#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-extern DOM_SID global_sid_World;
-extern DOM_SID global_sid_Network;
-extern DOM_SID global_sid_Builtin_Guests;
-extern DOM_SID global_sid_Authenticated_Users;
-
-
-/****************************************************************************
- Create a UNIX user on demand.
-****************************************************************************/
-
-static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
-{
- pstring add_script;
- int ret;
-
- pstrcpy(add_script, lp_adduser_script());
- if (! *add_script)
- return -1;
- all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
- if (domain)
- all_string_sub(add_script, "%D", domain, sizeof(pstring));
- if (homedir)
- all_string_sub(add_script, "%H", homedir, sizeof(pstring));
- ret = smbrun(add_script,NULL);
- DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
- return ret;
-}
-
-/****************************************************************************
- Add and Delete UNIX users on demand, based on NTSTATUS codes.
-****************************************************************************/
-
-void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
-{
- struct passwd *pwd=NULL;
-
- if (NT_STATUS_IS_OK(nt_status)) {
-
- if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) {
-
- /*
- * User validated ok against Domain controller.
- * If the admin wants us to try and create a UNIX
- * user on the fly, do so.
- */
-
- if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) {
- smb_create_user(user_info->domain.str, user_info->internal_username.str, NULL);
- }
- }
- }
-}
-
-/****************************************************************************
- Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
- unix info.
-****************************************************************************/
-
-NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
-{
- BOOL pdb_ret;
- NTSTATUS nt_status;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) {
- return nt_status;
- }
-
- become_root();
- pdb_ret = pdb_getsampwnam(*account, user);
- unbecome_root();
-
- if (!pdb_ret) {
-
- struct passwd *pass = Get_Pwnam(user);
- if (!pass)
- return NT_STATUS_NO_SUCH_USER;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) {
- return nt_status;
- }
- }
- return NT_STATUS_OK;
-}
-
/****************************************************************************
Create an auth_usersupplied_data structure
****************************************************************************/
-
static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
const char *smb_name,
const char *internal_username,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
- const uchar *lm_network_pwd, int lm_pwd_len,
- const uchar *nt_network_pwd, int nt_pwd_len)
+ const uint8_t *lm_network_pwd, int lm_pwd_len,
+ const uint8_t *nt_network_pwd, int nt_pwd_len)
{
BOOL ret;
NTSTATUS nt_status;
const char *smb_name,
const char *client_domain,
const char *wksta_name,
- const uchar chal[8],
- const uchar lm_interactive_pwd[16],
- const uchar nt_interactive_pwd[16],
- const uchar *dc_sess_key)
+ const uint8_t chal[8],
+ const uint8_t lm_interactive_pwd[16],
+ const uint8_t nt_interactive_pwd[16],
+ const uint8_t *dc_sess_key)
{
char lm_pwd[16];
char nt_pwd[16];
- unsigned char local_lm_response[24];
- unsigned char local_nt_response[24];
- unsigned char key[16];
+ uint8_t local_lm_response[24];
+ uint8_t local_nt_response[24];
+ uint8_t key[16];
ZERO_STRUCT(key);
memcpy(key, dc_sess_key, 8);
#endif
if (lm_interactive_pwd)
- SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
+ arcfour_crypt((uint8_t *)lm_pwd, key, sizeof(lm_pwd));
if (nt_interactive_pwd)
- SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
+ arcfour_crypt((uint8_t *)nt_pwd, key, sizeof(nt_pwd));
#ifdef DEBUG_PASSWORD
DEBUG(100,("decrypt of lm owf password:"));
#endif
if (lm_interactive_pwd)
- SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response);
+ SMBOWFencrypt((const uint8_t *)lm_pwd, chal, local_lm_response);
if (nt_interactive_pwd)
- SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response);
+ SMBOWFencrypt((const uint8_t *)nt_pwd, chal, local_nt_response);
/* Password info paranoia */
ZERO_STRUCT(key);
BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
- const uint8 chal[8],
+ const uint8_t chal[8],
DATA_BLOB plaintext_password)
{
DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n"));
if (plaintext_password.data) {
- unsigned char local_lm_response[24];
+ uint8_t local_lm_response[24];
#ifdef DEBUG_PASSWORD
DEBUG(10,("Unencrypted password (len %d):\n",plaintext_password.length));
dump_data(100, plaintext_password.data, plaintext_password.length);
#endif
- SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response);
+ SMBencrypt( (const char *)plaintext_password.data, (const uint8_t *)chal, local_lm_response);
local_lm_blob = data_blob(local_lm_response, 24);
/* We can't do an NT hash here, as the password needs to be
void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
{
- fstring sid_str;
+ TALLOC_CTX *mem_ctx;
+
size_t i;
if (!token) {
return;
}
+ mem_ctx = talloc_init("debug_nt_user_token()");
+ if (!mem_ctx) {
+ return;
+ }
+
DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
- sid_to_string(sid_str, &token->user_sids[0]) ));
+ dom_sid_string(mem_ctx, token->user_sids[0]) ));
DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
for (i = 0; i < token->num_sids; i++)
DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i,
- sid_to_string(sid_str, &token->user_sids[i])));
-}
-
-/****************************************************************************
- prints a UNIX 'token' to debug output.
-****************************************************************************/
+ dom_sid_string(mem_ctx, token->user_sids[i])));
-void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups)
-{
- int i;
- DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid));
-
- DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups));
- for (i = 0; i < n_groups; i++)
- DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
- (long int)groups[i]));
+ talloc_destroy(mem_ctx);
}
/****************************************************************************
Create the SID list for this user.
****************************************************************************/
-static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid,
- int n_groupSIDs, DOM_SID *groupSIDs,
- BOOL is_guest, NT_USER_TOKEN **token)
+NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
+ struct dom_sid *user_sid, struct dom_sid *group_sid,
+ int n_groupSIDs, struct dom_sid **groupSIDs,
+ BOOL is_guest, struct nt_user_token **token)
{
NTSTATUS nt_status = NT_STATUS_OK;
- NT_USER_TOKEN *ptoken;
+ struct nt_user_token *ptoken;
int i;
int sid_ndx;
- if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
+ if (!(ptoken = talloc_p(mem_ctx, struct nt_user_token))) {
DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
nt_status = NT_STATUS_NO_MEMORY;
return nt_status;
}
- ZERO_STRUCTP(ptoken);
-
- ptoken->num_sids = n_groupSIDs + 5;
+ ptoken->num_sids = 0;
- if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
+ if (!(ptoken->user_sids = talloc_array_p(mem_ctx, struct dom_sid*, n_groupSIDs + 5))) {
DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
nt_status = NT_STATUS_NO_MEMORY;
return nt_status;
}
- memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids);
-
/*
* Note - user SID *MUST* be first in token !
* se_access_check depends on this.
* Primary group SID is second in token. Convention.
*/
- sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid);
- if (group_sid)
- sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid);
+ ptoken->user_sids[PRIMARY_USER_SID_INDEX] = user_sid;
+ ptoken->num_sids++;
+ ptoken->user_sids[PRIMARY_GROUP_SID_INDEX] = group_sid;
+ ptoken->num_sids++;
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous" (which we
* don't really support) is the addition of Authenticated_Users.
*/
+ ptoken->user_sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
+ ptoken->user_sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NETWORK);
- sid_copy(&ptoken->user_sids[2], &global_sid_World);
- sid_copy(&ptoken->user_sids[3], &global_sid_Network);
+ if (is_guest) {
+ ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN_GUESTS);
+ ptoken->num_sids++;
+ } else {
+ ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_AUTHENTICATED_USERS);
+ ptoken->num_sids++;
+ }
- if (is_guest)
- sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests);
- else
- sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users);
-
sid_ndx = 5; /* next available spot */
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
- if (sid_equal(&ptoken->user_sids[check_sid_idx],
- &groupSIDs[i])) {
+ if (sid_equal(ptoken->user_sids[check_sid_idx],
+ groupSIDs[i])) {
break;
}
}
if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
- sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]);
- } else {
- ptoken->num_sids--;
+ ptoken->user_sids[sid_ndx++] = groupSIDs[i];
+ ptoken->num_sids++;
}
}
return nt_status;
}
-/****************************************************************************
- Create the SID list for this user.
-****************************************************************************/
-
-struct nt_user_token *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
-{
- DOM_SID user_sid;
- DOM_SID group_sid;
- DOM_SID *group_sids;
- NT_USER_TOKEN *token;
- int i;
-
- if (!uid_to_sid(&user_sid, uid)) {
- return NULL;
- }
- if (!gid_to_sid(&group_sid, gid)) {
- return NULL;
- }
-
- group_sids = malloc(sizeof(DOM_SID) * ngroups);
- if (!group_sids) {
- DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n"));
- return NULL;
- }
-
- for (i = 0; i < ngroups; i++) {
- if (!gid_to_sid(&(group_sids)[i], (groups)[i])) {
- DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
- SAFE_FREE(group_sids);
- return NULL;
- }
- }
-
- if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid,
- ngroups, group_sids, is_guest, &token))) {
- SAFE_FREE(group_sids);
- return NULL;
- }
-
- SAFE_FREE(group_sids);
-
- return token;
-}
-
-/******************************************************************************
- * this function returns the groups (SIDs) of the local SAM the user is in.
- * If this samba server is a DC of the domain the user belongs to, it returns
- * both domain groups and local / builtin groups. If the user is in a trusted
- * domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of.
- *
- * currently this is a hack, as there is no sam implementation that is capable
- * of groups.
- ******************************************************************************/
-
-static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
- int *n_groups, DOM_SID **groups, gid_t **unix_groups)
-{
- uid_t uid;
- gid_t gid;
- int n_unix_groups;
- int i;
- struct passwd *usr;
-
- *n_groups = 0;
- *groups = NULL;
-
- if (!IS_SAM_UNIX_USER(sampass)) {
- DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- uid = pdb_get_uid(sampass);
- gid = pdb_get_gid(sampass);
-
- n_unix_groups = groups_max();
- if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
- DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
- passwd_free(&usr);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
- gid_t *groups_tmp;
- groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
- if (!groups_tmp) {
- SAFE_FREE(*unix_groups);
- passwd_free(&usr);
- return NT_STATUS_NO_MEMORY;
- }
- *unix_groups = groups_tmp;
-
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
- DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
- SAFE_FREE(*unix_groups);
- passwd_free(&usr);
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
- }
- }
-
- debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
-
- if (n_unix_groups > 0) {
- *groups = malloc(sizeof(DOM_SID) * n_unix_groups);
- if (!*groups) {
- DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n"));
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- *n_groups = n_unix_groups;
-
- for (i = 0; i < *n_groups; i++) {
- if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
- DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1]));
- SAFE_FREE(*groups);
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_SUCH_USER;
- }
- }
-
- return NT_STATUS_OK;
-}
-
/***************************************************************************
Make a user_info struct
***************************************************************************/
-static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
+NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *username)
{
- *server_info = malloc(sizeof(**server_info));
+ TALLOC_CTX *mem_ctx = talloc_init("auth subsystem: server_info for %s", username);
+ *server_info = talloc_p(mem_ctx, auth_serversupplied_info);
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
+ talloc_destroy(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
- ZERO_STRUCTP(*server_info);
-
- (*server_info)->sam_fill_level = SAM_FILL_ALL;
- (*server_info)->sam_account = sampass;
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Make (and fill) a user_info struct from a SAM_ACCOUNT
-***************************************************************************/
-
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
- SAM_ACCOUNT *sampass)
-{
- NTSTATUS nt_status = NT_STATUS_OK;
- const DOM_SID *user_sid = pdb_get_user_sid(sampass);
- const DOM_SID *group_sid = pdb_get_group_sid(sampass);
- int n_groupSIDs = 0;
- DOM_SID *groupSIDs = NULL;
- gid_t *unix_groups = NULL;
- NT_USER_TOKEN *token;
- BOOL is_guest;
- uint32 rid;
-
- if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) {
- return nt_status;
- }
-
- if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(sampass,
- &n_groupSIDs, &groupSIDs, &unix_groups)))
- {
- DEBUG(4,("get_user_groups_from_local_sam failed\n"));
- free_server_info(server_info);
- return nt_status;
- }
-
- is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
-
- if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
- n_groupSIDs, groupSIDs, is_guest,
- &token)))
- {
- DEBUG(4,("create_nt_user_token failed\n"));
- SAFE_FREE(groupSIDs);
- SAFE_FREE(unix_groups);
- free_server_info(server_info);
- return nt_status;
- }
+ (*server_info)->mem_ctx = mem_ctx;
- SAFE_FREE(groupSIDs);
-
- (*server_info)->n_groups = n_groupSIDs;
- (*server_info)->groups = unix_groups;
-
- (*server_info)->ptok = token;
-
- DEBUG(5,("make_server_info_sam: made server info for user %s\n",
- pdb_get_username((*server_info)->sam_account)));
-
- return nt_status;
-}
-
-/***************************************************************************
- Make (and fill) a user_info struct from a 'struct passwd' by conversion
- to a SAM_ACCOUNT
-***************************************************************************/
-
-NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd)
-{
- NTSTATUS nt_status;
- SAM_ACCOUNT *sampass = NULL;
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
- return nt_status;
- }
- return make_server_info_sam(server_info, sampass);
+ return NT_STATUS_OK;
}
/***************************************************************************
Make (and fill) a user_info struct for a guest login.
***************************************************************************/
-
NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
- SAM_ACCOUNT *sampass = NULL;
- DOM_SID guest_sid;
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
- return nt_status;
- }
+ static const char zeros[16];
+ struct dom_sid *sid_Anonymous;
+ struct dom_sid *sid_Builtin_Guests;
- sid_copy(&guest_sid, get_global_sam_sid());
- sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
+ nt_status = make_server_info(server_info, "");
- become_root();
- if (!pdb_getsampwsid(sampass, &guest_sid)) {
- unbecome_root();
- return NT_STATUS_NO_SUCH_USER;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- unbecome_root();
-
- nt_status = make_server_info_sam(server_info, sampass);
+
+ (*server_info)->guest = True;
- if (NT_STATUS_IS_OK(nt_status)) {
- static const char zeros[16];
- (*server_info)->guest = True;
-
- /* annoying, but the Guest really does have a session key,
- and it is all zeros! */
- (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
- (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
+ sid_Anonymous = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
+ sid_Builtin_Guests = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
+
+ if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
+ sid_Anonymous, sid_Builtin_Guests,
+ 0, NULL,
+ True, &(*server_info)->ptok))) {
+ DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
+ free_server_info(server_info);
+ return nt_status;
}
-
+
+ /* annoying, but the Guest really does have a session key,
+ and it is all zeros! */
+ (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
+ (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
return nt_status;
}
void free_server_info(auth_serversupplied_info **server_info)
{
- DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
- if (*server_info != NULL) {
- pdb_free_sam(&(*server_info)->sam_account);
-
- /* call pam_end here, unless we know we are keeping it */
- delete_nt_token( &(*server_info)->ptok );
- SAFE_FREE((*server_info)->groups);
- ZERO_STRUCT(**server_info);
+ DEBUG(5,("attempting to free a server_info structure\n"));
+ if (!*server_info) {
+ talloc_destroy((*server_info)->mem_ctx);
}
- SAFE_FREE(*server_info);
+ *server_info = NULL;
}
/***************************************************************************
SAFE_FREE(*pptoken);
}
-/****************************************************************************
- Duplicate a SID token.
-****************************************************************************/
-
-struct nt_user_token *dup_nt_token(NT_USER_TOKEN *ptoken)
-{
- NT_USER_TOKEN *token;
-
- if (!ptoken)
- return NULL;
-
- if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
- return NULL;
-
- ZERO_STRUCTP(token);
-
- if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
- SAFE_FREE(token);
- return NULL;
- }
-
- token->num_sids = ptoken->num_sids;
-
- return token;
-}
-
/**
* Squash an NT_STATUS in line with security requirements.
* In an attempt to avoid giving the whole game away when users
git.samba.org / kai / samba-autobuild / .git / blobdiff