Unix SMB/Netbios implementation.
Version 1.9.
Password and authentication handling
- Copyright (C) Andrew Tridgell 1992-1995
+ Copyright (C) Andrew Tridgell 1992-1997
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
*/
#include "includes.h"
-#include "loadparm.h"
+
+#if (defined(NETGROUP) && defined (AUTOMOUNT))
+#include "rpcsvc/ypclnt.h"
+#endif
extern int DEBUGLEVEL;
extern int Protocol;
********************************************************************/
void generate_next_challenge(char *challenge)
{
- extern void E1(char *,char *,char *);
static int counter = 0;
struct timeval tval;
int v1,v2;
static user_struct *validated_users = NULL;
static int num_validated_users = 0;
-/****************************************************************************
-check if a uid has been validated, and return an index if it has. -1 if not
-****************************************************************************/
-int valid_uid(int uid)
-{
- int i;
- if (uid == -1) return(-1);
-
- for (i=0;i<num_validated_users;i++)
- if (validated_users[i].uid == uid)
- {
- DEBUG(3,("valid uid %d mapped to vuid %d (user=%s)\n",
- uid,i,validated_users[i].name));
- return(i);
- }
- return(-1);
-}
-
/****************************************************************************
check if a uid has been validated, and return an pointer to the user_struct
-if it has. NULL if not
+if it has. NULL if not. vuid is biased by an offset. This allows us to
+tell random client vuid's (normally zero) from valid vuids.
****************************************************************************/
-user_struct *get_valid_user_struct(int uid)
+user_struct *get_valid_user_struct(uint16 vuid)
{
- int vuid = valid_uid(uid);
- if(vuid == -1 || validated_users[vuid].guest)
+ if(vuid == UID_FIELD_INVALID)
+ return NULL;
+ vuid -= VUID_OFFSET;
+ if((vuid >= (uint16)num_validated_users) ||
+ (validated_users[vuid].uid == -1) || (validated_users[vuid].gid == -1))
return NULL;
return &validated_users[vuid];
}
/****************************************************************************
invalidate a uid
****************************************************************************/
-void invalidate_uid(int uid)
+void invalidate_vuid(uint16 vuid)
{
- int i;
- for (i=0;i<num_validated_users;i++)
- if (validated_users[i].uid == uid)
- {
- user_struct *vuser = &validated_users[i];
- vuser->uid = -1;
- vuser->gid = -1;
- vuser->user_ngroups = 0;
- if(vuser->user_groups &&
- (vuser->user_groups != (gid_t *)vuser->user_igroups))
- free(vuser->user_groups);
- vuser->user_groups = NULL;
- if(vuser->user_igroups)
- free(vuser->user_igroups);
- vuser->user_igroups = NULL;
- }
+ user_struct *vuser = get_valid_user_struct(vuid);
+ if(vuser == 0)
+ return;
+
+ vuser->uid = -1;
+ vuser->gid = -1;
+ vuser->user_ngroups = 0;
+ if(vuser->user_groups &&
+ (vuser->user_groups != (gid_t *)vuser->user_igroups))
+ free(vuser->user_groups);
+ vuser->user_groups = NULL;
+ if(vuser->user_igroups)
+ free(vuser->user_igroups);
+ vuser->user_igroups = NULL;
}
/****************************************************************************
return a validated username
****************************************************************************/
-char *validated_username(int vuid)
+char *validated_username(uint16 vuid)
{
- return(validated_users[vuid].name);
+ user_struct *vuser = get_valid_user_struct(vuid);
+ if(vuser == 0)
+ return 0;
+ return(vuser->name);
}
/****************************************************************************
register a uid/name pair as being valid and that a valid password
-has been given.
+has been given. vuid is biased by an offset. This allows us to
+tell random client vuid's (normally zero) from valid vuids.
****************************************************************************/
-void register_uid(int uid,int gid, char *name,BOOL guest)
+uint16 register_vuid(int uid,int gid, char *name,BOOL guest)
{
user_struct *vuser;
- if (valid_uid(uid) >= 0)
- return;
- validated_users = (user_struct *)Realloc(validated_users,
- sizeof(user_struct)*
- (num_validated_users+1));
+#if (defined(NETGROUP) && defined (AUTOMOUNT))
+ int nis_error; /* returned by yp all functions */
+ char *nis_result; /* yp_match inits this */
+ int nis_result_len; /* and set this */
+ char *nis_domain; /* yp_get_default_domain inits this */
+ char *nis_map = (char *)lp_nis_home_map_name();
+ int home_server_len;
+#endif
+ struct passwd *pwfile; /* for getting real name from passwd file */
+ int real_name_len;
+
+#if 0
+ /*
+ * After observing MS-Exchange services writing to a Samba share
+ * I belive this code is incorrect. Each service does it's own
+ * sessionsetup_and_X for the same user, and as each service shuts
+ * down, it does a user_logoff_and_X. As we are consolidating multiple
+ * sessionsetup_and_X's onto the same vuid here, when the first service
+ * shuts down, it invalidates all the open files for the other services.
+ * Hence I am removing this code and forcing each sessionsetup_and_X
+ * to get a new vuid.
+ * Jeremy Allison. (jallison@whistle.com).
+ */
+
+ int i;
+ for(i = 0; i < num_validated_users; i++) {
+ vuser = &validated_users[i];
+ if( vuser->uid == uid )
+ return (uint16)(i + VUID_OFFSET); /* User already validated */
+ }
+#endif
+ validated_users = (user_struct *)Realloc(validated_users,
+ sizeof(user_struct)*
+ (num_validated_users+1));
+
if (!validated_users)
{
DEBUG(0,("Failed to realloc users struct!\n"));
- return;
+ num_validated_users = 0;
+ return UID_FIELD_INVALID;
}
vuser = &validated_users[num_validated_users];
+ num_validated_users++;
+
vuser->uid = uid;
vuser->gid = gid;
vuser->guest = guest;
&vuser->user_groups);
DEBUG(3,("uid %d registered to name %s\n",uid,name));
-
- num_validated_users++;
+
+#if (defined(NETGROUP) && defined (AUTOMOUNT))
+ vuser->home_share = NULL;
+ DEBUG(3, ("Setting default HOMESHR to: \\\\logon server\\HOMES\n"));
+ vuser->home_share = Realloc(vuser->home_share, 32);
+ strcpy(vuser->home_share,"\\\\%L\\HOMES");
+
+ if (nis_error = yp_get_default_domain(&nis_domain))
+ DEBUG(3, ("YP Error: %s\n", yperr_string(nis_error)));
+ DEBUG(3, ("NIS Domain: %s\n", nis_domain));
+
+ if (nis_error = yp_match(nis_domain, nis_map, vuser->name, strlen(vuser->name),
+ &nis_result, &nis_result_len))
+ DEBUG(3, ("YP Error: %s\n", yperr_string(nis_error)));
+ if (!nis_error && lp_nis_home_map()) {
+ home_server_len = strcspn(nis_result,":");
+ DEBUG(3, ("NIS lookup succeeded\n\tHome server length: %d\n",home_server_len));
+ vuser->home_share = (char *)Realloc(vuser->home_share, home_server_len+12);
+ DEBUG(3, ("\tAllocated %d bytes for HOMESHR\n",home_server_len+12 ));
+ strcpy(vuser->home_share,"\\\\");
+ strncat(vuser->home_share, nis_result, home_server_len);
+ strcat(vuser->home_share,"\\homes");
+ DEBUG(2,("\tUser = %s\n\tUID = %d\n\tNIS result = %s\n\tHOMESHR = %s\n",
+ vuser->name, vuser->uid, nis_result, vuser->home_share));
+ }
+#endif
+
+ vuser->real_name = NULL;
+ DEBUG(3, ("Clearing default real name\n"));
+ vuser->real_name = Realloc(vuser->real_name, 15);
+ strcpy(vuser->real_name, "<Full Name>\0");
+ if (lp_unix_realname()) {
+ pwfile=getpwnam(vuser->name);
+ DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->name,pwfile->pw_gecos));
+ real_name_len = strcspn(pwfile->pw_gecos, ",");
+ DEBUG(3, ("Real name length: %d\n", real_name_len));
+ vuser->real_name = (char *)Realloc(vuser->real_name, real_name_len+1);
+ strncpy(vuser->real_name, pwfile->pw_gecos, real_name_len);
+ vuser->real_name[real_name_len]='\0';
+ }
+
+ return (uint16)((num_validated_users - 1) + VUID_OFFSET);
}
}
+#ifdef USE_PAM
+/*******************************************************************
+check on PAM authentication
+********************************************************************/
+
+/* We first need some helper functions */
+#include <security/pam_appl.h>
+/* Static variables used to communicate between the conversation function
+ * and the server_login function
+ */
+static char *PAM_username;
+static char *PAM_password;
+
+/* PAM conversation function
+ * Here we assume (for now, at least) that echo on means login name, and
+ * echo off means password.
+ */
+static int PAM_conv (int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr) {
+ int count = 0, replies = 0;
+ struct pam_response *reply = NULL;
+ int size = sizeof(struct pam_response);
+
+ #define GET_MEM if (reply) realloc(reply, size); else reply = malloc(size); \
+ if (!reply) return PAM_CONV_ERR; \
+ size += sizeof(struct pam_response)
+ #define COPY_STRING(s) (s) ? strdup(s) : NULL
+
+ for (count = 0; count < num_msg; count++) {
+ switch (msg[count]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ GET_MEM;
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies++].resp = COPY_STRING(PAM_username);
+ /* PAM frees resp */
+ break;
+ case PAM_PROMPT_ECHO_OFF:
+ GET_MEM;
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies++].resp = COPY_STRING(PAM_password);
+ /* PAM frees resp */
+ break;
+ case PAM_TEXT_INFO:
+ /* ignore it... */
+ break;
+ case PAM_ERROR_MSG:
+ default:
+ /* Must be an error of some sort... */
+ free (reply);
+ return PAM_CONV_ERR;
+ }
+ }
+ if (reply) *resp = reply;
+ return PAM_SUCCESS;
+}
+static struct pam_conv PAM_conversation = {
+ &PAM_conv,
+ NULL
+};
+
+
+static BOOL pam_auth(char *this_user,char *password)
+{
+ pam_handle_t *pamh;
+ int pam_error;
+
+ /* Now use PAM to do authentication. For now, we won't worry about
+ * session logging, only authentication. Bail out if there are any
+ * errors. Since this is a limited protocol, and an even more limited
+ * function within a server speaking this protocol, we can't be as
+ * verbose as would otherwise make sense.
+ * Query: should we be using PAM_SILENT to shut PAM up?
+ */
+ #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
+ pam_end(pamh, 0); return False; \
+ }
+ PAM_password = password;
+ PAM_username = this_user;
+ pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh);
+ PAM_BAIL;
+ pam_error = pam_authenticate(pamh, 0);
+ PAM_BAIL;
+ /* It is not clear to me that account management is the right thing
+ * to do, but it is not clear that it isn't, either. This can be
+ * removed if no account management should be done. Alternately,
+ * put a pam_allow.so entry in /etc/pam.conf for account handling. */
+ pam_error = pam_acct_mgmt(pamh, 0);
+ PAM_BAIL;
+ pam_end(pamh, PAM_SUCCESS);
+ /* If this point is reached, the user has been authenticated. */
+ return(True);
+}
+#endif
+
+
#ifdef AFS_AUTH
/*******************************************************************
check on AFS authentication
#endif
+#ifdef KRB5_AUTH
+/*******************************************************************
+check on Kerberos authentication
+********************************************************************/
+static BOOL krb5_auth(char *this_user,char *password)
+{
+ krb5_data tgtname = {
+ 0,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME
+ };
+ krb5_context kcontext;
+ krb5_principal kprinc;
+ krb5_principal server;
+ krb5_creds kcreds;
+ int options = 0;
+ krb5_address **addrs = (krb5_address **)0;
+ krb5_preauthtype *preauth = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_timestamp now;
+ krb5_ccache ccache = NULL;
+ int retval;
+ char *name;
+
+ if ( retval=krb5_init_context(&kcontext))
+ {
+ return(False);
+ }
+
+ if ( retval = krb5_timeofday(kcontext, &now) )
+ {
+ return(False);
+ }
+
+ if ( retval = krb5_cc_default(kcontext, &ccache) )
+ {
+ return(False);
+ }
+
+ if ( retval = krb5_parse_name(kcontext, this_user, &kprinc) )
+ {
+ return(False);
+ }
+
+ memset((char *)&kcreds, 0, sizeof(kcreds));
+
+ kcreds.client = kprinc;
+
+ if ((retval = krb5_build_principal_ext(kcontext, &server,
+ krb5_princ_realm(kcontext, kprinc)->length,
+ krb5_princ_realm(kcontext, kprinc)->data,
+ tgtname.length,
+ tgtname.data,
+ krb5_princ_realm(kcontext, kprinc)->length,
+ krb5_princ_realm(kcontext, kprinc)->data,
+ 0)))
+ {
+ return(False);
+ }
+
+ kcreds.server = server;
+
+ retval = krb5_get_in_tkt_with_password(kcontext,
+ options,
+ addrs,
+ NULL,
+ preauth,
+ password,
+ 0,
+ &kcreds,
+ 0);
+
+ if ( retval )
+ {
+ return(False);
+ }
+
+ return(True);
+}
+#endif /* KRB5_AUTH */
#ifdef LINUX_BIGCRYPT
/****************************************************************************
****************************************************************************/
BOOL password_check(char *password)
{
+
+#ifdef USE_PAM
+/* This falls through if the password check fails
+ - if NO_CRYPT is defined this causes an error msg
+ saying Warning - no crypt available
+ - if NO_CRYPT is NOT defined this is a potential security hole
+ as it may authenticate via the crypt call when PAM
+ settings say it should fail.
+ if (pam_auth(this_user,password)) return(True);
+Hence we make a direct return to avoid a second chance!!!
+*/
+ return (pam_auth(this_user,password));
+#endif
+
#ifdef AFS_AUTH
if (afs_auth(this_user,password)) return(True);
#endif
if (dfs_auth(this_user,password)) return(True);
#endif
+#ifdef KRB5_AUTH
+ if (krb5_auth(this_user,password)) return(True);
+#endif
+
#ifdef PWDAUTH
if (pwdauth(this_user,password) == 0)
return(True);
/****************************************************************************
check if a username/password is OK
****************************************************************************/
-BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd, BOOL is_nt_password)
+BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd)
{
pstring pass2;
int level = lp_passwordlevel();
return(False);
}
- if(Protocol >= PROTOCOL_NT1 && is_nt_password)
+ if(Protocol >= PROTOCOL_NT1)
{
/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
return(True);
}
DEBUG(4,("NT MD4 password check failed\n"));
- return (False);
}
}
if (spass && spass->sp_pwdp)
pass->pw_passwd = spass->sp_pwdp;
}
+#elif defined(IA_UINFO)
+ {
+ /* Need to get password with SVR4.2's ia_ functions instead of
+ get{sp,pw}ent functions. Required by UnixWare 2.x, tested on
+ version 2.1. (tangent@cyberport.com) */
+ uinfo_t uinfo;
+ if (ia_openinfo(pass->pw_name, &uinfo) != -1)
+ ia_get_logpwd(uinfo, &(pass->pw_passwd));
+ }
#endif
#ifdef SecureWare
while (getnetgrent(&host, &user, &domain)) {
if (user) {
if (user_ok(user, snum) &&
- password_ok(user,password,pwlen,NULL,False)) {
+ password_ok(user,password,pwlen,NULL)) {
endnetgrent();
return(user);
}
static fstring name;
strcpy(name,*member);
if (user_ok(name,snum) &&
- password_ok(name,password,pwlen,NULL,False))
+ password_ok(name,password,pwlen,NULL))
return(&name[0]);
member++;
}
while (pwd = getpwent ()) {
if (*(pwd->pw_passwd) && pwd->pw_gid == gptr->gr_gid) {
/* This Entry have PASSWORD and same GID then check pwd */
- if (password_ok(NULL, password, pwlen, pwd,False)) {
+ if (password_ok(NULL, password, pwlen, pwd)) {
strcpy(tm, pwd->pw_name);
endpwent ();
return tm;
check for authority to login to a service with a given username/password
****************************************************************************/
BOOL authorise_login(int snum,char *user,char *password, int pwlen,
- BOOL *guest,BOOL *force,int vuid)
+ BOOL *guest,BOOL *force,uint16 vuid)
{
BOOL ok = False;
if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
{
+ user_struct *vuser = get_valid_user_struct(vuid);
+
/* check the given username and password */
if (!ok && (*user) && user_ok(user,snum)) {
- ok = password_ok(user,password, pwlen, NULL, False);
+ ok = password_ok(user,password, pwlen, NULL);
if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
}
/* check for a previously registered guest username */
- if (!ok && (vuid >= 0) && validated_users[vuid].guest) {
- if (user_ok(validated_users[vuid].name,snum) &&
- password_ok(validated_users[vuid].name, password, pwlen, NULL, False)) {
- strcpy(user, validated_users[vuid].name);
- validated_users[vuid].guest = False;
+ if (!ok && (vuser != 0) && vuser->guest) {
+ if (user_ok(vuser->name,snum) &&
+ password_ok(vuser->name, password, pwlen, NULL)) {
+ strcpy(user, vuser->name);
+ vuser->guest = False;
DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
ok = True;
}
strcpy(user2,auser);
if (!user_ok(user2,snum)) continue;
- if (password_ok(user2,password, pwlen, NULL, False)) {
+ if (password_ok(user2,password, pwlen, NULL)) {
ok = True;
strcpy(user,user2);
DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
/* check for a previously validated username/password pair */
if (!ok && !lp_revalidate(snum) &&
- (vuid >= 0) && !validated_users[vuid].guest &&
- user_ok(validated_users[vuid].name,snum)) {
- strcpy(user,validated_users[vuid].name);
+ (vuser != 0) && !vuser->guest &&
+ user_ok(vuser->name,snum)) {
+ strcpy(user,vuser->name);
*guest = False;
DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
ok = True;
fstring user2;
strcpy(user2,auser);
if (user_ok(user2,snum) &&
- password_ok(user2,password,pwlen,NULL, False))
+ password_ok(user2,password,pwlen,NULL))
{
ok = True;
strcpy(user,user2);
}
file_host = strtok(bp, " \t\n");
file_user = strtok(NULL, " \t\n");
- DEBUG(7, ("check_user_equiv %s %s\n", file_host, file_user));
+ DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
+ file_user ? file_user : "(null)" ));
if (file_host && *file_host)
{
BOOL host_ok = False;
pstring rhostsfile;
struct passwd *pass = Get_Pwnam(user,True);
- extern struct from_host Client_info;
- extern int Client;
-
if (!pass)
return(False);
- fromhost(Client,&Client_info);
-
fname = lp_hosts_equiv();
/* note: don't allow hosts.equiv on root */
if (fname && *fname && (pass->pw_uid != 0))
{
- if (check_user_equiv(user,Client_info.name,fname))
+ if (check_user_equiv(user,client_name(),fname))
return(True);
}
if (home)
{
sprintf(rhostsfile, "%s/.rhosts", home);
- if (check_user_equiv(user,Client_info.name,rhostsfile))
+ if (check_user_equiv(user,client_name(),rhostsfile))
return(True);
}
}
int len;
fstring desthost;
struct in_addr dest_ip;
- extern struct in_addr myip;
- int port = 139;
+ int port = SMB_PORT;
BOOL ret;
if (password_client >= 0)
continue;
}
- if (memcmp(&dest_ip,&myip,sizeof(dest_ip)) == 0) {
+ if (ismyip(dest_ip)) {
DEBUG(1,("Password server loop - disabling password server %s\n",p));
continue;
}
- password_client = open_socket_out(SOCK_STREAM, &dest_ip, port);
+ password_client = open_socket_out(SOCK_STREAM, &dest_ip, port, SHORT_CONNECT_TIMEOUT);
if (password_client >= 0) {
DEBUG(3,("connected to password server %s\n",p));
StrnCpy(pserver,p,sizeof(pserver)-1);
CVAL(outbuf,0) = 0x81;
send_smb(password_client,outbuf);
- receive_smb(password_client,inbuf,5000);
+
- if (CVAL(inbuf,0) != 0x82) {
+ if (!receive_smb(password_client,inbuf,5000) ||
+ CVAL(inbuf,0) != 0x82) {
DEBUG(1,("%s rejected the session\n",pserver));
close(password_client); password_client = -1;
return(False);