This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authentications pass the same standards. The
interface currently implemented is as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
/*
   Unix SMB/CIFS implementation.
   Authenticate against a remote domain
   Copyright (C) Andrew Tridgell 1992-1998
   Copyright (C) Andrew Bartlett 2001

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "auth.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/ndr_netlogon.h"
#include "rpc_client/cli_pipe.h"
#include "rpc_client/cli_netlogon.h"
#include "secrets.h"
#include "passdb.h"
#include "libsmb/libsmb.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH

extern bool global_machine_password_needs_changing;

static struct named_mutex *mutex;
/*
 * Change machine password (called from main loop
 * idle timeout). Must be done as root.
 */

void attempt_machine_password_change(void)
{
	unsigned char trust_passwd_hash[16];
	time_t lct;
	void *lock;

	if (!global_machine_password_needs_changing) {
		return;
	}

	if (lp_security() != SEC_DOMAIN) {
		return;
	}

	/*
	 * We're in domain level security, and the code that
	 * read the machine password flagged that the machine
	 * password needs changing.
	 */

	/*
	 * First, open the machine password file with an exclusive lock.
	 */

	lock = secrets_get_trust_account_lock(NULL, lp_workgroup());
	if (lock == NULL) {
		DEBUG(0, ("attempt_machine_password_change: unable to lock "
			  "the machine account password for machine %s in "
			  "domain %s.\n",
			  global_myname(), lp_workgroup()));
		return;
	}

	if (!secrets_fetch_trust_account_password(lp_workgroup(),
						  trust_passwd_hash, &lct, NULL)) {
		DEBUG(0, ("attempt_machine_password_change: unable to read the "
			  "machine account password for %s in domain %s.\n",
			  global_myname(), lp_workgroup()));
		TALLOC_FREE(lock);
		return;
	}

	/*
	 * Make sure someone else hasn't already done this.
	 */

	if (time(NULL) < lct + lp_machine_password_timeout()) {
		global_machine_password_needs_changing = false;
		TALLOC_FREE(lock);
		return;
	}

	/* always just contact the PDC here */

	change_trust_account_password(lp_workgroup(), NULL);
	global_machine_password_needs_changing = false;
	TALLOC_FREE(lock);
}
/**
 * Connect to a remote server for (inter)domain security authentication.
 *
 * @param cli the cli to return containing the active connection
 * @param server either a machine name or text IP address to
 *               connect to.
 * @param setup_creds_as domain account to setup credentials as
 * @param sec_chan a switch value to distinguish between domain
 *                 member and interdomain authentication
 * @param trust_passwd the trust password to establish the
 *                     credentials with.
 *
 **/

static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
						  const char *domain,
						  const char *dc_name,
						  struct sockaddr_storage *dc_ss,
						  struct rpc_pipe_client **pipe_ret)
{
	NTSTATUS result;
	struct rpc_pipe_client *netlogon_pipe = NULL;

	*cli = NULL;
	*pipe_ret = NULL;

	/* TODO: Send a SAMLOGON request to determine whether this is a valid
	   logonserver. We can avoid a 30-second timeout if the DC is down
	   if the SAMLOGON request fails as it is only over UDP. */

	/* we use a mutex to prevent two connections at once - when a
	   Win2k PDC get two connections where one hasn't completed a
	   session setup yet it will send a TCP reset to the first
	   connection (tridge) */

	/*
	 * With NT4.x DC's *all* authentication must be serialized to avoid
	 * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
	 */

	mutex = grab_named_mutex(NULL, dc_name, 10);
	if (mutex == NULL) {
		return NT_STATUS_NO_LOGON_SERVERS;
	}

	/* Attempt connection */
	result = cli_full_connection(cli, global_myname(), dc_name, dc_ss, 0,
				     "IPC$", "IPC", "", "", "", 0, Undefined);

	if (!NT_STATUS_IS_OK(result)) {
		/* map to something more useful */
		if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
			result = NT_STATUS_NO_LOGON_SERVERS;
		}

		if (*cli) {
			cli_shutdown(*cli);
			*cli = NULL;
		}

		TALLOC_FREE(mutex);
		return result;
	}

	/*
	 * We now have an anonymous connection to IPC$ on the domain password server.
	 */

	/*
	 * Even if the connect succeeds we need to setup the netlogon
	 * pipe here. We do this as we may just have changed the domain
	 * account password on the PDC and yet we may be talking to
	 * a BDC that doesn't have this replicated yet. In this case
	 * a successful connect to a DC needs to take the netlogon connect
	 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
	 */

	/* open the netlogon pipe. */
	if (lp_client_schannel()) {
		/* We also setup the creds chain in the open_schannel call. */
		result = cli_rpc_pipe_open_schannel(
			*cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
			DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
	} else {
		result = cli_rpc_pipe_open_noauth(
			*cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
	}

	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(0, ("connect_to_domain_password_server: unable to open "
			  "the domain client session to machine %s. "
			  "Error was: %s.\n", dc_name, nt_errstr(result)));
		cli_shutdown(*cli);
		*cli = NULL;
		TALLOC_FREE(mutex);
		return result;
	}

	if (!lp_client_schannel()) {
		/* We need to set up a creds chain on an unauthenticated netlogon pipe. */
		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
		enum netr_SchannelType sec_chan_type = 0;
		unsigned char machine_pwd[16];
		const char *account_name;

		if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
				       &sec_chan_type)) {
			DEBUG(0, ("connect_to_domain_password_server: could not fetch "
				  "trust account password for domain '%s'\n",
				  domain));
			cli_shutdown(*cli);
			*cli = NULL;
			TALLOC_FREE(mutex);
			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
		}

		result = rpccli_netlogon_setup_creds(netlogon_pipe,
						     dc_name,         /* server name */
						     domain,          /* domain */
						     global_myname(), /* client name */
						     account_name,    /* machine account name */
						     machine_pwd,
						     sec_chan_type,
						     &neg_flags);

		if (!NT_STATUS_IS_OK(result)) {
			cli_shutdown(*cli);
			*cli = NULL;
			TALLOC_FREE(mutex);
			return result;
		}
	}

	if (!netlogon_pipe) {
		DEBUG(0, ("connect_to_domain_password_server: unable to open "
			  "the domain client session to machine %s. "
			  "Error was: %s.\n", dc_name, cli_errstr(*cli)));
		cli_shutdown(*cli);
		*cli = NULL;
		TALLOC_FREE(mutex);
		return NT_STATUS_NO_LOGON_SERVERS;
	}

	/* We exit here with the mutex *locked*. JRA */

	*pipe_ret = netlogon_pipe;

	return NT_STATUS_OK;
}
/***********************************************************************
 Do the same as security=server, but using NT Domain calls and a session
 key from the machine password. If the server parameter is specified
 use it, otherwise figure out a server from the 'password server' param.
************************************************************************/

static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
				       const struct auth_usersupplied_info *user_info,
				       const char *domain,
				       uchar chal[8],
				       struct auth_serversupplied_info **server_info,
				       const char *dc_name,
				       struct sockaddr_storage *dc_ss)
{
	struct netr_SamInfo3 *info3 = NULL;
	struct cli_state *cli = NULL;
	struct rpc_pipe_client *netlogon_pipe = NULL;
	NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
	int i;

	/*
	 * At this point, smb_apasswd points to the lanman response to
	 * the challenge in local_challenge, and smb_ntpasswd points to
	 * the NT response to the challenge in local_challenge. Ship
	 * these over the secure channel to a domain controller and
	 * see if they were valid.
	 */

	/* retry loop for robustness */

	for (i = 0; !NT_STATUS_IS_OK(nt_status) && (i < 3); i++) {
		nt_status = connect_to_domain_password_server(&cli,
							      domain,
							      dc_name,
							      dc_ss,
							      &netlogon_pipe);
	}

	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("domain_client_validate: Domain password server not available.\n"));
		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
			return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
		}
		return nt_status;
	}

	/* store a successful connection */
	saf_store(domain, cli->desthost);

	/*
	 * If this call succeeds, we now have lots of info about the user
	 * in the info3 structure.
	 */

	nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
						      mem_ctx,
						      user_info->logon_parameters,         /* flags such as 'allow workstation logon' */
						      dc_name,                             /* server name */
						      user_info->client.account_name,      /* user name logging on. */
						      user_info->client.domain_name,       /* domain name */
						      user_info->workstation_name,         /* workstation name */
						      chal,                                /* 8 byte challenge. */
						      3,                                   /* validation level */
						      user_info->password.response.lanman, /* lanman 24 byte response */
						      user_info->password.response.nt,     /* nt 24 byte response */
						      &info3);                             /* info3 out */

	/* Let go as soon as possible so we avoid any potential deadlocks
	   with winbind lookup up users or groups. */

	TALLOC_FREE(mutex);
Here's the code to make winbindd work on a Samba DC
to handle domain trusts. Jeremy and I talked about this
and it's going in as working code. It keeps winbind clean
and solves the trust problem with minimal changes.
To summarize, there are 2 basic cases where the deadlock would
occur. (1) looking up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.
o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
the username includes the 'winbind separator'.
o Case #2 is handled by adding checks in winbindd to return failure
if we are a DC and the domain matches our own.
This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain'). The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
accounts in the trusted domains.
Other misc fixes:
* we need to fix check_ntlm_password() to be able to determine
if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
etc...). I worked around my specific situation, but this needs to be
fixed. the winbindd auth module was causing delays.
* fix named server mutex deadlock between trust domain auth module
and winbindd looking up a uid
* make sure SAM_ACCOUNT gets stored in the server_info struct for the
_net_sam_logon() reply.
Configuration details:
The recommended method for supporting trusts is to use winbind.
This gets us around some of the server mutex issues as well.
* set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
* create domain trusts like normal
* join winbind on the pdc to the Samba domain using 'net rpc join'
* add normal parameters to smb.conf for winbind
* set 'auth method = guest sam winbind'
* start smbd, nmbd, & winbindd
Problems that remain:
* join a Windows 2k/XP box to a Samba domain.
* create a 2-way trust between the Samba domain
and an NT domain
* logon to the windows client as a user from the trusted
domain
* try to browse server in the trusted domain (or other
workstations). an NT client seems to work ok, but 2k
and XP either prompt for passwords or fail with errors.
apparently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-29 07:39:50 +04:00
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("domain_client_validate: unable to validate password "
			  "for user %s in domain %s to Domain controller %s. "
			  "Error was %s.\n", user_info->client.account_name,
			  user_info->client.domain_name, dc_name,
			  nt_errstr(nt_status)));

		/* map to something more useful */
		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
			nt_status = NT_STATUS_NO_LOGON_SERVERS;
		}
	} else {
		nt_status = make_server_info_info3(mem_ctx,
						   user_info->client.account_name,
						   domain,
						   server_info,
						   info3);

		if (NT_STATUS_IS_OK(nt_status)) {
			(*server_info)->nss_token |= user_info->was_mapped;
			netsamlogon_cache_store(user_info->client.account_name, info3);
			TALLOC_FREE(info3);
		}
	}

	/* Note - once the cli stream is shutdown the mem_ctx used
	   to allocate the other_sids and gids structures has been deleted - so
	   these pointers are no longer valid..... */

	cli_shutdown(cli);
	return nt_status;
}
/****************************************************************************
 Check for a valid username and password in security=domain mode.
****************************************************************************/
static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
					void *my_private_data,
					TALLOC_CTX *mem_ctx,
					const struct auth_usersupplied_info *user_info,
					struct auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
	const char *domain = lp_workgroup();
	fstring dc_name;
	struct sockaddr_storage dc_ss;

This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
	if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
		DEBUG(0,("check_ntdomain_security: Configuration error!  Cannot use "
			 "ntdomain auth method when not a member of a domain.\n"));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	if (!user_info || !server_info || !auth_context) {
		DEBUG(1,("check_ntdomain_security: Critical variables not present.  Failing.\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));

	/*
	 * Check that the requested domain is not our own machine name.
	 * If it is, we should never check the PDC here, we use our own local
	 * password file.
	 */

	if (strequal(get_global_sam_name(), user_info->mapped.domain_name)) {
		DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* we need our DC to send the net_sam_logon() request to */

	if (!get_dc_name(domain, NULL, dc_name, &dc_ss)) {
		DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n",
			 user_info->mapped.domain_name));
		return NT_STATUS_NO_LOGON_SERVERS;
	}

	nt_status = domain_client_validate(mem_ctx,
					   user_info,
					   domain,
					   (uchar *)auth_context->challenge.data,
					   server_info,
					   dc_name,
					   &dc_ss);
	return nt_status;
}
This is another rather major change to the samba authentication
subsystem.
The particular aim is to modularize the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
/* module initialisation */
static NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
	struct auth_methods *result;

	result = TALLOC_ZERO_P(auth_context, struct auth_methods);
	if (result == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	result->name = "ntdomain";
	result->auth = check_ntdomain_security;
	*auth_method = result;
	return NT_STATUS_OK;
}
/****************************************************************************
 Check for a valid username and password in a trusted domain
****************************************************************************/

static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context,
					   void *my_private_data,
					   TALLOC_CTX *mem_ctx,
					   const struct auth_usersupplied_info *user_info,
					   struct auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
	unsigned char trust_md4_password[16];
	char *trust_password;
	fstring dc_name;
	struct sockaddr_storage dc_ss;

	if (!user_info || !server_info || !auth_context) {
		DEBUG(1,("check_trustdomain_security: Critical variables not present.  Failing.\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));

	/*
	 * Check that the requested domain is not our own machine name or domain name.
	 */

	if (strequal(get_global_sam_name(), user_info->mapped.domain_name)) {
		DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n",
			 user_info->mapped.domain_name));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* No point in bothering if this is not a trusted domain.
	   This return makes "map to guest = bad user" work again.
	   The logic is that if we know nothing about the domain, that
	   user is not known to us and does not exist */

	if (!is_trusted_domain(user_info->mapped.domain_name))
		return NT_STATUS_NOT_IMPLEMENTED;

	/*
	 * Get the trusted account password for the trusted domain
	 * No need to become_root() as secrets_init() is done at startup.
	 */

	if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
				   NULL, NULL)) {
		DEBUG(0, ("check_trustdomain_security: could not fetch trust "
			  "account password for domain %s\n",
			  user_info->mapped.domain_name));
		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
	}

#ifdef DEBUG_PASSWORD
	DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
		    trust_password));
#endif
	E_md4hash(trust_password, trust_md4_password);
	SAFE_FREE(trust_password);

#if 0
	/* Test if machine password is expired and need to be changed */
	if (time(NULL) > last_change_time + (time_t)lp_machine_password_timeout())
	{
		global_machine_password_needs_changing = True;
	}
#endif

	/* use get_dc_name() for consistency even though we know that it will be
	   a netbios name */

	if (!get_dc_name(user_info->mapped.domain_name, NULL, dc_name, &dc_ss)) {
		DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
			 user_info->mapped.domain_name));
		return NT_STATUS_NO_LOGON_SERVERS;
	}

	nt_status = domain_client_validate(mem_ctx,
					   user_info,
					   user_info->mapped.domain_name,
					   (uchar *)auth_context->challenge.data,
					   server_info,
					   dc_name,
					   &dc_ss);

	return nt_status;
}

/* module initialisation */
static NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
	struct auth_methods *result;

	result = TALLOC_ZERO_P(auth_context, struct auth_methods);
	if (result == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	result->name = "trustdomain";
	result->auth = check_trustdomain_security;

	*auth_method = result;
	return NT_STATUS_OK;
}

NTSTATUS auth_domain_init(void)
{
	smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
	smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
	return NT_STATUS_OK;
}
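Added example, not code from this file or from Samba: a small self-contained C model of the 'auth methods' chain that the commit message above describes, with stand-ins for the sam, trustdomain and ntdomain methods. The trustdomain and ntdomain stand-ins reproduce the early returns visible in check_trustdomain_security() and check_ntdomain_security(): a request for our own machine name is declined with a "not implemented" status so that the local password file handles it, and a request for a domain we do not trust is declined so that the user counts as unknown. The dispatcher run_auth_chain(), all MODEL_* names and values, the credentials_ok field and the way the modelled DC answers are assumptions made for this example, not Samba's auth.c behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model statuses standing in for the NTSTATUS codes used in auth_domain.c. */
typedef enum {
	ST_OK,              /* NT_STATUS_OK: authenticated */
	ST_NOT_IMPLEMENTED, /* NT_STATUS_NOT_IMPLEMENTED: method declines, request is not for it */
	ST_LOGON_FAILURE    /* NT_STATUS_LOGON_FAILURE: authoritative reject */
} model_status;

/* Constructed stand-ins for get_global_sam_name(), lp_workgroup() and is_trusted_domain(). */
static const char *const MODEL_SAM_NAME = "MYHOST";
static const char *const MODEL_WORKGROUP = "EXAMPLE";
static const char *const MODEL_TRUSTED[] = { "PARTNER", NULL };

struct model_user_info {
	const char *domain_name;  /* like user_info->mapped.domain_name */
	const char *account_name; /* like user_info->mapped.account_name */
	bool credentials_ok;      /* constructed: the verdict the passdb or DC would give */
};

/* Same shape as the page's auth_methods: a name plus a check function. */
struct model_auth_method {
	const char *name;
	model_status (*auth)(const struct model_user_info *u);
};

static bool model_is_trusted_domain(const char *name)
{
	for (const char *const *d = MODEL_TRUSTED; *d != NULL; d++) {
		if (strcmp(*d, name) == 0)
			return true;
	}
	return false;
}

/* 'sam': the local passdb; it answers only for this machine's own SAM name. */
static model_status check_sam(const struct model_user_info *u)
{
	if (strcmp(u->domain_name, MODEL_SAM_NAME) != 0)
		return ST_NOT_IMPLEMENTED;
	return u->credentials_ok ? ST_OK : ST_LOGON_FAILURE;
}

/* 'trustdomain': the two early returns of check_trustdomain_security(), then the DC. */
static model_status check_trustdomain(const struct model_user_info *u)
{
	if (strcmp(u->domain_name, MODEL_SAM_NAME) == 0)
		return ST_NOT_IMPLEMENTED; /* our own machine: local password file, never a DC */
	if (!model_is_trusted_domain(u->domain_name))
		return ST_NOT_IMPLEMENTED; /* unknown domain: that user does not exist for us */
	return u->credentials_ok ? ST_OK : ST_LOGON_FAILURE;
}

/* 'ntdomain': declines only for our own machine name; everything else goes to the
 * workgroup DC, modelled here (constructed) as rejecting accounts of other domains. */
static model_status check_ntdomain(const struct model_user_info *u)
{
	if (strcmp(u->domain_name, MODEL_SAM_NAME) == 0)
		return ST_NOT_IMPLEMENTED;
	if (strcmp(u->domain_name, MODEL_WORKGROUP) != 0)
		return ST_LOGON_FAILURE;
	return u->credentials_ok ? ST_OK : ST_LOGON_FAILURE;
}

/* Assumed dispatcher (a model, not Samba's auth.c): skip a method that declines, stop at
 * the first authoritative answer, report "nobody knows this user" if every method declined. */
static model_status run_auth_chain(const struct model_auth_method *chain, size_t n,
				   const struct model_user_info *u, const char **decided_by)
{
	*decided_by = NULL;
	for (size_t i = 0; i < n; i++) {
		model_status st = chain[i].auth(u);
		if (st == ST_NOT_IMPLEMENTED)
			continue;
		*decided_by = chain[i].name;
		return st;
	}
	return ST_NOT_IMPLEMENTED;
}

/* trustdomain is listed before ntdomain because ntdomain forwards every request
 * that is not for our own machine name to our workgroup's DC. */
static const struct model_auth_method MODEL_CHAIN[] = {
	{ "sam",         check_sam },
	{ "trustdomain", check_trustdomain },
	{ "ntdomain",    check_ntdomain },
};
#define MODEL_CHAIN_LEN (sizeof(MODEL_CHAIN) / sizeof(MODEL_CHAIN[0]))

int main(void)
{
	struct model_user_info u = { "PARTNER", "bob", true }; /* constructed request */
	const char *by;
	model_status st = run_auth_chain(MODEL_CHAIN, MODEL_CHAIN_LEN, &u, &by);
	printf("PARTNER\\bob -> status %d decided by %s\n", (int)st, by ? by : "(nobody)");
	return 0;
}
```

In this model a method that declines returns ST_NOT_IMPLEMENTED and the chain moves on, while ST_LOGON_FAILURE is authoritative and stops it. Keeping those two outcomes apart is what lets "we know nothing about this domain" be told apart from "wrong password", which is the point the comment above is_trusted_domain() makes about "map to guest = bad user".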