2001-02-27 03:32:11 +03:00
/*
* Unix SMB / Netbios implementation .
* Version 1.9 .
* RPC Pipe client / server routines
* Copyright ( C ) Andrew Tridgell 1992 - 1997 ,
* Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997 ,
* Copyright ( C ) Paul Ashton 1997.
* Copyright ( C ) Jeremy Allison 1998 - 2001.
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
/* This is the implementation of the netlogon pipe. */
# include "includes.h"
extern int DEBUGLEVEL ;
extern BOOL sam_logon_in_ssb ;
extern pstring samlogon_user ;
extern pstring global_myname ;
extern DOM_SID global_sam_sid ;
/*************************************************************************
init_net_r_req_chal :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_net_r_req_chal ( NET_R_REQ_CHAL * r_c ,
2001-08-27 23:46:22 +04:00
DOM_CHAL * srv_chal , NTSTATUS status )
2001-02-27 03:32:11 +03:00
{
DEBUG ( 6 , ( " init_net_r_req_chal: %d \n " , __LINE__ ) ) ;
memcpy ( r_c - > srv_chal . data , srv_chal - > data , sizeof ( srv_chal - > data ) ) ;
r_c - > status = status ;
}
/*************************************************************************
error messages cropping up when using nltest . exe . . .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
# define ERROR_NO_SUCH_DOMAIN 0x54b
# define ERROR_NO_LOGON_SERVERS 0x51f
2001-05-24 12:05:12 +04:00
/*************************************************************************
net_reply_logon_ctrl :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* Some flag values reverse engineered from NLTEST.EXE */
# define LOGON_CTRL_IN_SYNC 0x00
# define LOGON_CTRL_REPL_NEEDED 0x01
# define LOGON_CTRL_REPL_IN_PROGRESS 0x02
2001-08-27 23:46:22 +04:00
NTSTATUS _net_logon_ctrl ( pipes_struct * p , NET_Q_LOGON_CTRL * q_u ,
2001-05-24 12:05:12 +04:00
NET_R_LOGON_CTRL * r_u )
{
uint32 flags = 0x0 ;
uint32 pdc_connection_status = 0x00 ; /* Maybe a win32 error code? */
/* Setup the Logon Control response */
init_net_r_logon_ctrl ( r_u , q_u - > query_level , flags ,
pdc_connection_status ) ;
return r_u - > status ;
}
2001-08-28 10:34:08 +04:00
/****************************************************************************
Send a message to smbd to do a sam synchronisation
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void send_sync_message ( )
{
TDB_CONTEXT * tdb ;
tdb = tdb_open_log ( lock_path ( " connections.tdb " ) , 0 ,
USE_TDB_MMAP_FLAG , O_RDONLY , 0 ) ;
if ( ! tdb ) {
DEBUG ( 3 , ( " send_sync_message(): failed to open connections "
" database \n " ) ) ;
return ;
}
DEBUG ( 3 , ( " sending sam synchronisation message \n " ) ) ;
message_send_all ( tdb , MSG_SMB_SAM_SYNC , NULL , 0 , False ) ;
tdb_close ( tdb ) ;
}
2001-02-27 03:32:11 +03:00
/*************************************************************************
net_reply_logon_ctrl2 :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_logon_ctrl2 ( pipes_struct * p , NET_Q_LOGON_CTRL2 * q_u , NET_R_LOGON_CTRL2 * r_u )
2001-02-27 03:32:11 +03:00
{
2001-08-28 10:34:08 +04:00
uint32 flags = 0x0 ;
uint32 pdc_connection_status = 0x0 ;
uint32 logon_attempts = 0x0 ;
uint32 tc_status = ERROR_NO_LOGON_SERVERS ;
char * trusted_domain = " test_domain " ;
DEBUG ( 0 , ( " *** net long ctrl2 %d, %d, %d \n " ,
q_u - > function_code , q_u - > query_level , q_u - > switch_value ) ) ;
2001-02-27 03:32:11 +03:00
DEBUG ( 6 , ( " _net_logon_ctrl2: %d \n " , __LINE__ ) ) ;
2001-08-28 10:34:08 +04:00
2001-02-27 03:32:11 +03:00
/* set up the Logon Control2 response */
2001-05-24 12:05:12 +04:00
init_net_r_logon_ctrl2 ( r_u , q_u - > query_level ,
flags , pdc_connection_status , logon_attempts ,
tc_status , trusted_domain ) ;
2001-02-27 03:32:11 +03:00
2001-08-28 10:34:08 +04:00
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC )
send_sync_message ( ) ;
2001-02-27 03:32:11 +03:00
DEBUG ( 6 , ( " _net_logon_ctrl2: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
/*************************************************************************
net_reply_trust_dom_list :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_trust_dom_list ( pipes_struct * p , NET_Q_TRUST_DOM_LIST * q_u , NET_R_TRUST_DOM_LIST * r_u )
2001-02-27 03:32:11 +03:00
{
char * trusted_domain = " test_domain " ;
uint32 num_trust_domains = 1 ;
DEBUG ( 6 , ( " _net_trust_dom_list: %d \n " , __LINE__ ) ) ;
/* set up the Trusted Domain List response */
init_r_trust_dom ( r_u , num_trust_domains , trusted_domain ) ;
DEBUG ( 6 , ( " _net_trust_dom_list: %d \n " , __LINE__ ) ) ;
return r_u - > status ;
}
/***********************************************************************************
init_net_r_srv_pwset :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_net_r_srv_pwset ( NET_R_SRV_PWSET * r_s ,
2001-08-27 23:46:22 +04:00
DOM_CRED * srv_cred , NTSTATUS status )
2001-02-27 03:32:11 +03:00
{
DEBUG ( 5 , ( " init_net_r_srv_pwset: %d \n " , __LINE__ ) ) ;
memcpy ( & r_s - > srv_cred , srv_cred , sizeof ( r_s - > srv_cred ) ) ;
r_s - > status = status ;
DEBUG ( 5 , ( " init_net_r_srv_pwset: %d \n " , __LINE__ ) ) ;
}
/******************************************************************
gets a machine password entry . checks access rights of the host .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL get_md4pw ( char * md4pw , char * mach_acct )
{
2001-03-11 03:32:10 +03:00
SAM_ACCOUNT * sampass = NULL ;
2001-03-11 03:51:54 +03:00
uint8 * pass ;
2001-05-04 19:44:27 +04:00
BOOL ret ;
2001-02-27 03:32:11 +03:00
#if 0
/*
* Currently this code is redundent as we already have a filter
* by hostname list . What this code really needs to do is to
* get a hosts allowed / hosts denied list from the SAM database
* on a per user basis , and make the access decision there .
* I will leave this code here for now as a reminder to implement
* this at a later date . JRA .
*/
if ( ! allow_access ( lp_domain_hostsdeny ( ) , lp_domain_hostsallow ( ) ,
client_name ( ) , client_addr ( ) ) )
{
DEBUG ( 0 , ( " get_md4pw: Workstation %s denied access to domain \n " , mach_acct ) ) ;
return False ;
}
# endif /* 0 */
2001-05-04 19:44:27 +04:00
if ( ! pdb_init_sam ( & sampass ) )
return False ;
2001-03-12 01:26:28 +03:00
2001-05-04 19:44:27 +04:00
/* JRA. This is ok as it is only used for generating the challenge. */
2001-02-27 03:32:11 +03:00
become_root ( ) ;
2001-05-04 19:44:27 +04:00
ret = pdb_getsampwnam ( sampass , mach_acct ) ;
2001-02-27 03:32:11 +03:00
unbecome_root ( ) ;
2001-03-11 03:32:10 +03:00
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
DEBUG ( 0 , ( " get_md4pw: Workstation %s: no account in domain \n " , mach_acct ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-05-04 19:44:27 +04:00
return False ;
}
if ( ! ( pdb_get_acct_ctrl ( sampass ) & ACB_DISABLED ) & & ( ( pass = pdb_get_nt_passwd ( sampass ) ) ! = NULL ) ) {
2001-03-11 03:32:10 +03:00
memcpy ( md4pw , pass , 16 ) ;
2001-02-27 03:32:11 +03:00
dump_data ( 5 , md4pw , 16 ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-02-27 03:32:11 +03:00
return True ;
}
2001-05-04 19:44:27 +04:00
2001-02-27 03:32:11 +03:00
DEBUG ( 0 , ( " get_md4pw: Workstation %s: no account in domain \n " , mach_acct ) ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-02-27 03:32:11 +03:00
return False ;
2001-05-04 19:44:27 +04:00
2001-02-27 03:32:11 +03:00
}
/*************************************************************************
_net_req_chal
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_req_chal ( pipes_struct * p , NET_Q_REQ_CHAL * q_u , NET_R_REQ_CHAL * r_u )
2001-02-27 03:32:11 +03:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS status = NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
fstring mach_acct ;
2001-03-12 01:26:28 +03:00
if ( ! get_valid_user_struct ( p - > vuid ) )
return NT_STATUS_NO_SUCH_USER ;
2001-02-27 03:32:11 +03:00
2001-07-04 11:15:53 +04:00
rpcstr_pull ( mach_acct , q_u - > uni_logon_clnt . buffer , sizeof ( fstring ) , q_u - > uni_logon_clnt . uni_str_len * 2 , 0 ) ;
2001-02-27 03:32:11 +03:00
strlower ( mach_acct ) ;
fstrcat ( mach_acct , " $ " ) ;
2001-03-12 01:26:28 +03:00
if ( get_md4pw ( ( char * ) p - > dc . md4pw , mach_acct ) ) {
2001-02-27 03:32:11 +03:00
/* copy the client credentials */
2001-03-12 01:26:28 +03:00
memcpy ( p - > dc . clnt_chal . data , q_u - > clnt_chal . data , sizeof ( q_u - > clnt_chal . data ) ) ;
memcpy ( p - > dc . clnt_cred . challenge . data , q_u - > clnt_chal . data , sizeof ( q_u - > clnt_chal . data ) ) ;
2001-02-27 03:32:11 +03:00
/* create a server challenge for the client */
/* Set these to random values. */
2001-03-12 01:26:28 +03:00
generate_random_buffer ( p - > dc . srv_chal . data , 8 , False ) ;
2001-02-27 03:32:11 +03:00
2001-03-12 01:26:28 +03:00
memcpy ( p - > dc . srv_cred . challenge . data , p - > dc . srv_chal . data , 8 ) ;
2001-02-27 03:32:11 +03:00
2001-03-12 01:26:28 +03:00
memset ( ( char * ) p - > dc . sess_key , ' \0 ' , sizeof ( p - > dc . sess_key ) ) ;
2001-02-27 03:32:11 +03:00
/* from client / server challenges and md4 password, generate sess key */
2001-03-12 01:26:28 +03:00
cred_session_key ( & p - > dc . clnt_chal , & p - > dc . srv_chal ,
( char * ) p - > dc . md4pw , p - > dc . sess_key ) ;
/* Save the machine account name. */
fstrcpy ( p - > dc . mach_acct , mach_acct ) ;
2001-02-27 03:32:11 +03:00
} else {
/* lkclXXXX take a guess at a good error message to return :-) */
status = NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT ;
}
/* set up the LSA REQUEST CHALLENGE response */
2001-03-12 01:26:28 +03:00
init_net_r_req_chal ( r_u , & p - > dc . srv_chal , status ) ;
2001-02-27 03:32:11 +03:00
return r_u - > status ;
}
2001-04-24 03:31:09 +04:00
/*************************************************************************
init_net_r_auth :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
static void init_net_r_auth ( NET_R_AUTH * r_a , DOM_CHAL * resp_cred , NTSTATUS status )
2001-04-24 03:31:09 +04:00
{
memcpy ( r_a - > srv_chal . data , resp_cred - > data , sizeof ( resp_cred - > data ) ) ;
r_a - > status = status ;
}
/*************************************************************************
_net_auth
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_auth ( pipes_struct * p , NET_Q_AUTH * q_u , NET_R_AUTH * r_u )
2001-04-24 03:31:09 +04:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS status = NT_STATUS_OK ;
2001-04-24 03:31:09 +04:00
DOM_CHAL srv_cred ;
UTIME srv_time ;
if ( ! get_valid_user_struct ( p - > vuid ) )
return NT_STATUS_NO_SUCH_USER ;
srv_time . time = 0 ;
/* check that the client credentials are valid */
if ( cred_assert ( & q_u - > clnt_chal , p - > dc . sess_key , & p - > dc . clnt_cred . challenge , srv_time ) ) {
/* create server challenge for inclusion in the reply */
cred_create ( p - > dc . sess_key , & p - > dc . srv_cred . challenge , srv_time , & srv_cred ) ;
/* copy the received client credentials for use next time */
memcpy ( p - > dc . clnt_cred . challenge . data , q_u - > clnt_chal . data , sizeof ( q_u - > clnt_chal . data ) ) ;
memcpy ( p - > dc . srv_cred . challenge . data , q_u - > clnt_chal . data , sizeof ( q_u - > clnt_chal . data ) ) ;
} else {
status = NT_STATUS_ACCESS_DENIED ;
}
/* set up the LSA AUTH 2 response */
init_net_r_auth ( r_u , & srv_cred , status ) ;
return r_u - > status ;
}
/*************************************************************************
init_net_r_auth_2 :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_net_r_auth_2 ( NET_R_AUTH_2 * r_a ,
2001-08-27 23:46:22 +04:00
DOM_CHAL * resp_cred , NEG_FLAGS * flgs , NTSTATUS status )
2001-04-24 03:31:09 +04:00
{
memcpy ( r_a - > srv_chal . data , resp_cred - > data , sizeof ( resp_cred - > data ) ) ;
memcpy ( & r_a - > srv_flgs , flgs , sizeof ( r_a - > srv_flgs ) ) ;
r_a - > status = status ;
}
2001-02-27 03:32:11 +03:00
/*************************************************************************
_net_auth_2
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_auth_2 ( pipes_struct * p , NET_Q_AUTH_2 * q_u , NET_R_AUTH_2 * r_u )
2001-02-27 03:32:11 +03:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS status = NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
DOM_CHAL srv_cred ;
UTIME srv_time ;
NEG_FLAGS srv_flgs ;
2001-03-12 01:26:28 +03:00
if ( ! get_valid_user_struct ( p - > vuid ) )
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_SUCH_USER ;
srv_time . time = 0 ;
/* check that the client credentials are valid */
2001-03-12 01:26:28 +03:00
if ( cred_assert ( & q_u - > clnt_chal , p - > dc . sess_key , & p - > dc . clnt_cred . challenge , srv_time ) ) {
2001-02-27 03:32:11 +03:00
/* create server challenge for inclusion in the reply */
2001-03-12 01:26:28 +03:00
cred_create ( p - > dc . sess_key , & p - > dc . srv_cred . challenge , srv_time , & srv_cred ) ;
2001-02-27 03:32:11 +03:00
/* copy the received client credentials for use next time */
2001-03-12 01:26:28 +03:00
memcpy ( p - > dc . clnt_cred . challenge . data , q_u - > clnt_chal . data , sizeof ( q_u - > clnt_chal . data ) ) ;
memcpy ( p - > dc . srv_cred . challenge . data , q_u - > clnt_chal . data , sizeof ( q_u - > clnt_chal . data ) ) ;
2001-02-27 03:32:11 +03:00
} else {
status = NT_STATUS_ACCESS_DENIED ;
}
srv_flgs . neg_flags = 0x000001ff ;
/* set up the LSA AUTH 2 response */
init_net_r_auth_2 ( r_u , & srv_cred , & srv_flgs , status ) ;
return r_u - > status ;
}
/*************************************************************************
_net_srv_pwset
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_srv_pwset ( pipes_struct * p , NET_Q_SRV_PWSET * q_u , NET_R_SRV_PWSET * r_u )
2001-02-27 03:32:11 +03:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS status = NT_STATUS_WRONG_PASSWORD ;
2001-02-27 03:32:11 +03:00
DOM_CRED srv_cred ;
pstring mach_acct ;
2001-05-04 19:44:27 +04:00
SAM_ACCOUNT * sampass = NULL ;
2001-03-11 03:32:10 +03:00
BOOL ret = False ;
2001-02-27 03:32:11 +03:00
unsigned char pwd [ 16 ] ;
int i ;
2001-03-12 01:26:28 +03:00
if ( ! get_valid_user_struct ( p - > vuid ) )
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_SUCH_USER ;
/* checks and updates credentials. creates reply credentials */
2001-03-12 01:26:28 +03:00
if ( ! deal_with_creds ( p - > dc . sess_key , & p - > dc . clnt_cred , & q_u - > clnt_id . cred , & srv_cred ) )
2001-02-27 03:32:11 +03:00
return NT_STATUS_INVALID_HANDLE ;
2001-03-12 01:26:28 +03:00
memcpy ( & p - > dc . srv_cred , & p - > dc . clnt_cred , sizeof ( p - > dc . clnt_cred ) ) ;
2001-02-27 03:32:11 +03:00
DEBUG ( 5 , ( " _net_srv_pwset: %d \n " , __LINE__ ) ) ;
2001-07-04 11:15:53 +04:00
rpcstr_pull ( mach_acct , q_u - > clnt_id . login . uni_acct_name . buffer ,
sizeof ( mach_acct ) , q_u - > clnt_id . login . uni_acct_name . uni_str_len * 2 , 0 ) ;
2001-02-27 03:32:11 +03:00
DEBUG ( 3 , ( " Server Password Set Wksta:[%s] \n " , mach_acct ) ) ;
2001-05-04 19:44:27 +04:00
pdb_init_sam ( & sampass ) ;
2001-02-27 03:32:11 +03:00
become_root ( ) ;
2001-05-04 19:44:27 +04:00
ret = pdb_getsampwnam ( sampass , mach_acct ) ;
2001-02-27 03:32:11 +03:00
unbecome_root ( ) ;
2001-03-12 01:26:28 +03:00
/* Ensure the account exists and is a machine account. */
2001-05-04 19:44:27 +04:00
if ( ret = = False | | ! ( pdb_get_acct_ctrl ( sampass ) & ACB_WSTRUST ) ) {
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_SUCH_USER ;
2001-05-04 19:44:27 +04:00
}
2001-02-27 03:32:11 +03:00
2001-03-12 01:26:28 +03:00
/*
* Check the machine account name we ' re changing is the same
* as the one we ' ve authenticated from . This prevents arbitrary
* machines changing other machine account passwords .
*/
2001-05-04 19:44:27 +04:00
if ( ! strequal ( mach_acct , p - > dc . mach_acct ) ) {
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-03-12 01:26:28 +03:00
return NT_STATUS_ACCESS_DENIED ;
2001-05-04 19:44:27 +04:00
}
2001-03-12 01:26:28 +03:00
2001-02-27 03:32:11 +03:00
DEBUG ( 100 , ( " Server password set : new given value was : \n " ) ) ;
for ( i = 0 ; i < 16 ; i + + )
DEBUG ( 100 , ( " %02X " , q_u - > pwd [ i ] ) ) ;
DEBUG ( 100 , ( " \n " ) ) ;
2001-03-12 01:26:28 +03:00
cred_hash3 ( pwd , q_u - > pwd , p - > dc . sess_key , 0 ) ;
2001-02-27 03:32:11 +03:00
/* lies! nt and lm passwords are _not_ the same: don't care */
2001-03-11 03:32:10 +03:00
pdb_set_lanman_passwd ( sampass , pwd ) ;
pdb_set_nt_passwd ( sampass , pwd ) ;
pdb_set_acct_ctrl ( sampass , ACB_WSTRUST ) ;
2001-02-27 03:32:11 +03:00
become_root ( ) ;
2001-03-11 03:32:10 +03:00
ret = pdb_update_sam_account ( sampass , False ) ;
2001-02-27 03:32:11 +03:00
unbecome_root ( ) ;
2001-03-11 03:32:10 +03:00
if ( ret )
2001-08-27 23:46:22 +04:00
status = NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
/* set up the LSA Server Password Set response */
init_net_r_srv_pwset ( r_u , & srv_cred , status ) ;
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-02-27 03:32:11 +03:00
return r_u - > status ;
}
/*************************************************************************
_net_sam_logoff :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_sam_logoff ( pipes_struct * p , NET_Q_SAM_LOGOFF * q_u , NET_R_SAM_LOGOFF * r_u )
2001-02-27 03:32:11 +03:00
{
DOM_CRED srv_cred ;
2001-03-12 01:26:28 +03:00
if ( ! get_valid_user_struct ( p - > vuid ) )
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_SUCH_USER ;
/* checks and updates credentials. creates reply credentials */
2001-03-12 01:26:28 +03:00
if ( ! deal_with_creds ( p - > dc . sess_key , & p - > dc . clnt_cred ,
2001-02-27 03:32:11 +03:00
& q_u - > sam_id . client . cred , & srv_cred ) )
return NT_STATUS_INVALID_HANDLE ;
2001-03-12 01:26:28 +03:00
memcpy ( & p - > dc . srv_cred , & p - > dc . clnt_cred , sizeof ( p - > dc . clnt_cred ) ) ;
2001-02-27 03:32:11 +03:00
/* XXXX maybe we want to say 'no', reject the client's credentials */
r_u - > buffer_creds = 1 ; /* yes, we have valid server credentials */
memcpy ( & r_u - > srv_creds , & srv_cred , sizeof ( r_u - > srv_creds ) ) ;
2001-08-27 23:46:22 +04:00
r_u - > status = NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
return r_u - > status ;
}
/*************************************************************************
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
_net_logon_any : Use the new authentications subsystem to log in .
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
static NTSTATUS _net_logon_any ( NET_ID_INFO_CTR * ctr , char * user , char * domain , char * sess_key )
2001-02-27 03:32:11 +03:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
unsigned char local_lm_response [ 24 ] ;
unsigned char local_nt_response [ 24 ] ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
auth_usersupplied_info user_info ;
auth_serversupplied_info server_info ;
AUTH_STR ourdomain , theirdomain , smb_username , wksta_name ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
DEBUG ( 5 , ( " _net_logon_any: entered with user %s and domain %s \n " , user , domain ) ) ;
ZERO_STRUCT ( user_info ) ;
ZERO_STRUCT ( server_info ) ;
ZERO_STRUCT ( ourdomain ) ;
ZERO_STRUCT ( theirdomain ) ;
ZERO_STRUCT ( smb_username ) ;
ZERO_STRUCT ( wksta_name ) ;
ourdomain . str = lp_workgroup ( ) ;
ourdomain . len = strlen ( ourdomain . str ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
theirdomain . str = domain ;
theirdomain . len = strlen ( theirdomain . str ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
user_info . requested_domain = theirdomain ;
user_info . domain = ourdomain ;
smb_username . str = user ;
smb_username . len = strlen ( smb_username . str ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
user_info . requested_username = smb_username ; /* For the time-being */
user_info . smb_username = smb_username ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
#if 0
user_info . wksta_name . str = cleint_name ( ) ;
user_info . wksta_name . len = strlen ( client_name ( ) ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
user_info . wksta_name = wksta_name ;
2001-02-27 03:32:11 +03:00
# endif
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
DEBUG ( 10 , ( " _net_logon_any: Attempting validation level %d. \n " , ctr - > switch_value ) ) ;
switch ( ctr - > switch_value ) {
case NET_LOGON_TYPE :
2001-08-12 15:19:57 +04:00
/* Standard challange/response authenticaion */
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
user_info . lm_resp . buffer = ( uint8 * ) ctr - > auth . id2 . lm_chal_resp . buffer ;
user_info . lm_resp . len = ctr - > auth . id2 . lm_chal_resp . str_str_len ;
user_info . nt_resp . buffer = ( uint8 * ) ctr - > auth . id2 . nt_chal_resp . buffer ;
user_info . nt_resp . len = ctr - > auth . id2 . nt_chal_resp . str_str_len ;
memcpy ( user_info . chal , ctr - > auth . id2 . lm_chal , 8 ) ;
break ;
case INTERACTIVE_LOGON_TYPE :
2001-08-12 15:19:57 +04:00
/* 'Interactive' autheticaion, supplies the password in its MD4 form, encrypted
with the session key . We will convert this to challange / responce for the
auth subsystem to chew on */
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
{
char nt_pwd [ 16 ] ;
char lm_pwd [ 16 ] ;
unsigned char key [ 16 ] ;
memset ( key , 0 , 16 ) ;
memcpy ( key , sess_key , 8 ) ;
memcpy ( lm_pwd , ctr - > auth . id1 . lm_owf . data , 16 ) ;
memcpy ( nt_pwd , ctr - > auth . id1 . nt_owf . data , 16 ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
# ifdef DEBUG_PASSWORD
DEBUG ( 100 , ( " key: " ) ) ;
dump_data ( 100 , ( char * ) key , 16 ) ;
DEBUG ( 100 , ( " lm owf password: " ) ) ;
dump_data ( 100 , lm_pwd , 16 ) ;
DEBUG ( 100 , ( " nt owf password: " ) ) ;
dump_data ( 100 , nt_pwd , 16 ) ;
# endif
SamOEMhash ( ( uchar * ) lm_pwd , key , 16 ) ;
SamOEMhash ( ( uchar * ) nt_pwd , key , 16 ) ;
# ifdef DEBUG_PASSWORD
DEBUG ( 100 , ( " decrypt of lm owf password: " ) ) ;
dump_data ( 100 , lm_pwd , 16 ) ;
DEBUG ( 100 , ( " decrypt of nt owf password: " ) ) ;
dump_data ( 100 , nt_pwd , 16 ) ;
# endif
2001-03-11 03:32:10 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
generate_random_buffer ( user_info . chal , 8 , False ) ;
2001-08-25 00:32:01 +04:00
SMBOWFencrypt ( ( const unsigned char * ) lm_pwd , user_info . chal , local_lm_response ) ;
SMBOWFencrypt ( ( const unsigned char * ) nt_pwd , user_info . chal , local_nt_response ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
user_info . lm_resp . buffer = ( uint8 * ) local_lm_response ;
user_info . lm_resp . len = 24 ;
user_info . nt_resp . buffer = ( uint8 * ) local_nt_response ;
user_info . nt_resp . len = 24 ;
break ;
2001-02-27 03:32:11 +03:00
}
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
default :
DEBUG ( 2 , ( " SAM Logon: unsupported switch value \n " ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
} /* end switch */
nt_status = check_password ( & user_info , & server_info ) ;
2001-02-27 03:32:11 +03:00
2001-08-27 23:46:22 +04:00
DEBUG ( 5 , ( " _net_logon_any: exited with status %s \n " ,
get_nt_error_msg ( nt_status ) ) ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
return nt_status ;
2001-02-27 03:32:11 +03:00
}
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
2001-02-27 03:32:11 +03:00
/*************************************************************************
_net_sam_logon
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-08-27 23:46:22 +04:00
NTSTATUS _net_sam_logon ( pipes_struct * p , NET_Q_SAM_LOGON * q_u , NET_R_SAM_LOGON * r_u )
2001-02-27 03:32:11 +03:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS status = NT_STATUS_OK ;
2001-05-04 19:44:27 +04:00
NET_USER_INFO_3 * usr_info = NULL ;
DOM_CRED srv_cred ;
SAM_ACCOUNT * sampass = NULL ;
UNISTR2 * uni_samlogon_user = NULL ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
UNISTR2 * uni_samlogon_domain = NULL ;
2001-05-04 19:44:27 +04:00
fstring nt_username ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
fstring nt_domain ;
2001-05-04 19:44:27 +04:00
BOOL ret ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
2001-02-27 03:32:11 +03:00
usr_info = ( NET_USER_INFO_3 * ) talloc ( p - > mem_ctx , sizeof ( NET_USER_INFO_3 ) ) ;
if ( ! usr_info )
return NT_STATUS_NO_MEMORY ;
2001-05-04 19:44:27 +04:00
2001-02-27 03:32:11 +03:00
ZERO_STRUCTP ( usr_info ) ;
2001-05-04 19:44:27 +04:00
if ( ! get_valid_user_struct ( p - > vuid ) )
return NT_STATUS_NO_SUCH_USER ;
2001-02-27 03:32:11 +03:00
2001-05-04 19:44:27 +04:00
/* checks and updates credentials. creates reply credentials */
if ( ! deal_with_creds ( p - > dc . sess_key , & p - > dc . clnt_cred , & q_u - > sam_id . client . cred , & srv_cred ) )
return NT_STATUS_INVALID_HANDLE ;
else
memcpy ( & p - > dc . srv_cred , & p - > dc . clnt_cred , sizeof ( p - > dc . clnt_cred ) ) ;
2001-02-27 03:32:11 +03:00
2001-03-13 23:13:20 +03:00
r_u - > buffer_creds = 1 ; /* yes, we have valid server credentials */
memcpy ( & r_u - > srv_creds , & srv_cred , sizeof ( r_u - > srv_creds ) ) ;
/* store the user information, if there is any. */
r_u - > user = usr_info ;
r_u - > switch_value = 0 ; /* indicates no info */
r_u - > auth_resp = 1 ; /* authoritative response */
r_u - > switch_value = 3 ; /* indicates type of validation user info */
2001-05-04 19:44:27 +04:00
/* find the username */
2001-02-27 03:32:11 +03:00
switch ( q_u - > sam_id . logon_level ) {
case INTERACTIVE_LOGON_TYPE :
uni_samlogon_user = & q_u - > sam_id . ctr - > auth . id1 . uni_user_name ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
uni_samlogon_domain = & q_u - > sam_id . ctr - > auth . id1 . uni_domain_name ;
2001-02-27 03:32:11 +03:00
DEBUG ( 3 , ( " SAM Logon (Interactive). Domain:[%s]. " , lp_workgroup ( ) ) ) ;
break ;
case NET_LOGON_TYPE :
uni_samlogon_user = & q_u - > sam_id . ctr - > auth . id2 . uni_user_name ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
uni_samlogon_domain = & q_u - > sam_id . ctr - > auth . id2 . uni_domain_name ;
2001-02-27 03:32:11 +03:00
DEBUG ( 3 , ( " SAM Logon (Network). Domain:[%s]. " , lp_workgroup ( ) ) ) ;
break ;
default :
DEBUG ( 2 , ( " SAM Logon: unsupported switch value \n " ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
} /* end switch */
/* check username exists */
2001-07-04 11:15:53 +04:00
rpcstr_pull ( nt_username , uni_samlogon_user - > buffer , sizeof ( nt_username ) , uni_samlogon_user - > uni_str_len * 2 , 0 ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
rpcstr_pull ( nt_domain , uni_samlogon_domain - > buffer , sizeof ( nt_domain ) , uni_samlogon_domain - > uni_str_len * 2 , 0 ) ;
2001-02-27 03:32:11 +03:00
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
DEBUG ( 3 , ( " User:[%s] Requested Domain:[%s] \n " , nt_username , nt_domain ) ) ;
2001-02-27 03:32:11 +03:00
/*
* Convert to a UNIX username .
*/
map_username ( nt_username ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
DEBUG ( 10 , ( " Attempting validation level %d for mapped username %s. \n " , q_u - > sam_id . ctr - > switch_value , nt_username ) ) ;
2001-08-25 00:32:01 +04:00
status = _net_logon_any ( q_u - > sam_id . ctr , nt_username , nt_domain , ( char * ) p - > dc . sess_key ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
/* Check account and password */
2001-08-27 23:46:22 +04:00
if ( NT_STATUS_V ( status ) )
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
return status ;
2001-05-04 19:44:27 +04:00
pdb_init_sam ( & sampass ) ;
2001-03-11 03:32:10 +03:00
/* get the account information */
2001-02-27 03:32:11 +03:00
become_root ( ) ;
2001-05-04 19:44:27 +04:00
ret = pdb_getsampwnam ( sampass , nt_username ) ;
2001-02-27 03:32:11 +03:00
unbecome_root ( ) ;
2001-03-11 03:32:10 +03:00
2001-05-04 19:44:27 +04:00
if ( ret = = False ) {
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_SUCH_USER ;
2001-05-04 19:44:27 +04:00
}
2001-03-11 03:32:10 +03:00
2001-02-27 03:32:11 +03:00
/* lkclXXXX this is the point at which, if the login was
successful , that the SAM Local Security Authority should
record that the user is logged in to the domain .
*/
{
DOM_GID * gids = NULL ;
int num_gids = 0 ;
pstring my_name ;
pstring my_workgroup ;
pstring domain_groups ;
/* set up pointer indicating user/password failed to be found */
usr_info - > ptr_user_info = 0 ;
/* XXXX hack to get standard_sub_basic() to use sam logon username */
/* possibly a better way would be to do a become_user() call */
sam_logon_in_ssb = True ;
pstrcpy ( samlogon_user , nt_username ) ;
pstrcpy ( my_workgroup , lp_workgroup ( ) ) ;
pstrcpy ( my_name , global_myname ) ;
strupper ( my_name ) ;
/*
* This is the point at which we get the group
* database - we should be getting the gid_t list
* from / etc / group and then turning the uids into
* rids and then into machine sids for this user .
* JRA .
*/
get_domain_user_groups ( domain_groups , nt_username ) ;
/*
* make_dom_gids allocates the gids array . JRA .
*/
gids = NULL ;
num_gids = make_dom_gids ( p - > mem_ctx , domain_groups , & gids ) ;
sam_logon_in_ssb = False ;
2001-05-04 19:44:27 +04:00
init_net_user_info3 ( p - > mem_ctx , usr_info , sampass ,
2001-03-11 03:32:10 +03:00
0 , /* logon_count */
0 , /* bad_pw_count */
num_gids , /* uint32 num_groups */
gids , /* DOM_GID *gids */
0x20 , /* uint32 user_flgs (?) */
NULL , /* char sess_key[16] */
my_name , /* char *logon_srv */
my_workgroup , /* char *logon_dom */
& global_sam_sid , /* DOM_SID *dom_sid */
NULL ) ; /* char *other_sids */
2001-05-04 19:44:27 +04:00
}
2001-05-07 18:04:46 +04:00
pdb_free_sam ( sampass ) ;
2001-05-04 19:44:27 +04:00
return status ;
2001-02-27 03:32:11 +03:00
}