X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=source3%2Fauth%2Fauth_winbind.c;h=2b5c84d2760e1a0205b04da1a8117abc808c4fec;hb=92ca4f52ae093e14d39b8853a34ffa8be6a3d492;hp=d1b00a32686495447c5fa0bb635ea15d32a886d8;hpb=64ddd381b74ca94e8ff8ae62d8f019a9b5290a80;p=sfrench%2Fsamba-autobuild%2F.git
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index d1b00a32686..2b5c84d2760 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -5,22 +5,24 @@
 Copyright (C) Tim Potter 2000
 Copyright (C) Andrew Bartlett 2001 - 2002
-
+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 3 of the License, or
 (at your option) any later version.
-
+
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
-
+
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 */
 #include "includes.h"
+#include "auth.h"
+#include "nsswitch/libwbclient/wbclient.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -30,8 +32,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 void *my_private_data,
 TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
 {
 NTSTATUS nt_status;
 wbcErr wbc_status;
@@ -39,27 +41,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 struct wbcAuthUserInfo *info = NULL;
 struct wbcAuthErrorInfo *err = NULL;
+ ZERO_STRUCT(params);
+
 if (!user_info) {
 return NT_STATUS_INVALID_PARAMETER;
 }
+ DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
+
 if (!auth_context) {
 DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
- user_info->internal_username));
+ user_info->mapped.account_name));
 return NT_STATUS_INVALID_PARAMETER;
 }
- if (strequal(user_info->domain, get_global_sam_name())) {
+ if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
 DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
- user_info->domain));
+ user_info->mapped.domain_name));
 return NT_STATUS_NOT_IMPLEMENTED;
 }
 /* Send off request */
-
- params.account_name = user_info->smb_name;
- params.domain_name = user_info->domain;
- params.workstation_name = user_info->wksta_name;
+ params.account_name = user_info->client.account_name;
+ /*
+ * We need to send the domain name from the client to the DC. With
+ * NTLMv2 the domain name is part of the hashed second challenge,
+ * if we change the domain name, the DC will fail to verify the
+ * challenge cause we changed the domain name, this is like a
+ * man in the middle attack.
+ */
+ params.domain_name = user_info->client.domain_name;
+ params.workstation_name = user_info->workstation_name;
 params.flags = 0;
 params.parameter_control= user_info->logon_parameters;
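Review bot: The new comment above `params.domain_name = user_info->client.domain_name;` explains why the client-supplied domain must reach the DC unchanged for NTLMv2, but it does not say that `mapped.domain_name` is still the intended value for the local-SAM short-circuit a few lines above and for the server_info built later in this file, which is exactly the asymmetry a later maintainer is likely to "fix" by making the two agree. I would add one sentence to that comment, e.g. `Only the request sent to winbind uses client.domain_name; the local-SAM check and the resulting server_info deliberately use mapped.domain_name.` While there, `challenge cause we changed the domain name` reads better as `challenge because the domain name changed`. check_winbind_security starts before this hunk and continues after it.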
@@ -70,10 +82,18 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 auth_context->challenge.data,
 sizeof(params.password.response.challenge));
- params.password.response.nt_length = user_info->nt_resp.length;
- params.password.response.nt_data = user_info->nt_resp.data;
- params.password.response.lm_length = user_info->lm_resp.length;
- params.password.response.lm_data = user_info->lm_resp.data;
+ if (user_info->password.response.nt.length != 0) {
+ params.password.response.nt_length =
+ user_info->password.response.nt.length;
+ params.password.response.nt_data =
+ user_info->password.response.nt.data;
+ }
+ if (user_info->password.response.lanman.length != 0) {
+ params.password.response.lm_length =
+ user_info->password.response.lanman.length;
+ params.password.response.lm_data =
+ user_info->password.response.lanman.data;
+ }
 /* we are contacting the privileged pipe */
 become_root();
@@ -96,9 +116,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 if ( auth_method )
 return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
- else
- /* log an error since this should not happen */
- DEBUG(0,("check_winbind_security: ERROR! my_private_data == NULL!\n"));
+ return NT_STATUS_LOGON_FAILURE;
 }
 if (wbc_status == WBC_ERR_AUTH_ERROR) {
@@ -112,8 +130,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
- user_info->smb_name,
- user_info->domain,
+ user_info->client.account_name,
+ user_info->mapped.domain_name,
 info, server_info);
 wbcFreeMemory(info);
 if (!NT_STATUS_IS_OK(nt_status)) {
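Review bot: The branch that now does `return NT_STATUS_LOGON_FAILURE;` when `auth_method` is NULL drops the only diagnostic the old code emitted for this case, so an administrator whose winbind is down and who has no fallback module configured will see a bare logon failure with nothing in the log to point at the cause. Keep a message before the return, e.g. `DEBUG(3, ("check_winbind_security: winbind unavailable and no fallback auth module configured\n"));`. Which wbc_status leads into this block is decided by a condition outside the hunk; if it is the winbind-not-available case, NT_STATUS_NO_LOGON_SERVERS may describe the situation to the client more accurately than NT_STATUS_LOGON_FAILURE, which is worth confirming against the callers. check_winbind_security starts before and ends after this hunk.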
@@ -128,12 +146,14 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 /* module initialisation */
 static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 {
- if (!make_auth_methods(auth_context, auth_method)) {
+ struct auth_methods *result;
+
+ result = talloc_zero(auth_context, struct auth_methods);
+ if (result == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
-
- (*auth_method)->name = "winbind";
- (*auth_method)->auth = check_winbind_security;
+ result->name = "winbind";
+ result->auth = check_winbind_security;
 if (param && *param) {
 /* we load the 'fallback' module - if winbind isn't here, call this
@@ -142,8 +162,10 @@ static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char
 if (!load_auth_module(auth_context, param, &priv)) {
 return NT_STATUS_UNSUCCESSFUL;
 }
- (*auth_method)->private_data = (void *)priv;
+ result->private_data = (void *)priv;
 }
+
+ *auth_method = result;
 return NT_STATUS_OK;
 }
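Review bot: On the `load_auth_module` failure path `result` is never released: it was allocated with `talloc_zero(auth_context, ...)` in the preceding hunk, and since `*auth_method` is only assigned at the very end the caller has no handle to it, so it lingers on auth_context until that context is freed. Add `TALLOC_FREE(result);` before `return NT_STATUS_UNSUCCESSFUL;`. The leak is small and bounded per failed module load, but the commit's move to a local `result` with a single successful exit makes the fix a one-liner. auth_init_winbind begins before this hunk.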