This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
/*
Unix SMB / Netbios implementation .
2001-11-26 04:37:01 +03:00
Version 3.0 .
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
Authenticate against a remote domain
Copyright ( C ) Andrew Tridgell 1992 - 1998
Copyright ( C ) Andrew Bartlett 2001
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
BOOL global_machine_password_needs_changing = False ;
2001-11-26 04:37:01 +03:00
extern pstring global_myname ;
2001-12-06 16:09:15 +03:00
extern userdom_struct current_user_info ;
2001-11-26 04:37:01 +03:00
2002-01-01 06:10:32 +03:00
/**
* Connect to a remote server for domain security authenticaion .
*
* @ param cli the cli to return containing the active connection
* @ param server either a machine name or text IP address to
* connect to .
* @ param trust_password the trust password to establish the
* credentials with .
*
* */
static NTSTATUS connect_to_domain_password_server ( struct cli_state * * cli ,
char * server , unsigned char * trust_passwd )
2001-11-26 04:37:01 +03:00
{
struct in_addr dest_ip ;
fstring remote_machine ;
NTSTATUS result ;
if ( is_ipaddress ( server ) ) {
struct in_addr to_ip ;
/* we shouldn't have 255.255.255.255 forthe IP address of
a password server anyways */
if ( ( to_ip . s_addr = inet_addr ( server ) ) = = 0xFFFFFFFF ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF! \n " , server ) ) ;
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
}
if ( ! name_status_find ( " * " , 0x20 , 0x20 , to_ip , remote_machine ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: Can't "
" resolve name for IP %s \n " , server ) ) ;
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
}
} else {
fstrcpy ( remote_machine , server ) ;
}
2001-12-06 16:09:15 +03:00
standard_sub_basic ( current_user_info . smb_name , remote_machine ) ;
2001-11-26 04:37:01 +03:00
strupper ( remote_machine ) ;
if ( ! resolve_name ( remote_machine , & dest_ip , 0x20 ) ) {
DEBUG ( 1 , ( " connect_to_domain_password_server: Can't resolve address for %s \n " , remote_machine ) ) ;
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
}
if ( ismyip ( dest_ip ) ) {
DEBUG ( 1 , ( " connect_to_domain_password_server: Password server loop - not using password server %s \n " ,
remote_machine ) ) ;
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
}
2002-01-01 06:10:32 +03:00
result = cli_full_connection ( cli , global_myname , server ,
& dest_ip , 0 , " IPC$ " , " IPC " , " " , " " , " " , 0 ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
return result ;
2001-11-26 04:37:01 +03:00
}
/*
* We now have an anonymous connection to IPC $ on the domain password server .
*/
/*
* Even if the connect succeeds we need to setup the netlogon
* pipe here . We do this as we may just have changed the domain
* account password on the PDC and yet we may be talking to
* a BDC that doesn ' t have this replicated yet . In this case
* a successful connect to a DC needs to take the netlogon connect
* into account also . This patch from " Bjart Kvarme " < bjart . kvarme @ usit . uio . no > .
*/
2002-01-01 06:10:32 +03:00
if ( cli_nt_session_open ( * cli , PIPE_NETLOGON ) = = False ) {
2001-11-26 04:37:01 +03:00
DEBUG ( 0 , ( " connect_to_domain_password_server: unable to open the domain client session to \
2002-01-01 06:10:32 +03:00
machine % s . Error was : % s . \ n " , remote_machine, cli_errstr(*cli)));
cli_nt_session_close ( * cli ) ;
cli_ulogoff ( * cli ) ;
cli_shutdown ( * cli ) ;
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
}
2002-01-01 06:10:32 +03:00
result = new_cli_nt_setup_creds ( * cli , trust_passwd ) ;
2001-11-26 04:37:01 +03:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " connect_to_domain_password_server: unable to setup the PDC credentials to machine \
% s . Error was : % s . \ n " , remote_machine, get_nt_error_msg(result)));
2002-01-01 06:10:32 +03:00
cli_nt_session_close ( * cli ) ;
cli_ulogoff ( * cli ) ;
cli_shutdown ( * cli ) ;
return result ;
2001-11-26 04:37:01 +03:00
}
2002-01-01 06:10:32 +03:00
return NT_STATUS_OK ;
2001-11-26 04:37:01 +03:00
}
/***********************************************************************
Utility function to attempt a connection to an IP address of a DC .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-01-05 07:55:41 +03:00
static NTSTATUS attempt_connect_to_dc ( struct cli_state * * cli ,
const char * domain ,
struct in_addr * ip ,
unsigned char * trust_passwd )
2001-11-26 04:37:01 +03:00
{
fstring dc_name ;
/*
* Ignore addresses we have already tried .
*/
2001-11-26 06:11:44 +03:00
if ( is_zero_ip ( * ip ) )
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
2002-01-05 07:55:41 +03:00
if ( ! lookup_dc_name ( global_myname , domain , ip , dc_name ) )
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
2002-01-01 06:10:32 +03:00
return connect_to_domain_password_server ( cli , dc_name , trust_passwd ) ;
2001-11-26 04:37:01 +03:00
}
/***********************************************************************
We have been asked to dynamcially determine the IP addresses of
2002-01-05 07:55:41 +03:00
the PDC and BDC ' s for DOMAIN , and query them in turn .
2001-11-26 04:37:01 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-01-01 06:10:32 +03:00
static NTSTATUS find_connect_pdc ( struct cli_state * * cli ,
2002-01-05 07:55:41 +03:00
const char * domain ,
unsigned char * trust_passwd ,
time_t last_change_time )
2001-11-26 04:37:01 +03:00
{
struct in_addr * ip_list = NULL ;
int count = 0 ;
int i ;
2002-01-01 06:10:32 +03:00
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
time_t time_now = time ( NULL ) ;
BOOL use_pdc_only = False ;
/*
* If the time the machine password has changed
* was less than an hour ago then we need to contact
* the PDC only , as we cannot be sure domain replication
* has yet taken place . Bug found by Gerald ( way to go
* Gerald ! ) . JRA .
*/
if ( time_now - last_change_time < 3600 )
use_pdc_only = True ;
2002-01-05 07:55:41 +03:00
if ( ! get_dc_list ( use_pdc_only , domain , & ip_list , & count ) )
2002-01-01 06:10:32 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2001-11-26 04:37:01 +03:00
/*
* Firstly try and contact a PDC / BDC who has the same
* network address as any of our interfaces .
*/
for ( i = 0 ; i < count ; i + + ) {
if ( ! is_local_net ( ip_list [ i ] ) )
continue ;
2002-01-05 07:55:41 +03:00
if ( NT_STATUS_IS_OK ( nt_status =
attempt_connect_to_dc ( cli , domain ,
& ip_list [ i ] , trust_passwd ) ) )
2001-11-26 04:37:01 +03:00
break ;
2001-11-26 06:11:44 +03:00
zero_ip ( & ip_list [ i ] ) ; /* Tried and failed. */
2001-11-26 04:37:01 +03:00
}
/*
* Secondly try and contact a random PDC / BDC .
*/
2002-01-01 06:10:32 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2001-11-26 04:37:01 +03:00
i = ( sys_random ( ) % count ) ;
2002-01-05 07:55:41 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status =
attempt_connect_to_dc ( cli , domain ,
& ip_list [ i ] , trust_passwd ) ) )
2001-11-26 06:11:44 +03:00
zero_ip ( & ip_list [ i ] ) ; /* Tried and failed. */
2001-11-26 04:37:01 +03:00
}
/*
* Finally go through the IP list in turn , ignoring any addresses
* we have already tried .
*/
2002-01-01 06:10:32 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2001-11-26 04:37:01 +03:00
/*
* Try and connect to any of the other IP addresses in the PDC / BDC list .
* Note that from a WINS server the # 1 IP address is the PDC .
*/
for ( i = 0 ; i < count ; i + + ) {
2002-01-05 07:55:41 +03:00
if ( NT_STATUS_IS_OK ( nt_status =
attempt_connect_to_dc ( cli , domain ,
& ip_list [ i ] , trust_passwd ) ) )
2001-11-26 04:37:01 +03:00
break ;
}
}
SAFE_FREE ( ip_list ) ;
2002-01-01 06:10:32 +03:00
return nt_status ;
2001-11-26 04:37:01 +03:00
}
/***********************************************************************
Do the same as security = server , but using NT Domain calls and a session
key from the machine password . If the server parameter is specified
use it , otherwise figure out a server from the ' password server ' param .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-01-01 06:10:32 +03:00
static NTSTATUS domain_client_validate ( TALLOC_CTX * mem_ctx ,
const auth_usersupplied_info * user_info ,
2002-01-05 07:55:41 +03:00
const char * domain ,
2001-11-26 04:37:01 +03:00
uchar chal [ 8 ] ,
auth_serversupplied_info * * server_info ,
char * server , unsigned char * trust_passwd ,
time_t last_change_time )
{
fstring remote_machine ;
NET_USER_INFO_3 info3 ;
2002-01-01 06:10:32 +03:00
struct cli_state * cli ;
NTSTATUS nt_status ;
2001-11-26 04:37:01 +03:00
struct passwd * pass ;
/*
* At this point , smb_apasswd points to the lanman response to
* the challenge in local_challenge , and smb_ntpasswd points to
* the NT response to the challenge in local_challenge . Ship
* these over the secure channel to a domain controller and
* see if they were valid .
*/
2002-01-01 06:10:32 +03:00
while ( ! NT_STATUS_IS_OK ( nt_status ) & &
2001-11-26 04:37:01 +03:00
next_token ( & server , remote_machine , LIST_SEP , sizeof ( remote_machine ) ) ) {
if ( strequal ( remote_machine , " * " ) ) {
2002-01-05 07:55:41 +03:00
nt_status = find_connect_pdc ( & cli , domain , trust_passwd , last_change_time ) ;
2001-11-26 04:37:01 +03:00
} else {
2002-01-01 06:10:32 +03:00
nt_status = connect_to_domain_password_server ( & cli , remote_machine , trust_passwd ) ;
2001-11-26 04:37:01 +03:00
}
}
2002-01-01 06:10:32 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2001-11-26 04:37:01 +03:00
DEBUG ( 0 , ( " domain_client_validate: Domain password server not available. \n " ) ) ;
2002-01-01 06:10:32 +03:00
cli_shutdown ( cli ) ;
return nt_status ;
2001-11-26 04:37:01 +03:00
}
ZERO_STRUCT ( info3 ) ;
/*
* If this call succeeds , we now have lots of info about the user
* in the info3 structure .
*/
2002-01-01 06:10:32 +03:00
nt_status = cli_netlogon_sam_network_logon ( cli , mem_ctx ,
user_info - > internal_username . str , user_info - > domain . str ,
user_info - > wksta_name . str , chal ,
user_info - > lm_resp , user_info - > nt_resp ,
& info3 ) ;
2001-11-26 04:37:01 +03:00
2002-01-01 06:10:32 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2001-11-26 04:37:01 +03:00
DEBUG ( 0 , ( " domain_client_validate: unable to validate password "
" for user %s in domain %s to Domain controller %s. "
" Error was %s. \n " , user_info - > smb_name . str ,
2002-01-01 06:10:32 +03:00
user_info - > domain . str , cli - > srv_name_slash ,
get_nt_error_msg ( nt_status ) ) ) ;
2001-11-26 04:37:01 +03:00
} else {
char * dom_user ;
/* Check DOMAIN\username first to catch winbind users, then
just the username for local users . */
2002-01-01 06:10:32 +03:00
dom_user = talloc_asprintf ( mem_ctx , " %s%s%s " , user_info - > domain . str ,
lp_winbind_separator ( ) ,
user_info - > internal_username . str ) ;
if ( ! dom_user ) {
DEBUG ( 0 , ( " talloc_asprintf failed! \n " ) ) ;
nt_status = NT_STATUS_NO_MEMORY ;
} else {
if ( ! ( pass = Get_Pwnam ( dom_user ) ) )
pass = Get_Pwnam ( user_info - > internal_username . str ) ;
if ( pass ) {
make_server_info_pw ( server_info , pass ) ;
if ( ! server_info ) {
nt_status = NT_STATUS_NO_MEMORY ;
}
} else {
nt_status = NT_STATUS_NO_SUCH_USER ;
2001-11-26 04:37:01 +03:00
}
}
}
/* Store the user group information in the server_info returned to the caller. */
2002-01-01 06:10:32 +03:00
if ( NT_STATUS_IS_OK ( nt_status ) & & ( info3 . num_groups2 ! = 0 ) ) {
2001-11-26 04:37:01 +03:00
DOM_SID domain_sid ;
int i ;
NT_USER_TOKEN * ptok ;
auth_serversupplied_info * pserver_info = * server_info ;
if ( ( pserver_info - > ptok = malloc ( sizeof ( NT_USER_TOKEN ) ) ) = = NULL ) {
DEBUG ( 0 , ( " domain_client_validate: out of memory allocating rid group membership \n " ) ) ;
2002-01-01 06:10:32 +03:00
nt_status = NT_STATUS_NO_MEMORY ;
2001-11-26 04:37:01 +03:00
free_server_info ( server_info ) ;
goto done ;
}
ptok = pserver_info - > ptok ;
ptok - > num_sids = ( size_t ) info3 . num_groups2 ;
if ( ( ptok - > user_sids = ( DOM_SID * ) malloc ( sizeof ( DOM_SID ) * ptok - > num_sids ) ) = = NULL ) {
DEBUG ( 0 , ( " domain_client_validate: Out of memory allocating group SIDS \n " ) ) ;
2002-01-01 06:10:32 +03:00
nt_status = NT_STATUS_NO_MEMORY ;
2001-11-26 04:37:01 +03:00
free_server_info ( server_info ) ;
goto done ;
}
if ( ! secrets_fetch_domain_sid ( lp_workgroup ( ) , & domain_sid ) ) {
DEBUG ( 0 , ( " domain_client_validate: unable to fetch domain sid. \n " ) ) ;
2002-01-01 06:10:32 +03:00
nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
2001-11-26 04:37:01 +03:00
free_server_info ( server_info ) ;
goto done ;
}
for ( i = 0 ; i < ptok - > num_sids ; i + + ) {
sid_copy ( & ptok - > user_sids [ i ] , & domain_sid ) ;
sid_append_rid ( & ptok - > user_sids [ i ] , info3 . gids [ i ] . g_rid ) ;
}
}
#if 0
/*
* We don ' t actually need to do this - plus it fails currently with
* NT_STATUS_INVALID_INFO_CLASS - we need to know * exactly * what to
* send here . JRA .
*/
if ( NT_STATUS_IS_OK ( status ) ) {
if ( cli_nt_logoff ( & cli , & ctr ) = = False ) {
DEBUG ( 0 , ( " domain_client_validate: unable to log off user %s in domain \
% s to Domain controller % s . Error was % s . \ n " , user, domain, remote_machine, cli_errstr(&cli)));
2002-01-01 06:10:32 +03:00
nt_status = NT_STATUS_LOGON_FAILURE ;
2001-11-26 04:37:01 +03:00
}
}
# endif /* 0 */
done :
/* Note - once the cli stream is shutdown the mem_ctx used
to allocate the other_sids and gids structures has been deleted - so
these pointers are no longer valid . . . . . */
2002-01-01 06:10:32 +03:00
cli_nt_session_close ( cli ) ;
cli_ulogoff ( cli ) ;
cli_shutdown ( cli ) ;
return nt_status ;
2001-11-26 04:37:01 +03:00
}
2001-08-12 15:19:57 +04:00
/****************************************************************************
Check for a valid username and password in security = domain mode .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
2002-01-05 07:55:41 +03:00
static NTSTATUS check_ntdomain_security ( const struct auth_context * auth_context ,
void * my_private_data ,
2002-01-01 06:10:32 +03:00
TALLOC_CTX * mem_ctx ,
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
const auth_usersupplied_info * user_info ,
auth_serversupplied_info * * server_info )
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
{
2001-09-04 11:13:01 +04:00
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
char * p , * pserver ;
2001-08-12 15:19:57 +04:00
unsigned char trust_passwd [ 16 ] ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
time_t last_change_time ;
2002-01-05 07:55:41 +03:00
char * domain = lp_workgroup ( ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
2002-01-05 07:55:41 +03:00
if ( ! user_info | | ! server_info | | ! auth_context ) {
2001-11-26 09:47:04 +03:00
DEBUG ( 1 , ( " check_ntdomain_security: Critical variables not present. Failing. \n " ) ) ;
return NT_STATUS_LOGON_FAILURE ;
}
/*
* Check that the requested domain is not our own machine name .
* If it is , we should never check the PDC here , we use our own local
* password file .
*/
if ( is_netbios_alias_or_name ( user_info - > domain . str ) ) {
DEBUG ( 3 , ( " check_ntdomain_security: Requested domain was for this machine. \n " ) ) ;
return NT_STATUS_LOGON_FAILURE ;
}
2001-08-12 15:19:57 +04:00
become_root ( ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
/*
* Get the machine account password for our primary domain
*/
2001-08-12 15:19:57 +04:00
2002-01-05 07:55:41 +03:00
if ( ! secrets_fetch_trust_account_password ( domain , trust_passwd , & last_change_time ) )
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
{
2001-08-24 22:55:56 +04:00
DEBUG ( 0 , ( " check_domain_security: could not fetch trust account password for domain %s \n " , lp_workgroup ( ) ) ) ;
2001-08-12 15:19:57 +04:00
unbecome_root ( ) ;
2002-01-01 06:10:32 +03:00
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
}
2001-08-12 15:19:57 +04:00
unbecome_root ( ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
/* Test if machine password is expired and need to be changed */
if ( time ( NULL ) > last_change_time + lp_machine_password_timeout ( ) )
{
global_machine_password_needs_changing = True ;
}
/*
* Treat each name in the ' password server = ' line as a potential
* PDC / BDC . Contact each in turn and try and authenticate .
*/
2001-08-12 15:19:57 +04:00
pserver = lp_passwordserver ( ) ;
if ( ! * pserver ) pserver = " * " ;
p = pserver ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
2002-01-05 07:55:41 +03:00
nt_status = domain_client_validate ( mem_ctx , user_info , domain ,
( uchar * ) auth_context - > challenge . data ,
server_info ,
2001-08-12 15:19:57 +04:00
p , trust_passwd , last_change_time ) ;
2002-01-01 06:10:32 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
return nt_status ;
}
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
2002-01-05 07:55:41 +03:00
/* module initialisation */
BOOL auth_init_ntdomain ( struct auth_context * auth_context , auth_methods * * auth_method )
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
{
2002-01-05 07:55:41 +03:00
if ( ! make_auth_methods ( auth_context , auth_method ) ) {
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
return False ;
}
( * auth_method ) - > auth = check_ntdomain_security ;
return True ;
}
2002-01-05 07:55:41 +03:00