mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
A number of things to clean up the auth subsytem a bit...
We now default encrypt passwords = yes
We now check plaintext passwords (however aquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.
(this kills off the 'local' backed. The sam backend may be renamed in its
place)
The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.
Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.
The default ordering has changed, we now check the local stuff first - but
becouse of the changes above, we will really only ever contact one
auth source.
Andrew Bartlett
(This used to be commit e89b47f65e
)
This commit is contained in:
parent
a131c2cfdc
commit
4499007e45
@ -36,7 +36,7 @@ static BOOL check_domain_match(char *user, char *domain)
|
||||
*/
|
||||
|
||||
if (!lp_allow_trusted_domains() &&
|
||||
(!strequal(lp_workgroup(), domain) || strequal("", domain))) {
|
||||
(strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) {
|
||||
DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
|
||||
return False;
|
||||
} else {
|
||||
|
@ -55,36 +55,6 @@ BOOL auth_init_guest(auth_methods **auth_method)
|
||||
return True;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Check against either sam or unix, depending on encryption.
|
||||
****************************************************************************/
|
||||
|
||||
static NTSTATUS check_local_security(void *my_private_data,
|
||||
const auth_usersupplied_info *user_info,
|
||||
const auth_authsupplied_info *auth_info,
|
||||
auth_serversupplied_info **server_info)
|
||||
{
|
||||
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
|
||||
|
||||
if (user_info->encrypted) {
|
||||
nt_status = check_sam_security(my_private_data, user_info, auth_info, server_info);
|
||||
} else {
|
||||
nt_status = check_unix_security(my_private_data, user_info, auth_info, server_info);
|
||||
}
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
BOOL auth_init_local(auth_methods **auth_method)
|
||||
{
|
||||
if (!make_auth_methods(auth_method)) {
|
||||
return False;
|
||||
}
|
||||
|
||||
(*auth_method)->auth = check_local_security;
|
||||
return True;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Return an error based on username
|
||||
****************************************************************************/
|
||||
|
@ -285,17 +285,6 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
|
||||
NTSTATUS status;
|
||||
struct passwd *pass;
|
||||
|
||||
/*
|
||||
* Check that the requested domain is not our own machine name.
|
||||
* If it is, we should never check the PDC here, we use our own local
|
||||
* password file.
|
||||
*/
|
||||
|
||||
if(strequal(user_info->domain.str, global_myname)) {
|
||||
DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
/*
|
||||
* At this point, smb_apasswd points to the lanman response to
|
||||
* the challenge in local_challenge, and smb_ntpasswd points to
|
||||
@ -445,6 +434,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data,
|
||||
unsigned char trust_passwd[16];
|
||||
time_t last_change_time;
|
||||
|
||||
if (!user_info || !server_info || !auth_info) {
|
||||
DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n"));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that the requested domain is not our own machine name.
|
||||
* If it is, we should never check the PDC here, we use our own local
|
||||
* password file.
|
||||
*/
|
||||
|
||||
if(is_netbios_alias_or_name(user_info->domain.str)) {
|
||||
DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
become_root();
|
||||
|
||||
/*
|
||||
|
@ -25,9 +25,9 @@ const struct auth_init_function builtin_auth_init_functions[] = {
|
||||
{ "guest", auth_init_guest },
|
||||
{ "rhosts", auth_init_rhosts },
|
||||
{ "hostsequiv", auth_init_hostsequiv },
|
||||
{ "sam", auth_init_sam },
|
||||
{ "sam", auth_init_sam },
|
||||
{ "samstrict", auth_init_samstrict },
|
||||
{ "unix", auth_init_unix },
|
||||
{ "local", auth_init_local },
|
||||
{ "smbserver", auth_init_smbserver },
|
||||
{ "ntdomain", auth_init_ntdomain },
|
||||
{ "winbind", auth_init_winbind },
|
||||
@ -139,23 +139,33 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info)
|
||||
{
|
||||
case SEC_DOMAIN:
|
||||
DEBUG(5,("Making default auth method list for security=domain\n"));
|
||||
auth_method_list = lp_list_make("guest ntdomain local");
|
||||
auth_method_list = lp_list_make("guest samstrict ntdomain");
|
||||
break;
|
||||
case SEC_SERVER:
|
||||
DEBUG(5,("Making default auth method list for security=server\n"));
|
||||
auth_method_list = lp_list_make("guest smbserver local");
|
||||
auth_method_list = lp_list_make("guest samstrict smbserver");
|
||||
break;
|
||||
case SEC_USER:
|
||||
DEBUG(5,("Making default auth method list for security=user\n"));
|
||||
auth_method_list = lp_list_make("guest local");
|
||||
if (lp_encrypted_passwords()) {
|
||||
DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
|
||||
auth_method_list = lp_list_make("guest sam");
|
||||
} else {
|
||||
DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
|
||||
auth_method_list = lp_list_make("guest unix");
|
||||
}
|
||||
break;
|
||||
case SEC_SHARE:
|
||||
DEBUG(5,("Making default auth method list for security=share\n"));
|
||||
auth_method_list = lp_list_make("guest local");
|
||||
if (lp_encrypted_passwords()) {
|
||||
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
|
||||
auth_method_list = lp_list_make("guest sam");
|
||||
} else {
|
||||
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
|
||||
auth_method_list = lp_list_make("guest unix");
|
||||
}
|
||||
break;
|
||||
case SEC_ADS:
|
||||
DEBUG(5,("Making default auth method list for security=ADS\n"));
|
||||
auth_method_list = lp_list_make("guest ads ntdomain local");
|
||||
auth_method_list = lp_list_make("guest samstrict ads ntdomain");
|
||||
break;
|
||||
default:
|
||||
DEBUG(5,("Unknown auth method!\n"));
|
||||
|
@ -337,7 +337,7 @@ SMB hash supplied in the user_info structure
|
||||
return an NT_STATUS constant.
|
||||
****************************************************************************/
|
||||
|
||||
NTSTATUS check_sam_security(void *my_private_dat,
|
||||
static NTSTATUS check_sam_security(void *my_private_data,
|
||||
const auth_usersupplied_info *user_info,
|
||||
const auth_authsupplied_info *auth_info,
|
||||
auth_serversupplied_info **server_info)
|
||||
@ -408,5 +408,40 @@ BOOL auth_init_sam(auth_methods **auth_method)
|
||||
return True;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
check if a username/password is OK assuming the password is a 24 byte
|
||||
SMB hash supplied in the user_info structure
|
||||
return an NT_STATUS constant.
|
||||
****************************************************************************/
|
||||
|
||||
static NTSTATUS check_samstrict_security(void *my_private_data,
|
||||
const auth_usersupplied_info *user_info,
|
||||
const auth_authsupplied_info *auth_info,
|
||||
auth_serversupplied_info **server_info)
|
||||
{
|
||||
|
||||
if (!user_info || !auth_info) {
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
/* If we are a domain member, we must not
|
||||
attempt to check the password locally,
|
||||
unless it is one of our aliases. */
|
||||
|
||||
if (!is_netbios_alias_or_name(user_info->domain.str)) {
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
}
|
||||
|
||||
return check_sam_security(my_private_data, user_info, auth_info, server_info);
|
||||
}
|
||||
|
||||
BOOL auth_init_samstrict(auth_methods **auth_method)
|
||||
{
|
||||
if (!make_auth_methods(auth_method)) {
|
||||
return False;
|
||||
}
|
||||
|
||||
(*auth_method)->auth = check_samstrict_security;
|
||||
return True;
|
||||
}
|
||||
|
||||
|
@ -186,6 +186,17 @@ static NTSTATUS check_smbserver_security(void *my_private_data,
|
||||
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
|
||||
BOOL locally_made_cli = False;
|
||||
|
||||
/*
|
||||
* Check that the requested domain is not our own machine name.
|
||||
* If it is, we should never check the PDC here, we use our own local
|
||||
* password file.
|
||||
*/
|
||||
|
||||
if(is_netbios_alias_or_name(user_info->domain.str)) {
|
||||
DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
cli = my_private_data;
|
||||
|
||||
if (cli) {
|
||||
|
@ -1238,7 +1238,7 @@ static void init_globals(void)
|
||||
Globals.minprotocol = PROTOCOL_CORE;
|
||||
Globals.security = SEC_USER;
|
||||
Globals.paranoid_server_security = True;
|
||||
Globals.bEncryptPasswords = False;
|
||||
Globals.bEncryptPasswords = True;
|
||||
Globals.bUpdateEncrypt = False;
|
||||
Globals.bReadRaw = True;
|
||||
Globals.bWriteRaw = True;
|
||||
@ -3850,3 +3850,29 @@ void get_private_directory(pstring privdir)
|
||||
{
|
||||
pstrcpy (privdir, lp_private_dir());
|
||||
}
|
||||
|
||||
|
||||
/****************************************************************
|
||||
Is netbios alias or name
|
||||
*****************************************************************/
|
||||
|
||||
BOOL is_netbios_alias_or_name(char *name)
|
||||
{
|
||||
char **netbios_aliases = lp_netbios_aliases();
|
||||
|
||||
if (StrCaseCmp(name, global_myname) == 0) {
|
||||
return True;
|
||||
}
|
||||
|
||||
for (netbios_aliases = lp_netbios_aliases();
|
||||
netbios_aliases && *netbios_aliases;
|
||||
netbios_aliases++) {
|
||||
if (StrCaseCmp(name, *netbios_aliases) == 0) {
|
||||
return True;
|
||||
}
|
||||
}
|
||||
|
||||
return False;
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user