Fixes to get pam_auth() functionality working again.
This commit is contained in:
parent
672242a52e
commit
083b74c743
@ -368,10 +368,17 @@ WINBINDD_OBJ1 = \
|
||||
nsswitch/winbindd_sid.o \
|
||||
nsswitch/winbindd_misc.o
|
||||
|
||||
UNECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ = \
|
||||
smbd/password.o smbd/session.o smbd/uid.o smbd/sec_ctx.o \
|
||||
rpc_client/cli_netlogon.o rpc_client/cli_login.o \
|
||||
smbd/chgpasswd.o
|
||||
|
||||
WINBINDD_OBJ = \
|
||||
$(WINBINDD_OBJ1) $(NOPROTO_OBJ) $(PASSDB_OBJ) \
|
||||
$(LIBNMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
|
||||
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(GROUPDB_OBJ)
|
||||
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
|
||||
$(GROUPDB_OBJ) \
|
||||
$(UNECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ)
|
||||
|
||||
WBINFO_OBJ = nsswitch/wbinfo.o
|
||||
|
||||
@ -407,6 +414,8 @@ debug2html : CHECK bin/debug2html
|
||||
|
||||
smbfilter : CHECK bin/smbfilter
|
||||
|
||||
nsswitch : CHECK $(WINBIND_PROGS)
|
||||
|
||||
.SUFFIXES:
|
||||
.SUFFIXES: .c .o .po .po32 .lo
|
||||
|
||||
|
@ -50,56 +50,33 @@ static void parse_domain_user(char *domuser, fstring domain, fstring user)
|
||||
|
||||
enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
|
||||
{
|
||||
NET_USER_INFO_3 info3;
|
||||
uchar ntpw[16];
|
||||
uchar lmpw[16];
|
||||
uchar trust_passwd[16];
|
||||
uint32 status;
|
||||
fstring server;
|
||||
BOOL result, user_exists;
|
||||
fstring name_domain, name_user;
|
||||
extern pstring global_myname;
|
||||
int passlen;
|
||||
|
||||
DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
|
||||
state->request.data.auth.user));
|
||||
|
||||
/* Parse domain and username */
|
||||
|
||||
parse_domain_user(state->request.data.auth.user, name_domain,
|
||||
name_user);
|
||||
|
||||
/* don't allow the null domain */
|
||||
if (strcmp(name_domain,"") == 0) return WINBINDD_ERROR;
|
||||
|
||||
ZERO_STRUCT(info3);
|
||||
if (strcmp(name_domain,"") == 0)
|
||||
return WINBINDD_ERROR;
|
||||
|
||||
if (!_get_trust_account_password(lp_workgroup(), trust_passwd, NULL)) {
|
||||
DEBUG(1, ("could not get trust password for domain %s\n",
|
||||
name_domain));
|
||||
return WINBINDD_ERROR;
|
||||
}
|
||||
passlen = strlen(state->request.data.auth.pass);
|
||||
|
||||
nt_lm_owf_gen(state->request.data.auth.pass, ntpw, lmpw);
|
||||
result = domain_client_validate(name_user, name_domain,
|
||||
state->request.data.auth.pass,
|
||||
passlen,
|
||||
state->request.data.auth.pass,
|
||||
passlen, &user_exists,
|
||||
server_state.controller);
|
||||
|
||||
slprintf(server, sizeof(server), "\\\\%s", server_state.controller);
|
||||
|
||||
#if 0
|
||||
|
||||
/* XXX */
|
||||
|
||||
status = domain_client_validate_backend(server,
|
||||
name_user, name_domain,
|
||||
global_myname, SEC_CHAN_WKSTA,
|
||||
trust_passwd,
|
||||
NULL,
|
||||
lmpw, sizeof(lmpw),
|
||||
ntpw, sizeof(ntpw), &info3);
|
||||
#else
|
||||
status = NT_STATUS_UNSUCCESSFUL;
|
||||
#endif
|
||||
|
||||
|
||||
if (status != NT_STATUS_NOPROBLEMO) return WINBINDD_ERROR;
|
||||
|
||||
return WINBINDD_OK;
|
||||
return result ? WINBINDD_OK : WINBINDD_ERROR;
|
||||
}
|
||||
|
||||
/* Change a user password */
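Review bot: `passlen = strlen(state->request.data.auth.pass)` measures a client-supplied field with no bound; if `pass` is a fixed-size array in the request struct (its declaration is outside this hunk), a request that fills it without a terminator makes this read past the field, so compute the length with `strnlen` or an equivalent capped at `sizeof(state->request.data.auth.pass)`, or reject requests whose field has no terminator before this point. The same plaintext and `passlen` are passed to `domain_client_validate` as both the LM and the NT password; that function's "not encrypted" path in a later hunk re-encrypts them against a local challenge, but the condition that selects it is not visible here, and if it keys on a 24-byte length a 24-character plaintext password would be taken for a precomputed response, which is worth confirming. `user_exists` is filled by the callee but never read, and the single `return result ? WINBINDD_OK : WINBINDD_ERROR;` intentionally does not tell the caller whether the user or the password was wrong, which is fine to keep, so the variable can go. If `info3`, `ntpw`, `lmpw`, `trust_passwd`, `status`, `server` and `global_myname` survive on the new side (the sides are not marked here), they are dead after this change and should be removed as well.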
|
||||
|
@ -1416,8 +1416,6 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, un
|
||||
return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/***********************************************************************
|
||||
We have been asked to dynamcially determine the IP addresses of
|
||||
the PDC and BDC's for this DOMAIN, and query them in turn.
|
||||
@ -1491,17 +1489,16 @@ static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd
|
||||
return connected_ok;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/***********************************************************************
|
||||
Do the same as security=server, but using NT Domain calls and a session
|
||||
key from the machine password.
|
||||
key from the machine password. If the server parameter is specified
|
||||
use it, otherwise figure out a server from the 'password server' param.
|
||||
************************************************************************/
|
||||
|
||||
BOOL domain_client_validate( char *user, char *domain,
|
||||
char *smb_apasswd, int smb_apasslen,
|
||||
char *smb_ntpasswd, int smb_ntpasslen,
|
||||
BOOL *user_exists)
|
||||
BOOL *user_exists, char *server)
|
||||
{
|
||||
unsigned char local_challenge[8];
|
||||
unsigned char local_lm_response[24];
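Review bot: The revised header comment says the new `server` parameter is used when specified, but the later hunk feeds it to `next_token` with `LIST_SEP` exactly like the 'password server' value, so it is a list of names tried in turn, not a single host; the comment should say so, e.g. `If the server parameter is specified use it (a LIST_SEP-separated list of names, tried in turn), otherwise ...`. The parameter appears to be only read, so `const char *server` would fit if the surrounding API style allows it. The body of `domain_client_validate` continues past this hunk.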
|
||||
@ -1541,7 +1538,7 @@ BOOL domain_client_validate( char *user, char *domain,
|
||||
* Not encrypted - do so.
|
||||
*/
|
||||
|
||||
DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
|
||||
DEBUG(5,("domain_client_validate: User passwords not in encrypted format.\n"));
|
||||
generate_random_buffer( local_challenge, 8, False);
|
||||
SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
|
||||
SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response);
|
||||
@ -1586,9 +1583,13 @@ BOOL domain_client_validate( char *user, char *domain,
|
||||
* PDC/BDC. Contact each in turn and try and authenticate.
|
||||
*/
|
||||
|
||||
pserver = lp_passwordserver();
|
||||
if (! *pserver) pserver = "*";
|
||||
p = pserver;
|
||||
if (server) {
|
||||
p = server;
|
||||
} else {
|
||||
pserver = lp_passwordserver();
|
||||
if (! *pserver) pserver = "*";
|
||||
p = pserver;
|
||||
}
|
||||
|
||||
while (!connected_ok &&
|
||||
next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
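Review bot: `if (server)` selects the caller's string even when it is empty, and since `next_token` then yields no tokens the `while` loop at the end of the hunk never runs, so the call fails without the `"*"` fallback that the `lp_passwordserver()` branch gets; if the fallback is wanted for an empty explicit server as well, use `if (server && *server) {`. If failing is the intended behaviour for an empty `server`, it should be stated in the function's header comment, which currently only says the parameter is used when specified. `domain_client_validate` begins and ends outside this hunk.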
|
||||
|
@ -616,7 +616,7 @@ static BOOL check_domain_security(char *orig_user, char *domain, char *unix_user
|
||||
ret = domain_client_validate(orig_user, domain,
|
||||
smb_apasswd, smb_apasslen,
|
||||
smb_ntpasswd, smb_ntpasslen,
|
||||
&user_exists);
|
||||
&user_exists, NULL);
|
||||
|
||||
if(ret) {
|
||||
/*
|
||||
|