git.samba.org / mimir / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 272e49e)
s3:auth Make Samba3 use the new common struct auth_usersupplied_info
authorAndrew Bartlett <abartlet@samba.org>
Tue, 1 Jun 2010 11:52:01 +0000 (21:52 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 14 Aug 2010 01:58:13 +0000 (11:58 +1000)
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.

In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
19 files changed:
auth/common_auth.h patch | blob | history
source3/auth/auth.c patch | blob | history
source3/auth/auth_compat.c patch | blob | history
source3/auth/auth_domain.c patch | blob | history
source3/auth/auth_netlogond.c patch | blob | history
source3/auth/auth_ntlmssp.c patch | blob | history
source3/auth/auth_script.c patch | blob | history
source3/auth/auth_server.c patch | blob | history
source3/auth/auth_unix.c patch | blob | history
source3/auth/auth_util.c patch | blob | history
source3/auth/auth_wbc.c patch | blob | history
source3/auth/auth_winbind.c patch | blob | history
source3/auth/check_samsec.c patch | blob | history
source3/auth/pass_check.c patch | blob | history
source3/auth/user_info.c patch | blob | history
source3/include/auth.h patch | blob | history
source3/include/proto.h patch | blob | history
source3/web/cgi.c patch | blob | history
source3/winbindd/winbindd_pam.c patch | blob | history

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 5bade6915f040a876ec1bb6bcc894388685ca40e..4ae5df9a6b158c5f0b6887733611993bf055fc43 100644 (file)
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -25,9 +25,9 @@
 #define USER_INFO_INTERACTIVE_LOGON         0x08 /* don't check unix account status */
 
 enum auth_password_state {
-       AUTH_PASSWORD_RESPONSE,
-       AUTH_PASSWORD_HASH,
-       AUTH_PASSWORD_PLAIN
+       AUTH_PASSWORD_PLAIN = 1,
+       AUTH_PASSWORD_HASH = 2,
+       AUTH_PASSWORD_RESPONSE = 3
 };
 
 struct auth_usersupplied_info
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 5dc1d970d61f48ccc528dfb83892383e3ceb7c07..5c50bb88265f081edb5fd717dcbf01a1122fcf98 100644 (file)
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -233,11 +233,11 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 
 #ifdef DEBUG_PASSWORD
        DEBUG(100, ("user_info has passwords of length %d and %d\n", 
-                   (int)user_info->lm_resp.length, (int)user_info->nt_resp.length));
+                   (int)user_info->password.response.lanman.length, (int)user_info->password.response.nt.length));
        DEBUG(100, ("lm:\n"));
-       dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length);
+       dump_data(100, user_info->password.response.lanman.data, user_info->password.response.lanman.length);
        DEBUG(100, ("nt:\n"));
-       dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length);
+       dump_data(100, user_info->password.response.nt.data, user_info->password.response.nt.length);
 #endif
 
        /* This needs to be sorted:  If it doesn't match, what should we do? */
diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c
index cdd40966542734b682eec2015e84cb43b6064e9a..bd4c433ab99dbfe5a47e0ae88336a53a7bb1532e 100644 (file)
--- a/source3/auth/auth_compat.c
+++ b/source3/auth/auth_compat.c
@@ -30,13 +30,12 @@ extern bool global_encrypted_passwords_negotiated;
  ***************************************************************************/
 
 /****************************************************************************
-check if a username/password is OK assuming the password is a 24 byte
-SMB hash
+check if a username/password is OK assuming the password is in plaintext
 return True if the password is correct, False otherwise
 ****************************************************************************/
 
 NTSTATUS check_plaintext_password(const char *smb_name,
-                                 DATA_BLOB plaintext_password,
+                                 DATA_BLOB plaintext_blob,
                                  struct auth_serversupplied_info **server_info)
 {
        struct auth_context *plaintext_auth_context = NULL;
@@ -52,7 +51,7 @@ NTSTATUS check_plaintext_password(const char *smb_name,
 
        if (!make_user_info_for_reply(&user_info, 
                                      smb_name, lp_workgroup(), chal,
-                                     plaintext_password)) {
+                                     plaintext_blob)) {
                return NT_STATUS_NO_MEMORY;
        }
 
@@ -68,27 +67,21 @@ static NTSTATUS pass_check_smb(struct auth_context *actx,
                               const char *smb_name,
                               const char *domain, 
                               DATA_BLOB lm_pwd,
-                              DATA_BLOB nt_pwd,
-                              DATA_BLOB plaintext_password,
-                              bool encrypted)
+                              DATA_BLOB nt_pwd)
 
 {
        NTSTATUS nt_status;
        struct auth_serversupplied_info *server_info = NULL;
-       if (encrypted) {
-               struct auth_usersupplied_info *user_info = NULL;
-               if (actx == NULL) {
-                       return NT_STATUS_INTERNAL_ERROR;
-               }
-               make_user_info_for_reply_enc(&user_info, smb_name, 
-                                            domain,
-                                            lm_pwd, 
-                                            nt_pwd);
-               nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
-               free_user_info(&user_info);
-       } else {
-               nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info);
-       }               
+       struct auth_usersupplied_info *user_info = NULL;
+       if (actx == NULL) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+       make_user_info_for_reply_enc(&user_info, smb_name,
+                                    domain,
+                                    lm_pwd,
+                                    nt_pwd);
+       nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
+       free_user_info(&user_info);
        TALLOC_FREE(server_info);
        return nt_status;
 }
@@ -113,23 +106,26 @@ bool password_ok(struct auth_context *actx, bool global_encrypted,
                 * Vista sends NTLMv2 here - we need to try the client given workgroup.
                 */
                if (session_workgroup) {
-                       if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob, null_password, encrypted))) {
+                       if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob))) {
                                return True;
                        }
-                       if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password, null_password, encrypted))) {
+                       if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password))) {
                                return True;
                        }
                }
 
-               if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
+               if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob))) {
                        return True;
                }
 
-               if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) {
+               if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password))) {
                        return True;
                }
        } else {
-               if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) {
+               struct auth_serversupplied_info *server_info = NULL;
+               NTSTATUS nt_status = check_plaintext_password(smb_name, password_blob, &server_info);
+               TALLOC_FREE(server_info);
+               if (NT_STATUS_IS_OK(nt_status)) {
                        return True;
                }
        }
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 0fc6410fec3e70d5df698a7ef8cab37087a2681c..824618c63dfa09c4a180a9866664489690b5ca61 100644 (file)
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -313,8 +313,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
                                                      user_info->client.domain_name,   /* domain name */
                                                      user_info->workstation_name,/* workstation name */
                                                      chal,                       /* 8 byte challenge. */
-                                                     user_info->lm_resp,         /* lanman 24 byte response */
-                                                     user_info->nt_resp,         /* nt 24 byte response */
+                                                     user_info->password.response.lanman, /* lanman 24 byte response */
+                                                     user_info->password.response.nt,     /* nt 24 byte response */
                                                      &info3);                    /* info3 out */
 
        /* Let go as soon as possible so we avoid any potential deadlocks
diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c
index 8be2c6a00c009e4ca18d37ccc0cd78820a8a9783..446b9e2ee4e7d0050c0570e5cb46432a4c7a3818 100644 (file)
--- a/source3/auth/auth_netlogond.c
+++ b/source3/auth/auth_netlogond.c
@@ -88,8 +88,8 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
                user_info->client.domain_name,              /* domain name */
                user_info->workstation_name,           /* workstation name */
                (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
-               user_info->lm_resp,                    /* lanman 24 byte response */
-               user_info->nt_resp,                    /* nt 24 byte response */
+               user_info->password.response.lanman,   /* lanman 24 byte response */
+               user_info->password.response.nt,       /* nt 24 byte response */
                &info3);                               /* info3 out */
 
        DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index bc0e9d276a990189c6a1b81d64578035361feb49..a910201fcf4a3482f66e0f30ce990b6b01b0feac 100644 (file)
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -131,7 +131,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
                                       auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, 
                                       auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, 
                                       NULL, NULL, NULL,
-                                      True);
+                                      AUTH_PASSWORD_RESPONSE);
 
        user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 
diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c
index 2b83f80d9838f9b32bf938f150f6a3aae6238ce5..ee01733514954cee04425be5c3fca55cdba39c83 100644 (file)
--- a/source3/auth/auth_script.c
+++ b/source3/auth/auth_script.c
@@ -84,17 +84,17 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
        safe_strcat( secret_str, hex_str, secret_str_len - 1);
        safe_strcat( secret_str, "\n", secret_str_len - 1);
 
-       if (user_info->lm_resp.data) {
+       if (user_info->password.response.lanman.data) {
                for (i = 0; i < 24; i++) {
-                       slprintf(&hex_str[i*2], 3, "%02X", user_info->lm_resp.data[i]);
+                       slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.lanman.data[i]);
                }
                safe_strcat( secret_str, hex_str, secret_str_len - 1);
        }
        safe_strcat( secret_str, "\n", secret_str_len - 1);
 
-       if (user_info->nt_resp.data) {
+       if (user_info->password.response.nt.data) {
                for (i = 0; i < 24; i++) {
-                       slprintf(&hex_str[i*2], 3, "%02X", user_info->nt_resp.data[i]);
+                       slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.nt.data[i]);
                }
                safe_strcat( secret_str, hex_str, secret_str_len - 1);
        }
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index 8f0f98b350c0cd99156bc9906898e0f5e0461dae..76cafc6d6900dd1878309794caafb636d2a2744a 100644 (file)
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -297,7 +297,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
        }  
 
        if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
-               if (user_info->encrypted) {
+               if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
                        DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
                        return NT_STATUS_LOGON_FAILURE;         
                }
@@ -326,8 +326,8 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
 
                memset(badpass, 0x1f, sizeof(badpass));
 
-               if((user_info->nt_resp.length == sizeof(badpass)) && 
-                  !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
+               if((user_info->password.response.nt.length == sizeof(badpass)) &&
+                  !memcmp(badpass, user_info->password.response.nt.data, sizeof(badpass))) {
                        /* 
                         * Very unlikely, our random bad password is the same as the users
                         * password.
@@ -391,22 +391,24 @@ use this machine as the password server.\n"));
         * Now we know the password server will correctly set the guest bit, or is
         * not guest enabled, we can try with the real password.
         */
-
-       if (!user_info->encrypted) {
+       switch (user_info->password_state) {
+       case AUTH_PASSWORD_PLAIN:
                /* Plaintext available */
                nt_status = cli_session_setup(
                        cli, user_info->client.account_name,
-                       (char *)user_info->plaintext_password.data,
-                       user_info->plaintext_password.length,
+                       user_info->password.plaintext,
+                       strlen(user_info->password.plaintext),
                        NULL, 0, user_info->mapped.domain_name);
 
-       } else {
+       /* currently the hash values include a challenge-response as well */
+       case AUTH_PASSWORD_HASH:
+       case AUTH_PASSWORD_RESPONSE:
                nt_status = cli_session_setup(
                        cli, user_info->client.account_name,
-                       (char *)user_info->lm_resp.data, 
-                       user_info->lm_resp.length, 
-                       (char *)user_info->nt_resp.data, 
-                       user_info->nt_resp.length, 
+                       (char *)user_info->password.response.lanman.data,
+                       user_info->password.response.lanman.length,
+                       (char *)user_info->password.response.nt.data,
+                       user_info->password.response.nt.length,
                        user_info->mapped.domain_name);
        }
 
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index 053cad9707c15163893c050d2632908c27b1939e..a9a4c53704df39f813f5992dd94431d9b585dbb6 100644 (file)
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -101,8 +101,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
            done.  We may need to revisit this **/
        nt_status = pass_check(pass,
                                pass ? pass->pw_name : user_info->mapped.account_name,
-                               (char *)user_info->plaintext_password.data,
-                               user_info->plaintext_password.length-1,
+                               user_info->password.plaintext,
                                lp_update_encrypted() ? 
                                update_smbpassword_file : NULL,
                                True);
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 16fa421f8b00cd662cbb844237ad1480f0f5331b..371087e4493d5b647203ec7c7a94cd7b672f2847 100644 (file)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -86,10 +86,10 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
                            const char *workstation_name,
                            DATA_BLOB *lm_pwd,
                            DATA_BLOB *nt_pwd,
-                           DATA_BLOB *lm_interactive_pwd,
-                           DATA_BLOB *nt_interactive_pwd,
-                           DATA_BLOB *plaintext,
-                           bool encrypted)
+                           const struct samr_Password *lm_interactive_pwd,
+                           const struct samr_Password *nt_interactive_pwd,
+                           const char *plaintext,
+                           enum auth_password_state password_state)
 {
        const char *domain;
        NTSTATUS result;
@@ -131,8 +131,11 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
                              client_domain, domain, workstation_name,
                              lm_pwd, nt_pwd,
                              lm_interactive_pwd, nt_interactive_pwd,
-                             plaintext, encrypted);
+                             plaintext, password_state);
        if (NT_STATUS_IS_OK(result)) {
+               /* We have tried mapping */
+               (*user_info)->mapped_state = True;
+               /* did we actually map the user to a different name? */
                (*user_info)->was_mapped = was_mapped;
        }
        return result;
@@ -164,7 +167,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
                                    lm_pwd_len ? &lm_blob : NULL, 
                                    nt_pwd_len ? &nt_blob : NULL,
                                    NULL, NULL, NULL,
-                                   True);
+                                   AUTH_PASSWORD_RESPONSE);
 
        if (NT_STATUS_IS_OK(status)) {
                (*user_info)->logon_parameters = logon_parameters;
@@ -191,8 +194,8 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
                                         const uchar nt_interactive_pwd[16], 
                                         const uchar *dc_sess_key)
 {
-       unsigned char lm_pwd[16];
-       unsigned char nt_pwd[16];
+       struct samr_Password lm_pwd;
+       struct samr_Password nt_pwd;
        unsigned char local_lm_response[24];
        unsigned char local_nt_response[24];
        unsigned char key[16];
@@ -200,42 +203,42 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
        memcpy(key, dc_sess_key, 16);
 
        if (lm_interactive_pwd)
-               memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
+               memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
 
        if (nt_interactive_pwd)
-               memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
+               memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
 
 #ifdef DEBUG_PASSWORD
        DEBUG(100,("key:"));
        dump_data(100, key, sizeof(key));
 
        DEBUG(100,("lm owf password:"));
-       dump_data(100, lm_pwd, sizeof(lm_pwd));
+       dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
 
        DEBUG(100,("nt owf password:"));
-       dump_data(100, nt_pwd, sizeof(nt_pwd));
+       dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
 #endif
 
        if (lm_interactive_pwd)
-               arcfour_crypt(lm_pwd, key, sizeof(lm_pwd));
+               arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
 
        if (nt_interactive_pwd)
-               arcfour_crypt(nt_pwd, key, sizeof(nt_pwd));
+               arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
 
 #ifdef DEBUG_PASSWORD
        DEBUG(100,("decrypt of lm owf password:"));
-       dump_data(100, lm_pwd, sizeof(lm_pwd));
+       dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
 
        DEBUG(100,("decrypt of nt owf password:"));
-       dump_data(100, nt_pwd, sizeof(nt_pwd));
+       dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
 #endif
 
        if (lm_interactive_pwd)
-               SMBOWFencrypt(lm_pwd, chal,
+               SMBOWFencrypt(lm_pwd.hash, chal,
                              local_lm_response);
 
        if (nt_interactive_pwd)
-               SMBOWFencrypt(nt_pwd, chal,
+               SMBOWFencrypt(nt_pwd.hash, chal,
                              local_nt_response);
 
        /* Password info paranoia */
@@ -247,23 +250,14 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
                DATA_BLOB local_lm_blob;
                DATA_BLOB local_nt_blob;
 
-               DATA_BLOB lm_interactive_blob;
-               DATA_BLOB nt_interactive_blob;
-
                if (lm_interactive_pwd) {
                        local_lm_blob = data_blob(local_lm_response,
                                                  sizeof(local_lm_response));
-                       lm_interactive_blob = data_blob(lm_pwd,
-                                                       sizeof(lm_pwd));
-                       ZERO_STRUCT(lm_pwd);
                }
 
                if (nt_interactive_pwd) {
                        local_nt_blob = data_blob(local_nt_response,
                                                  sizeof(local_nt_response));
-                       nt_interactive_blob = data_blob(nt_pwd,
-                                                       sizeof(nt_pwd));
-                       ZERO_STRUCT(nt_pwd);
                }
 
                nt_status = make_user_info_map(
@@ -271,9 +265,9 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
                        smb_name, client_domain, workstation_name,
                        lm_interactive_pwd ? &local_lm_blob : NULL,
                        nt_interactive_pwd ? &local_nt_blob : NULL,
-                       lm_interactive_pwd ? &lm_interactive_blob : NULL,
-                       nt_interactive_pwd ? &nt_interactive_blob : NULL,
-                       NULL, True);
+                       lm_interactive_pwd ? &lm_pwd : NULL,
+                       nt_interactive_pwd ? &nt_pwd : NULL,
+                       NULL, AUTH_PASSWORD_HASH);
 
                if (NT_STATUS_IS_OK(nt_status)) {
                        (*user_info)->logon_parameters = logon_parameters;
@@ -282,8 +276,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
                ret = NT_STATUS_IS_OK(nt_status) ? True : False;
                data_blob_free(&local_lm_blob);
                data_blob_free(&local_nt_blob);
-               data_blob_free(&lm_interactive_blob);
-               data_blob_free(&nt_interactive_blob);
                return ret;
        }
 }
@@ -303,14 +295,13 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
        DATA_BLOB local_lm_blob;
        DATA_BLOB local_nt_blob;
        NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
+       char *plaintext_password_string;
        /*
         * Not encrypted - do so.
         */
 
        DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
                 "format.\n"));
-
        if (plaintext_password.data && plaintext_password.length) {
                unsigned char local_lm_response[24];
 
@@ -333,14 +324,26 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
                local_nt_blob = data_blob_null; 
        }
 
+       plaintext_password_string = talloc_strndup(talloc_tos(),
+                                                  (const char *)plaintext_password.data,
+                                                  plaintext_password.length);
+       if (!plaintext_password_string) {
+               return False;
+       }
+
        ret = make_user_info_map(
                user_info, smb_name, client_domain, 
                get_remote_machine_name(),
                local_lm_blob.data ? &local_lm_blob : NULL,
                local_nt_blob.data ? &local_nt_blob : NULL,
                NULL, NULL,
-               plaintext_password.data && plaintext_password.length ? &plaintext_password : NULL, 
-               False);
+               plaintext_password_string,
+               AUTH_PASSWORD_PLAIN);
+
+       if (plaintext_password_string) {
+               memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
+               talloc_free(plaintext_password_string);
+       }
 
        data_blob_free(&local_lm_blob);
        return NT_STATUS_IS_OK(ret) ? True : False;
@@ -361,7 +364,7 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
                                  lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
                                  nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
                                  NULL, NULL, NULL,
-                                 True);
+                                 AUTH_PASSWORD_RESPONSE);
 }
 
 /****************************************************************************
@@ -379,7 +382,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info)
                                   NULL, NULL, 
                                   NULL, NULL, 
                                   NULL,
-                                  True);
+                                  AUTH_PASSWORD_RESPONSE);
 
        return NT_STATUS_IS_OK(nt_status) ? True : False;
 }
diff --git a/source3/auth/auth_wbc.c b/source3/auth/auth_wbc.c
index 05097ee39f00d1980e4e33748fca69625e198b1f..e4fffc7cf88b091ecd0827787094a78733efe8b4 100644 (file)
--- a/source3/auth/auth_wbc.c
+++ b/source3/auth/auth_wbc.c
@@ -71,13 +71,18 @@ static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
        params.parameter_control= user_info->logon_parameters;
 
        /* Handle plaintext */
-       if (!user_info->encrypted) {
+       switch (user_info->password_state) {
+       case AUTH_PASSWORD_PLAIN:
+       {
                DEBUG(3,("Checking plaintext password for %s.\n",
                         user_info->mapped.account_name));
                params.level = WBC_AUTH_USER_LEVEL_PLAIN;
 
-               params.password.plaintext = (char *)user_info->plaintext_password.data;
-       } else {
+               params.password.plaintext = user_info->password.plaintext;
+       }
+       case AUTH_PASSWORD_RESPONSE:
+       case AUTH_PASSWORD_HASH:
+       {
                DEBUG(3,("Checking encrypted password for %s.\n",
                         user_info->mapped.account_name));
                params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
@@ -86,12 +91,33 @@ static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
                    auth_context->challenge.data,
                    sizeof(params.password.response.challenge));
 
-               params.password.response.nt_length = user_info->nt_resp.length;
-               params.password.response.nt_data = user_info->nt_resp.data;
-               params.password.response.lm_length = user_info->lm_resp.length;
-               params.password.response.lm_data = user_info->lm_resp.data;
+               params.password.response.nt_length = user_info->password.response.nt.length;
+               params.password.response.nt_data = user_info->password.response.nt.data;
+               params.password.response.lm_length = user_info->password.response.lanman.length;
+               params.password.response.lm_data = user_info->password.response.lanman.data;
+       }
+#if 0
+       case AUTH_PASSWORD_HASH:
+       {
+               DEBUG(3,("Checking logon (hash) password for %s.\n",
+                        user_info->mapped.account_name));
+               params.level = WBC_AUTH_USER_LEVEL_HASH;
+
+               if (user_info->password.hash.nt) {
+                       memcpy(params.password.hash.nt_hash, user_info->password.hash.nt, sizeof(* user_info->password.hash.nt));
+               } else {
+                       memset(params.password.hash.nt_hash, '\0', sizeof(params.password.hash.nt_hash));
+               }
+
+               if (user_info->password.hash.lanman) {
+                       memcpy(params.password.hash.lm_hash, user_info->password.hash.lanman, sizeof(* user_info->password.hash.lanman));
+               } else {
+                       memset(params.password.hash.lm_hash, '\0', sizeof(params.password.hash.lm_hash));
+               }
 
        }
+#endif
+       }
 
        /* we are contacting the privileged pipe */
        become_root();
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index f8678d5aed9e17e263013199328fb8f84d90de65..dcf7e419c167aceefff3bbf5708f58996fb39433 100644 (file)
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -72,10 +72,10 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
               auth_context->challenge.data,
               sizeof(params.password.response.challenge));
 
-       params.password.response.nt_length      = user_info->nt_resp.length;
-       params.password.response.nt_data        = user_info->nt_resp.data;
-       params.password.response.lm_length      = user_info->lm_resp.length;
-       params.password.response.lm_data        = user_info->lm_resp.data;
+       params.password.response.nt_length      = user_info->password.response.nt.length;
+       params.password.response.nt_data        = user_info->password.response.nt.data;
+       params.password.response.lm_length      = user_info->password.response.lanman.length;
+       params.password.response.lm_data        = user_info->password.response.lanman.data;
 
        /* we are contacting the privileged pipe */
        become_root();
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 5228811422a62a260c4ac3359be6544cc01c1e7d..df5dc31b9c97cc6317bad7b6e72b9da362db2f68 100644 (file)
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -41,11 +41,10 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
                                DATA_BLOB *user_sess_key,
                                DATA_BLOB *lm_sess_key)
 {
-       struct samr_Password _lm_hash, _nt_hash, _client_lm_hash, _client_nt_hash;
+       NTSTATUS status;
+       struct samr_Password _lm_hash, _nt_hash;
        struct samr_Password *lm_hash = NULL;
        struct samr_Password *nt_hash = NULL;
-       struct samr_Password *client_lm_hash = NULL;
-       struct samr_Password *client_nt_hash = NULL;
 
        *user_sess_key = data_blob_null;
        *lm_sess_key = data_blob_null;
@@ -68,36 +67,35 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
                memcpy(_nt_hash.hash, nt_pw, sizeof(_nt_hash.hash));
                nt_hash = &_nt_hash;
        }
-       if (user_info->lm_interactive_pwd.data && sizeof(_client_lm_hash.hash) == user_info->lm_interactive_pwd.length) {
-               memcpy(_client_lm_hash.hash, user_info->lm_interactive_pwd.data, sizeof(_lm_hash.hash));
-               client_lm_hash = &_client_lm_hash;
-       }
-       if (user_info->nt_interactive_pwd.data && sizeof(_client_nt_hash.hash) == user_info->nt_interactive_pwd.length) {
-               memcpy(_client_nt_hash.hash, user_info->nt_interactive_pwd.data, sizeof(_nt_hash.hash));
-               client_nt_hash = &_client_nt_hash;
-       }
-
-       if (client_lm_hash || client_nt_hash) {
-               if (!nt_pw) {
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
-               *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
-               if (!user_sess_key->data) {
-                       return NT_STATUS_NO_MEMORY;
+       switch (user_info->password_state) {
+       case AUTH_PASSWORD_HASH:
+               status = hash_password_check(mem_ctx, lp_lanman_auth(),
+                                            user_info->password.hash.lanman,
+                                            user_info->password.hash.nt,
+                                            username,
+                                            lm_hash,
+                                            nt_hash);
+               if (NT_STATUS_IS_OK(status)) {
+                       if (nt_pw) {
+                               *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
+                               if (!user_sess_key->data) {
+                                       return NT_STATUS_NO_MEMORY;
+                               }
+                               SMBsesskeygen_ntv1(nt_pw, user_sess_key->data);
+                       }
                }
-               SMBsesskeygen_ntv1(nt_pw, user_sess_key->data);
-               return hash_password_check(mem_ctx, lp_lanman_auth(),
-                                          client_lm_hash,
-                                          client_nt_hash,
-                                          username,
-                                          lm_hash,
-                                          nt_hash);
-       } else {
+               return status;
+
+       /* Eventually we should test plaintext passwords in their own
+        * function, not assuming the caller has done a
+        * mapping */
+       case AUTH_PASSWORD_PLAIN:
+       case AUTH_PASSWORD_RESPONSE:
                return ntlm_password_check(mem_ctx, lp_lanman_auth(),
                                           lp_ntlm_auth(),
                                           user_info->logon_parameters,
                                           challenge,
-                                          &user_info->lm_resp, &user_info->nt_resp,
+                                          &user_info->password.response.lanman, &user_info->password.response.nt,
                                           username,
                                           user_info->client.account_name,
                                           user_info->client.domain_name,
@@ -105,6 +103,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
                                           nt_hash,
                                           user_sess_key, lm_sess_key);
        }
+       return NT_STATUS_INVALID_PARAMETER;
 }
 
 /****************************************************************************
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 813540d9fa822a15848badfa2de5d062a087235a..d1b720c9225267346f5949120a94320c42e47771 100644 (file)
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -648,7 +648,7 @@ return NT_STATUS_OK on correct match, appropriate error otherwise
 ****************************************************************************/
 
 NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, 
-                   int pwlen, bool (*fn) (const char *, const char *), bool run_cracker)
+                   bool (*fn) (const char *, const char *), bool run_cracker)
 {
        char *pass2 = NULL;
        int level = lp_passwordlevel();
@@ -662,7 +662,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
        if (!password)
                return NT_STATUS_LOGON_FAILURE;
 
-       if (((!*password) || (!pwlen)) && !lp_null_passwords())
+       if ((!*password) && !lp_null_passwords())
                return NT_STATUS_LOGON_FAILURE;
 
 #if defined(WITH_PAM) 
@@ -676,11 +676,11 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
                return NT_STATUS_NO_MEMORY;
        }
 
-       DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen));
+       DEBUG(4, ("pass_check: Checking (PAM) password for user %s\n", user));
 
 #else /* Not using PAM */
 
-       DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen));
+       DEBUG(4, ("pass_check: Checking password for user %s\n", user));
 
        if (!pass) {
                DEBUG(3, ("Couldn't find user %s\n", user));
diff --git a/source3/auth/user_info.c b/source3/auth/user_info.c
index ea0073ad0cd61999e87673e26f11b1fcab96db4b..55a6f96e40d8dbbbcc5287f302ef6962f9eeec5c 100644 (file)
--- a/source3/auth/user_info.c
+++ b/source3/auth/user_info.c
@@ -34,10 +34,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
                        const char *workstation_name,
                        const DATA_BLOB *lm_pwd,
                        const DATA_BLOB *nt_pwd,
-                       const DATA_BLOB *lm_interactive_pwd,
-                       const DATA_BLOB *nt_interactive_pwd,
-                       const DATA_BLOB *plaintext,
-                       bool encrypted)
+                       const struct samr_Password *lm_interactive_pwd,
+                       const struct samr_Password *nt_interactive_pwd,
+                       const char *plaintext_password,
+                       enum auth_password_state password_state)
 {
 
        DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
@@ -85,22 +85,27 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
        DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
 
        if (lm_pwd)
-               (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
+               (*user_info)->password.response.lanman = data_blob(lm_pwd->data, lm_pwd->length);
        if (nt_pwd)
-               (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
-       if (lm_interactive_pwd)
-               (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
-       if (nt_interactive_pwd)
-               (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
+               (*user_info)->password.response.nt = data_blob(nt_pwd->data, nt_pwd->length);
+       if (lm_interactive_pwd) {
+               (*user_info)->password.hash.lanman = SMB_MALLOC_P(struct samr_Password);
+               memcpy((*user_info)->password.hash.lanman->hash, lm_interactive_pwd->hash, sizeof((*user_info)->password.hash.lanman->hash));
+       }
+
+       if (nt_interactive_pwd) {
+               (*user_info)->password.hash.nt = SMB_MALLOC_P(struct samr_Password);
+               memcpy((*user_info)->password.hash.nt->hash, nt_interactive_pwd->hash, sizeof((*user_info)->password.hash.nt->hash));
+       }
 
-       if (plaintext)
-               (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
+       if (plaintext_password)
+               (*user_info)->password.plaintext = SMB_STRDUP(plaintext_password);
 
-       (*user_info)->encrypted = encrypted;
+       (*user_info)->password_state = password_state;
 
        (*user_info)->logon_parameters = 0;
 
-       DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
+       DEBUG(10,("made a user_info for %s (%s)\n", internal_username, smb_name));
 
        return NT_STATUS_OK;
 }
@@ -122,11 +127,20 @@ void free_user_info(struct auth_usersupplied_info **user_info)
                SAFE_FREE((*user_info)->client.domain_name);
                SAFE_FREE((*user_info)->mapped.domain_name);
                SAFE_FREE((*user_info)->workstation_name);
-               data_blob_free(&(*user_info)->lm_resp);
-               data_blob_free(&(*user_info)->nt_resp);
-               data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
-               data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
-               data_blob_clear_free(&(*user_info)->plaintext_password);
+               data_blob_free(&(*user_info)->password.response.lanman);
+               data_blob_free(&(*user_info)->password.response.nt);
+               if ((*user_info)->password.hash.lanman) {
+                       ZERO_STRUCTP((*user_info)->password.hash.lanman);
+                       SAFE_FREE((*user_info)->password.hash.lanman);
+               }
+               if ((*user_info)->password.hash.nt) {
+                       ZERO_STRUCTP((*user_info)->password.hash.nt);
+                       SAFE_FREE((*user_info)->password.hash.nt);
+               }
+               if ((*user_info)->password.plaintext) {
+                       memset((*user_info)->password.plaintext, '\0', strlen(((*user_info)->password.plaintext)));
+                       SAFE_FREE((*user_info)->password.plaintext);
+               }
                ZERO_STRUCT(**user_info);
        }
        SAFE_FREE(*user_info);
diff --git a/source3/include/auth.h b/source3/include/auth.h
index b7089b8c0ad7105dc6ca74bc2209258a36957001..659c6be103acb5572fed5bd0bdfbca7503021921 100644 (file)
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -19,27 +19,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-struct auth_usersupplied_info {
-       DATA_BLOB lm_resp;
-       DATA_BLOB nt_resp;
-       DATA_BLOB lm_interactive_pwd;
-       DATA_BLOB nt_interactive_pwd;
-       DATA_BLOB plaintext_password;
-
-       bool encrypted;
-       struct {
-               char *account_name;   /* username before/after mapping */
-               char *domain_name;    /* username before/after mapping */
-       } client, mapped;
-
-       bool was_mapped;              /* Did the username map actually match? */
-       char *internal_username;      /* username after mapping */
-       const char *workstation_name; /* workstation name (netbios calling
-                                      * name) unicode string */
-
-       uint32 logon_parameters;
-
-};
+#include "../auth/common_auth.h"
 
 struct extra_auth_info {
        struct dom_sid user_sid;
@@ -155,6 +135,7 @@ struct auth_init_function_entry {
 struct auth_ntlmssp_state;
 
 /* Changed from 1 -> 2 to add the logon_parameters field. */
-#define AUTH_INTERFACE_VERSION 2
+/* Changed from 2 -> 3 when we reworked many auth structures to use IDL or be in common with Samba4 */
+#define AUTH_INTERFACE_VERSION 3
 
 #endif /* _SMBAUTH_H_ */
diff --git a/source3/include/proto.h b/source3/include/proto.h
index bc55eaff072d76e6cb812401e0e90fca7e4c2176..02faf880ecbf1719514e1269c1088dc49270fc4f 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -79,13 +79,15 @@ NTSTATUS auth_unix_init(void);
 /* The following definitions come from auth/auth_util.c  */
 
 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
-                           const char *smb_name, 
-                           const char *client_domain, 
+                           const char *smb_name,
+                           const char *client_domain,
                            const char *workstation_name,
-                           DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
-                           DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
-                           DATA_BLOB *plaintext, 
-                           bool encrypted);
+                           DATA_BLOB *lm_pwd,
+                           DATA_BLOB *nt_pwd,
+                           const struct samr_Password *lm_interactive_pwd,
+                           const struct samr_Password *nt_interactive_pwd,
+                           const char *plaintext,
+                           enum auth_password_state password_state);
 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
                                     const char *smb_name, 
                                     const char *client_domain, 
@@ -160,7 +162,7 @@ bool is_trusted_domain(const char* dom_name);
 
 /* The following definitions come from auth/user_info.c  */
 
-NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
+NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
                        const char *smb_name,
                        const char *internal_username,
                        const char *client_domain,
@@ -168,10 +170,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
                        const char *workstation_name,
                        const DATA_BLOB *lm_pwd,
                        const DATA_BLOB *nt_pwd,
-                       const DATA_BLOB *lm_interactive_pwd,
-                       const DATA_BLOB *nt_interactive_pwd,
-                       const DATA_BLOB *plaintext,
-                       bool encrypted);
+                       const struct samr_Password *lm_interactive_pwd,
+                       const struct samr_Password *nt_interactive_pwd,
+                       const char *plaintext_password,
+                       enum auth_password_state password_state);
 void free_user_info(struct auth_usersupplied_info **user_info);
 
 /* The following definitions come from auth/auth_winbind.c  */
@@ -226,7 +228,7 @@ bool smb_pam_close_session(char *in_user, char *tty, char *rhost);
 
 void dfs_unlogin(void);
 NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, 
-                   int pwlen, bool (*fn) (const char *, const char *), bool run_cracker);
+                   bool (*fn) (const char *, const char *), bool run_cracker);
 
 /* The following definitions come from auth/token_util.c  */
 
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index c81ef87e1a1351d0d03d660e9cfd1e09cd86acd9..0c1c80e724099b3a286dfb944e8d4ffb7eb4f05c 100644 (file)
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -374,7 +374,7 @@ static bool cgi_handle_authorization(char *line)
         */
 
        if NT_STATUS_IS_OK(pass_check(pass, user, user_pass, 
-                     strlen(user_pass), NULL, False)) {
+                                     NULL, False)) {
 
                if (pass) {
                        /*
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 70adc29b1e1fe318831bf89f5ab0f5bd384873ef..e2c1d0d1b985a381c445d59a671981681394d923 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1139,7 +1139,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 
        status = make_user_info(&user_info, user, user, domain, domain,
                                global_myname(), lm_resp, nt_resp, NULL, NULL,
-                               NULL, True);
+                               NULL, AUTH_PASSWORD_RESPONSE);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
                return status;
Personal Samba branches