) && (smb_apasslen != 0)) ||
- ((smb_ntpasslen != 24) && (smb_ntpasslen != 0)))
- {
- /*
- * Not encrypted - do so.
- */
-
- DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
- generate_random_buffer( local_challenge, 8, False);
- SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
- SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse);
- smb_apasslen = 24;
- smb_ntpasslen = 24;
- smb_apasswd = (char *)local_lm_response;
- smb_ntpasswd = (char *)local_nt_reponse;
- }
- else
- {
- /*
- * Encrypted - get the challenge we sent for these
- * responses.
- */
+ /*
+ * Next, check that the passwords given were encrypted.
+ */
- if (!last_challenge(local_challenge))
- {
- DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
- return False;
- }
- }
+ if(((smb_apasslen != 24) && (smb_apasslen != 0)) ||
+ ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) {
- /*
- * Get the workstation trust account password.
- */
- if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname))
- {
- return False;
- }
+ /*
+ * Not encrypted - do so.
+ */
- /*
- * At this point, smb_apasswd points to the lanman response to
- * the challenge in local_challenge, and smb_ntpasswd points to
- * the NT response to the challenge in local_challenge. Ship
- * these over the secure channel to a domain controller and
- * see if they were valid.
- */
+ DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
+ generate_random_buffer( local_challenge, 8, False);
+ SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
+ SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse);
+ smb_apasslen = 24;
+ smb_ntpasslen = 24;
+ smb_apasswd = (char *)local_lm_response;
+ smb_ntpasswd = (char *)local_nt_reponse;
+ } else {
- if (!cli_connect_serverlist(&cli, lp_passwordserver()))
- {
- DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
- return False;
- }
+ /*
+ * Encrypted - get the challenge we sent for these
+ * responses.
+ */
- /*
- * Ok - we have an anonymous connection to the IPC$ share.
- * Now start the NT Domain stuff :-).
- */
-
- if(cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum) == False) {
- DEBUG(0,("domain_client_validate: unable to open the domain client session to \
- machine %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli)));
- cli_nt_session_close(&cli, nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
+ if (!last_challenge(local_challenge)) {
+ DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
+ return False;
+ }
+ }
- if(cli_nt_setup_creds(&cli, nt_pipe_fnum,
- cli.mach_acct, trust_passwd, SEC_CHAN_WKSTA) == False)
- {
- DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \
- %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli)));
- cli_nt_session_close(&cli, nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
+ /*
+ * Get the machine account password.
+ */
+ if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname))
+ {
+ return False;
+ }
- /* We really don't care what LUID we give the user. */
- generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
+ /*
+ * At this point, smb_apasswd points to the lanman response to
+ * the challenge in local_challenge, and smb_ntpasswd points to
+ * the NT response to the challenge in local_challenge. Ship
+ * these over the secure channel to a domain controller and
+ * see if they were valid.
+ */
- if (!cli_nt_login_network(&cli, nt_pipe_fnum, domain, user, smb_uid_low, (char *)local_challenge,
- ((smb_apasslen != 0) ? smb_apasswd : NULL),
- ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
- &ctr, &info3))
- {
- DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
- %s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli)));
- cli_nt_session_close(&cli, nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
+ ZERO_STRUCT(cli);
- /*
- * Here, if we really want it, we have lots of info about the user in info3.
- * LKCLXXXX - really important to check things like "is this user acct
- * locked out / disabled" etc!!!!
- */
+ /*
+ * Treat each name in the 'password server =' line as a potential
+ * PDC/BDC. Contact each in turn and try and authenticate.
+ */
+
+ p = lp_passwordserver();
+ while(!connected_ok && p &&
+ next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
+ if(strequal(remote_machine, "*")) {
+
+ /*
+ * We have been asked to dynamcially determine the IP addresses of
+ * the PDC and BDC's for this DOMAIN, and query them in turn.
+ */
+
+ struct in_addr *ip_list = NULL;
+ int count = 0;
+ int i;
+
+ if(!get_dc_list(lp_workgroup(), &ip_list, &count))
+ continue;
+
+ /*
+ * Firstly try and contact a PDC/BDC who has the same
+ * network address as any of our interfaces.
+ */
+
+ for(i = 0; i < count; i++) {
+ if(!is_local_net(ip_list[i]))
+ continue;
+
+ if((connected_ok = attempt_connect_to_dc(&cli, &ip_list[i], trust_passwd)))
+ break;
+
+ ip_list[i] = ipzero; /* Tried and failed. */
+ }
+
+ /*
+ * Secondly try and contact a random PDC/BDC.
+ */
+
+ if(!connected_ok) {
+ i = (sys_random() % count);
+
+ if(!(connected_ok = attempt_connect_to_dc(&cli, &ip_list[i], trust_passwd)))
+ ip_list[i] = ipzero; /* Tried and failed. */
+ }
+
+ /*
+ * Finally go through the IP list in turn, ignoring any addresses
+ * we have already tried.
+ */
+
+ if(!connected_ok) {
+
+ /*
+ * Try and connect to any of the other IP addresses in the PDC/BDC list.
+ * Note that from a WINS server the #1 IP address is the PDC.
+ */
+
+ for(i = 0; i < count; i++) {
+ if((connected_ok = attempt_connect_to_dc(&cli, &ip_list[i], trust_passwd)))
+ break;
+ }
+ }
+
+ if(ip_list != NULL)
+ free((char *)ip_list);
+
+ } else {
+ connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
+ }
+ }
+
+ if (!connected_ok) {
+ DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ /* We really don't care what LUID we give the user. */
+ generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
+
+ if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge,
+ ((smb_apasslen != 0) ? smb_apasswd : NULL),
+ ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
+ &ctr, &info3) == False) {
+ uint32 nt_rpc_err;
+
+ cli_error(&cli, NULL, NULL, &nt_rpc_err);
+ DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
+%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+
+ if((nt_rpc_err == NT_STATUS_NO_SUCH_USER) && (user_exists != NULL))
+ *user_exists = False;
+
+ return False;
+ }
+
+ /*
+ * Here, if we really want it, we have lots of info about the user in info3.
+ */
#if 0
- /*
- * We don't actually need to do this - plus it fails currently with
- * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
- * send here. JRA.
- */
+ /*
+ * We don't actually need to do this - plus it fails currently with
+ * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
+ * send here. JRA.
+ */
- if (!cli_nt_logoff(&cli, nt_pipe_fnum, &ctr))
- {
- DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
- %s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli)));
- cli_nt_session_close(&cli, nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
+ if(cli_nt_logoff(&cli, &ctr) == False) {
+ DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
+%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
#endif /* 0 */
- cli_nt_session_close(&cli, nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return True;
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return True;
}