char *szNISHomeMapName;
char *szAnnounceVersion; /* This is initialised in init_globals */
char *szNetbiosAliases;
- char *szDomainSID;
char *szDomainOtherSIDs;
char *szDomainGroups;
char *szDriverFile;
BOOL bWINSproxy;
BOOL bLocalMaster;
BOOL bPreferredMaster;
- BOOL bDomainController;
BOOL bDomainMaster;
BOOL bDomainLogons;
BOOL bEncryptPasswords;
BOOL bNISHomeMap;
BOOL bTimeServer;
BOOL bBindInterfacesOnly;
- BOOL bNetWkstaUserLogon;
BOOL bUnixPasswdSync;
BOOL bPasswdChatDebug;
BOOL bOleLockingCompat;
{"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0},
{"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0},
{"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0},
- {"networkstation user login", P_BOOL,P_GLOBAL, &Globals.bNetWkstaUserLogon,NULL, NULL, 0},
{"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, 0},
{"stat cache", P_BOOL, P_GLOBAL, &Globals.bStatCache, NULL, NULL, 0},
{"Domain Options", P_SEP, P_SEPARATOR},
- {"domain sid", P_USTRING, P_GLOBAL, &Globals.szDomainSID, NULL, NULL, 0},
{"domain groups", P_STRING, P_GLOBAL, &Globals.szDomainGroups, NULL, NULL, 0},
- {"domain controller",P_BOOL , P_GLOBAL, &Globals.bDomainController,NULL, NULL, 0},
{"domain admin group",P_STRING, P_GLOBAL, &Globals.szDomainAdminGroup, NULL, NULL, 0},
{"domain guest group",P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL, NULL, 0},
{"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL, NULL, 0},
Globals.client_code_page = DEFAULT_CLIENT_CODE_PAGE;
Globals.bTimeServer = False;
Globals.bBindInterfacesOnly = False;
- Globals.bNetWkstaUserLogon = False; /* This is now set to false by default as
- the code in password.c protects us from this bug. */
Globals.bUnixPasswdSync = False;
Globals.bPasswdChatDebug = False;
Globals.bOleLockingCompat = True;
FN_GLOBAL_STRING(lp_driverfile,&Globals.szDriverFile)
FN_GLOBAL_STRING(lp_panic_action,&Globals.szPanicAction)
-FN_GLOBAL_STRING(lp_domain_sid,&Globals.szDomainSID)
FN_GLOBAL_STRING(lp_domain_groups,&Globals.szDomainGroups)
FN_GLOBAL_STRING(lp_domain_admin_group,&Globals.szDomainAdminGroup)
FN_GLOBAL_STRING(lp_domain_guest_group,&Globals.szDomainGuestGroup)
FN_GLOBAL_BOOL(lp_we_are_a_wins_server,&Globals.bWINSsupport)
FN_GLOBAL_BOOL(lp_wins_proxy,&Globals.bWINSproxy)
FN_GLOBAL_BOOL(lp_local_master,&Globals.bLocalMaster)
-FN_GLOBAL_BOOL(lp_domain_controller,&Globals.bDomainController)
FN_GLOBAL_BOOL(lp_domain_master,&Globals.bDomainMaster)
FN_GLOBAL_BOOL(lp_domain_logons,&Globals.bDomainLogons)
FN_GLOBAL_BOOL(lp_preferred_master,&Globals.bPreferredMaster)
FN_GLOBAL_BOOL(lp_nis_home_map,&Globals.bNISHomeMap)
static FN_GLOBAL_BOOL(lp_time_server,&Globals.bTimeServer)
FN_GLOBAL_BOOL(lp_bind_interfaces_only,&Globals.bBindInterfacesOnly)
-FN_GLOBAL_BOOL(lp_net_wksta_user_logon,&Globals.bNetWkstaUserLogon)
FN_GLOBAL_BOOL(lp_unix_password_sync,&Globals.bUnixPasswdSync)
FN_GLOBAL_BOOL(lp_passwd_chat_debug,&Globals.bPasswdChatDebug)
FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat)
char *pass, int passlen,
char *ntpass, int ntpasslen)
{
- struct cli_state *cli;
- extern fstring local_machine;
- static unsigned char badpass[24];
- cli = server_client();
+ struct cli_state *cli;
+ extern fstring local_machine;
+ static unsigned char badpass[24];
+ static BOOL tested_password_server = False;
+ static BOOL bad_password_server = False;
- if (!cli->initialised) {
- DEBUG(1,("password server %s is not connected\n", cli->desthost));
- return(False);
- }
+ cli = server_client();
- if(badpass[0] == 0) {
- memset(badpass, 0x1f, sizeof(badpass));
- }
+ if (!cli->initialised) {
+ DEBUG(1,("password server %s is not connected\n", cli->desthost));
+ return(False);
+ }
- if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
- /* Very unlikely, our random bad password is the same as the users
- password. */
- memset(badpass, badpass[0]+1, sizeof(badpass));
- }
+ if(badpass[0] == 0)
+ memset(badpass, 0x1f, sizeof(badpass));
- /*
- * Attempt a session setup with a totally incorrect password.
- * If this succeeds with the guest bit *NOT* set then the password
- * server is broken and is not correctly setting the guest bit. We
- * need to detect this as some versions of NT4.x are broken. JRA.
- */
+ if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
+ /*
+ * Very unlikely, our random bad password is the same as the users
+ * password. */
+ memset(badpass, badpass[0]+1, sizeof(badpass));
+ }
- if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
- (char *)badpass, sizeof(badpass), domain)) {
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
- DEBUG(0,("server_validate: password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- cli_ulogoff(cli);
- return False;
- }
- cli_ulogoff(cli);
- }
+ /*
+ * Attempt a session setup with a totally incorrect password.
+ * If this succeeds with the guest bit *NOT* set then the password
+ * server is broken and is not correctly setting the guest bit. We
+ * need to detect this as some versions of NT4.x are broken. JRA.
+ */
- /*
- * Now we know the password server will correctly set the guest bit, or is
- * not guest enabled, we can try with the real password.
- */
+ if(!tested_password_server) {
+ if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
+ (char *)badpass, sizeof(badpass), domain)) {
- if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
- DEBUG(1,("password server %s rejected the password\n", cli->desthost));
- return False;
- }
+ /*
+ * We connected to the password server so we
+ * can say we've tested it.
+ */
+ tested_password_server = True;
- /* if logged in as guest then reject */
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
- DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
- cli_ulogoff(cli);
- return(False);
- }
+ if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
+ DEBUG(0,("server_validate: password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+ DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+ cli_ulogoff(cli);
/*
- * This patch from Rob Nielsen <ran@adc.com> makes doing
- * the NetWksaUserLogon a dynamic, rather than compile-time
- * parameter, defaulting to on. This is somewhat dangerous
- * as it allows people to turn off this neccessary check,
- * but so many people have had problems with this that I
- * think it is a neccessary change. JRA.
+ * Password server has the bug.
*/
+ bad_password_server = True;
+ return False;
+ }
+ cli_ulogoff(cli);
+ }
+ } else {
- if (lp_net_wksta_user_logon()) {
- DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", cli->desthost));
+ /*
+ * We have already tested the password server.
+ * Fail immediately if it has the bug.
+ */
- if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
- DEBUG(0,("password server %s refused IPC$ connect\n", cli->desthost));
- cli_ulogoff(cli);
- return False;
- }
+ if(bad_password_server) {
+ DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+ DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+ return False;
+ }
+ }
- if (!cli_NetWkstaUserLogon(cli,user,local_machine)) {
- DEBUG(0,("password server %s failed NetWkstaUserLogon\n", cli->desthost));
- cli_tdis(cli);
- cli_ulogoff(cli);
- return False;
- }
+ /*
+ * Now we know the password server will correctly set the guest bit, or is
+ * not guest enabled, we can try with the real password.
+ */
- if (cli->privilages == 0) {
- DEBUG(0,("password server %s gave guest privilages\n", cli->desthost));
- cli_tdis(cli);
- cli_ulogoff(cli);
- return False;
- }
+ if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
+ DEBUG(1,("password server %s rejected the password\n", cli->desthost));
+ return False;
+ }
- if (!strequal(cli->eff_name, user)) {
- DEBUG(0,("password server %s gave different username %s\n",
- cli->desthost,
- cli->eff_name));
- cli_tdis(cli);
- cli_ulogoff(cli);
- return False;
- }
- cli_tdis(cli);
- }
- else {
- DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", cli->desthost));
- }
+ /* if logged in as guest then reject */
+ if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
+ DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
+ cli_ulogoff(cli);
+ return(False);
+ }
- DEBUG(3,("password server %s accepted the password\n", cli->desthost));
- cli_ulogoff(cli);
+ cli_ulogoff(cli);
- return(True);
+ return(True);
}
/***********************************************************************
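Review bot: `tested_password_server = True;` is set only inside the branch where the deliberately wrong-password `cli_session_setup()` succeeds, so against a server that rejects the probe the flag stays False and the probe is repeated on every call, each one presumably counted by the password server as a failed logon for `user`. If one probe per server is the intent, the flag also needs setting when the probe is rejected, with a rejection told apart from a transport failure (how to do that is not visible in this hunk). Both flags are function-level statics and are not tied to `cli->desthost`, so if `server_client()` (defined outside the hunk) can later return a connection to a different host, the cached verdict would cover a server that was never probed; recording the probed host next to the flag would close that. The success path also drops `DEBUG(3,("password server %s accepted the password\n", cli->desthost));`, so an accepted pass-through logon leaves no log line here, and I would keep it before the final `cli_ulogoff(cli);`. The function's signature begins above the hunk.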