1996-05-04 11:50:46 +04:00
/*
Unix SMB / Netbios implementation .
Version 1.9 .
Password and authentication handling
1998-01-22 16:27:43 +03:00
Copyright ( C ) Andrew Tridgell 1992 - 1998
1996-05-04 11:50:46 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
extern int DEBUGLEVEL ;
extern int Protocol ;
1999-12-13 16:27:58 +03:00
extern struct in_addr ipzero ;
1996-05-04 11:50:46 +04:00
/* users from session setup */
static pstring session_users = " " ;
1998-04-25 05:12:08 +04:00
extern pstring global_myname ;
1998-04-29 04:02:57 +04:00
extern fstring global_myworkgroup ;
1998-04-23 22:54:57 +04:00
1999-12-13 16:27:58 +03:00
/* Data to do lanman1/2 password challenge. */
static unsigned char saved_challenge [ 8 ] ;
static BOOL challenge_sent = False ;
/*******************************************************************
Get the next challenge value - no repeats .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void generate_next_challenge ( char * challenge )
{
#if 0
/*
* Leave this ifdef ' d out while we test
* the new crypto random number generator .
* JRA .
*/
unsigned char buf [ 16 ] ;
static int counter = 0 ;
struct timeval tval ;
int v1 , v2 ;
/* get a sort-of random number */
GetTimeOfDay ( & tval ) ;
2000-05-02 06:23:41 +04:00
v1 = ( counter + + ) + sys_getpid ( ) + tval . tv_sec ;
v2 = ( counter + + ) * sys_getpid ( ) + tval . tv_usec ;
1999-12-13 16:27:58 +03:00
SIVAL ( challenge , 0 , v1 ) ;
SIVAL ( challenge , 4 , v2 ) ;
/* mash it up with md4 */
mdfour ( buf , ( unsigned char * ) challenge , 8 ) ;
# else
unsigned char buf [ 8 ] ;
generate_random_buffer ( buf , 8 , False ) ;
# endif
memcpy ( saved_challenge , buf , 8 ) ;
memcpy ( challenge , buf , 8 ) ;
challenge_sent = True ;
}
/*******************************************************************
set the last challenge sent , usually from a password server
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL set_challenge ( unsigned char * challenge )
{
memcpy ( saved_challenge , challenge , 8 ) ;
challenge_sent = True ;
return ( True ) ;
}
/*******************************************************************
get the last challenge sent
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL last_challenge ( unsigned char * challenge )
{
if ( ! challenge_sent ) return ( False ) ;
memcpy ( challenge , saved_challenge , 8 ) ;
return ( True ) ;
}
/* this holds info on user ids that are already validated for this VC */
2000-11-29 01:17:44 +03:00
static user_struct * validated_users ;
static int next_vuid = VUID_OFFSET ;
static int num_validated_vuids ;
1999-12-13 16:27:58 +03:00
/****************************************************************************
check if a uid has been validated , and return an pointer to the user_struct
if it has . NULL if not . vuid is biased by an offset . This allows us to
tell random client vuid ' s ( normally zero ) from valid vuids .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
user_struct * get_valid_user_struct ( uint16 vuid )
{
2000-11-29 01:17:44 +03:00
user_struct * usp ;
int count = 0 ;
if ( vuid = = UID_FIELD_INVALID )
return NULL ;
for ( usp = validated_users ; usp ; usp = usp - > next , count + + ) {
if ( vuid = = usp - > vuid ) {
2001-04-18 20:41:04 +04:00
if ( count > 10 ) {
DLIST_PROMOTE ( validated_users , usp ) ;
}
2000-11-29 01:17:44 +03:00
return usp ;
}
}
return NULL ;
1999-12-13 16:27:58 +03:00
}
/****************************************************************************
invalidate a uid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void invalidate_vuid ( uint16 vuid )
{
2000-06-09 22:45:31 +04:00
user_struct * vuser = get_valid_user_struct ( vuid ) ;
1999-12-13 16:27:58 +03:00
2000-06-09 22:45:31 +04:00
if ( vuser = = NULL )
return ;
1999-12-13 16:27:58 +03:00
2001-04-18 20:41:04 +04:00
session_yield ( vuid ) ;
2000-11-29 01:17:44 +03:00
DLIST_REMOVE ( validated_users , vuser ) ;
2000-06-09 07:30:54 +04:00
2000-11-29 01:17:44 +03:00
safe_free ( vuser - > groups ) ;
2000-08-02 06:11:55 +04:00
delete_nt_token ( & vuser - > nt_user_token ) ;
2000-11-29 01:17:44 +03:00
safe_free ( vuser ) ;
num_validated_vuids - - ;
1999-12-13 16:27:58 +03:00
}
2001-04-18 20:41:04 +04:00
/****************************************************************************
invalidate all vuid entries for this process
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void invalidate_all_vuids ( void )
{
user_struct * usp , * next = NULL ;
for ( usp = validated_users ; usp ; usp = next ) {
next = usp - > next ;
invalidate_vuid ( usp - > vuid ) ;
}
}
1999-12-13 16:27:58 +03:00
/****************************************************************************
return a validated username
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
char * validated_username ( uint16 vuid )
{
2000-05-04 20:01:47 +04:00
user_struct * vuser = get_valid_user_struct ( vuid ) ;
if ( vuser = = NULL )
return 0 ;
return ( vuser - > user . unix_name ) ;
}
/****************************************************************************
return a validated domain
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
char * validated_domain ( uint16 vuid )
{
user_struct * vuser = get_valid_user_struct ( vuid ) ;
if ( vuser = = NULL )
return 0 ;
return ( vuser - > user . domain ) ;
1999-12-13 16:27:58 +03:00
}
2000-08-02 06:11:55 +04:00
/****************************************************************************
Create the SID list for this user .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2000-12-12 05:36:14 +03:00
NT_USER_TOKEN * create_nt_token ( uid_t uid , gid_t gid , int ngroups , gid_t * groups , BOOL is_guest )
2000-08-02 06:11:55 +04:00
{
2000-12-12 05:36:14 +03:00
extern DOM_SID global_sid_World ;
extern DOM_SID global_sid_Network ;
extern DOM_SID global_sid_Builtin_Guests ;
extern DOM_SID global_sid_Authenticated_Users ;
2000-08-04 02:38:43 +04:00
NT_USER_TOKEN * token ;
2000-08-02 06:11:55 +04:00
DOM_SID * psids ;
2000-08-28 10:46:53 +04:00
int i , psid_ndx = 0 ;
2000-12-12 05:36:14 +03:00
size_t num_sids = 0 ;
2001-01-04 22:27:08 +03:00
fstring sid_str ;
1999-12-13 16:27:58 +03:00
2000-08-04 02:38:43 +04:00
if ( ( token = ( NT_USER_TOKEN * ) malloc ( sizeof ( NT_USER_TOKEN ) ) ) = = NULL )
return NULL ;
2000-08-02 06:11:55 +04:00
ZERO_STRUCTP ( token ) ;
1999-12-13 16:27:58 +03:00
2000-12-12 05:36:14 +03:00
/* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
num_sids = 5 + ngroups ;
if ( ( token - > user_sids = ( DOM_SID * ) malloc ( num_sids * sizeof ( DOM_SID ) ) ) = = NULL ) {
2000-08-04 02:38:43 +04:00
free ( token ) ;
return NULL ;
}
1999-12-13 16:27:58 +03:00
2000-08-02 06:11:55 +04:00
psids = token - > user_sids ;
1999-12-13 16:27:58 +03:00
2000-12-12 05:36:14 +03:00
/*
2000-12-12 23:41:02 +03:00
* Note - user SID * MUST * be first in token !
* se_access_check depends on this .
2000-12-12 05:36:14 +03:00
*/
2000-08-02 06:11:55 +04:00
2000-12-12 05:36:14 +03:00
uid_to_sid ( & psids [ psid_ndx + + ] , uid ) ;
2000-12-12 23:41:02 +03:00
/*
* Primary group SID is second in token . Convention .
*/
2000-12-12 05:36:14 +03:00
gid_to_sid ( & psids [ psid_ndx + + ] , gid ) ;
1999-12-13 16:27:58 +03:00
2000-12-12 23:41:02 +03:00
/* Now add the group SIDs. */
2000-08-28 10:46:53 +04:00
for ( i = 0 ; i < ngroups ; i + + ) {
if ( groups [ i ] ! = gid ) {
2000-12-12 05:36:14 +03:00
gid_to_sid ( & psids [ psid_ndx + + ] , groups [ i ] ) ;
2000-08-28 10:46:53 +04:00
}
}
2000-08-04 02:38:43 +04:00
2000-12-12 23:41:02 +03:00
/*
* Finally add the " standard " SIDs .
* The only difference between guest and " anonymous " ( which we
* don ' t really support ) is the addition of Authenticated_Users .
*/
sid_copy ( & psids [ psid_ndx + + ] , & global_sid_World ) ;
sid_copy ( & psids [ psid_ndx + + ] , & global_sid_Network ) ;
if ( is_guest )
sid_copy ( & psids [ psid_ndx + + ] , & global_sid_Builtin_Guests ) ;
else
sid_copy ( & psids [ psid_ndx + + ] , & global_sid_Authenticated_Users ) ;
2000-12-12 05:36:14 +03:00
token - > num_sids = psid_ndx ;
2001-01-04 22:27:08 +03:00
/* Dump list of sids in token */
for ( i = 0 ; i < token - > num_sids ; i + + ) {
DEBUG ( 5 , ( " user token sid %s \n " ,
sid_to_string ( sid_str , & token - > user_sids [ i ] ) ) ) ;
}
2000-08-04 02:38:43 +04:00
return token ;
2000-08-02 06:11:55 +04:00
}
2000-06-09 05:26:42 +04:00
1999-12-13 16:27:58 +03:00
/****************************************************************************
2000-06-09 05:26:42 +04:00
register a uid / name pair as being valid and that a valid password
has been given . vuid is biased by an offset . This allows us to
tell random client vuid ' s ( normally zero ) from valid vuids .
1999-12-13 16:27:58 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-08-02 06:11:55 +04:00
2001-04-18 20:41:04 +04:00
int register_vuid ( uid_t uid , gid_t gid , char * unix_name , char * requested_name ,
char * domain , BOOL guest )
1999-12-13 16:27:58 +03:00
{
2000-11-29 01:17:44 +03:00
user_struct * vuser = NULL ;
struct passwd * pwfile ; /* for getting real name from passwd file */
/* Ensure no vuid gets registered in share level security. */
if ( lp_security ( ) = = SEC_SHARE )
return UID_FIELD_INVALID ;
/* Limit allowed vuids to 16bits - VUID_OFFSET. */
if ( num_validated_vuids > = 0xFFFF - VUID_OFFSET )
return UID_FIELD_INVALID ;
if ( ( vuser = ( user_struct * ) malloc ( sizeof ( user_struct ) ) ) = = NULL ) {
DEBUG ( 0 , ( " Failed to malloc users struct! \n " ) ) ;
return UID_FIELD_INVALID ;
}
ZERO_STRUCTP ( vuser ) ;
DEBUG ( 10 , ( " register_vuid: (%u,%u) %s %s %s guest=%d \n " , ( unsigned int ) uid , ( unsigned int ) gid ,
unix_name , requested_name , domain , guest ) ) ;
/* Allocate a free vuid. Yes this is a linear search... :-) */
2000-12-08 22:21:09 +03:00
while ( get_valid_user_struct ( next_vuid ) ! = NULL ) {
2000-11-29 01:17:44 +03:00
next_vuid + + ;
/* Check for vuid wrap. */
if ( next_vuid = = UID_FIELD_INVALID )
next_vuid = VUID_OFFSET ;
}
DEBUG ( 10 , ( " register_vuid: allocated vuid = %u \n " , ( unsigned int ) next_vuid ) ) ;
vuser - > vuid = next_vuid ;
vuser - > uid = uid ;
vuser - > gid = gid ;
vuser - > guest = guest ;
fstrcpy ( vuser - > user . unix_name , unix_name ) ;
fstrcpy ( vuser - > user . smb_name , requested_name ) ;
fstrcpy ( vuser - > user . domain , domain ) ;
vuser - > n_groups = 0 ;
vuser - > groups = NULL ;
/* Find all the groups this uid is in and store them.
Used by become_user ( ) */
initialise_groups ( unix_name , uid , gid ) ;
get_current_groups ( & vuser - > n_groups , & vuser - > groups ) ;
/* Create an NT_USER_TOKEN struct for this user. */
2000-12-12 05:36:14 +03:00
vuser - > nt_user_token = create_nt_token ( uid , gid , vuser - > n_groups , vuser - > groups , guest ) ;
2000-11-29 01:17:44 +03:00
next_vuid + + ;
num_validated_vuids + + ;
DLIST_ADD ( validated_users , vuser ) ;
DEBUG ( 3 , ( " uid %d registered to name %s \n " , ( int ) uid , unix_name ) ) ;
DEBUG ( 3 , ( " Clearing default real name \n " ) ) ;
2001-04-18 20:41:04 +04:00
if ( ( pwfile = sys_getpwnam ( vuser - > user . unix_name ) ) ! = NULL ) {
DEBUG ( 3 , ( " User name: %s \t Real name: %s \n " , vuser - > user . unix_name , pwfile - > pw_gecos ) ) ;
fstrcpy ( vuser - > user . full_name , pwfile - > pw_gecos ) ;
}
if ( ! session_claim ( vuser - > vuid ) ) {
DEBUG ( 1 , ( " Failed to claim session for vuid=%d \n " , vuser - > vuid ) ) ;
invalidate_vuid ( vuser - > vuid ) ;
return - 1 ;
2000-11-29 01:17:44 +03:00
}
1999-12-13 16:27:58 +03:00
2000-11-29 01:17:44 +03:00
return vuser - > vuid ;
1999-12-13 16:27:58 +03:00
}
1996-05-04 11:50:46 +04:00
/****************************************************************************
add a name to the session users list
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void add_session_user ( char * user )
{
fstring suser ;
StrnCpy ( suser , user , sizeof ( suser ) - 1 ) ;
if ( ! Get_Pwnam ( suser , True ) ) return ;
if ( suser & & * suser & & ! in_list ( suser , session_users , False ) )
{
if ( strlen ( suser ) + strlen ( session_users ) + 2 > = sizeof ( pstring ) )
DEBUG ( 1 , ( " Too many session users?? \n " ) ) ;
else
{
1998-05-12 04:55:32 +04:00
pstrcat ( session_users , " " ) ;
pstrcat ( session_users , suser ) ;
1996-05-04 11:50:46 +04:00
}
}
}
1998-04-30 05:39:22 +04:00
/****************************************************************************
update the encrypted smbpasswd file from the plaintext username and password
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1998-09-05 09:07:05 +04:00
static BOOL update_smbpassword_file ( char * user , char * password )
1997-07-18 00:11:58 +04:00
{
2000-11-14 02:03:34 +03:00
SAM_ACCOUNT * sampass = NULL ;
BOOL ret ;
1997-07-18 00:11:58 +04:00
2001-05-04 19:44:27 +04:00
pdb_init_sam ( & sampass ) ;
2000-06-23 09:57:48 +04:00
become_root ( ) ;
2001-05-04 19:44:27 +04:00
ret = pdb_getsampwnam ( sampass , user ) ;
2000-06-23 09:57:48 +04:00
unbecome_root ( ) ;
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
2000-11-14 02:03:34 +03:00
DEBUG ( 0 , ( " pdb_getsampwnam returned NULL \n " ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1998-08-10 11:04:53 +04:00
return False ;
1997-07-18 00:11:58 +04:00
}
1999-12-13 16:27:58 +03:00
/*
* Remove the account disabled flag - we are updating the
* users password from a login .
*/
2000-11-14 02:03:34 +03:00
pdb_set_acct_ctrl ( sampass , pdb_get_acct_ctrl ( sampass ) & ~ ACB_DISABLED ) ;
1999-12-13 16:27:58 +03:00
1998-08-10 11:04:53 +04:00
/* Here, the flag is one, because we want to ignore the
XXXXXXX ' d out password */
2000-11-14 02:03:34 +03:00
ret = change_oem_password ( sampass , password , True ) ;
1999-12-13 16:27:58 +03:00
if ( ret = = False ) {
1998-08-10 11:04:53 +04:00
DEBUG ( 3 , ( " change_oem_password returned False \n " ) ) ;
1997-07-18 00:11:58 +04:00
}
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1998-08-10 11:04:53 +04:00
return ret ;
1996-05-04 11:50:46 +04:00
}
1999-12-13 16:27:58 +03:00
/****************************************************************************
core of smb password checking routine .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL smb_password_check ( char * password , unsigned char * part_passwd , unsigned char * c8 )
{
/* Finish the encryption of part_passwd. */
unsigned char p21 [ 21 ] ;
unsigned char p24 [ 24 ] ;
2000-11-21 09:05:08 +03:00
if ( part_passwd = = NULL )
{
1999-12-13 16:27:58 +03:00
DEBUG ( 10 , ( " No password set - allowing access \n " ) ) ;
2000-11-21 09:05:08 +03:00
/* No password set - always true ! */
1999-12-13 16:27:58 +03:00
return 1 ;
2000-11-21 09:05:08 +03:00
}
1999-12-13 16:27:58 +03:00
memset ( p21 , ' \0 ' , 21 ) ;
memcpy ( p21 , part_passwd , 16 ) ;
E_P24 ( p21 , c8 , p24 ) ;
# if DEBUG_PASSWORD
{
int i ;
DEBUG ( 100 , ( " Part password (P16) was | " ) ) ;
for ( i = 0 ; i < 16 ; i + + )
DEBUG ( 100 , ( " %X " , ( unsigned char ) part_passwd [ i ] ) ) ;
DEBUG ( 100 , ( " | \n " ) ) ;
DEBUG ( 100 , ( " Password from client was | " ) ) ;
for ( i = 0 ; i < 24 ; i + + )
DEBUG ( 100 , ( " %X " , ( unsigned char ) password [ i ] ) ) ;
DEBUG ( 100 , ( " | \n " ) ) ;
DEBUG ( 100 , ( " Given challenge was | " ) ) ;
for ( i = 0 ; i < 8 ; i + + )
DEBUG ( 100 , ( " %X " , ( unsigned char ) c8 [ i ] ) ) ;
DEBUG ( 100 , ( " | \n " ) ) ;
DEBUG ( 100 , ( " Value from encryption was | " ) ) ;
for ( i = 0 ; i < 24 ; i + + )
DEBUG ( 100 , ( " %X " , ( unsigned char ) p24 [ i ] ) ) ;
DEBUG ( 100 , ( " | \n " ) ) ;
}
# endif
return ( memcmp ( p24 , password , 24 ) = = 0 ) ;
}
/****************************************************************************
Do a specific test for an smb password being correct , given a smb_password and
the lanman and NT responses .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-11-14 02:03:34 +03:00
BOOL smb_password_ok ( SAM_ACCOUNT * sampass , uchar chal [ 8 ] ,
1999-12-13 16:27:58 +03:00
uchar lm_pass [ 24 ] , uchar nt_pass [ 24 ] )
{
uchar challenge [ 8 ] ;
2000-11-14 02:03:34 +03:00
char * user_name ;
2001-03-11 03:51:54 +03:00
uint8 * nt_pw , * lm_pw ;
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
if ( ! lm_pass | | ! sampass )
return ( False ) ;
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
user_name = pdb_get_username ( sampass ) ;
2001-05-01 01:05:58 +04:00
DEBUG ( 4 , ( " smb_password_ok: Checking SMB password for user %s \n " , user_name ) ) ;
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
if ( pdb_get_acct_ctrl ( sampass ) & ACB_DISABLED ) {
2001-05-01 01:05:58 +04:00
DEBUG ( 1 , ( " smb_password_ok: account for user %s was disabled. \n " , user_name ) ) ;
1999-12-13 16:27:58 +03:00
return ( False ) ;
}
2001-05-01 01:05:58 +04:00
if ( chal = = NULL ) {
DEBUG ( 5 , ( " smb_password_ok: use last SMBnegprot challenge \n " ) ) ;
if ( ! last_challenge ( challenge ) ) {
DEBUG ( 1 , ( " smb_password_ok: no challenge done - password failed \n " ) ) ;
1999-12-13 16:27:58 +03:00
return False ;
}
2001-05-01 01:05:58 +04:00
} else {
DEBUG ( 5 , ( " smb_password_ok: challenge received \n " ) ) ;
1999-12-13 16:27:58 +03:00
memcpy ( challenge , chal , 8 ) ;
}
2000-11-14 02:03:34 +03:00
nt_pw = pdb_get_nt_passwd ( sampass ) ;
if ( ( Protocol > = PROTOCOL_NT1 ) & & ( nt_pw ! = NULL ) ) {
1999-12-13 16:27:58 +03:00
/* We have the NT MD4 hash challenge available - see if we can
use it ( ie . does it exist in the smbpasswd file ) .
*/
DEBUG ( 4 , ( " smb_password_ok: Checking NT MD4 password \n " ) ) ;
2001-05-01 01:05:58 +04:00
if ( smb_password_check ( ( char * ) nt_pass , ( uchar * ) nt_pw , challenge ) ) {
DEBUG ( 4 , ( " smb_password_ok: NT MD4 password check succeeded \n " ) ) ;
1999-12-13 16:27:58 +03:00
return ( True ) ;
}
2001-05-01 01:05:58 +04:00
DEBUG ( 4 , ( " smb_password_ok: NT MD4 password check failed \n " ) ) ;
1999-12-13 16:27:58 +03:00
}
2000-11-14 02:03:34 +03:00
/* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL
means no password , allow access . */
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
lm_pw = pdb_get_lanman_passwd ( sampass ) ;
if ( ( lm_pw = = NULL ) & & ( pdb_get_acct_ctrl ( sampass ) & ACB_PWNOTREQ ) )
{
2001-05-01 01:05:58 +04:00
DEBUG ( 4 , ( " smb_password_ok: no password required for user %s \n " , user_name ) ) ;
1999-12-13 16:27:58 +03:00
return True ;
}
2001-05-01 01:05:58 +04:00
if ( lp_lanman_auth ( ) & & ( lm_pw ! = NULL ) ) {
DEBUG ( 4 , ( " smb_password_ok: Checking LM password \n " ) ) ;
if ( smb_password_check ( ( char * ) lm_pass , ( uchar * ) lm_pw , challenge ) ) {
DEBUG ( 4 , ( " smb_password_ok: LM password check succeeded \n " ) ) ;
return ( True ) ;
}
DEBUG ( 4 , ( " smb_password_ok: LM password check failed \n " ) ) ;
1999-12-13 16:27:58 +03:00
}
return False ;
}
/****************************************************************************
check if a username / password is OK assuming the password is a 24 byte
SMB hash
return True if the password is correct , False otherwise
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-11-14 02:03:34 +03:00
BOOL pass_check_smb ( char * user , char * domain , uchar * chal ,
uchar * lm_pwd , uchar * nt_pwd , struct passwd * pwd )
1999-12-13 16:27:58 +03:00
{
struct passwd * pass ;
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sampass = NULL ;
BOOL ret ;
1999-12-13 16:27:58 +03:00
if ( ! lm_pwd | | ! nt_pwd )
{
return ( False ) ;
}
2000-11-14 02:03:34 +03:00
/* FIXME! this code looks to be unnecessary now that the passdb
validates that the username exists and has a valid uid */
1999-12-13 16:27:58 +03:00
if ( pwd ! = NULL & & user = = NULL )
{
pass = ( struct passwd * ) pwd ;
user = pass - > pw_name ;
}
else
{
2000-11-14 02:03:34 +03:00
/* I don't get this call here. I think it should be moved.
Need to check on it . - - jerry */
2000-05-10 18:48:33 +04:00
pass = smb_getpwnam ( user , True ) ;
1999-12-13 16:27:58 +03:00
}
if ( pass = = NULL )
{
DEBUG ( 1 , ( " Couldn't find user '%s' in UNIX password database. \n " , user ) ) ;
return ( False ) ;
}
2001-05-04 19:44:27 +04:00
pdb_init_sam ( & sampass ) ;
2000-11-14 02:03:34 +03:00
/* get the account information */
2001-05-04 19:44:27 +04:00
ret = pdb_getsampwnam ( sampass , user ) ;
if ( ret = = False )
1999-12-13 16:27:58 +03:00
{
2000-11-14 02:03:34 +03:00
DEBUG ( 1 , ( " Couldn't find user '%s' in passdb file. \n " , user ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1999-12-13 16:27:58 +03:00
return ( False ) ;
}
/* Quit if the account was disabled. */
2000-11-14 02:03:34 +03:00
if ( pdb_get_acct_ctrl ( sampass ) & ACB_DISABLED ) {
1999-12-13 16:27:58 +03:00
DEBUG ( 1 , ( " Account for user '%s' was disabled. \n " , user ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1999-12-13 16:27:58 +03:00
return ( False ) ;
2000-08-01 22:32:34 +04:00
}
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
/* Ensure the uid's match
FIXME ! This also seems unnecessary - - jerry */
#if 0 /* GWC */
1999-12-13 16:27:58 +03:00
if ( smb_pass - > smb_userid ! = pass - > pw_uid )
{
DEBUG ( 0 , ( " Error : UNIX and SMB uids in password files do not match for user '%s'! \n " , user ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1999-12-13 16:27:58 +03:00
return ( False ) ;
}
2000-11-14 02:03:34 +03:00
# endif
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
if ( pdb_get_acct_ctrl ( sampass ) & ACB_PWNOTREQ )
{
if ( lp_null_passwords ( ) )
{
DEBUG ( 3 , ( " Account for user '%s' has no password and null passwords are allowed. \n " , user ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2000-10-06 02:51:57 +04:00
return ( True ) ;
2000-11-14 02:03:34 +03:00
}
else
{
DEBUG ( 3 , ( " Account for user '%s' has no password and null passwords are NOT allowed. \n " , user ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2000-10-06 02:51:57 +04:00
return ( False ) ;
}
1999-12-13 16:27:58 +03:00
}
2000-11-14 02:03:34 +03:00
if ( smb_password_ok ( sampass , chal , lm_pwd , nt_pwd ) )
1999-12-13 16:27:58 +03:00
{
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1999-12-13 16:27:58 +03:00
return ( True ) ;
}
DEBUG ( 2 , ( " pass_check_smb failed - invalid password for user [%s] \n " , user ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
1999-12-13 16:27:58 +03:00
return False ;
}
1998-08-10 11:04:53 +04:00
/****************************************************************************
check if a username / password pair is OK either via the system password
database or the encrypted SMB password database
return True if the password is correct , False otherwise
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
BOOL password_ok ( char * user , char * password , int pwlen , struct passwd * pwd )
1998-08-10 11:04:53 +04:00
{
2001-04-22 11:20:24 +04:00
BOOL ret ;
2001-03-27 04:24:40 +04:00
if ( ( pwlen = = 0 ) & & ! lp_null_passwords ( ) ) {
DEBUG ( 4 , ( " Null passwords not allowed. \n " ) ) ;
return False ;
}
2001-04-22 11:20:24 +04:00
if ( pwlen = = 24 | | ( lp_encrypted_passwords ( ) & & ( pwlen = = 0 ) & & lp_null_passwords ( ) ) ) {
1999-12-13 16:27:58 +03:00
/* if 24 bytes long assume it is an encrypted password */
1998-10-17 01:36:19 +04:00
uchar challenge [ 8 ] ;
2001-04-22 11:20:24 +04:00
if ( ! last_challenge ( challenge ) ) {
1998-10-17 01:36:19 +04:00
DEBUG ( 0 , ( " Error: challenge not done for user=%s \n " , user ) ) ;
return False ;
}
2001-04-22 11:20:24 +04:00
ret = pass_check_smb ( user , global_myworkgroup ,
1999-12-13 16:27:58 +03:00
challenge , ( uchar * ) password , ( uchar * ) password , pwd ) ;
2001-04-22 11:20:24 +04:00
/*
* Try with PAM ( may not be compiled in - returns True if not . JRA ) .
* FIXME ! Should this be called if we ' re using winbindd ? What about
* non - local accounts ? JRA .
*/
if ( ret )
2001-05-04 18:28:28 +04:00
return ( smb_pam_accountcheck ( user ) = = NT_STATUS_NOPROBLEMO ) ;
1998-08-10 11:04:53 +04:00
}
return pass_check ( user , password , pwlen , pwd ,
lp_update_encrypted ( ) ?
update_smbpassword_file : NULL ) ;
}
1996-05-04 11:50:46 +04:00
1999-12-13 16:27:58 +03:00
/****************************************************************************
check if a username is valid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL user_ok ( char * user , int snum )
{
pstring valid , invalid ;
BOOL ret ;
StrnCpy ( valid , lp_valid_users ( snum ) , sizeof ( pstring ) - 1 ) ;
StrnCpy ( invalid , lp_invalid_users ( snum ) , sizeof ( pstring ) - 1 ) ;
pstring_sub ( valid , " %S " , lp_servicename ( snum ) ) ;
pstring_sub ( invalid , " %S " , lp_servicename ( snum ) ) ;
ret = ! user_in_list ( user , invalid ) ;
if ( ret & & valid & & * valid ) {
ret = user_in_list ( user , valid ) ;
}
if ( ret & & lp_onlyuser ( snum ) ) {
char * user_list = lp_username ( snum ) ;
pstring_sub ( user_list , " %S " , lp_servicename ( snum ) ) ;
ret = user_in_list ( user , user_list ) ;
}
return ( ret ) ;
}
1996-05-04 11:50:46 +04:00
/****************************************************************************
validate a group username entry . Return the username or NULL
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
static char * validate_group ( char * group , char * password , int pwlen , int snum )
1996-05-04 11:50:46 +04:00
{
1999-12-13 16:27:58 +03:00
# ifdef HAVE_NETGROUP
{
char * host , * user , * domain ;
setnetgrent ( group ) ;
while ( getnetgrent ( & host , & user , & domain ) ) {
if ( user ) {
if ( user_ok ( user , snum ) & &
password_ok ( user , password , pwlen , NULL ) ) {
endnetgrent ( ) ;
return ( user ) ;
}
}
}
endnetgrent ( ) ;
1996-05-04 11:50:46 +04:00
}
# endif
1999-12-13 16:27:58 +03:00
# ifdef HAVE_GETGRENT
1996-05-04 11:50:46 +04:00
{
1999-12-13 16:27:58 +03:00
struct group * gptr ;
setgrent ( ) ;
while ( ( gptr = ( struct group * ) getgrent ( ) ) ) {
2000-01-04 04:01:27 +03:00
if ( strequal ( gptr - > gr_name , group ) )
break ;
}
/*
* As user_ok can recurse doing a getgrent ( ) , we must
* copy the member list into a pstring on the stack before
* use . Bug pointed out by leon @ eatworms . swmed . edu .
*/
if ( gptr ) {
pstring member_list ;
char * member ;
size_t copied_len = 0 ;
int i ;
* member_list = ' \0 ' ;
member = member_list ;
for ( i = 0 ; gptr - > gr_mem & & gptr - > gr_mem [ i ] ; i + + ) {
size_t member_len = strlen ( gptr - > gr_mem [ i ] ) + 1 ;
if ( copied_len + member_len < sizeof ( pstring ) ) {
DEBUG ( 10 , ( " validate_group: = gr_mem = %s \n " , gptr - > gr_mem [ i ] ) ) ;
safe_strcpy ( member , gptr - > gr_mem [ i ] , sizeof ( pstring ) - copied_len - 1 ) ;
copied_len + = member_len ;
member + = copied_len ;
} else {
* member = ' \0 ' ;
}
}
endgrent ( ) ;
member = member_list ;
while ( * member ) {
1999-12-13 16:27:58 +03:00
static fstring name ;
2000-01-04 04:01:27 +03:00
fstrcpy ( name , member ) ;
1999-12-13 16:27:58 +03:00
if ( user_ok ( name , snum ) & &
password_ok ( name , password , pwlen , NULL ) ) {
endgrent ( ) ;
return ( & name [ 0 ] ) ;
}
2000-01-04 04:01:27 +03:00
DEBUG ( 10 , ( " validate_group = member = %s \n " , member ) ) ;
member + = strlen ( member ) + 1 ;
1999-12-13 16:27:58 +03:00
}
2000-01-04 04:01:27 +03:00
} else {
endgrent ( ) ;
return NULL ;
1999-12-13 16:27:58 +03:00
}
1996-05-04 11:50:46 +04:00
}
# endif
1999-12-13 16:27:58 +03:00
return ( NULL ) ;
1996-05-04 11:50:46 +04:00
}
/****************************************************************************
2001-06-22 04:57:59 +04:00
Check for authority to login to a service with a given username / password .
Note this is * NOT * used when logging on using sessionsetup_and_X .
1996-05-04 11:50:46 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-06-22 04:57:59 +04:00
1996-05-04 11:50:46 +04:00
BOOL authorise_login ( int snum , char * user , char * password , int pwlen ,
1996-10-26 00:18:28 +04:00
BOOL * guest , BOOL * force , uint16 vuid )
1996-05-04 11:50:46 +04:00
{
2001-06-22 04:57:59 +04:00
BOOL ok = False ;
user_struct * vuser = get_valid_user_struct ( vuid ) ;
2001-04-18 20:41:04 +04:00
1996-05-04 11:50:46 +04:00
# if DEBUG_PASSWORD
2001-06-22 04:57:59 +04:00
DEBUG ( 100 , ( " authorise_login: checking authorisation on user=%s pass=%s \n " ,
user , password ) ) ;
1996-05-04 11:50:46 +04:00
# endif
2001-06-22 04:57:59 +04:00
* guest = False ;
if ( GUEST_ONLY ( snum ) )
* force = True ;
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
if ( ! GUEST_ONLY ( snum ) & & ( lp_security ( ) > SEC_SHARE ) ) {
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
/*
* We should just use the given vuid from a sessionsetup_and_X .
*/
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
if ( ! vuser ) {
DEBUG ( 1 , ( " authorise_login: refusing user %s with no session setup \n " ,
user ) ) ;
return False ;
}
if ( ! vuser - > guest & & user_ok ( vuser - > user . unix_name , snum ) ) {
fstrcpy ( user , vuser - > user . unix_name ) ;
* guest = False ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: validated uid ok as non-guest \
( user = % s ) \ n " , user));
return True ;
}
}
/* there are several possibilities:
1 ) login as the given user with given password
2 ) login as a previously registered username with the given password
3 ) login as a session list username with the given password
4 ) login as a previously validated user / password pair
5 ) login as the " user = " user with given password
6 ) login as the " user = " user with no password ( guest connection )
7 ) login as guest user with no password
if the service is guest_only then steps 1 to 5 are skipped
*/
if ( ! ( GUEST_ONLY ( snum ) & & GUEST_OK ( snum ) ) ) {
/* check the given username and password */
if ( ! ok & & ( * user ) & & user_ok ( user , snum ) ) {
ok = password_ok ( user , password , pwlen , NULL ) ;
if ( ok )
DEBUG ( 3 , ( " authorise_login: ACCEPTED: given username (%s) password ok \n " ,
user ) ) ;
}
/* check for a previously registered guest username */
if ( ! ok & & ( vuser ! = 0 ) & & vuser - > guest ) {
if ( user_ok ( vuser - > user . unix_name , snum ) & &
password_ok ( vuser - > user . unix_name , password , pwlen , NULL ) ) {
fstrcpy ( user , vuser - > user . unix_name ) ;
vuser - > guest = False ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: given password with registered user %s \n " , user ) ) ;
ok = True ;
}
}
/* now check the list of session users */
if ( ! ok ) {
char * auser ;
char * user_list = strdup ( session_users ) ;
if ( ! user_list )
return ( False ) ;
for ( auser = strtok ( user_list , LIST_SEP ) ; ! ok & & auser ;
auser = strtok ( NULL , LIST_SEP ) ) {
fstring user2 ;
fstrcpy ( user2 , auser ) ;
if ( ! user_ok ( user2 , snum ) )
continue ;
1998-05-22 03:59:04 +04:00
2001-06-22 04:57:59 +04:00
if ( password_ok ( user2 , password , pwlen , NULL ) ) {
ok = True ;
fstrcpy ( user , user2 ) ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: session list username (%s) \
and given password ok \ n " , user));
}
}
1998-05-22 03:59:04 +04:00
2001-06-22 04:57:59 +04:00
free ( user_list ) ;
}
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
/* check for a previously validated username/password pair */
if ( ! ok & & ( lp_security ( ) > SEC_SHARE ) & & ( vuser ! = 0 ) & & ! vuser - > guest & &
user_ok ( vuser - > user . unix_name , snum ) ) {
fstrcpy ( user , vuser - > user . unix_name ) ;
* guest = False ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: validated uid (%s) as non-guest \n " ,
user ) ) ;
ok = True ;
}
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
/* check for a rhosts entry */
if ( ! ok & & user_ok ( user , snum ) & & check_hosts_equiv ( user ) ) {
ok = True ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s \n " ,
user ) ) ;
}
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
/* check the user= fields and the given password */
if ( ! ok & & lp_username ( snum ) ) {
char * auser ;
pstring user_list ;
StrnCpy ( user_list , lp_username ( snum ) , sizeof ( pstring ) ) ;
pstring_sub ( user_list , " %S " , lp_servicename ( snum ) ) ;
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
for ( auser = strtok ( user_list , LIST_SEP ) ; auser & & ! ok ;
auser = strtok ( NULL , LIST_SEP ) ) {
if ( * auser = = ' @ ' ) {
auser = validate_group ( auser + 1 , password , pwlen , snum ) ;
if ( auser ) {
ok = True ;
fstrcpy ( user , auser ) ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: group username \
and given password ok ( % s ) \ n " , user)) ;
}
} else {
fstring user2 ;
fstrcpy ( user2 , auser ) ;
if ( user_ok ( user2 , snum ) & & password_ok ( user2 , password , pwlen , NULL ) ) {
ok = True ;
fstrcpy ( user , user2 ) ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: user list username \
and given password ok ( % s ) \ n " , user)) ;
}
}
}
}
} /* not guest only */
/* check for a normal guest connection */
if ( ! ok & & GUEST_OK ( snum ) ) {
fstring guestname ;
StrnCpy ( guestname , lp_guestaccount ( snum ) , sizeof ( guestname ) - 1 ) ;
if ( Get_Pwnam ( guestname , True ) ) {
fstrcpy ( user , guestname ) ;
ok = True ;
DEBUG ( 3 , ( " authorise_login: ACCEPTED: guest account and guest ok (%s) \n " ,
user ) ) ;
} else {
DEBUG ( 0 , ( " authorise_login: Invalid guest account %s?? \n " , guestname ) ) ;
}
* guest = True ;
1996-05-04 11:50:46 +04:00
}
2001-06-22 04:57:59 +04:00
if ( ok & & ! user_ok ( user , snum ) ) {
DEBUG ( 0 , ( " authorise_login: rejected invalid user %s \n " , user ) ) ;
ok = False ;
}
1996-05-04 11:50:46 +04:00
2001-06-22 04:57:59 +04:00
return ( ok ) ;
1996-05-04 11:50:46 +04:00
}
/****************************************************************************
2001-06-22 04:57:59 +04:00
Read the a hosts . equiv or . rhosts file and check if it
allows this user from this machine .
1996-05-04 11:50:46 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-06-22 04:57:59 +04:00
1996-05-04 11:50:46 +04:00
static BOOL check_user_equiv ( char * user , char * remote , char * equiv_file )
{
int plus_allowed = 1 ;
char * file_host ;
char * file_user ;
2001-07-04 11:15:53 +04:00
char * * lines = file_lines_load ( equiv_file , NULL ) ;
2000-04-16 15:17:19 +04:00
int i ;
1996-05-04 11:50:46 +04:00
DEBUG ( 5 , ( " check_user_equiv %s %s %s \n " , user , remote , equiv_file ) ) ;
2000-04-16 15:17:19 +04:00
if ( ! lines ) return False ;
for ( i = 0 ; lines [ i ] ; i + + ) {
char * buf = lines [ i ] ;
1996-05-04 11:50:46 +04:00
trim_string ( buf , " " , " " ) ;
if ( buf [ 0 ] ! = ' # ' & & buf [ 0 ] ! = ' \n ' )
{
BOOL is_group = False ;
int plus = 1 ;
char * bp = buf ;
if ( strcmp ( buf , " NO_PLUS \n " ) = = 0 )
{
DEBUG ( 6 , ( " check_user_equiv NO_PLUS \n " ) ) ;
plus_allowed = 0 ;
}
else {
if ( buf [ 0 ] = = ' + ' )
{
bp + + ;
if ( * bp = = ' \n ' & & plus_allowed )
{
/* a bare plus means everbody allowed */
DEBUG ( 6 , ( " check_user_equiv everybody allowed \n " ) ) ;
2000-04-16 15:17:19 +04:00
file_lines_free ( lines ) ;
1996-05-04 11:50:46 +04:00
return True ;
}
}
else if ( buf [ 0 ] = = ' - ' )
{
bp + + ;
plus = 0 ;
}
if ( * bp = = ' @ ' )
{
is_group = True ;
bp + + ;
}
file_host = strtok ( bp , " \t \n " ) ;
file_user = strtok ( NULL , " \t \n " ) ;
1997-07-18 00:11:58 +04:00
DEBUG ( 7 , ( " check_user_equiv %s %s \n " , file_host ? file_host : " (null) " ,
file_user ? file_user : " (null) " ) ) ;
1996-05-04 11:50:46 +04:00
if ( file_host & & * file_host )
{
BOOL host_ok = False ;
1998-08-15 05:19:26 +04:00
# if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
1996-05-04 11:50:46 +04:00
if ( is_group )
{
static char * mydomain = NULL ;
if ( ! mydomain )
yp_get_default_domain ( & mydomain ) ;
1996-05-04 14:45:50 +04:00
if ( mydomain & & innetgr ( file_host , remote , user , mydomain ) )
1996-05-04 11:50:46 +04:00
host_ok = True ;
}
# else
if ( is_group )
{
1998-07-29 07:08:05 +04:00
DEBUG ( 1 , ( " Netgroups not configured \n " ) ) ;
1996-05-04 11:50:46 +04:00
continue ;
}
# endif
/* is it this host */
/* the fact that remote has come from a call of gethostbyaddr
* means that it may have the fully qualified domain name
* so we could look up the file version to get it into
* a canonical form , but I would rather just type it
* in full in the equiv file
*/
if ( ! host_ok & & ! is_group & & strequal ( remote , file_host ) )
host_ok = True ;
if ( ! host_ok )
continue ;
/* is it this user */
if ( file_user = = 0 | | strequal ( user , file_user ) )
{
DEBUG ( 5 , ( " check_user_equiv matched %s%s %s \n " ,
( plus ? " + " : " - " ) , file_host ,
( file_user ? file_user : " " ) ) ) ;
2000-04-16 15:17:19 +04:00
file_lines_free ( lines ) ;
1996-05-04 11:50:46 +04:00
return ( plus ? True : False ) ;
}
}
}
}
}
2000-04-16 15:17:19 +04:00
file_lines_free ( lines ) ;
1996-05-04 11:50:46 +04:00
return False ;
}
/****************************************************************************
check for a possible hosts equiv or rhosts entry for the user
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL check_hosts_equiv ( char * user )
{
char * fname = NULL ;
pstring rhostsfile ;
1999-12-13 16:27:58 +03:00
struct passwd * pass = Get_Pwnam ( user , True ) ;
1996-05-04 11:50:46 +04:00
if ( ! pass )
1999-12-13 16:27:58 +03:00
return ( False ) ;
1996-05-04 11:50:46 +04:00
fname = lp_hosts_equiv ( ) ;
/* note: don't allow hosts.equiv on root */
1998-03-17 15:31:43 +03:00
if ( fname & & * fname & & ( pass - > pw_uid ! = 0 ) ) {
2000-04-11 17:55:53 +04:00
if ( check_user_equiv ( user , client_name ( ) , fname ) )
1998-03-17 15:31:43 +03:00
return ( True ) ;
}
1996-05-04 11:50:46 +04:00
if ( lp_use_rhosts ( ) )
{
1999-12-13 16:27:58 +03:00
char * home = get_user_home_dir ( user ) ;
1998-03-17 15:31:43 +03:00
if ( home ) {
1998-05-11 10:38:36 +04:00
slprintf ( rhostsfile , sizeof ( rhostsfile ) - 1 , " %s/.rhosts " , home ) ;
2000-04-11 17:55:53 +04:00
if ( check_user_equiv ( user , client_name ( ) , rhostsfile ) )
1998-03-17 15:31:43 +03:00
return ( True ) ;
}
1996-05-04 11:50:46 +04:00
}
1999-12-13 16:27:58 +03:00
return ( False ) ;
1996-05-04 11:50:46 +04:00
}
1997-11-10 22:23:17 +03:00
/****************************************************************************
1999-12-13 16:27:58 +03:00
Return the client state structure .
1997-11-10 22:23:17 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
1997-11-10 22:23:17 +03:00
struct cli_state * server_client ( void )
{
1998-10-06 20:25:24 +04:00
static struct cli_state pw_cli ;
1998-04-24 00:12:17 +04:00
return & pw_cli ;
1997-11-10 22:23:17 +03:00
}
/****************************************************************************
1999-12-13 16:27:58 +03:00
Support for server level security .
1997-11-10 22:23:17 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
1997-11-10 22:23:17 +03:00
struct cli_state * server_cryptkey ( void )
{
1999-12-13 16:27:58 +03:00
struct cli_state * cli ;
fstring desthost ;
struct in_addr dest_ip ;
2000-01-03 09:30:50 +03:00
char * p , * pserver ;
BOOL connected_ok = False ;
1999-12-13 16:27:58 +03:00
cli = server_client ( ) ;
if ( ! cli_initialise ( cli ) )
return NULL ;
2000-01-03 09:30:50 +03:00
pserver = strdup ( lp_passwordserver ( ) ) ;
p = pserver ;
while ( next_token ( & p , desthost , LIST_SEP , sizeof ( desthost ) ) ) {
1999-12-13 16:27:58 +03:00
standard_sub_basic ( desthost ) ;
strupper ( desthost ) ;
if ( ! resolve_name ( desthost , & dest_ip , 0x20 ) ) {
DEBUG ( 1 , ( " server_cryptkey: Can't resolve address for %s \n " , desthost ) ) ;
continue ;
}
if ( ismyip ( dest_ip ) ) {
DEBUG ( 1 , ( " Password server loop - disabling password server %s \n " , desthost ) ) ;
continue ;
}
if ( cli_connect ( cli , desthost , & dest_ip ) ) {
DEBUG ( 3 , ( " connected to password server %s \n " , desthost ) ) ;
connected_ok = True ;
break ;
}
}
2000-01-03 09:30:50 +03:00
free ( pserver ) ;
1999-12-13 16:27:58 +03:00
if ( ! connected_ok ) {
DEBUG ( 0 , ( " password server not available \n " ) ) ;
cli_shutdown ( cli ) ;
return NULL ;
1997-11-10 22:23:17 +03:00
}
1999-12-13 16:27:58 +03:00
if ( ! attempt_netbios_session_request ( cli , global_myname , desthost , & dest_ip ) )
return NULL ;
DEBUG ( 3 , ( " got session \n " ) ) ;
if ( ! cli_negprot ( cli ) ) {
DEBUG ( 1 , ( " %s rejected the negprot \n " , desthost ) ) ;
cli_shutdown ( cli ) ;
return NULL ;
}
if ( cli - > protocol < PROTOCOL_LANMAN2 | |
! ( cli - > sec_mode & 1 ) ) {
DEBUG ( 1 , ( " %s isn't in user level security mode \n " , desthost ) ) ;
cli_shutdown ( cli ) ;
return NULL ;
}
DEBUG ( 3 , ( " password server OK \n " ) ) ;
return cli ;
1997-11-10 22:23:17 +03:00
}
/****************************************************************************
1999-12-13 16:27:58 +03:00
Validate a password with the password server .
1997-11-10 22:23:17 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
1997-11-10 22:23:17 +03:00
BOOL server_validate ( char * user , char * domain ,
char * pass , int passlen ,
char * ntpass , int ntpasslen )
{
2001-05-07 00:56:14 +04:00
struct cli_state * cli ;
static unsigned char badpass [ 24 ] ;
static fstring baduser ;
static BOOL tested_password_server = False ;
static BOOL bad_password_server = False ;
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
cli = server_client ( ) ;
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
if ( ! cli - > initialised ) {
DEBUG ( 1 , ( " password server %s is not connected \n " , cli - > desthost ) ) ;
return ( False ) ;
}
1998-04-22 04:56:38 +04:00
2001-05-07 00:56:14 +04:00
if ( badpass [ 0 ] = = 0 )
memset ( badpass , 0x1f , sizeof ( badpass ) ) ;
1998-04-22 04:56:38 +04:00
2001-05-07 00:56:14 +04:00
if ( ( passlen = = sizeof ( badpass ) ) & & ! memcmp ( badpass , pass , passlen ) ) {
/*
* Very unlikely , our random bad password is the same as the users
* password .
*/
memset ( badpass , badpass [ 0 ] + 1 , sizeof ( badpass ) ) ;
}
1998-04-22 04:56:38 +04:00
2001-05-07 00:56:14 +04:00
if ( baduser [ 0 ] = = 0 ) {
fstrcpy ( baduser , INVALID_USER_PREFIX ) ;
fstrcat ( baduser , global_myname ) ;
}
/*
* Attempt a session setup with a totally incorrect password .
* If this succeeds with the guest bit * NOT * set then the password
* server is broken and is not correctly setting the guest bit . We
* need to detect this as some versions of NT4 . x are broken . JRA .
*/
if ( ! tested_password_server ) {
if ( cli_session_setup ( cli , baduser , ( char * ) badpass , sizeof ( badpass ) ,
( char * ) badpass , sizeof ( badpass ) , domain ) ) {
/*
* We connected to the password server so we
* can say we ' ve tested it .
*/
tested_password_server = True ;
if ( ( SVAL ( cli - > inbuf , smb_vwv2 ) & 1 ) = = 0 ) {
DEBUG ( 0 , ( " server_validate: password server %s allows users as non-guest \
1998-11-07 08:32:37 +03:00
with a bad password . \ n " , cli->desthost));
2001-05-07 00:56:14 +04:00
DEBUG ( 0 , ( " server_validate: This is broken (and insecure) behaviour. Please do not \
1998-11-07 08:32:37 +03:00
use this machine as the password server . \ n " ));
2001-05-07 00:56:14 +04:00
cli_ulogoff ( cli ) ;
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
/*
* Password server has the bug .
*/
bad_password_server = True ;
return False ;
}
cli_ulogoff ( cli ) ;
}
} else {
1998-02-07 15:15:20 +03:00
2001-05-07 00:56:14 +04:00
/*
* We have already tested the password server .
* Fail immediately if it has the bug .
*/
1998-05-05 23:24:32 +04:00
2001-05-07 00:56:14 +04:00
if ( bad_password_server ) {
DEBUG ( 0 , ( " server_validate: [1] password server %s allows users as non-guest \
1998-11-07 08:32:37 +03:00
with a bad password . \ n " , cli->desthost));
2001-05-07 00:56:14 +04:00
DEBUG ( 0 , ( " server_validate: [1] This is broken (and insecure) behaviour. Please do not \
1998-11-07 08:32:37 +03:00
use this machine as the password server . \ n " ));
2001-05-07 00:56:14 +04:00
return False ;
}
}
1998-05-05 23:24:32 +04:00
2001-05-07 00:56:14 +04:00
/*
* Now we know the password server will correctly set the guest bit , or is
* not guest enabled , we can try with the real password .
*/
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
if ( ! cli_session_setup ( cli , user , pass , passlen , ntpass , ntpasslen , domain ) ) {
DEBUG ( 1 , ( " password server %s rejected the password \n " , cli - > desthost ) ) ;
return False ;
}
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
/* if logged in as guest then reject */
if ( ( SVAL ( cli - > inbuf , smb_vwv2 ) & 1 ) ! = 0 ) {
DEBUG ( 1 , ( " password server %s gave us guest only \n " , cli - > desthost ) ) ;
cli_ulogoff ( cli ) ;
return ( False ) ;
}
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
cli_ulogoff ( cli ) ;
1997-11-10 22:23:17 +03:00
2001-05-07 00:56:14 +04:00
return ( True ) ;
1997-11-10 22:23:17 +03:00
}
1998-04-23 22:54:57 +04:00
1999-12-13 16:27:58 +03:00
/***********************************************************************
Connect to a remote machine for domain security authentication
given a name or IP address .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-01-25 05:59:13 +03:00
static BOOL connect_to_domain_password_server ( struct cli_state * pcli ,
2001-06-25 23:08:30 +04:00
char * server , unsigned char * trust_passwd )
1999-12-13 16:27:58 +03:00
{
struct in_addr dest_ip ;
2001-01-25 05:59:13 +03:00
fstring remote_machine ;
1999-12-13 16:27:58 +03:00
2001-06-14 04:08:42 +04:00
if ( cli_initialise ( pcli ) = = NULL ) {
1999-12-13 16:27:58 +03:00
DEBUG ( 0 , ( " connect_to_domain_password_server: unable to initialize client connection. \n " ) ) ;
return False ;
}
2001-01-25 05:59:13 +03:00
if ( is_ipaddress ( server ) ) {
struct in_addr to_ip ;
2001-02-08 21:41:01 +03:00
/* we shouldn't have 255.255.255.255 forthe IP address of
a password server anyways */
if ( ( to_ip . s_addr = inet_addr ( server ) ) = = 0xFFFFFFFF ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF! \n " , server ) ) ;
return False ;
}
2001-01-25 05:59:13 +03:00
2001-02-08 21:41:01 +03:00
if ( ! name_status_find ( 0x20 , to_ip , remote_machine ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: Can't "
2001-01-25 05:59:13 +03:00
" resolve name for IP %s \n " , server ) ) ;
return False ;
}
} else {
fstrcpy ( remote_machine , server ) ;
}
1999-12-13 16:27:58 +03:00
standard_sub_basic ( remote_machine ) ;
strupper ( remote_machine ) ;
if ( ! resolve_name ( remote_machine , & dest_ip , 0x20 ) ) {
DEBUG ( 1 , ( " connect_to_domain_password_server: Can't resolve address for %s \n " , remote_machine ) ) ;
cli_shutdown ( pcli ) ;
return False ;
}
if ( ismyip ( dest_ip ) ) {
DEBUG ( 1 , ( " connect_to_domain_password_server: Password server loop - not using password server %s \n " ,
remote_machine ) ) ;
cli_shutdown ( pcli ) ;
return False ;
}
if ( ! cli_connect ( pcli , remote_machine , & dest_ip ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: unable to connect to SMB server on \
machine % s . Error was : % s . \ n " , remote_machine, cli_errstr(pcli) ));
cli_shutdown ( pcli ) ;
return False ;
}
if ( ! attempt_netbios_session_request ( pcli , global_myname , remote_machine , & dest_ip ) ) {
DEBUG ( 0 , ( " connect_to_password_server: machine %s rejected the NetBIOS \
session request . Error was : % s . \ n " , remote_machine, cli_errstr(pcli) ));
return False ;
}
pcli - > protocol = PROTOCOL_NT1 ;
if ( ! cli_negprot ( pcli ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
Error was : % s . \ n " , remote_machine, cli_errstr(pcli) ));
cli_shutdown ( pcli ) ;
return False ;
}
if ( pcli - > protocol ! = PROTOCOL_NT1 ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: machine %s didn't negotiate NT protocol. \n " ,
remote_machine ) ) ;
cli_shutdown ( pcli ) ;
return False ;
}
/*
* Do an anonymous session setup .
*/
if ( ! cli_session_setup ( pcli , " " , " " , 0 , " " , 0 , " " ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: machine %s rejected the session setup. \
Error was : % s . \ n " , remote_machine, cli_errstr(pcli) ));
cli_shutdown ( pcli ) ;
return False ;
}
if ( ! ( pcli - > sec_mode & 1 ) ) {
DEBUG ( 1 , ( " connect_to_domain_password_server: machine %s isn't in user level security mode \n " ,
remote_machine ) ) ;
cli_shutdown ( pcli ) ;
return False ;
}
if ( ! cli_send_tconX ( pcli , " IPC$ " , " IPC " , " " , 1 ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
Error was : % s . \ n " , remote_machine, cli_errstr(pcli) ));
cli_shutdown ( pcli ) ;
return False ;
}
/*
* We now have an anonymous connection to IPC $ on the domain password server .
*/
/*
* Even if the connect succeeds we need to setup the netlogon
* pipe here . We do this as we may just have changed the domain
* account password on the PDC and yet we may be talking to
* a BDC that doesn ' t have this replicated yet . In this case
* a successful connect to a DC needs to take the netlogon connect
* into account also . This patch from " Bjart Kvarme " < bjart . kvarme @ usit . uio . no > .
*/
if ( cli_nt_session_open ( pcli , PIPE_NETLOGON ) = = False ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: unable to open the domain client session to \
machine % s . Error was : % s . \ n " , remote_machine, cli_errstr(pcli)));
cli_nt_session_close ( pcli ) ;
cli_ulogoff ( pcli ) ;
cli_shutdown ( pcli ) ;
return False ;
}
if ( cli_nt_setup_creds ( pcli , trust_passwd ) = = False ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: unable to setup the PDC credentials to machine \
% s . Error was : % s . \ n " , remote_machine, cli_errstr(pcli)));
cli_nt_session_close ( pcli ) ;
cli_ulogoff ( pcli ) ;
cli_shutdown ( pcli ) ;
return ( False ) ;
}
return True ;
}
/***********************************************************************
Utility function to attempt a connection to an IP address of a DC .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL attempt_connect_to_dc ( struct cli_state * pcli , struct in_addr * ip , unsigned char * trust_passwd )
{
fstring dc_name ;
/*
* Ignore addresses we have already tried .
*/
2000-01-03 09:30:50 +03:00
if ( ip_equal ( ipzero , * ip ) )
return False ;
1999-12-13 16:27:58 +03:00
2000-01-03 09:30:50 +03:00
if ( ! lookup_pdc_name ( global_myname , lp_workgroup ( ) , ip , dc_name ) )
return False ;
1999-12-13 16:27:58 +03:00
return connect_to_domain_password_server ( pcli , dc_name , trust_passwd ) ;
}
2000-01-03 09:30:50 +03:00
/***********************************************************************
We have been asked to dynamcially determine the IP addresses of
the PDC and BDC ' s for this DOMAIN , and query them in turn .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-12-20 02:57:48 +03:00
static BOOL find_connect_pdc ( struct cli_state * pcli , unsigned char * trust_passwd , time_t last_change_time )
2000-01-03 09:30:50 +03:00
{
struct in_addr * ip_list = NULL ;
int count = 0 ;
int i ;
BOOL connected_ok = False ;
2000-12-20 02:57:48 +03:00
time_t time_now = time ( NULL ) ;
BOOL use_pdc_only = False ;
2000-01-03 09:30:50 +03:00
2000-12-20 02:57:48 +03:00
/*
* If the time the machine password has changed
* was less than an hour ago then we need to contact
* the PDC only , as we cannot be sure domain replication
* has yet taken place . Bug found by Gerald ( way to go
* Gerald ! ) . JRA .
*/
if ( time_now - last_change_time < 3600 )
use_pdc_only = True ;
if ( ! get_dc_list ( use_pdc_only , lp_workgroup ( ) , & ip_list , & count ) )
2000-01-03 09:30:50 +03:00
return False ;
/*
* Firstly try and contact a PDC / BDC who has the same
* network address as any of our interfaces .
*/
for ( i = 0 ; i < count ; i + + ) {
if ( ! is_local_net ( ip_list [ i ] ) )
continue ;
if ( ( connected_ok = attempt_connect_to_dc ( pcli , & ip_list [ i ] , trust_passwd ) ) )
break ;
ip_list [ i ] = ipzero ; /* Tried and failed. */
}
/*
* Secondly try and contact a random PDC / BDC .
*/
if ( ! connected_ok ) {
i = ( sys_random ( ) % count ) ;
if ( ! ( connected_ok = attempt_connect_to_dc ( pcli , & ip_list [ i ] , trust_passwd ) ) )
ip_list [ i ] = ipzero ; /* Tried and failed. */
}
/*
* Finally go through the IP list in turn , ignoring any addresses
* we have already tried .
*/
if ( ! connected_ok ) {
/*
* Try and connect to any of the other IP addresses in the PDC / BDC list .
* Note that from a WINS server the # 1 IP address is the PDC .
*/
for ( i = 0 ; i < count ; i + + ) {
if ( ( connected_ok = attempt_connect_to_dc ( pcli , & ip_list [ i ] , trust_passwd ) ) )
break ;
}
}
if ( ip_list ! = NULL )
free ( ( char * ) ip_list ) ;
return connected_ok ;
}
1999-12-13 16:27:58 +03:00
/***********************************************************************
Do the same as security = server , but using NT Domain calls and a session
2001-05-17 10:08:49 +04:00
key from the machine password . If the server parameter is specified
use it , otherwise figure out a server from the ' password server ' param .
1999-12-13 16:27:58 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL domain_client_validate ( char * user , char * domain ,
char * smb_apasswd , int smb_apasslen ,
char * smb_ntpasswd , int smb_ntpasslen ,
2001-05-17 10:08:49 +04:00
BOOL * user_exists , char * server )
1999-12-13 16:27:58 +03:00
{
unsigned char local_challenge [ 8 ] ;
unsigned char local_lm_response [ 24 ] ;
2000-07-10 08:57:09 +04:00
unsigned char local_nt_response [ 24 ] ;
1999-12-13 16:27:58 +03:00
unsigned char trust_passwd [ 16 ] ;
fstring remote_machine ;
2000-01-03 09:30:50 +03:00
char * p , * pserver ;
1999-12-13 16:27:58 +03:00
NET_ID_INFO_CTR ctr ;
NET_USER_INFO_3 info3 ;
struct cli_state cli ;
uint32 smb_uid_low ;
BOOL connected_ok = False ;
2000-12-20 02:57:48 +03:00
time_t last_change_time ;
1999-12-13 16:27:58 +03:00
if ( user_exists ! = NULL )
* user_exists = True ; /* Only set false on a very specific error. */
/*
* Check that the requested domain is not our own machine name .
* If it is , we should never check the PDC here , we use our own local
* password file .
*/
if ( strequal ( domain , global_myname ) ) {
DEBUG ( 3 , ( " domain_client_validate: Requested domain was for this machine. \n " ) ) ;
return False ;
}
/*
* Next , check that the passwords given were encrypted .
*/
if ( ( ( smb_apasslen ! = 24 ) & & ( smb_apasslen ! = 0 ) ) | |
( ( smb_ntpasslen ! = 24 ) & & ( smb_ntpasslen ! = 0 ) ) ) {
/*
* Not encrypted - do so .
*/
2001-05-17 10:08:49 +04:00
DEBUG ( 5 , ( " domain_client_validate: User passwords not in encrypted format. \n " ) ) ;
1999-12-13 16:27:58 +03:00
generate_random_buffer ( local_challenge , 8 , False ) ;
SMBencrypt ( ( uchar * ) smb_apasswd , local_challenge , local_lm_response ) ;
2000-07-10 08:57:09 +04:00
SMBNTencrypt ( ( uchar * ) smb_ntpasswd , local_challenge , local_nt_response ) ;
1999-12-13 16:27:58 +03:00
smb_apasslen = 24 ;
smb_ntpasslen = 24 ;
smb_apasswd = ( char * ) local_lm_response ;
2000-07-10 08:57:09 +04:00
smb_ntpasswd = ( char * ) local_nt_response ;
1999-12-13 16:27:58 +03:00
} else {
/*
* Encrypted - get the challenge we sent for these
* responses .
*/
if ( ! last_challenge ( local_challenge ) ) {
DEBUG ( 0 , ( " domain_client_validate: no challenge done - password failed \n " ) ) ;
return False ;
}
}
/*
2000-05-12 09:07:26 +04:00
* Get the machine account password for our primary domain
1999-12-13 16:27:58 +03:00
*/
2001-06-25 23:08:30 +04:00
if ( ! secrets_fetch_trust_account_password ( global_myworkgroup , trust_passwd , & last_change_time ) )
1999-12-13 16:27:58 +03:00
{
2001-06-25 23:08:30 +04:00
DEBUG ( 0 , ( " domain_client_validate: could not fetch trust account password for domain %s \n " , global_myworkgroup ) ) ;
2000-12-06 06:22:44 +03:00
return False ;
1999-12-13 16:27:58 +03:00
}
/*
* At this point , smb_apasswd points to the lanman response to
* the challenge in local_challenge , and smb_ntpasswd points to
* the NT response to the challenge in local_challenge . Ship
* these over the secure channel to a domain controller and
* see if they were valid .
*/
ZERO_STRUCT ( cli ) ;
/*
* Treat each name in the ' password server = ' line as a potential
* PDC / BDC . Contact each in turn and try and authenticate .
*/
2001-05-17 10:08:49 +04:00
if ( server ) {
p = server ;
} else {
pserver = lp_passwordserver ( ) ;
if ( ! * pserver ) pserver = " * " ;
p = pserver ;
}
1999-12-13 16:27:58 +03:00
2000-01-03 09:30:50 +03:00
while ( ! connected_ok & &
next_token ( & p , remote_machine , LIST_SEP , sizeof ( remote_machine ) ) ) {
if ( strequal ( remote_machine , " * " ) ) {
2000-12-20 02:57:48 +03:00
connected_ok = find_connect_pdc ( & cli , trust_passwd , last_change_time ) ;
2000-01-03 09:30:50 +03:00
} else {
connected_ok = connect_to_domain_password_server ( & cli , remote_machine , trust_passwd ) ;
}
1999-12-13 16:27:58 +03:00
}
if ( ! connected_ok ) {
DEBUG ( 0 , ( " domain_client_validate: Domain password server not available. \n " ) ) ;
cli_shutdown ( & cli ) ;
return False ;
}
/* We really don't care what LUID we give the user. */
generate_random_buffer ( ( unsigned char * ) & smb_uid_low , 4 , False ) ;
2000-06-14 05:48:08 +04:00
ZERO_STRUCT ( info3 ) ;
1999-12-13 16:27:58 +03:00
if ( cli_nt_login_network ( & cli , domain , user , smb_uid_low , ( char * ) local_challenge ,
( ( smb_apasslen ! = 0 ) ? smb_apasswd : NULL ) ,
( ( smb_ntpasslen ! = 0 ) ? smb_ntpasswd : NULL ) ,
& ctr , & info3 ) = = False ) {
uint32 nt_rpc_err ;
cli_error ( & cli , NULL , NULL , & nt_rpc_err ) ;
DEBUG ( 0 , ( " domain_client_validate: unable to validate password for user %s in domain \
% s to Domain controller % s . Error was % s . \ n " , user, domain, remote_machine, cli_errstr(&cli)));
cli_nt_session_close ( & cli ) ;
cli_ulogoff ( & cli ) ;
cli_shutdown ( & cli ) ;
if ( ( nt_rpc_err = = NT_STATUS_NO_SUCH_USER ) & & ( user_exists ! = NULL ) )
* user_exists = False ;
return False ;
}
/*
* Here , if we really want it , we have lots of info about the user in info3 .
*/
#if 0
/*
* We don ' t actually need to do this - plus it fails currently with
* NT_STATUS_INVALID_INFO_CLASS - we need to know * exactly * what to
* send here . JRA .
*/
if ( cli_nt_logoff ( & cli , & ctr ) = = False ) {
DEBUG ( 0 , ( " domain_client_validate: unable to log off user %s in domain \
% s to Domain controller % s . Error was % s . \ n " , user, domain, remote_machine, cli_errstr(&cli)));
cli_nt_session_close ( & cli ) ;
cli_ulogoff ( & cli ) ;
cli_shutdown ( & cli ) ;
return False ;
}
# endif /* 0 */
2000-09-06 05:06:39 +04:00
/* Note - once the cli stream is shutdown the mem_ctx used
to allocate the other_sids and gids structures has been deleted - so
these pointers are no longer valid . . . . . */
1999-12-13 16:27:58 +03:00
cli_nt_session_close ( & cli ) ;
cli_ulogoff ( & cli ) ;
cli_shutdown ( & cli ) ;
return True ;
}