source3/auth/auth_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authentication utility functions
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001
   6    Copyright (C) Jeremy Allison 2000-2001
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24
  25 extern fstring remote_machine;
  26 extern pstring global_myname;
  27
  28 /****************************************************************************
  29  Create a UNIX user on demand.
  30 ****************************************************************************/
  31
  32 static int smb_create_user(const char *unix_user, const char *homedir)
  33 {
  34         pstring add_script;
  35         int ret;
  36
  37         pstrcpy(add_script, lp_adduser_script());
  38         if (! *add_script)
  39                 return -1;
  40         all_string_sub(add_script, "%u", unix_user, sizeof(pstring));
  41         if (homedir)
  42                 all_string_sub(add_script, "%H", homedir, sizeof(pstring));
  43         ret = smbrun(add_script,NULL);
  44         DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
  45         return ret;
  46 }
  47
  48 /****************************************************************************
  49  Delete a UNIX user on demand.
  50 ****************************************************************************/
  51
  52 int smb_delete_user(const char *unix_user)
  53 {
  54         pstring del_script;
  55         int ret;
  56
  57         pstrcpy(del_script, lp_deluser_script());
  58         if (! *del_script)
  59                 return -1;
  60         all_string_sub(del_script, "%u", unix_user, sizeof(pstring));
  61         ret = smbrun(del_script,NULL);
  62         DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
  63         return ret;
  64 }
  65
  66 /****************************************************************************
  67  Add and Delete UNIX users on demand, based on NTSTATUS codes.
  68 ****************************************************************************/
  69
  70 void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
  71 {
  72         struct passwd *pwd=NULL;
  73
  74         if (NT_STATUS_IS_OK(nt_status)) {
  75
  76                 if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) {
  77
  78                         /*
  79                          * User validated ok against Domain controller.
  80                          * If the admin wants us to try and create a UNIX
  81                          * user on the fly, do so.
  82                          */
  83
  84                         if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) {
  85                                 smb_create_user(user_info->internal_username.str, NULL);
  86                         }
  87                 }
  88         } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
  89                 /*
  90                  * User failed to validate ok against Domain controller.
  91                  * If the failure was "user doesn't exist" and admin
  92                  * wants us to try and delete that UNIX user on the fly,
  93                  * do so.
  94                  */
  95                 if (lp_deluser_script()) {
  96                         smb_delete_user(user_info->internal_username.str);
  97                 }
  98         }
  99 }
 100
 101 /****************************************************************************
 102  Create an auth_usersupplied_data structure
 103 ****************************************************************************/
 104
 105 static BOOL make_user_info(auth_usersupplied_info **user_info,
 106                            const char *smb_name,
 107                            const char *internal_username,
 108                            const char *client_domain,
 109                            const char *domain,
 110                            const char *wksta_name,
 111                            DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
 112                            DATA_BLOB plaintext,
 113                            uint32 auth_flags, BOOL encrypted)
 114 {
 115
 116         DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
 117
 118         *user_info = malloc(sizeof(**user_info));
 119         if (!user_info) {
 120                 DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info)));
 121                 return False;
 122         }
 123
 124         ZERO_STRUCTP(*user_info);
 125
 126         DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
 127
 128         (*user_info)->smb_name.str = strdup(smb_name);
 129         if ((*user_info)->smb_name.str) {
 130                 (*user_info)->smb_name.len = strlen(smb_name);
 131         } else {
 132                 free_user_info(user_info);
 133                 return False;
 134         }
 135
 136         (*user_info)->internal_username.str = strdup(internal_username);
 137         if ((*user_info)->internal_username.str) {
 138                 (*user_info)->internal_username.len = strlen(internal_username);
 139         } else {
 140                 free_user_info(user_info);
 141                 return False;
 142         }
 143
 144         (*user_info)->domain.str = strdup(domain);
 145         if ((*user_info)->domain.str) {
 146                 (*user_info)->domain.len = strlen(domain);
 147         } else {
 148                 free_user_info(user_info);
 149                 return False;
 150         }
 151
 152         (*user_info)->client_domain.str = strdup(client_domain);
 153         if ((*user_info)->client_domain.str) {
 154                 (*user_info)->client_domain.len = strlen(client_domain);
 155         } else {
 156                 free_user_info(user_info);
 157                 return False;
 158         }
 159
 160         (*user_info)->wksta_name.str = strdup(wksta_name);
 161         if ((*user_info)->wksta_name.str) {
 162                 (*user_info)->wksta_name.len = strlen(wksta_name);
 163         } else {
 164                 free_user_info(user_info);
 165                 return False;
 166         }
 167
 168         DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username));
 169
 170         (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length);
 171         (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length);
 172         (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length);
 173
 174         (*user_info)->encrypted = encrypted;
 175         (*user_info)->auth_flags = auth_flags;
 176
 177         DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
 178
 179         return True;
 180 }
 181
 182 /****************************************************************************
 183  Create an auth_usersupplied_data structure after appropriate mapping.
 184 ****************************************************************************/
 185
 186 BOOL make_user_info_map(auth_usersupplied_info **user_info,
 187                         const char *smb_name,
 188                         const char *client_domain,
 189                         const char *wksta_name,
 190                         DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
 191                         DATA_BLOB plaintext,
 192                         uint32 ntlmssp_flags, BOOL encrypted)
 193 {
 194         const char *domain;
 195         fstring internal_username;
 196         fstrcpy(internal_username, smb_name);
 197         map_username(internal_username);
 198
 199         DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
 200               client_domain, smb_name, wksta_name));
 201
 202         if (lp_allow_trusted_domains() && *client_domain) {
 203
 204                 /* the client could have given us a workstation name
 205                    or other crap for the workgroup - we really need a
 206                    way of telling if this domain name is one of our
 207                    trusted domain names
 208
 209                    Also don't allow "" as a domain, fixes a Win9X bug
 210                    where it doens't supply a domain for logon script
 211                    'net use' commands.
 212
 213                    The way I do it here is by checking if the fully
 214                    qualified username exists. This is rather reliant
 215                    on winbind, but until we have a better method this
 216                    will have to do
 217                 */
 218
 219                 domain = client_domain;
 220
 221                 if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
 222                         char *user = NULL;
 223                         if (asprintf(&user, "%s%s%s",
 224                                  client_domain, lp_winbind_separator(),
 225                                  smb_name) < 0) {
 226                                 DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
 227                                 return False;
 228                         }
 229
 230                         DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
 231
 232                         if (Get_Pwnam(user) == NULL) {
 233                                 DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
 234                                 domain = lp_workgroup();
 235                                 DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
 236                                           client_domain, domain));
 237                         } else {
 238                                 DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
 239                         }
 240                         SAFE_FREE(user);
 241                 }
 242         } else {
 243                 domain = lp_workgroup();
 244         }
 245
 246         return make_user_info(user_info,
 247                               smb_name, internal_username,
 248                               client_domain, domain,
 249                               wksta_name,
 250                               lm_pwd, nt_pwd,
 251                               plaintext,
 252                               ntlmssp_flags, encrypted);
 253
 254 }
 255
 256 /****************************************************************************
 257  Create an auth_usersupplied_data, making the DATA_BLOBs here.
 258  Decrypt and encrypt the passwords.
 259 ****************************************************************************/
 260
 261 BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
 262                                      const char *smb_name,
 263                                      const char *client_domain,
 264                                      const char *wksta_name,
 265                                      const uchar *lm_network_pwd, int lm_pwd_len,
 266                                      const uchar *nt_network_pwd, int nt_pwd_len)
 267 {
 268         BOOL ret;
 269         DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
 270         DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
 271         DATA_BLOB plaintext_blob = data_blob(NULL, 0);
 272         uint32 auth_flags = AUTH_FLAG_NONE;
 273
 274         if (lm_pwd_len)
 275                 auth_flags |= AUTH_FLAG_LM_RESP;
 276         if (nt_pwd_len == 24) {
 277                 auth_flags |= AUTH_FLAG_NTLM_RESP;
 278         } else if (nt_pwd_len != 0) {
 279                 auth_flags |= AUTH_FLAG_NTLMv2_RESP;
 280         }
 281
 282         ret = make_user_info_map(user_info,
 283                                  smb_name, client_domain,
 284                                  wksta_name,
 285                                  lm_blob, nt_blob,
 286                                  plaintext_blob,
 287                                  auth_flags, True);
 288
 289         data_blob_free(&lm_blob);
 290         data_blob_free(&nt_blob);
 291         return ret;
 292 }
 293
 294 /****************************************************************************
 295  Create an auth_usersupplied_data, making the DATA_BLOBs here.
 296  Decrypt and encrypt the passwords.
 297 ****************************************************************************/
 298
 299 BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
 300                                          const char *smb_name,
 301                                          const char *client_domain,
 302                                          const char *wksta_name,
 303                                          const uchar chal[8],
 304                                          const uchar lm_interactive_pwd[16],
 305                                          const uchar nt_interactive_pwd[16],
 306                                          const uchar *dc_sess_key)
 307 {
 308         char lm_pwd[16];
 309         char nt_pwd[16];
 310         unsigned char local_lm_response[24];
 311         unsigned char local_nt_response[24];
 312         unsigned char key[16];
 313         uint32 auth_flags = AUTH_FLAG_NONE;
 314
 315         ZERO_STRUCT(key);
 316         memcpy(key, dc_sess_key, 8);
 317
 318         if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
 319         if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
 320
 321 #ifdef DEBUG_PASSWORD
 322         DEBUG(100,("key:"));
 323         dump_data(100, (char *)key, sizeof(key));
 324
 325         DEBUG(100,("lm owf password:"));
 326         dump_data(100, lm_pwd, sizeof(lm_pwd));
 327
 328         DEBUG(100,("nt owf password:"));
 329         dump_data(100, nt_pwd, sizeof(nt_pwd));
 330 #endif
 331
 332         SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
 333         SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
 334
 335 #ifdef DEBUG_PASSWORD
 336         DEBUG(100,("decrypt of lm owf password:"));
 337         dump_data(100, lm_pwd, sizeof(lm_pwd));
 338
 339         DEBUG(100,("decrypt of nt owf password:"));
 340         dump_data(100, nt_pwd, sizeof(nt_pwd));
 341 #endif
 342
 343         SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response);
 344         SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response);
 345
 346         /* Password info paranoia */
 347         ZERO_STRUCT(lm_pwd);
 348         ZERO_STRUCT(nt_pwd);
 349         ZERO_STRUCT(key);
 350
 351         {
 352                 BOOL ret;
 353                 DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
 354                 DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
 355                 DATA_BLOB plaintext_blob = data_blob(NULL, 0);
 356
 357                 if (lm_interactive_pwd)
 358                         auth_flags |= AUTH_FLAG_LM_RESP;
 359                 if (nt_interactive_pwd)
 360                         auth_flags |= AUTH_FLAG_NTLM_RESP;
 361
 362                 ret = make_user_info_map(user_info,
 363                                          smb_name, client_domain,
 364                                          wksta_name,
 365                                          local_lm_blob,
 366                                          local_nt_blob,
 367                                          plaintext_blob,
 368                                          auth_flags, True);
 369
 370                 data_blob_free(&local_lm_blob);
 371                 data_blob_free(&local_nt_blob);
 372                 return ret;
 373         }
 374 }
 375
 376
 377 /****************************************************************************
 378  Create an auth_usersupplied_data structure
 379 ****************************************************************************/
 380
 381 BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
 382                               const char *smb_name,
 383                               const char *client_domain,
 384                               const uint8 chal[8],
 385                               DATA_BLOB plaintext_password)
 386 {
 387
 388         DATA_BLOB local_lm_blob;
 389         DATA_BLOB local_nt_blob;
 390         BOOL ret = False;
 391         uint32 auth_flags = AUTH_FLAG_NONE;
 392
 393         /*
 394          * Not encrypted - do so.
 395          */
 396
 397         DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n"));
 398
 399         if (plaintext_password.data) {
 400                 unsigned char local_lm_response[24];
 401
 402 #ifdef DEBUG_PASSWORD
 403                 DEBUG(10,("Unencrypted password (len %d):\n",plaintext_password.length));
 404                 dump_data(100, plaintext_password.data, plaintext_password.length);
 405 #endif
 406
 407                 SMBencrypt( (const uchar *)plaintext_password.data, (const uchar*)chal, local_lm_response);
 408                 local_lm_blob = data_blob(local_lm_response, 24);
 409
 410                 /* We can't do an NT hash here, as the password needs to be
 411                    case insensitive */
 412                 local_nt_blob = data_blob(NULL, 0);
 413
 414                 auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP);
 415         } else {
 416                 local_lm_blob = data_blob(NULL, 0);
 417                 local_nt_blob = data_blob(NULL, 0);
 418         }
 419
 420         ret = make_user_info_map(user_info, smb_name,
 421                                  client_domain,
 422                                  remote_machine,
 423                                  local_lm_blob,
 424                                  local_nt_blob,
 425                                  plaintext_password,
 426                                  auth_flags, False);
 427
 428         data_blob_free(&local_lm_blob);
 429         return ret;
 430 }
 431
 432 /****************************************************************************
 433  Create an auth_usersupplied_data structure
 434 ****************************************************************************/
 435
 436 BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
 437                                   const char *smb_name,
 438                                   const char *client_domain,
 439                                   DATA_BLOB lm_resp, DATA_BLOB nt_resp)
 440 {
 441         uint32 auth_flags = AUTH_FLAG_NONE;
 442
 443         DATA_BLOB no_plaintext_blob = data_blob(NULL, 0);
 444
 445         if (lm_resp.length == 24) {
 446                 auth_flags |= AUTH_FLAG_LM_RESP;
 447         }
 448         if (nt_resp.length == 0) {
 449         } else if (nt_resp.length == 24) {
 450                 auth_flags |= AUTH_FLAG_NTLM_RESP;
 451         } else {
 452                 auth_flags |= AUTH_FLAG_NTLMv2_RESP;
 453         }
 454
 455         return make_user_info_map(user_info, smb_name,
 456                                  client_domain,
 457                                  remote_machine,
 458                                  lm_resp,
 459                                  nt_resp,
 460                                  no_plaintext_blob,
 461                                  auth_flags, True);
 462 }
 463
 464 /****************************************************************************
 465  Create a guest user_info blob, for anonymous authenticaion.
 466 ****************************************************************************/
 467
 468 BOOL make_user_info_guest(auth_usersupplied_info **user_info)
 469 {
 470         DATA_BLOB lm_blob = data_blob(NULL, 0);
 471         DATA_BLOB nt_blob = data_blob(NULL, 0);
 472         DATA_BLOB plaintext_blob = data_blob(NULL, 0);
 473         uint32 auth_flags = AUTH_FLAG_NONE;
 474
 475         return make_user_info(user_info,
 476                               "","",
 477                               "","",
 478                               "",
 479                               nt_blob, lm_blob,
 480                               plaintext_blob,
 481                               auth_flags, True);
 482 }
 483
 484 /***************************************************************************
 485  Make a user_info struct
 486 ***************************************************************************/
 487
 488 BOOL make_server_info(auth_serversupplied_info **server_info)
 489 {
 490         *server_info = malloc(sizeof(**server_info));
 491         if (!*server_info) {
 492                 DEBUG(0,("make_server_info: malloc failed!\n"));
 493                 return False;
 494         }
 495         ZERO_STRUCTP(*server_info);
 496         return True;
 497 }
 498
 499 /***************************************************************************
 500  Make (and fill) a user_info struct from a SAM_ACCOUNT
 501 ***************************************************************************/
 502
 503 BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
 504 {
 505         if (!make_server_info(server_info)) {
 506                 return False;
 507         }
 508
 509         (*server_info)->sam_fill_level = SAM_FILL_ALL;
 510         (*server_info)->sam_account = sampass;
 511
 512         DEBUG(5,("make_server_info_sam: made server info for user %s\n",
 513                  pdb_get_username((*server_info)->sam_account)));
 514         return True;
 515 }
 516
 517 /***************************************************************************
 518  Make (and fill) a user_info struct from a 'struct passwd' by conversion
 519  to a SAM_ACCOUNT
 520 ***************************************************************************/
 521
 522 BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd)
 523 {
 524         SAM_ACCOUNT *sampass = NULL;
 525         if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) {
 526                 return False;
 527         }
 528         return make_server_info_sam(server_info, sampass);
 529 }
 530
 531 /***************************************************************************
 532  Free a user_info struct
 533 ***************************************************************************/
 534
 535 void free_user_info(auth_usersupplied_info **user_info)
 536 {
 537         DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
 538         if (*user_info != NULL) {
 539                 if ((*user_info)->smb_name.str) {
 540                         DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str));
 541                 }
 542                 SAFE_FREE((*user_info)->smb_name.str);
 543                 SAFE_FREE((*user_info)->internal_username.str);
 544                 SAFE_FREE((*user_info)->client_domain.str);
 545                 SAFE_FREE((*user_info)->domain.str);
 546                 SAFE_FREE((*user_info)->wksta_name.str);
 547                 data_blob_free(&(*user_info)->lm_resp);
 548                 data_blob_free(&(*user_info)->nt_resp);
 549                 SAFE_FREE((*user_info)->interactive_password);
 550                 data_blob_clear_free(&(*user_info)->plaintext_password);
 551                 ZERO_STRUCT(**user_info);
 552         }
 553         SAFE_FREE(*user_info);
 554 }
 555
 556 /***************************************************************************
 557  Clear out a server_info struct that has been allocated
 558 ***************************************************************************/
 559
 560 void free_server_info(auth_serversupplied_info **server_info)
 561 {
 562         if (*server_info != NULL) {
 563                 pdb_free_sam(&(*server_info)->sam_account);
 564
 565                 /* call pam_end here, unless we know we are keeping it */
 566                 delete_nt_token( &(*server_info)->ptok );
 567                 ZERO_STRUCT(**server_info);
 568         }
 569         SAFE_FREE(*server_info);
 570 }
 571
 572 /***************************************************************************
 573  Make a server_info struct for a guest user
 574 ***************************************************************************/
 575
 576 BOOL make_server_info_guest(auth_serversupplied_info **server_info)
 577 {
 578         struct passwd *pass = getpwnam_alloc(lp_guestaccount());
 579
 580         if (pass) {
 581                 if (!make_server_info_pw(server_info, pass)) {
 582                         passwd_free(&pass);
 583                         return False;
 584                 }
 585                 (*server_info)->guest = True;
 586                 passwd_free(&pass);
 587                 return True;
 588         }
 589         DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n"));
 590         return False;
 591 }
 592
 593 /***************************************************************************
 594  Make an auth_methods struct
 595 ***************************************************************************/
 596
 597 BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
 598 {
 599         if (!auth_context) {
 600                 smb_panic("no auth_context supplied to make_auth_methods()!\n");
 601         }
 602
 603         if (!auth_method) {
 604                 smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
 605         }
 606
 607         *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method));
 608         if (!*auth_method) {
 609                 DEBUG(0,("make_auth_method: malloc failed!\n"));
 610                 return False;
 611         }
 612         ZERO_STRUCTP(*auth_method);
 613
 614         return True;
 615 }
 616
 617 /****************************************************************************
 618  Delete a SID token.
 619 ****************************************************************************/
 620
 621 void delete_nt_token(NT_USER_TOKEN **pptoken)
 622 {
 623     if (*pptoken) {
 624                 NT_USER_TOKEN *ptoken = *pptoken;
 625         SAFE_FREE( ptoken->user_sids );
 626         ZERO_STRUCTP(ptoken);
 627     }
 628     SAFE_FREE(*pptoken);
 629 }
 630
 631 /****************************************************************************
 632  Duplicate a SID token.
 633 ****************************************************************************/
 634
 635 NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
 636 {
 637         NT_USER_TOKEN *token;
 638
 639         if (!ptoken)
 640                 return NULL;
 641
 642     if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
 643         return NULL;
 644
 645     ZERO_STRUCTP(token);
 646
 647     if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
 648         SAFE_FREE(token);
 649         return NULL;
 650     }
 651
 652     token->num_sids = ptoken->num_sids;
 653
 654         return token;
 655 }
 656
 657 /**
 658  * Squash an NT_STATUS in line with security requirements.
 659  * In an attempt to avoid giving the whole game away when users
 660  * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
 661  * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
 662  * (session setups in particular).
 663  *
 664  * @param nt_status NTSTATUS input for squashing.
 665  * @return the 'squashed' nt_status
 666  **/
 667
 668 NTSTATUS nt_status_squash(NTSTATUS nt_status)
 669 {
 670         if NT_STATUS_IS_OK(nt_status) {
 671                 return nt_status;
 672         } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
 673                 /* Match WinXP and don't give the game away */
 674                 return NT_STATUS_LOGON_FAILURE;
 675
 676         } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
 677                 /* Match WinXP and don't give the game away */
 678                 return NT_STATUS_LOGON_FAILURE;
 679         } else {
 680                 return nt_status;
 681         }
 682 }
 683
 684
 685