**/
static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
- char *server, unsigned char *trust_passwd)
+ const char *server,
+ const char *setup_creds_as,
+ uint16 sec_chan,
+ const unsigned char *trust_passwd)
{
struct in_addr dest_ip;
fstring remote_machine;
return NT_STATUS_UNSUCCESSFUL;
}
- result = new_cli_nt_setup_creds(*cli, trust_passwd);
+ snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as);
+
+ if (!(*cli)->mach_acct) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
static NTSTATUS attempt_connect_to_dc(struct cli_state **cli,
const char *domain,
struct in_addr *ip,
- unsigned char *trust_passwd)
+ const char *setup_creds_as,
+ uint16 sec_chan,
+ const unsigned char *trust_passwd)
{
fstring dc_name;
if (!lookup_dc_name(global_myname, domain, ip, dc_name))
return NT_STATUS_UNSUCCESSFUL;
- return connect_to_domain_password_server(cli, dc_name, trust_passwd);
+ return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd);
}
/***********************************************************************
************************************************************************/
static NTSTATUS find_connect_pdc(struct cli_state **cli,
const char *domain,
+ const char *setup_creds_as,
+ uint16 sec_chan,
unsigned char *trust_passwd,
time_t last_change_time)
{
if(!is_local_net(ip_list[i]))
continue;
- if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain,
- &ip_list[i], trust_passwd)))
+ if(NT_STATUS_IS_OK(nt_status =
+ attempt_connect_to_dc(cli, domain,
+ &ip_list[i], setup_creds_as,
+ sec_chan, trust_passwd)))
break;
zero_ip(&ip_list[i]); /* Tried and failed. */
i = (sys_random() % count);
if (!is_zero_ip(ip_list[i])) {
- if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain,
- &ip_list[i], trust_passwd)))
- zero_ip(&ip_list[i]); /* Tried and failed. */
+ if (!NT_STATUS_IS_OK(nt_status =
+ attempt_connect_to_dc(cli, domain,
+ &ip_list[i], setup_creds_as,
+ sec_chan, trust_passwd)))
+ zero_ip(&ip_list[i]); /* Tried and failed. */
}
}
continue;
if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain,
- &ip_list[i], trust_passwd)))
+ &ip_list[i], setup_creds_as, sec_chan, trust_passwd)))
break;
}
}
const char *domain,
uchar chal[8],
auth_serversupplied_info **server_info,
- char *server, unsigned char *trust_passwd,
+ char *server, char *setup_creds_as,
+ uint16 sec_chan,
+ unsigned char *trust_passwd,
time_t last_change_time)
{
fstring remote_machine;
while (!NT_STATUS_IS_OK(nt_status) &&
next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) {
if(strequal(remote_machine, "*")) {
- nt_status = find_connect_pdc(&cli, domain, trust_passwd, last_change_time);
+ nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time);
} else {
- nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
+ nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd);
}
}
if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time))
{
- DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup()));
+ DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup()));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
nt_status = domain_client_validate(mem_ctx, user_info, domain,
(uchar *)auth_context->challenge.data,
server_info,
- password_server, trust_passwd, last_change_time);
-
+ password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time);
return nt_status;
}
(*auth_method)->auth = check_ntdomain_security;
return True;
}
+
+
+/****************************************************************************
+ Check for a valid username and password in a trusted domain
+****************************************************************************/
+
+static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ unsigned char trust_md4_password[16];
+ char *trust_password;
+ time_t last_change_time;
+ DOM_SID sid;
+
+ if (!user_info || !server_info || !auth_context) {
+ DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /*
+ * Check that the requested domain is not our own machine name.
+ * If it is, we should never check the PDC here, we use our own local
+ * password file.
+ */
+
+ if(is_netbios_alias_or_name(user_info->domain.str)) {
+ DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /*
+ * Check that the requested domain is not our own domain,
+ * If it is, we should use our own local password file.
+ */
+
+ if(strequal(lp_workgroup(), (user_info->domain.str))) {
+ DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /*
+ * Get the machine account password for the trusted domain
+ * No need to become_root() as secrets_init() is done at startup.
+ */
+
+ if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time))
+ {
+ DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password));
+#endif
+ E_md4hash((uchar *)trust_password, trust_md4_password);
+ SAFE_FREE(trust_password);
+
+#if 0
+ /* Test if machine password is expired and need to be changed */
+ if (time(NULL) > last_change_time + lp_machine_password_timeout())
+ {
+ global_machine_password_needs_changing = True;
+ }
+#endif
+
+ nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str,
+ (uchar *)auth_context->challenge.data,
+ server_info, "*" /* Do a lookup */,
+ lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
+
+ return nt_status;
+}
+
+/* module initialisation */
+BOOL auth_init_trustdomain(struct auth_context *auth_context, auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return False;
+ }
+
+ (*auth_method)->auth = check_trustdomain_security;
+ return True;
+}
encrypt of the server challenge originally received. JRA.
****************************************************************************/
-NTSTATUS new_cli_net_auth2(struct cli_state *cli, uint16 sec_chan,
+NTSTATUS new_cli_net_auth2(struct cli_state *cli,
+ uint16 sec_chan,
uint32 neg_flags, DOM_CHAL *srv_chal)
{
prs_struct qbuf, rbuf;
NET_Q_AUTH_2 q;
NET_R_AUTH_2 r;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- extern pstring global_myname;
+ extern pstring global_myname;
prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL);
prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
/* Initialize domain session credentials */
NTSTATUS new_cli_nt_setup_creds(struct cli_state *cli,
- unsigned char mach_pwd[16])
+ uint16 sec_chan,
+ const unsigned char mach_pwd[16])
{
DOM_CHAL clnt_chal;
DOM_CHAL srv_chal;
/**************** Long-term Session key **************/
/* calculate the session key */
- cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd,
+ cred_session_key(&clnt_chal, &srv_chal, mach_pwd,
cli->sess_key);
memset((char *)cli->sess_key+8, '\0', 8);
* Receive an auth-2 challenge response and check it.
*/
- result = new_cli_net_auth2(cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
- SEC_CHAN_WKSTA : SEC_CHAN_BDC, 0x000001ff,
+ result = new_cli_net_auth2(cli, sec_chan, 0x000001ff,
&srv_chal);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed %s\n",
git.samba.org / kai / samba.git / commitdiff