const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
-
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ /* if all the modules say 'not for me' this is reasonable */
+ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
const char *pdb_username;
auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
}
talloc_destroy(mem_ctx);
-
- /* this sucks. Somehow we have to know if an authentication module is
- authoritative for a user. Fixme!!! --jerry */
-
- if ( NT_STATUS_IS_OK(nt_status) ||
- NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_WRONG_PASSWORD) )
+
+ if ( NT_STATUS_IS_OK(nt_status))
{
break;
}
break;
case SEC_USER:
if (lp_encrypted_passwords()) {
- DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make("guest sam", NULL);
+ if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
+ DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL);
+ } else {
+ DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam", NULL);
+ }
} else {
DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
auth_method_list = str_list_make("guest unix", NULL);
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ /* mark this as 'not for me' */
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
if (!(user_info->internal_username.str
&& *user_info->internal_username.str)) {
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************************
* password file.
*/
- if(is_myname(user_info->domain.str)) {
+ if(strequal(get_global_sam_name(), user_info->domain.str)) {
DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
return NT_STATUS_NOT_IMPLEMENTED;
}
* Check that the requested domain is not our own machine name or domain name.
*/
- if( is_myname(user_info->domain.str) || strequal(lp_workgroup(), user_info->domain.str) ) {
+ if( strequal(get_global_sam_name(), user_info->domain.str)) {
DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n",
user_info->domain.str));
return NT_STATUS_NOT_IMPLEMENTED;
user is known to us and does not exist */
if ( !is_trusted_domain( user_info->domain.str ) )
- return NT_STATUS_NO_SUCH_USER;
+ return NT_STATUS_NOT_IMPLEMENTED;
/*
* Get the trusted account password for the trusted domain
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
SAM_ACCOUNT *account = NULL;
if (!NT_STATUS_IS_OK(nt_status =
auth_get_sam_account(user_info->internal_username.str,
nt_status = make_server_info_sam(server_info, account);
} else {
pdb_free_sam(&account);
- nt_status = NT_STATUS_LOGON_FAILURE;
}
return nt_status;
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
SAM_ACCOUNT *account = NULL;
pstring rhostsfile;
const char *home;
nt_status = make_server_info_sam(server_info, account);
} else {
pdb_free_sam(&account);
- nt_status = NT_STATUS_LOGON_FAILURE;
}
unbecome_root();
} else {
pdb_free_sam(&account);
- nt_status = NT_STATUS_LOGON_FAILURE;
}
return nt_status;
static fstring baduser;
static BOOL tested_password_server = False;
static BOOL bad_password_server = False;
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
BOOL locally_made_cli = False;
/*
if(is_myname(user_info->domain.str)) {
DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n"));
- return NT_STATUS_LOGON_FAILURE;
+ return nt_status;
}
cli = my_private_data;
SAM_ACCOUNT *sampass)
{
NTSTATUS nt_status;
+ struct passwd *pwd;
if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info)))
return nt_status;
if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
return nt_status;
- if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
+ if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) {
+ fstring sid;
+ DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n",
+ pdb_get_username(sampass),
+ sid_to_string(sid, pdb_get_user_sid(sampass)),
+ (unsigned)(*server_info)->uid));
+ free_server_info(server_info);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ (*server_info)->unix_name = smb_xstrdup(pwd->pw_name);
+ passwd_free(&pwd);
+
+ if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass),
+ &((*server_info)->gid)))) {
+ free_server_info(server_info);
return nt_status;
+ }
if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass,
- (*server_info)->uid, (*server_info)->gid)))
+ (*server_info)->uid,
+ (*server_info)->gid))) {
+ free_server_info(server_info);
return nt_status;
+ }
(*server_info)->sam_fill_level = SAM_FILL_ALL;
- DEBUG(5,("make_server_info_sam: made server info for user %s\n",
- pdb_get_username((*server_info)->sam_account)));
+ DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
+ pdb_get_username(sampass),
+ (*server_info)->unix_name));
return nt_status;
}
return nt_status;
}
+ (*server_info)->unix_name = smb_xstrdup(pwd->pw_name);
+
(*server_info)->sam_fill_level = SAM_FILL_ALL;
(*server_info)->uid = pwd->pw_uid;
(*server_info)->gid = pwd->pw_gid;
Purely internal function for make_server_info_info3
Fill the sam account from getpwnam
***************************************************************************/
-static NTSTATUS fill_sam_account(const char *domain,
+static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
+ const char *domain,
const char *username,
+ char **found_username,
uid_t *uid, gid_t *gid,
SAM_ACCOUNT **sam_account)
{
*uid = passwd->pw_uid;
*gid = passwd->pw_gid;
+ *found_username = talloc_strdup(mem_ctx, passwd->pw_name);
+
return pdb_init_sam_pw(sam_account, passwd);
}
NET_USER_INFO_3 *info3)
{
NTSTATUS nt_status = NT_STATUS_OK;
-
+ char *found_username;
const char *nt_domain;
const char *nt_username;
gid = passwd->pw_gid;
/* we should check this is the same name */
-
+ found_username = talloc_strdup(mem_ctx, passwd->pw_name);
+
passwd_free(&passwd);
} else {
/* User not from winbind - try and find them by getpwnam() */
- nt_status = fill_sam_account(nt_domain,
+ nt_status = fill_sam_account(mem_ctx, nt_domain,
internal_username,
+ &found_username,
&uid, &gid,
&sam_account);
DEBUG(3,("User %s does not exist, trying to add it\n",
internal_username));
auth_add_user_script(nt_domain, internal_username);
- nt_status = fill_sam_account(nt_domain,
+ nt_status = fill_sam_account(mem_ctx, nt_domain,
internal_username,
+ &found_username,
&uid, &gid,
&sam_account);
}
return nt_status;
}
- if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
+ if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
pdb_free_sam(&sam_account);
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_NO_MEMORY;
}
- if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
- pdb_free_sam(&sam_account);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
+ if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
pdb_free_sam(&sam_account);
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_NO_MEMORY;
}
- if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) {
+ if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)),
+ PDB_CHANGED)) {
pdb_free_sam(&sam_account);
return NT_STATUS_NO_MEMORY;
}
(*server_info)->sam_account = sam_account;
+ (*server_info)->unix_name = smb_xstrdup(found_username);
+
/* Fill in the unix info we found on the way */
(*server_info)->sam_fill_level = SAM_FILL_ALL;
returned to the caller. */
if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(pdb_get_username(sam_account),
+ = get_user_groups_from_local_sam((*server_info)->unix_name,
uid, gid,
&n_lgroupSIDs,
&lgroupSIDs,
if (!all_group_SIDs) {
DEBUG(0, ("malloc() failed for DOM_SID list!\n"));
SAFE_FREE(lgroupSIDs);
+ free_server_info(server_info);
return NT_STATUS_NO_MEMORY;
}
DEBUG(3,("could not append additional group rid 0x%x\n",
info3->gids[i].g_rid));
SAFE_FREE(lgroupSIDs);
+ free_server_info(server_info);
return nt_status;
}
}
all_group_SIDs, False, &token))) {
DEBUG(4,("create_nt_user_token failed\n"));
SAFE_FREE(all_group_SIDs);
+ free_server_info(server_info);
return nt_status;
}
/* call pam_end here, unless we know we are keeping it */
delete_nt_token( &(*server_info)->ptok );
SAFE_FREE((*server_info)->groups);
+ SAFE_FREE((*server_info)->unix_name);
ZERO_STRUCT(**server_info);
}
SAFE_FREE(*server_info);
if (!auth_context) {
DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
user_info->internal_username.str));
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_INVALID_PARAMETER;
}
+ if (strequal(user_info->domain.str, get_global_sam_name())) {
+ DEBUG(3,("check_winbind_security: Not using winbind, requested domain was for this SAM.\n"));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
/* Send off request */
ZERO_STRUCT(request);
request.data.auth_crap.lm_resp_len);
memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data,
request.data.auth_crap.nt_resp_len);
-
+
+ /* we are contacting the privileged pipe */
+ become_root();
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
+ unbecome_root();
if ( result == NSS_STATUS_UNAVAIL ) {
struct auth_methods *auth_method = my_private_data;
}
}
} else if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = NT_STATUS_UNSUCCESSFUL;
+ nt_status = NT_STATUS_NO_LOGON_SERVERS;
}
return nt_status;
SAM_ACCOUNT *sam_account;
void *pam_handle;
+
+ char *unix_name;
} auth_serversupplied_info;
/* need to count the number of space-delimited sids */
unsigned int i;
int num_other_sids = 0;
- char *username;
NTTIME logon_time, logoff_time, kickoff_time,
pass_last_set_time, pass_can_change_time,
int len_logon_srv = strlen(logon_srv);
int len_logon_dom = strlen(logon_dom);
-
- /* do some cleanup on the user name here to deal with users from a
- trusted domain logging onto a client in our domain. If we are running
- winbindd, the trusted users will be of the form DOMAIN\user so strip
- out the domain portion. I noticed then when looking at an SMBsessionsetup&X.
- The client was sending GLASS\Administrator as the username and GLASS as the
- domain name -- jerry */
-
- if ( (username = strchr( user_name, *lp_winbind_separator() )) != NULL )
- username++;
- else
- username = user_name;
-
-
- len_user_name = strlen(username );
+ len_user_name = strlen(user_name );
len_full_name = strlen(full_name );
len_home_dir = strlen(home_dir );
len_dir_drive = strlen(dir_drive );
usr->num_other_sids = num_other_sids;
usr->buffer_other_sids = (num_other_sids != 0) ? 1 : 0;
- init_unistr2(&usr->uni_user_name, username, len_user_name);
+ init_unistr2(&usr->uni_user_name, user_name, len_user_name);
init_unistr2(&usr->uni_full_name, full_name, len_full_name);
init_unistr2(&usr->uni_logon_script, logon_script, len_logon_script);
init_unistr2(&usr->uni_profile_path, profile_path, len_profile_path);
} /* end switch */
if ( NT_STATUS_IS_OK(status) ) {
- become_root();
status = auth_context->check_ntlm_password(auth_context,
user_info, &server_info);
- unbecome_root();
}
(auth_context->free)(&auth_context);
}
fstrcpy(p->user_name, user_name);
- fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
+ fstrcpy(p->pipe_user_name, server_info->unix_name);
fstrcpy(p->domain, domain);
fstrcpy(p->wks, wks);