4 Unix SMB/Netbios implementation.
6 Password and authentication handling
7 Copyright (C) Andrew Tridgell 1992-1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 extern int DEBUGLEVEL;
28 extern struct in_addr ipzero;
30 /* users from session setup */
31 static pstring session_users="";
33 extern pstring global_myname;
34 extern fstring global_myworkgroup;
36 /* Data to do lanman1/2 password challenge. */
37 static unsigned char saved_challenge[8];
38 static BOOL challenge_sent=False;
40 /*******************************************************************
41 Get the next challenge value - no repeats.
42 ********************************************************************/
43 void generate_next_challenge(char *challenge)
47 * Leave this ifdef'd out while we test
48 * the new crypto random number generator.
51 unsigned char buf[16];
52 static int counter = 0;
56 /* get a sort-of random number */
58 v1 = (counter++) + sys_getpid() + tval.tv_sec;
59 v2 = (counter++) * sys_getpid() + tval.tv_usec;
60 SIVAL(challenge,0,v1);
61 SIVAL(challenge,4,v2);
63 /* mash it up with md4 */
64 mdfour(buf, (unsigned char *)challenge, 8);
68 generate_random_buffer(buf,8,False);
70 memcpy(saved_challenge, buf, 8);
71 memcpy(challenge,buf,8);
72 challenge_sent = True;
75 /*******************************************************************
76 set the last challenge sent, usually from a password server
77 ********************************************************************/
78 BOOL set_challenge(unsigned char *challenge)
80 memcpy(saved_challenge,challenge,8);
81 challenge_sent = True;
85 /*******************************************************************
86 get the last challenge sent
87 ********************************************************************/
88 static BOOL last_challenge(unsigned char *challenge)
90 if (!challenge_sent) return(False);
91 memcpy(challenge,saved_challenge,8);
95 /* this holds info on user ids that are already validated for this VC */
96 static user_struct *validated_users;
97 static int next_vuid = VUID_OFFSET;
98 static int num_validated_vuids;
100 /****************************************************************************
101 check if a uid has been validated, and return an pointer to the user_struct
102 if it has. NULL if not. vuid is biased by an offset. This allows us to
103 tell random client vuid's (normally zero) from valid vuids.
104 ****************************************************************************/
105 user_struct *get_valid_user_struct(uint16 vuid)
110 if (vuid == UID_FIELD_INVALID)
113 for (usp=validated_users;usp;usp=usp->next,count++) {
114 if (vuid == usp->vuid) {
116 DLIST_PROMOTE(validated_users, usp);
124 /****************************************************************************
126 ****************************************************************************/
127 void invalidate_vuid(uint16 vuid)
129 user_struct *vuser = get_valid_user_struct(vuid);
134 DLIST_REMOVE(validated_users, vuser);
136 safe_free(vuser->groups);
137 delete_nt_token(&vuser->nt_user_token);
139 num_validated_vuids--;
142 /****************************************************************************
143 return a validated username
144 ****************************************************************************/
145 char *validated_username(uint16 vuid)
147 user_struct *vuser = get_valid_user_struct(vuid);
150 return(vuser->user.unix_name);
153 /****************************************************************************
154 return a validated domain
155 ****************************************************************************/
156 char *validated_domain(uint16 vuid)
158 user_struct *vuser = get_valid_user_struct(vuid);
161 return(vuser->user.domain);
165 /****************************************************************************
166 Create the SID list for this user.
167 ****************************************************************************/
169 NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
171 extern DOM_SID global_sid_World;
172 extern DOM_SID global_sid_Network;
173 extern DOM_SID global_sid_Builtin_Guests;
174 extern DOM_SID global_sid_Authenticated_Users;
175 NT_USER_TOKEN *token;
180 if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
185 /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
186 num_sids = 5 + ngroups;
188 if ((token->user_sids = (DOM_SID *)malloc( num_sids*sizeof(DOM_SID))) == NULL) {
193 psids = token->user_sids;
195 sid_copy( &psids[psid_ndx++], &global_sid_World);
196 sid_copy( &psids[psid_ndx++], &global_sid_Network);
199 * The only difference between guest and "anonymous" (which we
200 * don't really support) is the addition of Authenticated_Users.
204 sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests);
206 sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users);
208 uid_to_sid( &psids[psid_ndx++], uid);
209 gid_to_sid( &psids[psid_ndx++], gid);
211 for (i = 0; i < ngroups; i++) {
212 if (groups[i] != gid) {
213 gid_to_sid( &psids[psid_ndx++], groups[i]);
217 token->num_sids = psid_ndx;
222 /****************************************************************************
223 register a uid/name pair as being valid and that a valid password
224 has been given. vuid is biased by an offset. This allows us to
225 tell random client vuid's (normally zero) from valid vuids.
226 ****************************************************************************/
228 uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name,
229 char *domain,BOOL guest)
231 user_struct *vuser = NULL;
232 struct passwd *pwfile; /* for getting real name from passwd file */
234 /* Ensure no vuid gets registered in share level security. */
235 if(lp_security() == SEC_SHARE)
236 return UID_FIELD_INVALID;
238 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
239 if (num_validated_vuids >= 0xFFFF-VUID_OFFSET)
240 return UID_FIELD_INVALID;
242 if((vuser = (user_struct *)malloc( sizeof(user_struct) )) == NULL) {
243 DEBUG(0,("Failed to malloc users struct!\n"));
244 return UID_FIELD_INVALID;
249 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid, (unsigned int)gid,
250 unix_name, requested_name, domain, guest ));
252 /* Allocate a free vuid. Yes this is a linear search... :-) */
253 while( get_valid_user_struct(next_vuid) != NULL ) {
255 /* Check for vuid wrap. */
256 if (next_vuid == UID_FIELD_INVALID)
257 next_vuid = VUID_OFFSET;
260 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid ));
262 vuser->vuid = next_vuid;
265 vuser->guest = guest;
266 fstrcpy(vuser->user.unix_name,unix_name);
267 fstrcpy(vuser->user.smb_name,requested_name);
268 fstrcpy(vuser->user.domain,domain);
271 vuser->groups = NULL;
273 /* Find all the groups this uid is in and store them.
274 Used by become_user() */
275 initialise_groups(unix_name, uid, gid);
276 get_current_groups( &vuser->n_groups, &vuser->groups);
278 /* Create an NT_USER_TOKEN struct for this user. */
279 vuser->nt_user_token = create_nt_token(uid,gid, vuser->n_groups, vuser->groups, guest);
282 num_validated_vuids++;
284 DLIST_ADD(validated_users, vuser);
286 DEBUG(3,("uid %d registered to name %s\n",(int)uid,unix_name));
288 DEBUG(3, ("Clearing default real name\n"));
289 fstrcpy(vuser->user.full_name, "<Full Name>");
290 if (lp_unix_realname()) {
291 if ((pwfile=sys_getpwnam(vuser->user.unix_name))!= NULL) {
292 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,pwfile->pw_gecos));
293 fstrcpy(vuser->user.full_name, pwfile->pw_gecos);
297 memset(&vuser->dc, '\0', sizeof(vuser->dc));
303 /****************************************************************************
304 add a name to the session users list
305 ****************************************************************************/
306 void add_session_user(char *user)
309 StrnCpy(suser,user,sizeof(suser)-1);
311 if (!Get_Pwnam(suser,True)) return;
313 if (suser && *suser && !in_list(suser,session_users,False))
315 if (strlen(suser) + strlen(session_users) + 2 >= sizeof(pstring))
316 DEBUG(1,("Too many session users??\n"));
319 pstrcat(session_users," ");
320 pstrcat(session_users,suser);
326 /****************************************************************************
327 update the encrypted smbpasswd file from the plaintext username and password
328 *****************************************************************************/
329 static BOOL update_smbpassword_file(char *user, char *password)
331 SAM_ACCOUNT *sampass = NULL;
335 sampass = pdb_getsampwnam(user);
338 if(sampass == NULL) {
339 DEBUG(0,("pdb_getsampwnam returned NULL\n"));
344 * Remove the account disabled flag - we are updating the
345 * users password from a login.
347 pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED);
349 /* Here, the flag is one, because we want to ignore the
350 XXXXXXX'd out password */
351 ret = change_oem_password( sampass, password, True);
353 DEBUG(3,("change_oem_password returned False\n"));
359 /****************************************************************************
360 core of smb password checking routine.
361 ****************************************************************************/
362 BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8)
364 /* Finish the encryption of part_passwd. */
365 unsigned char p21[21];
366 unsigned char p24[24];
368 if (part_passwd == NULL)
370 DEBUG(10,("No password set - allowing access\n"));
372 /* No password set - always true ! */
377 memcpy(p21,part_passwd,16);
382 DEBUG(100,("Part password (P16) was |"));
383 for(i = 0; i < 16; i++)
384 DEBUG(100,("%X ", (unsigned char)part_passwd[i]));
386 DEBUG(100,("Password from client was |"));
387 for(i = 0; i < 24; i++)
388 DEBUG(100,("%X ", (unsigned char)password[i]));
390 DEBUG(100,("Given challenge was |"));
391 for(i = 0; i < 8; i++)
392 DEBUG(100,("%X ", (unsigned char)c8[i]));
394 DEBUG(100,("Value from encryption was |"));
395 for(i = 0; i < 24; i++)
396 DEBUG(100,("%X ", (unsigned char)p24[i]));
400 return (memcmp(p24, password, 24) == 0);
403 /****************************************************************************
404 Do a specific test for an smb password being correct, given a smb_password and
405 the lanman and NT responses.
406 ****************************************************************************/
407 BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8],
408 uchar lm_pass[24], uchar nt_pass[24])
414 if (!lm_pass || !sampass)
417 user_name = pdb_get_username(sampass);
419 DEBUG(4,("Checking SMB password for user %s\n",user_name));
421 if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
422 DEBUG(1,("account for user %s was disabled.\n", user_name));
428 DEBUG(5,("use last SMBnegprot challenge\n"));
429 if (!last_challenge(challenge))
431 DEBUG(1,("no challenge done - password failed\n"));
437 DEBUG(5,("challenge received\n"));
438 memcpy(challenge, chal, 8);
441 nt_pw = pdb_get_nt_passwd(sampass);
443 if ((Protocol >= PROTOCOL_NT1) && (nt_pw != NULL)) {
444 /* We have the NT MD4 hash challenge available - see if we can
445 use it (ie. does it exist in the smbpasswd file).
447 DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
448 if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge))
450 DEBUG(4,("NT MD4 password check succeeded\n"));
453 DEBUG(4,("NT MD4 password check failed\n"));
456 /* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL
457 means no password, allow access. */
459 DEBUG(4,("Checking LM MD4 password\n"));
461 lm_pw = pdb_get_lanman_passwd(sampass);
463 if((lm_pw == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
465 DEBUG(4,("no password required for user %s\n",user_name));
469 if((lm_pw != NULL) && smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge))
471 DEBUG(4,("LM MD4 password check succeeded\n"));
475 DEBUG(4,("LM MD4 password check failed\n"));
481 /****************************************************************************
482 check if a username/password is OK assuming the password is a 24 byte
484 return True if the password is correct, False otherwise
485 ****************************************************************************/
487 BOOL pass_check_smb(char *user, char *domain, uchar *chal,
488 uchar *lm_pwd, uchar *nt_pwd, struct passwd *pwd)
491 SAM_ACCOUNT *sampass;
493 if (!lm_pwd || !nt_pwd)
498 /* FIXME! this code looks to be unnecessary now that the passdb
499 validates that the username exists and has a valid uid */
500 if (pwd != NULL && user == NULL)
502 pass = (struct passwd *) pwd;
503 user = pass->pw_name;
507 /* I don't get this call here. I think it should be moved.
508 Need to check on it. --jerry */
509 pass = smb_getpwnam(user,True);
514 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user));
518 /* get the account information */
519 sampass = pdb_getsampwnam(user);
522 DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user));
526 /* Quit if the account was disabled. */
527 if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
528 DEBUG(1,("Account for user '%s' was disabled.\n", user));
532 /* Ensure the uid's match
533 FIXME! This also seems unnecessary --jerry */
535 if (smb_pass->smb_userid != pass->pw_uid)
537 DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user));
542 if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)
544 if (lp_null_passwords())
546 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user));
551 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user));
556 if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd))
561 DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user));
565 /****************************************************************************
566 check if a username/password pair is OK either via the system password
567 database or the encrypted SMB password database
568 return True if the password is correct, False otherwise
569 ****************************************************************************/
570 BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd)
572 if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords()))
574 /* if 24 bytes long assume it is an encrypted password */
577 if (!last_challenge(challenge))
579 DEBUG(0,("Error: challenge not done for user=%s\n", user));
583 return pass_check_smb(user, global_myworkgroup,
584 challenge, (uchar *)password, (uchar *)password, pwd);
587 return pass_check(user, password, pwlen, pwd,
588 lp_update_encrypted() ?
589 update_smbpassword_file : NULL);
592 /****************************************************************************
593 check if a username is valid
594 ****************************************************************************/
595 BOOL user_ok(char *user,int snum)
597 pstring valid, invalid;
600 StrnCpy(valid, lp_valid_users(snum), sizeof(pstring)-1);
601 StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring)-1);
603 pstring_sub(valid,"%S",lp_servicename(snum));
604 pstring_sub(invalid,"%S",lp_servicename(snum));
606 ret = !user_in_list(user,invalid);
608 if (ret && valid && *valid) {
609 ret = user_in_list(user,valid);
612 if (ret && lp_onlyuser(snum)) {
613 char *user_list = lp_username(snum);
614 pstring_sub(user_list,"%S",lp_servicename(snum));
615 ret = user_in_list(user,user_list);
624 /****************************************************************************
625 validate a group username entry. Return the username or NULL
626 ****************************************************************************/
627 static char *validate_group(char *group,char *password,int pwlen,int snum)
631 char *host, *user, *domain;
633 while (getnetgrent(&host, &user, &domain)) {
635 if (user_ok(user, snum) &&
636 password_ok(user,password,pwlen,NULL)) {
650 while ((gptr = (struct group *)getgrent())) {
651 if (strequal(gptr->gr_name,group))
656 * As user_ok can recurse doing a getgrent(), we must
657 * copy the member list into a pstring on the stack before
658 * use. Bug pointed out by leon@eatworms.swmed.edu.
664 size_t copied_len = 0;
668 member = member_list;
670 for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
671 size_t member_len = strlen(gptr->gr_mem[i]) + 1;
672 if( copied_len + member_len < sizeof(pstring)) {
674 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr->gr_mem[i]));
676 safe_strcpy(member, gptr->gr_mem[i], sizeof(pstring) - copied_len - 1);
677 copied_len += member_len;
678 member += copied_len;
686 member = member_list;
689 fstrcpy(name,member);
690 if (user_ok(name,snum) &&
691 password_ok(name,password,pwlen,NULL)) {
696 DEBUG(10,("validate_group = member = %s\n", member));
698 member += strlen(member) + 1;
711 /****************************************************************************
712 check for authority to login to a service with a given username/password
713 ****************************************************************************/
714 BOOL authorise_login(int snum,char *user,char *password, int pwlen,
715 BOOL *guest,BOOL *force,uint16 vuid)
722 DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
725 /* there are several possibilities:
726 1) login as the given user with given password
727 2) login as a previously registered username with the given password
728 3) login as a session list username with the given password
729 4) login as a previously validated user/password pair
730 5) login as the "user =" user with given password
731 6) login as the "user =" user with no password (guest connection)
732 7) login as guest user with no password
734 if the service is guest_only then steps 1 to 5 are skipped
737 if (GUEST_ONLY(snum)) *force = True;
739 if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
742 user_struct *vuser = get_valid_user_struct(vuid);
744 /* check the given username and password */
745 if (!ok && (*user) && user_ok(user,snum)) {
746 ok = password_ok(user,password, pwlen, NULL);
747 if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
750 /* check for a previously registered guest username */
751 if (!ok && (vuser != 0) && vuser->guest) {
752 if (user_ok(vuser->user.unix_name,snum) &&
753 password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
754 fstrcpy(user, vuser->user.unix_name);
755 vuser->guest = False;
756 DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
762 /* now check the list of session users */
766 char *user_list = strdup(session_users);
767 if (!user_list) return(False);
769 for (auser=strtok(user_list,LIST_SEP);
771 auser = strtok(NULL,LIST_SEP))
774 fstrcpy(user2,auser);
775 if (!user_ok(user2,snum)) continue;
777 if (password_ok(user2,password, pwlen, NULL)) {
780 DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
786 /* check for a previously validated username/password pair */
787 if (!ok && (lp_security() > SEC_SHARE) &&
788 (vuser != 0) && !vuser->guest &&
789 user_ok(vuser->user.unix_name,snum)) {
790 fstrcpy(user,vuser->user.unix_name);
792 DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
796 /* check for a rhosts entry */
797 if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
799 DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
802 /* check the user= fields and the given password */
803 if (!ok && lp_username(snum)) {
806 StrnCpy(user_list,lp_username(snum),sizeof(pstring));
808 pstring_sub(user_list,"%S",lp_servicename(snum));
810 for (auser=strtok(user_list,LIST_SEP);
812 auser = strtok(NULL,LIST_SEP))
816 auser = validate_group(auser+1,password,pwlen,snum);
821 DEBUG(3,("ACCEPTED: group username and given password ok\n"));
827 fstrcpy(user2,auser);
828 if (user_ok(user2,snum) &&
829 password_ok(user2,password,pwlen,NULL))
833 DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
838 } /* not guest only */
840 /* check for a normal guest connection */
841 if (!ok && GUEST_OK(snum))
844 StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
845 if (Get_Pwnam(guestname,True))
847 fstrcpy(user,guestname);
849 DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
852 DEBUG(0,("Invalid guest account %s??\n",guestname));
856 if (ok && !user_ok(user,snum))
858 DEBUG(0,("rejected invalid user %s\n",user));
866 /****************************************************************************
867 read the a hosts.equiv or .rhosts file and check if it
868 allows this user from this machine
869 ****************************************************************************/
870 static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
872 int plus_allowed = 1;
875 char **lines = file_lines_load(equiv_file, NULL, False);
878 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
879 if (! lines) return False;
880 for (i=0; lines[i]; i++) {
881 char *buf = lines[i];
882 trim_string(buf," "," ");
884 if (buf[0] != '#' && buf[0] != '\n')
886 BOOL is_group = False;
889 if (strcmp(buf, "NO_PLUS\n") == 0)
891 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
898 if (*bp == '\n' && plus_allowed)
900 /* a bare plus means everbody allowed */
901 DEBUG(6, ("check_user_equiv everybody allowed\n"));
902 file_lines_free(lines);
906 else if (buf[0] == '-')
916 file_host = strtok(bp, " \t\n");
917 file_user = strtok(NULL, " \t\n");
918 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
919 file_user ? file_user : "(null)" ));
920 if (file_host && *file_host)
922 BOOL host_ok = False;
924 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
927 static char *mydomain = NULL;
929 yp_get_default_domain(&mydomain);
930 if (mydomain && innetgr(file_host,remote,user,mydomain))
936 DEBUG(1,("Netgroups not configured\n"));
941 /* is it this host */
942 /* the fact that remote has come from a call of gethostbyaddr
943 * means that it may have the fully qualified domain name
944 * so we could look up the file version to get it into
945 * a canonical form, but I would rather just type it
946 * in full in the equiv file
948 if (!host_ok && !is_group && strequal(remote, file_host))
954 /* is it this user */
955 if (file_user == 0 || strequal(user, file_user))
957 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
958 (plus ? "+" : "-"), file_host,
959 (file_user ? file_user : "")));
960 file_lines_free(lines);
961 return (plus ? True : False);
967 file_lines_free(lines);
972 /****************************************************************************
973 check for a possible hosts equiv or rhosts entry for the user
974 ****************************************************************************/
975 BOOL check_hosts_equiv(char *user)
979 struct passwd *pass = Get_Pwnam(user,True);
984 fname = lp_hosts_equiv();
986 /* note: don't allow hosts.equiv on root */
987 if (fname && *fname && (pass->pw_uid != 0)) {
988 if (check_user_equiv(user,client_name(),fname))
994 char *home = get_user_home_dir(user);
996 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
997 if (check_user_equiv(user,client_name(),rhostsfile))
1006 /****************************************************************************
1007 Return the client state structure.
1008 ****************************************************************************/
1010 struct cli_state *server_client(void)
1012 static struct cli_state pw_cli;
1016 /****************************************************************************
1017 Support for server level security.
1018 ****************************************************************************/
1020 struct cli_state *server_cryptkey(void)
1022 struct cli_state *cli;
1024 struct in_addr dest_ip;
1026 BOOL connected_ok = False;
1028 cli = server_client();
1030 if (!cli_initialise(cli))
1033 pserver = strdup(lp_passwordserver());
1036 while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
1037 standard_sub_basic(desthost);
1040 if(!resolve_name( desthost, &dest_ip, 0x20)) {
1041 DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
1045 if (ismyip(dest_ip)) {
1046 DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
1050 if (cli_connect(cli, desthost, &dest_ip)) {
1051 DEBUG(3,("connected to password server %s\n",desthost));
1052 connected_ok = True;
1059 if (!connected_ok) {
1060 DEBUG(0,("password server not available\n"));
1065 if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip))
1068 DEBUG(3,("got session\n"));
1070 if (!cli_negprot(cli)) {
1071 DEBUG(1,("%s rejected the negprot\n",desthost));
1076 if (cli->protocol < PROTOCOL_LANMAN2 ||
1077 !(cli->sec_mode & 1)) {
1078 DEBUG(1,("%s isn't in user level security mode\n",desthost));
1083 DEBUG(3,("password server OK\n"));
1088 /****************************************************************************
1089 Validate a password with the password server.
1090 ****************************************************************************/
1092 BOOL server_validate(char *user, char *domain,
1093 char *pass, int passlen,
1094 char *ntpass, int ntpasslen)
1096 struct cli_state *cli;
1097 static unsigned char badpass[24];
1098 static BOOL tested_password_server = False;
1099 static BOOL bad_password_server = False;
1101 cli = server_client();
1103 if (!cli->initialised) {
1104 DEBUG(1,("password server %s is not connected\n", cli->desthost));
1109 memset(badpass, 0x1f, sizeof(badpass));
1111 if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
1113 * Very unlikely, our random bad password is the same as the users
1115 memset(badpass, badpass[0]+1, sizeof(badpass));
1119 * Attempt a session setup with a totally incorrect password.
1120 * If this succeeds with the guest bit *NOT* set then the password
1121 * server is broken and is not correctly setting the guest bit. We
1122 * need to detect this as some versions of NT4.x are broken. JRA.
1125 if(!tested_password_server) {
1126 if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
1127 (char *)badpass, sizeof(badpass), domain)) {
1130 * We connected to the password server so we
1131 * can say we've tested it.
1133 tested_password_server = True;
1135 if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
1136 DEBUG(0,("server_validate: password server %s allows users as non-guest \
1137 with a bad password.\n", cli->desthost));
1138 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
1139 use this machine as the password server.\n"));
1143 * Password server has the bug.
1145 bad_password_server = True;
1153 * We have already tested the password server.
1154 * Fail immediately if it has the bug.
1157 if(bad_password_server) {
1158 DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
1159 with a bad password.\n", cli->desthost));
1160 DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
1161 use this machine as the password server.\n"));
1167 * Now we know the password server will correctly set the guest bit, or is
1168 * not guest enabled, we can try with the real password.
1171 if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
1172 DEBUG(1,("password server %s rejected the password\n", cli->desthost));
1176 /* if logged in as guest then reject */
1177 if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
1178 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
1188 /***********************************************************************
1189 Connect to a remote machine for domain security authentication
1190 given a name or IP address.
1191 ************************************************************************/
1193 static BOOL connect_to_domain_password_server(struct cli_state *pcli, char *remote_machine,
1194 unsigned char *trust_passwd)
1196 struct in_addr dest_ip;
1198 if(cli_initialise(pcli) == False) {
1199 DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
1203 standard_sub_basic(remote_machine);
1204 strupper(remote_machine);
1206 if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
1207 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
1212 if (ismyip(dest_ip)) {
1213 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
1219 if (!cli_connect(pcli, remote_machine, &dest_ip)) {
1220 DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
1221 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1226 if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) {
1227 DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
1228 session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1232 pcli->protocol = PROTOCOL_NT1;
1234 if (!cli_negprot(pcli)) {
1235 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
1236 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1241 if (pcli->protocol != PROTOCOL_NT1) {
1242 DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
1249 * Do an anonymous session setup.
1252 if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) {
1253 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
1254 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1259 if (!(pcli->sec_mode & 1)) {
1260 DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
1266 if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) {
1267 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
1268 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1274 * We now have an anonymous connection to IPC$ on the domain password server.
1278 * Even if the connect succeeds we need to setup the netlogon
1279 * pipe here. We do this as we may just have changed the domain
1280 * account password on the PDC and yet we may be talking to
1281 * a BDC that doesn't have this replicated yet. In this case
1282 * a successful connect to a DC needs to take the netlogon connect
1283 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
1286 if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) {
1287 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
1288 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
1289 cli_nt_session_close(pcli);
1295 if (cli_nt_setup_creds(pcli, trust_passwd) == False) {
1296 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
1297 %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
1298 cli_nt_session_close(pcli);
1307 /***********************************************************************
1308 Utility function to attempt a connection to an IP address of a DC.
1309 ************************************************************************/
1311 static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, unsigned char *trust_passwd)
1316 * Ignore addresses we have already tried.
1319 if (ip_equal(ipzero, *ip))
1322 if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name))
1325 return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
1330 /***********************************************************************
1331 We have been asked to dynamcially determine the IP addresses of
1332 the PDC and BDC's for this DOMAIN, and query them in turn.
1333 ************************************************************************/
1334 static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd)
1336 struct in_addr *ip_list = NULL;
1339 BOOL connected_ok = False;
1341 if (!get_dc_list(lp_workgroup(), &ip_list, &count))
1345 * Firstly try and contact a PDC/BDC who has the same
1346 * network address as any of our interfaces.
1348 for(i = 0; i < count; i++) {
1349 if(!is_local_net(ip_list[i]))
1352 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1355 ip_list[i] = ipzero; /* Tried and failed. */
1359 * Secondly try and contact a random PDC/BDC.
1362 i = (sys_random() % count);
1364 if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1365 ip_list[i] = ipzero; /* Tried and failed. */
1369 * Finally go through the IP list in turn, ignoring any addresses
1370 * we have already tried.
1374 * Try and connect to any of the other IP addresses in the PDC/BDC list.
1375 * Note that from a WINS server the #1 IP address is the PDC.
1377 for(i = 0; i < count; i++) {
1378 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1384 free((char *)ip_list);
1387 return connected_ok;
1392 /***********************************************************************
1393 Do the same as security=server, but using NT Domain calls and a session
1394 key from the machine password.
1395 ************************************************************************/
1397 BOOL domain_client_validate( char *user, char *domain,
1398 char *smb_apasswd, int smb_apasslen,
1399 char *smb_ntpasswd, int smb_ntpasslen,
1402 unsigned char local_challenge[8];
1403 unsigned char local_lm_response[24];
1404 unsigned char local_nt_response[24];
1405 unsigned char trust_passwd[16];
1406 fstring remote_machine;
1408 NET_ID_INFO_CTR ctr;
1409 NET_USER_INFO_3 info3;
1410 struct cli_state cli;
1412 BOOL connected_ok = False;
1414 if(user_exists != NULL)
1415 *user_exists = True; /* Only set false on a very specific error. */
1418 * Check that the requested domain is not our own machine name.
1419 * If it is, we should never check the PDC here, we use our own local
1423 if(strequal( domain, global_myname)) {
1424 DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
1429 * Next, check that the passwords given were encrypted.
1432 if(((smb_apasslen != 24) && (smb_apasslen != 0)) ||
1433 ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) {
1436 * Not encrypted - do so.
1439 DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
1440 generate_random_buffer( local_challenge, 8, False);
1441 SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
1442 SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response);
1445 smb_apasswd = (char *)local_lm_response;
1446 smb_ntpasswd = (char *)local_nt_response;
1450 * Encrypted - get the challenge we sent for these
1454 if (!last_challenge(local_challenge)) {
1455 DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
1461 * Get the machine account password for our primary domain
1463 if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, NULL))
1465 DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup()));
1470 * At this point, smb_apasswd points to the lanman response to
1471 * the challenge in local_challenge, and smb_ntpasswd points to
1472 * the NT response to the challenge in local_challenge. Ship
1473 * these over the secure channel to a domain controller and
1474 * see if they were valid.
1480 * Treat each name in the 'password server =' line as a potential
1481 * PDC/BDC. Contact each in turn and try and authenticate.
1484 pserver = lp_passwordserver();
1485 if (! *pserver) pserver = "*";
1488 while (!connected_ok &&
1489 next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
1490 if(strequal(remote_machine, "*")) {
1491 connected_ok = find_connect_pdc(&cli, trust_passwd);
1493 connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
1497 if (!connected_ok) {
1498 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
1503 /* We really don't care what LUID we give the user. */
1504 generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
1508 if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge,
1509 ((smb_apasslen != 0) ? smb_apasswd : NULL),
1510 ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
1511 &ctr, &info3) == False) {
1514 cli_error(&cli, NULL, NULL, &nt_rpc_err);
1515 DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
1516 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
1517 cli_nt_session_close(&cli);
1521 if((nt_rpc_err == NT_STATUS_NO_SUCH_USER) && (user_exists != NULL))
1522 *user_exists = False;
1528 * Here, if we really want it, we have lots of info about the user in info3.
1533 * We don't actually need to do this - plus it fails currently with
1534 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
1538 if(cli_nt_logoff(&cli, &ctr) == False) {
1539 DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
1540 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
1541 cli_nt_session_close(&cli);
1548 /* Note - once the cli stream is shutdown the mem_ctx used
1549 to allocate the other_sids and gids structures has been deleted - so
1550 these pointers are no longer valid..... */
1552 cli_nt_session_close(&cli);