X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=blobdiff_plain;f=source3%2Frpc_server%2Fsrv_pipe.c;h=a38b86f826e3322ae8d8489f9478fe7a5888ea73;hp=2957d7cc95dd9f82f3d9fdf4d4d3f55a211afc82;hb=f5bc0e92a66b418b2bd8f3669a9642b4d46bc8d1;hpb=dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 2957d7cc95d..a38b86f826e 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -265,14 +265,18 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 	int nt_pw_len;
 	int lm_pw_len;
 	fstring user_name;
-	fstring pipe_user_name;
 	fstring domain;
 	fstring wks;
-	BOOL guest_user = False;
-	SAM_ACCOUNT *sampass = NULL;
-	uchar null_smb_passwd[16];
-	uchar *smb_passwd_ptr = NULL;
-	
+
+	NTSTATUS nt_status;
+
+	struct auth_context *auth_context = NULL;
+	auth_usersupplied_info *user_info = NULL;
+	auth_serversupplied_info *server_info = NULL;
+
+	uid_t uid;
+	uid_t gid;
+
 	DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
 
 	memset(p->user_name, '\0', sizeof(p->user_name));
@@ -289,8 +293,6 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 	 * Setup an empty password for a guest user.
 	 */
 
- 	memset(null_smb_passwd,0,16);
-
 	/*
 	 * We always negotiate UNICODE.
 	 */
@@ -324,26 +326,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 	 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
 	 */
 
-	if((strlen(user_name) == 0) && 
-	   (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
-	{
-		guest_user = True;
-		
-		fstrcpy(pipe_user_name, lp_guestaccount(-1));
-		DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
+	if (*user_name) {
 
-		smb_passwd_ptr = null_smb_passwd;
-		
-	} else {
-
-		/*
-		 * Pass the user through the NT -> unix user mapping
-		 * function.
-		 */
-		
-		fstrcpy(pipe_user_name, user_name);
-		(void)map_username(pipe_user_name);
-		
 	 	/* 
 		 * Do the length checking only if user is not NULL.
 		 */
@@ -360,43 +344,29 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
  			return False;
 
 	}
+	
+	make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
 
-	if(!guest_user) {
-
-		become_root();
-
-		p->ntlmssp_auth_validated = 
-			NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL, 
-								 domain, wks, 
-								 (uchar*)p->challenge, 
-								 lm_owf, lm_pw_len, 
-								 nt_owf, nt_pw_len));
-		if (!p->ntlmssp_auth_validated) {
-			DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
-failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
-			unbecome_root();
-			return False;
-		}
-
-		pdb_init_sam(&sampass);
-
-		if(!pdb_getsampwnam(sampass, pipe_user_name)) {
-			DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
-				pipe_user_name));
-			pdb_free_sam(&sampass);
-			unbecome_root();
-			return False;
-		}
-
-		unbecome_root();
-
-		if(!pdb_get_nt_passwd(sampass)) {
-			DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
-			pdb_free_sam(&sampass);
-			return False;
-	        }
- 
-	        smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
+	if (!make_user_info_netlogon_network(&user_info, 
+					     user_name, domain, wks,
+					     lm_owf, lm_pw_len, 
+					     nt_owf, nt_pw_len)) {
+		DEBUG(0,("make_user_info_netlogon_network failed!  Failing authenticaion.\n"));
+		return False;
+	}
+	
+	nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); 
+	
+	(auth_context->free)(&auth_context);
+	free_user_info(&user_info);
+	
+	p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
+	
+	if (!p->ntlmssp_auth_validated) {
+		DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
+failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
+		free_server_info(&server_info);
+		return False;
 	}
 
 	/*
@@ -405,7 +375,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
 
 	{
 		uchar p24[24];
-		NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
+		NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
 		{
 			unsigned char j = 0;
 			int ind;
@@ -439,7 +409,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
 	}
 
 	fstrcpy(p->user_name, user_name);
-	fstrcpy(p->pipe_user_name, pipe_user_name);
+	fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
 	fstrcpy(p->domain, domain);
 	fstrcpy(p->wks, wks);
 
@@ -447,21 +417,33 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
 	 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
 	 */
 
-	p->pipe_user.uid = pdb_get_uid(sampass);
-	p->pipe_user.gid = pdb_get_gid(sampass);
+	if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
+		DEBUG(0,("Attempted authenticated pipe with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
+		free_server_info(&server_info);
+		return False;
+	}
+	
+	uid = pdb_get_uid(server_info->sam_account);
+	gid = pdb_get_gid(server_info->sam_account);
+
+	p->pipe_user.uid = uid;
+	p->pipe_user.gid = gid;
 
 	/* Set up pipe user group membership. */
-	initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
+	initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
 	get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
 
+	if (server_info->ptok)
+		add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
+
 	/* Create an NT_USER_TOKEN struct for this user. */
 	p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
-						p->pipe_user.ngroups, p->pipe_user.groups,
-						guest_user);
+						     p->pipe_user.ngroups, p->pipe_user.groups,
+						     server_info->guest, server_info->ptok);
 
 	p->ntlmssp_auth_validated = True;
 
-	pdb_free_sam(&sampass);
+	pdb_free_sam(&server_info->sam_account);
 	return True;
 }
 
@@ -1135,7 +1117,6 @@ BOOL api_pipe_request(pipes_struct *p)
 {
 	int i = 0;
 	BOOL ret = False;
-	BOOL changed_user_id = False;
 
 	if (p->ntlmssp_auth_validated) {
 
@@ -1143,8 +1124,6 @@ BOOL api_pipe_request(pipes_struct *p)
 			prs_mem_free(&p->out_data.rdata);
 			return False;
 		}
-
-		changed_user_id = True;
 	}
 
 	for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
@@ -1157,8 +1136,8 @@ BOOL api_pipe_request(pipes_struct *p)
 		}
 	}
 
-	if(changed_user_id)
-		unbecome_authenticated_pipe_user(p);
+	if(p->ntlmssp_auth_validated)
+		unbecome_authenticated_pipe_user();
 
 	return ret;
 }