git.samba.org / ira / wip.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Better explanation message for dmalloc.
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7079cc2ca189487f065f09c6838a574272171328..a38b86f826e3322ae8d8489f9478fe7a5888ea73 100644 (file)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -265,14 +265,18 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
        int nt_pw_len;
        int lm_pw_len;
        fstring user_name;
-       fstring pipe_user_name;
        fstring domain;
        fstring wks;
-       BOOL guest_user = False;
-       SAM_ACCOUNT *sampass = NULL;
-       uchar null_smb_passwd[16];
-       uchar *smb_passwd_ptr = NULL;
-       
+
+       NTSTATUS nt_status;
+
+       struct auth_context *auth_context = NULL;
+       auth_usersupplied_info *user_info = NULL;
+       auth_serversupplied_info *server_info = NULL;
+
+       uid_t uid;
+       uid_t gid;
+
        DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
 
        memset(p->user_name, '\0', sizeof(p->user_name));
@@ -289,8 +293,6 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
         * Setup an empty password for a guest user.
         */
 
-       memset(null_smb_passwd,0,16);
-
        /*
         * We always negotiate UNICODE.
         */
@@ -324,26 +326,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
         * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
         */
 
-       if((strlen(user_name) == 0) && 
-          (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
-       {
-               guest_user = True;
-               
-               fstrcpy(pipe_user_name, lp_guestaccount(-1));
-               DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
-
-               smb_passwd_ptr = null_smb_passwd;
-               
-       } else {
+       if (*user_name) {
 
-               /*
-                * Pass the user through the NT -> unix user mapping
-                * function.
-                */
-               
-               fstrcpy(pipe_user_name, user_name);
-               (void)map_username(pipe_user_name);
-               
                /* 
                 * Do the length checking only if user is not NULL.
                 */
@@ -360,43 +344,29 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
                        return False;
 
        }
+       
+       make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
 
-       if(!guest_user) {
-
-               become_root();
-
-               p->ntlmssp_auth_validated = 
-                       NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL, 
-                                                                domain, wks, 
-                                                                (uchar*)p->challenge, 
-                                                                lm_owf, lm_pw_len, 
-                                                                nt_owf, nt_pw_len));
-               if (!p->ntlmssp_auth_validated) {
-                       DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
-failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
-                       unbecome_root();
-                       return False;
-               }
-
-               pdb_init_sam(&sampass);
-
-               if(!pdb_getsampwnam(sampass, pipe_user_name)) {
-                       DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
-                               pipe_user_name));
-                       pdb_free_sam(&sampass);
-                       unbecome_root();
-                       return False;
-               }
-
-               unbecome_root();
-
-               if(!pdb_get_nt_passwd(sampass)) {
-                       DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
-                       pdb_free_sam(&sampass);
-                       return False;
-               }
-               smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
+       if (!make_user_info_netlogon_network(&user_info, 
+                                            user_name, domain, wks,
+                                            lm_owf, lm_pw_len, 
+                                            nt_owf, nt_pw_len)) {
+               DEBUG(0,("make_user_info_netlogon_network failed!  Failing authenticaion.\n"));
+               return False;
+       }
+       
+       nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); 
+       
+       (auth_context->free)(&auth_context);
+       free_user_info(&user_info);
+       
+       p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
+       
+       if (!p->ntlmssp_auth_validated) {
+               DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
+failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
+               free_server_info(&server_info);
+               return False;
        }
 
        /*
@@ -405,7 +375,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
 
        {
                uchar p24[24];
-               NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
+               NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
                {
                        unsigned char j = 0;
                        int ind;
@@ -439,7 +409,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
        }
 
        fstrcpy(p->user_name, user_name);
-       fstrcpy(p->pipe_user_name, pipe_user_name);
+       fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
        fstrcpy(p->domain, domain);
        fstrcpy(p->wks, wks);
 
@@ -447,21 +417,33 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
         * Store the UNIX credential data (uid/gid pair) in the pipe structure.
         */
 
-       p->pipe_user.uid = pdb_get_uid(sampass);
-       p->pipe_user.gid = pdb_get_gid(sampass);
+       if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
+               DEBUG(0,("Attempted authenticated pipe with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
+               free_server_info(&server_info);
+               return False;
+       }
+       
+       uid = pdb_get_uid(server_info->sam_account);
+       gid = pdb_get_gid(server_info->sam_account);
+
+       p->pipe_user.uid = uid;
+       p->pipe_user.gid = gid;
 
        /* Set up pipe user group membership. */
-       initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
+       initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
        get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
 
+       if (server_info->ptok)
+               add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
+
        /* Create an NT_USER_TOKEN struct for this user. */
        p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
-                                               p->pipe_user.ngroups, p->pipe_user.groups,
-                                               guest_user);
+                                                    p->pipe_user.ngroups, p->pipe_user.groups,
+                                                    server_info->guest, server_info->ptok);
 
        p->ntlmssp_auth_validated = True;
 
-       pdb_free_sam(&sampass);
+       pdb_free_sam(&server_info->sam_account);
        return True;
 }
 
Unnamed repository; edit this file 'description' to name the repository.