Copyright (C) Andrew Bartlett 2001
Copyright (C) Jeremy Allison 2000-2001
Copyright (C) Rafal Szczesniak 2002
+ Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_samr.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
-#include "librpc/gen_ndr/ndr_security.h"
#include "auth/auth.h"
+#include "libcli/security/security.h"
+#include "libcli/auth/libcli_auth.h"
+#include "dsdb/samdb/samdb.h"
+#include "auth/credentials/credentials.h"
+#include "param/param.h"
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_AUTH
+/* this default function can be used by mostly all backends
+ * which don't want to set a challenge
+ */
+NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge)
+{
+ /* we don't want to set a challenge */
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
/****************************************************************************
- Create an auth_usersupplied_data structure
+ Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
-static NTSTATUS make_user_info(TALLOC_CTX *mem_ctx,
- struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *internal_username,
- const char *client_domain,
- const char *domain,
- const char *wksta_name,
- DATA_BLOB *lm_password, DATA_BLOB *nt_password,
- DATA_BLOB *lm_interactive_password, DATA_BLOB *nt_interactive_password,
- DATA_BLOB *plaintext,
- BOOL encrypted)
-{
-
- DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
-
- *user_info = talloc_p(mem_ctx, struct auth_usersupplied_info);
- if (!user_info) {
- return NT_STATUS_NO_MEMORY;
- }
- ZERO_STRUCTP(*user_info);
-
- DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
+NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
+ const char *default_domain,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_usersupplied_info **user_info_mapped)
+{
+ const char *domain;
+ char *account_name;
+ char *d;
+ DEBUG(5,("map_user_info: Mapping user [%s]\\[%s] from workstation [%s]\n",
+ user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
- (*user_info)->smb_name.str = talloc_strdup(*user_info, smb_name);
- if ((*user_info)->smb_name.str) {
- (*user_info)->smb_name.len = strlen(smb_name);
- } else {
- free_user_info(user_info);
+ account_name = talloc_strdup(mem_ctx, user_info->client.account_name);
+ if (!account_name) {
return NT_STATUS_NO_MEMORY;
}
- (*user_info)->internal_username.str = talloc_strdup(*user_info, internal_username);
- if ((*user_info)->internal_username.str) {
- (*user_info)->internal_username.len = strlen(internal_username);
- } else {
- free_user_info(user_info);
- return NT_STATUS_NO_MEMORY;
- }
+ /* don't allow "" as a domain, fixes a Win9X bug
+ where it doesn't supply a domain for logon script
+ 'net use' commands. */
- (*user_info)->domain.str = talloc_strdup(*user_info, domain);
- if ((*user_info)->domain.str) {
- (*user_info)->domain.len = strlen(domain);
+ /* Split user@realm names into user and realm components. This is TODO to fix with proper userprincipalname support */
+ if (user_info->client.domain_name && *user_info->client.domain_name) {
+ domain = user_info->client.domain_name;
+ } else if (strchr_m(user_info->client.account_name, '@')) {
+ d = strchr_m(account_name, '@');
+ if (!d) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ d[0] = '\0';
+ d++;
+ domain = d;
} else {
- free_user_info(user_info);
- return NT_STATUS_NO_MEMORY;
+ domain = default_domain;
}
- (*user_info)->client_domain.str = talloc_strdup(*user_info, client_domain);
- if ((*user_info)->client_domain.str) {
- (*user_info)->client_domain.len = strlen(client_domain);
- } else {
- free_user_info(user_info);
+ *user_info_mapped = talloc(mem_ctx, struct auth_usersupplied_info);
+ if (!*user_info_mapped) {
return NT_STATUS_NO_MEMORY;
}
-
- (*user_info)->wksta_name.str = talloc_strdup(*user_info, wksta_name);
- if ((*user_info)->wksta_name.str) {
- (*user_info)->wksta_name.len = strlen(wksta_name);
- } else {
- free_user_info(user_info);
+ talloc_reference(*user_info_mapped, user_info);
+ **user_info_mapped = *user_info;
+ (*user_info_mapped)->mapped_state = true;
+ (*user_info_mapped)->mapped.domain_name = talloc_strdup(*user_info_mapped, domain);
+ (*user_info_mapped)->mapped.account_name = talloc_strdup(*user_info_mapped, account_name);
+ talloc_free(account_name);
+ if (!(*user_info_mapped)->mapped.domain_name
+ || !(*user_info_mapped)->mapped.account_name) {
return NT_STATUS_NO_MEMORY;
}
- DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
-
- if (lm_password)
- (*user_info)->lm_resp = data_blob_talloc(*user_info,
- lm_password->data,
- lm_password->length);
- if (nt_password)
- (*user_info)->nt_resp = data_blob_talloc(*user_info,
- nt_password->data,
- nt_password->length);
- if (lm_interactive_password)
- (*user_info)->lm_interactive_password =
- data_blob_talloc(*user_info,
- lm_interactive_password->data,
- lm_interactive_password->length);
- if (nt_interactive_password)
- (*user_info)->nt_interactive_password =
- data_blob_talloc(*user_info,
- nt_interactive_password->data,
- nt_interactive_password->length);
-
- if (plaintext)
- (*user_info)->plaintext_password =
- data_blob_talloc(*user_info,
- plaintext->data,
- plaintext->length);
-
- (*user_info)->encrypted = encrypted;
-
- DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
-
return NT_STATUS_OK;
}
Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
-NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
- struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
- const char *wksta_name,
- DATA_BLOB *lm_password, DATA_BLOB *nt_password,
- DATA_BLOB *lm_interactive_password, DATA_BLOB *nt_interactive_password,
- DATA_BLOB *plaintext,
- BOOL encrypted)
-{
- const char *domain;
-
- DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
- client_domain, smb_name, wksta_name));
-
- /* don't allow "" as a domain, fixes a Win9X bug
- where it doens't supply a domain for logon script
- 'net use' commands. */
-
- if ( *client_domain )
- domain = client_domain;
- else
- domain = lp_workgroup();
-
- /* we know that it is a trusted domain (and we are allowing
- them) or it is our domain */
-
- return make_user_info(mem_ctx,
- user_info, smb_name, smb_name,
- client_domain, domain, wksta_name,
- lm_password, nt_password,
- lm_interactive_password, nt_interactive_password,
- plaintext, encrypted);
-}
-
-/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
- Decrypt and encrypt the passwords.
-****************************************************************************/
-
-NTSTATUS make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
- struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
- const char *wksta_name,
- const uint8_t *lm_network_password, int lm_password_len,
- const uint8_t *nt_network_password, int nt_password_len)
+NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
+ enum auth_password_state to_state,
+ const struct auth_usersupplied_info *user_info_in,
+ const struct auth_usersupplied_info **user_info_encrypted)
{
NTSTATUS nt_status;
- DATA_BLOB lm_blob = data_blob(lm_network_password, lm_password_len);
- DATA_BLOB nt_blob = data_blob(nt_network_password, nt_password_len);
-
- nt_status = make_user_info_map(mem_ctx,
- user_info,
- smb_name, client_domain,
- wksta_name,
- lm_password_len ? &lm_blob : NULL,
- nt_password_len ? &nt_blob : NULL,
- NULL, NULL, NULL,
- True);
-
- data_blob_free(&lm_blob);
- data_blob_free(&nt_blob);
- return nt_status;
-}
-
-/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
- Decrypt and encrypt the passwords.
-****************************************************************************/
-
-NTSTATUS make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
- struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
- const char *wksta_name,
- const uint8_t chal[8],
- const struct samr_Password *lm_interactive_password,
- const struct samr_Password *nt_interactive_password)
-{
- NTSTATUS nt_status;
- DATA_BLOB local_lm_blob;
- DATA_BLOB local_nt_blob;
-
- DATA_BLOB lm_interactive_blob;
- DATA_BLOB nt_interactive_blob;
- uint8_t local_lm_response[24];
- uint8_t local_nt_response[24];
-
- SMBOWFencrypt(lm_interactive_password->hash, chal, local_lm_response);
- SMBOWFencrypt(nt_interactive_password->hash, chal, local_nt_response);
-
- local_lm_blob = data_blob(local_lm_response,
- sizeof(local_lm_response));
- lm_interactive_blob = data_blob(lm_interactive_password->hash,
- sizeof(lm_interactive_password->hash));
-
- local_nt_blob = data_blob(local_nt_response,
- sizeof(local_nt_response));
- nt_interactive_blob = data_blob(nt_interactive_password->hash,
- sizeof(nt_interactive_password->hash));
-
- nt_status = make_user_info_map(mem_ctx,
- user_info,
- smb_name, client_domain,
- wksta_name,
- &local_lm_blob,
- &local_nt_blob,
- &lm_interactive_blob,
- &nt_interactive_blob,
- NULL,
- True);
-
- data_blob_free(&local_lm_blob);
- data_blob_free(&local_nt_blob);
- data_blob_free(&lm_interactive_blob);
- data_blob_free(&nt_interactive_blob);
- return nt_status;
-}
-/****************************************************************************
- Create an auth_usersupplied_data structure
-****************************************************************************/
-
-NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx,
- struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
- const char *remote_machine,
- DATA_BLOB lm_resp, DATA_BLOB nt_resp)
-{
- return make_user_info_map(mem_ctx,
- user_info, smb_name,
- client_domain,
- remote_machine,
- lm_resp.data ? &lm_resp : NULL,
- nt_resp.data ? &nt_resp : NULL,
- NULL, NULL, NULL,
- True);
-}
-
-/****************************************************************************
- Create a guest user_info blob, for anonymous authenticaion.
-****************************************************************************/
-
-BOOL make_user_info_guest(TALLOC_CTX *mem_ctx,
- struct auth_usersupplied_info **user_info)
-{
- NTSTATUS nt_status;
-
- nt_status = make_user_info(mem_ctx,
- user_info,
- "","",
- "","",
- "",
- NULL, NULL,
- NULL, NULL,
- NULL,
- True);
-
- return NT_STATUS_IS_OK(nt_status) ? True : False;
-}
-
-/****************************************************************************
- prints a struct security_token to debug output.
-****************************************************************************/
-void debug_security_token(int dbg_class, int dbg_lev, const struct security_token *token)
-{
- TALLOC_CTX *mem_ctx;
-
- size_t i;
-
- if (!token) {
- DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
- return;
- }
-
- mem_ctx = talloc_init("debug_security_token()");
- if (!mem_ctx) {
- return;
- }
-
- DEBUGC(dbg_class, dbg_lev, ("Security token of user %s\n",
- dom_sid_string(mem_ctx, token->user_sid) ));
- DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n",
- (unsigned long)token->num_sids));
- for (i = 0; i < token->num_sids; i++) {
- DEBUGADDC(dbg_class, dbg_lev,
- ("SID[%3lu]: %s\n", (unsigned long)i,
- dom_sid_string(mem_ctx, token->sids[i])));
- }
-
- talloc_destroy(mem_ctx);
-}
-
-/****************************************************************************
- prints a struct auth_session_info security token to debug output.
-****************************************************************************/
-void debug_session_info(int dbg_class, int dbg_lev,
- const struct auth_session_info *session_info)
-{
- if (!session_info) {
- DEBUGC(dbg_class, dbg_lev, ("Session Info: (NULL)\n"));
- return;
- }
-
- debug_security_token(dbg_class, dbg_lev, session_info->security_token);
-}
-
-/****************************************************************************
- Create the SID list for this user.
-****************************************************************************/
-NTSTATUS create_security_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid, struct dom_sid *group_sid,
- int n_groupSIDs, struct dom_sid **groupSIDs,
- BOOL is_guest, struct security_token **token)
-{
- struct security_token *ptoken;
- int i;
- NTSTATUS status;
-
- ptoken = security_token_initialise(mem_ctx);
- if (ptoken == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, n_groupSIDs + 5);
- if (!ptoken->sids) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ptoken->user_sid = user_sid;
- ptoken->group_sid = group_sid;
- ptoken->privilege_mask = 0;
-
- ptoken->sids[0] = user_sid;
- ptoken->sids[1] = group_sid;
-
- /*
- * Finally add the "standard" SIDs.
- * The only difference between guest and "anonymous" (which we
- * don't really support) is the addition of Authenticated_Users.
- */
- ptoken->sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
- ptoken->sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
- ptoken->sids[4] = dom_sid_parse_talloc(mem_ctx,
- is_guest?SID_BUILTIN_GUESTS:
- SID_NT_AUTHENTICATED_USERS);
- ptoken->num_sids = 5;
-
- for (i = 0; i < n_groupSIDs; i++) {
- size_t check_sid_idx;
- for (check_sid_idx = 1;
- check_sid_idx < ptoken->num_sids;
- check_sid_idx++) {
- if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
- break;
+ struct auth_usersupplied_info *user_info_temp;
+ switch (to_state) {
+ case AUTH_PASSWORD_RESPONSE:
+ switch (user_info_in->password_state) {
+ case AUTH_PASSWORD_PLAIN:
+ {
+ const struct auth_usersupplied_info *user_info_temp2;
+ nt_status = encrypt_user_info(mem_ctx, auth_context,
+ AUTH_PASSWORD_HASH,
+ user_info_in, &user_info_temp2);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
+ user_info_in = user_info_temp2;
+ /* fall through */
}
-
- if (check_sid_idx == ptoken->num_sids) {
- ptoken->sids[ptoken->num_sids++] = groupSIDs[i];
- }
- }
-
- /* setup the privilege mask for this token */
- status = samdb_privilege_setup(ptoken);
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(ptoken);
- return status;
- }
-
- debug_security_token(DBGC_AUTH, 10, ptoken);
-
- *token = ptoken;
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Make a user_info struct
-***************************************************************************/
-
-NTSTATUS make_server_info(const TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info **server_info,
- const char *username)
-{
- *server_info = talloc_p(mem_ctx, struct auth_serversupplied_info);
- if (!*server_info) {
- return NT_STATUS_NO_MEMORY;
- }
- ZERO_STRUCTP(*server_info);
-
- return NT_STATUS_OK;
-}
-
-/***************************************************************************
- Make (and fill) a user_info struct for a guest login.
-***************************************************************************/
-NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **server_info)
-{
- NTSTATUS nt_status;
-
- nt_status = make_server_info(mem_ctx, server_info, "");
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- (*server_info)->guest = True;
-
- (*server_info)->user_sid = dom_sid_parse_talloc((*server_info), SID_NT_ANONYMOUS);
- (*server_info)->primary_group_sid = dom_sid_parse_talloc((*server_info), SID_BUILTIN_GUESTS);
- (*server_info)->n_domain_groups = 0;
- (*server_info)->domain_groups = NULL;
-
- /* annoying, but the Guest really does have a session key,
- and it is all zeros! */
- (*server_info)->user_session_key = data_blob_talloc(*server_info, NULL, 16);
- (*server_info)->lm_session_key = data_blob_talloc(*server_info, NULL, 16);
-
- data_blob_clear(&(*server_info)->user_session_key);
- data_blob_clear(&(*server_info)->lm_session_key);
-
- (*server_info)->account_name = "";
- (*server_info)->domain = "";
- (*server_info)->full_name = "Anonymous";
- (*server_info)->logon_script = "";
- (*server_info)->profile_path = "";
- (*server_info)->home_directory = "";
- (*server_info)->home_drive = "";
-
- (*server_info)->last_logon = 0;
- (*server_info)->last_logoff = 0;
- (*server_info)->acct_expiry = 0;
- (*server_info)->last_password_change = 0;
- (*server_info)->allow_password_change = 0;
- (*server_info)->force_password_change = 0;
-
- (*server_info)->logon_count = 0;
- (*server_info)->bad_password_count = 0;
-
- (*server_info)->acct_flags = ACB_NORMAL;
-
- return nt_status;
-}
-
-/***************************************************************************
- Make a server_info struct from the info3 returned by a domain logon
-***************************************************************************/
+ case AUTH_PASSWORD_HASH:
+ {
+ const uint8_t *challenge;
+ DATA_BLOB chall_blob;
+ user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
+ if (!user_info_temp) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_reference(user_info_temp, user_info_in);
+ *user_info_temp = *user_info_in;
+ user_info_temp->mapped_state = to_state;
+
+ nt_status = auth_get_challenge(auth_context, &challenge);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
+ if (lp_client_ntlmv2_auth(auth_context->lp_ctx)) {
+ DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lp_netbios_name(auth_context->lp_ctx), lp_workgroup(auth_context->lp_ctx));
+ DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key;
+
+ if (!SMBNTLMv2encrypt_hash(user_info_temp,
+ user_info_in->client.account_name,
+ user_info_in->client.domain_name,
+ user_info_in->password.hash.nt->hash, &chall_blob,
+ &names_blob,
+ &lmv2_response, &ntlmv2_response,
+ &lmv2_session_key, &ntlmv2_session_key)) {
+ data_blob_free(&names_blob);
+ return NT_STATUS_NO_MEMORY;
+ }
+ data_blob_free(&names_blob);
+ user_info_temp->password.response.lanman = lmv2_response;
+ user_info_temp->password.response.nt = ntlmv2_response;
+
+ data_blob_free(&lmv2_session_key);
+ data_blob_free(&ntlmv2_session_key);
+ } else {
+ DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24);
+ SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);
+
+ user_info_temp->password.response.nt = blob;
+ if (lp_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) {
+ DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
+ SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, blob.data);
+ user_info_temp->password.response.lanman = lm_blob;
+ } else {
+ /* if not sending the LM password, send the NT password twice */
+ user_info_temp->password.response.lanman = user_info_temp->password.response.nt;
+ }
+ }
-NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
- const char *internal_username,
- struct auth_serversupplied_info **server_info,
- uint16 validation_level,
- union netr_Validation *validation)
-{
- NTSTATUS nt_status;
- struct netr_SamBaseInfo *base = NULL;
- switch (validation_level) {
- case 2:
- if (!validation || !validation->sam2) {
- return NT_STATUS_INVALID_PARAMETER;
+ user_info_in = user_info_temp;
+ /* fall through */
}
- base = &validation->sam2->base;
- break;
- case 3:
- if (!validation || !validation->sam3) {
- return NT_STATUS_INVALID_PARAMETER;
+ case AUTH_PASSWORD_RESPONSE:
+ *user_info_encrypted = user_info_in;
}
- base = &validation->sam3->base;
break;
- case 6:
- if (!validation || !validation->sam6) {
+ case AUTH_PASSWORD_HASH:
+ {
+ switch (user_info_in->password_state) {
+ case AUTH_PASSWORD_PLAIN:
+ {
+ struct samr_Password lanman;
+ struct samr_Password nt;
+
+ user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
+ if (!user_info_temp) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_reference(user_info_temp, user_info_in);
+ *user_info_temp = *user_info_in;
+ user_info_temp->mapped_state = to_state;
+
+ if (E_deshash(user_info_in->password.plaintext, lanman.hash)) {
+ user_info_temp->password.hash.lanman = talloc(user_info_temp,
+ struct samr_Password);
+ *user_info_temp->password.hash.lanman = lanman;
+ } else {
+ user_info_temp->password.hash.lanman = NULL;
+ }
+
+ E_md4hash(user_info_in->password.plaintext, nt.hash);
+ user_info_temp->password.hash.nt = talloc(user_info_temp,
+ struct samr_Password);
+ *user_info_temp->password.hash.nt = nt;
+
+ user_info_in = user_info_temp;
+ /* fall through */
+ }
+ case AUTH_PASSWORD_HASH:
+ *user_info_encrypted = user_info_in;
+ break;
+ default:
return NT_STATUS_INVALID_PARAMETER;
+ break;
}
- base = &validation->sam6->base;
break;
- default:
- return NT_STATUS_INVALID_LEVEL;
- }
-
- nt_status = make_server_info(mem_ctx, server_info, internal_username);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
}
-
- (*server_info)->guest = False;
-
- /*
- Here is where we should check the list of
- trusted domains, and verify that the SID
- matches.
- */
-
- (*server_info)->user_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base->domain_sid), base->rid);
- (*server_info)->primary_group_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base->domain_sid), base->primary_gid);
-
- (*server_info)->domain_groups = talloc_array_p((*server_info), struct dom_sid*, base->group_count);
- if (!(*server_info)->domain_groups) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for ((*server_info)->n_domain_groups = 0;
- (*server_info)->n_domain_groups < base->group_count;
- (*server_info)->n_domain_groups++) {
- struct dom_sid *sid;
- sid = dom_sid_dup((*server_info)->domain_groups, base->domain_sid);
- if (!sid) {
- return NT_STATUS_NO_MEMORY;
- }
- (*server_info)->domain_groups[(*server_info)->n_domain_groups]
- = dom_sid_add_rid(*server_info, sid,
- base->groupids[(*server_info)->n_domain_groups].rid);
- if (!(*server_info)->domain_groups[(*server_info)->n_domain_groups]) {
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- /* Copy 'other' sids. We need to do sid filtering here to
- prevent possible elevation of privileges. See:
-
- http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
- */
-
- if (validation_level == 3) {
- int i;
- (*server_info)->domain_groups
- = talloc_realloc_p((*server_info),
- (*server_info)->domain_groups,
- struct dom_sid*,
- base->group_count + validation->sam3->sidcount);
-
- if (!(*server_info)->domain_groups) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i = 0; i < validation->sam3->sidcount; i++) {
- (*server_info)->domain_groups[(*server_info)->n_domain_groups + i] =
- dom_sid_dup((*server_info)->domain_groups,
- validation->sam3->sids[i].sid);
- }
-
- /* Where are the 'global' sids?... */
- }
-
- if (base->account_name.string) {
- (*server_info)->account_name = talloc_reference(*server_info, base->account_name.string);
- } else {
- (*server_info)->account_name = talloc_strdup(*server_info, internal_username);
- }
-
- (*server_info)->domain = talloc_reference(*server_info, base->domain.string);
- (*server_info)->full_name = talloc_reference(*server_info, base->full_name.string);
- (*server_info)->logon_script = talloc_reference(*server_info, base->logon_script.string);
- (*server_info)->profile_path = talloc_reference(*server_info, base->profile_path.string);
- (*server_info)->home_directory = talloc_reference(*server_info, base->home_directory.string);
- (*server_info)->home_drive = talloc_reference(*server_info, base->home_drive.string);
- (*server_info)->last_logon = base->last_logon;
- (*server_info)->last_logoff = base->last_logoff;
- (*server_info)->acct_expiry = base->acct_expiry;
- (*server_info)->last_password_change = base->last_password_change;
- (*server_info)->allow_password_change = base->allow_password_change;
- (*server_info)->force_password_change = base->force_password_change;
-
- (*server_info)->logon_count = base->logon_count;
- (*server_info)->bad_password_count = base->bad_password_count;
-
- (*server_info)->acct_flags = base->acct_flags;
-
- /* ensure we are never given NULL session keys */
-
- if (all_zero(base->key.key, sizeof(base->key.key))) {
- (*server_info)->user_session_key = data_blob(NULL, 0);
- } else {
- (*server_info)->user_session_key = data_blob_talloc((*server_info), base->key.key, sizeof(base->key.key));
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
}
- if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
- (*server_info)->lm_session_key = data_blob(NULL, 0);
- } else {
- (*server_info)->lm_session_key = data_blob_talloc((*server_info), base->LMSessKey.key, sizeof(base->LMSessKey.key));
- }
return NT_STATUS_OK;
}
-/***************************************************************************
- Free a user_info struct
-***************************************************************************/
-
-void free_user_info(struct auth_usersupplied_info **user_info)
-{
- DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
- if (*user_info) {
- data_blob_clear(&(*user_info)->plaintext_password);
- }
-
- talloc_free(*user_info);
- *user_info = NULL;
-}
-
-/***************************************************************************
- Clear out a server_info struct that has been allocated
-***************************************************************************/
-
-void free_server_info(struct auth_serversupplied_info **server_info)
-{
- DEBUG(5,("attempting to free a server_info structure\n"));
- talloc_free(*server_info);
- *server_info = NULL;
-}
-
-/***************************************************************************
- Make an auth_methods struct
-***************************************************************************/
-
-BOOL make_auth_methods(struct auth_context *auth_context, struct auth_methods **auth_method)
-{
- if (!auth_context) {
- smb_panic("no auth_context supplied to make_auth_methods()!\n");
- }
-
- if (!auth_method) {
- smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
- }
-
- *auth_method = talloc_p(auth_context, struct auth_methods);
- if (!*auth_method) {
- return False;
- }
- ZERO_STRUCTP(*auth_method);
-
- return True;
-}
-
-NTSTATUS make_session_info(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
- struct auth_session_info **session_info)
-{
- NTSTATUS nt_status;
-
- *session_info = talloc_p(mem_ctx, struct auth_session_info);
- if (!*session_info) {
- return NT_STATUS_NO_MEMORY;
- }
-
- (*session_info)->server_info = server_info;
- talloc_reference(*session_info, (*session_info)->server_info);
-
- /* unless set otherwise, the session key is the user session
- * key from the auth subsystem */
-
- (*session_info)->session_key = server_info->user_session_key;
-
- /* we should search for local groups here */
-
- nt_status = create_security_token((*session_info),
- server_info->user_sid,
- server_info->primary_group_sid,
- server_info->n_domain_groups,
- server_info->domain_groups,
- False,
- &(*session_info)->security_token);
-
- return nt_status;
-}
-
-/***************************************************************************
- Clear out a server_info struct that has been allocated
-***************************************************************************/
-
-void free_session_info(struct auth_session_info **session_info)
-{
- DEBUG(5,("attempting to free a session_info structure\n"));
- talloc_free((*session_info));
- *session_info = NULL;
-}
/**
* Squash an NT_STATUS in line with security requirements.
* @param nt_status NTSTATUS input for squashing.
* @return the 'squashed' nt_status
**/
-
-NTSTATUS nt_status_squash(NTSTATUS nt_status)
+NTSTATUS auth_nt_status_squash(NTSTATUS nt_status)
{
- if NT_STATUS_IS_OK(nt_status) {
- return nt_status;
- } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
+ if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
/* Match WinXP and don't give the game away */
return NT_STATUS_LOGON_FAILURE;
-
} else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
/* Match WinXP and don't give the game away */
return NT_STATUS_LOGON_FAILURE;
- } else {
- return nt_status;
- }
-}
-
-
+ }
+ return nt_status;
+}
git.samba.org / jelmer / samba4-debian.git / blobdiff