sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

codepages/codepage_def.936: Updated comment.

Browse Source 
param/loadparm.c: Removed "networkstation user login", "domain controller", and "domain sid" parameters.
passdb/passdb.c: Removed "networkstation user login" code and changed bug test code
                 to only check once for a bad password server. This will stop the
                 complaints of many "bad login" audit records in NT PDC logs.
utils/smbpasswd.c: Removed check for "domain controller".
Jeremy.
(This used to be commit d6e6e936b5dd90dd8fc38d9404efbe5c546c15e5)
This commit is contained in:
Jeremy Allison 1998-11-07 05:32:37 +00:00
parent f7580666de
commit 548b417d40
5 changed files with 89 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source3/codepages/codepage_def.936
View File

@ -14,7 +14,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Codepage definition file for IBM Code Page 949 - MS-DOS Simplified Chinese.
# Codepage definition file for IBM Code Page 936 - MS-DOS Simplified Chinese.
# defines lower->upper mapping.
# Written by Jeremy Allison <jallison@whistle.com>

11
source3/param/loadparm.c
View File

@ -145,7 +145,6 @@ typedef struct
char *szNISHomeMapName;
char *szAnnounceVersion; /* This is initialised in init_globals */
char *szNetbiosAliases;
char *szDomainSID;
char *szDomainOtherSIDs;
char *szDomainGroups;
char *szDriverFile;
@ -207,7 +206,6 @@ typedef struct
BOOL bWINSproxy;
BOOL bLocalMaster;
BOOL bPreferredMaster;
BOOL bDomainController;
BOOL bDomainMaster;
BOOL bDomainLogons;
BOOL bEncryptPasswords;
@ -226,7 +224,6 @@ typedef struct
BOOL bNISHomeMap;
BOOL bTimeServer;
BOOL bBindInterfacesOnly;
BOOL bNetWkstaUserLogon;
BOOL bUnixPasswdSync;
BOOL bPasswdChatDebug;
BOOL bOleLockingCompat;
@ -577,7 +574,6 @@ static struct parm_struct parm_table[] =
{"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0},
{"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0},
{"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0},
{"networkstation user login", P_BOOL,P_GLOBAL, &Globals.bNetWkstaUserLogon,NULL, NULL, 0},
{"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, 0},
@ -659,9 +655,7 @@ static struct parm_struct parm_table[] =
{"stat cache", P_BOOL, P_GLOBAL, &Globals.bStatCache, NULL, NULL, 0},
{"Domain Options", P_SEP, P_SEPARATOR},
{"domain sid", P_USTRING, P_GLOBAL, &Globals.szDomainSID, NULL, NULL, 0},
{"domain groups", P_STRING, P_GLOBAL, &Globals.szDomainGroups, NULL, NULL, 0},
{"domain controller",P_BOOL , P_GLOBAL, &Globals.bDomainController,NULL, NULL, 0},
{"domain admin group",P_STRING, P_GLOBAL, &Globals.szDomainAdminGroup, NULL, NULL, 0},
{"domain guest group",P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL, NULL, 0},
{"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL, NULL, 0},
@ -866,8 +860,6 @@ static void init_globals(void)
Globals.client_code_page = DEFAULT_CLIENT_CODE_PAGE;
Globals.bTimeServer = False;
Globals.bBindInterfacesOnly = False;
Globals.bNetWkstaUserLogon = False; /* This is now set to false by default as
the code in password.c protects us from this bug. */
Globals.bUnixPasswdSync = False;
Globals.bPasswdChatDebug = False;
Globals.bOleLockingCompat = True;
@ -1105,7 +1097,6 @@ FN_GLOBAL_STRING(lp_netbios_aliases,&Globals.szNetbiosAliases)
FN_GLOBAL_STRING(lp_driverfile,&Globals.szDriverFile)
FN_GLOBAL_STRING(lp_panic_action,&Globals.szPanicAction)
FN_GLOBAL_STRING(lp_domain_sid,&Globals.szDomainSID)
FN_GLOBAL_STRING(lp_domain_groups,&Globals.szDomainGroups)
FN_GLOBAL_STRING(lp_domain_admin_group,&Globals.szDomainAdminGroup)
FN_GLOBAL_STRING(lp_domain_guest_group,&Globals.szDomainGuestGroup)
@ -1142,7 +1133,6 @@ FN_GLOBAL_BOOL(lp_wins_support,&Globals.bWINSsupport)
FN_GLOBAL_BOOL(lp_we_are_a_wins_server,&Globals.bWINSsupport)
FN_GLOBAL_BOOL(lp_wins_proxy,&Globals.bWINSproxy)
FN_GLOBAL_BOOL(lp_local_master,&Globals.bLocalMaster)
FN_GLOBAL_BOOL(lp_domain_controller,&Globals.bDomainController)
FN_GLOBAL_BOOL(lp_domain_master,&Globals.bDomainMaster)
FN_GLOBAL_BOOL(lp_domain_logons,&Globals.bDomainLogons)
FN_GLOBAL_BOOL(lp_preferred_master,&Globals.bPreferredMaster)
@ -1163,7 +1153,6 @@ FN_GLOBAL_BOOL(lp_unix_realname,&Globals.bUnixRealname)
FN_GLOBAL_BOOL(lp_nis_home_map,&Globals.bNISHomeMap)
static FN_GLOBAL_BOOL(lp_time_server,&Globals.bTimeServer)
FN_GLOBAL_BOOL(lp_bind_interfaces_only,&Globals.bBindInterfacesOnly)
FN_GLOBAL_BOOL(lp_net_wksta_user_logon,&Globals.bNetWkstaUserLogon)
FN_GLOBAL_BOOL(lp_unix_password_sync,&Globals.bUnixPasswdSync)
FN_GLOBAL_BOOL(lp_passwd_chat_debug,&Globals.bPasswdChatDebug)
FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat)

8
source3/passdb/passdb.c
View File

@ -875,13 +875,11 @@ BOOL pdb_generate_sam_sid(void)
}
/*
* The file contains no data - we may need to generate our
* own sid. Try the lp_domain_sid() first.
* The file contains no data - we need to generate our
* own sid.
*/
if(*lp_domain_sid())
fstrcpy( sid_string, lp_domain_sid());
else {
{
/*
* Generate the new sid data & turn it into a string.
*/

180
source3/smbd/password.c
View File

@ -1036,114 +1036,98 @@ BOOL server_validate(char *user, char *domain,
char *pass, int passlen,
char *ntpass, int ntpasslen)
{
struct cli_state *cli;
extern fstring local_machine;
static unsigned char badpass[24];
cli = server_client();
struct cli_state *cli;
extern fstring local_machine;
static unsigned char badpass[24];
static BOOL tested_password_server = False;
static BOOL bad_password_server = False;
if (!cli->initialised) {
DEBUG(1,("password server %s is not connected\n", cli->desthost));
return(False);
}
cli = server_client();
if(badpass[0] == 0) {
memset(badpass, 0x1f, sizeof(badpass));
}
if (!cli->initialised) {
DEBUG(1,("password server %s is not connected\n", cli->desthost));
return(False);
}
if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
/* Very unlikely, our random bad password is the same as the users
password. */
memset(badpass, badpass[0]+1, sizeof(badpass));
}
if(badpass[0] == 0)
memset(badpass, 0x1f, sizeof(badpass));
/*
* Attempt a session setup with a totally incorrect password.
* If this succeeds with the guest bit *NOT* set then the password
* server is broken and is not correctly setting the guest bit. We
* need to detect this as some versions of NT4.x are broken. JRA.
*/
if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
/*
* Very unlikely, our random bad password is the same as the users
* password. */
memset(badpass, badpass[0]+1, sizeof(badpass));
}
if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
/*
* Attempt a session setup with a totally incorrect password.
* If this succeeds with the guest bit *NOT* set then the password
* server is broken and is not correctly setting the guest bit. We
* need to detect this as some versions of NT4.x are broken. JRA.
*/
if(!tested_password_server) {
if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
(char *)badpass, sizeof(badpass), domain)) {
if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
DEBUG(0,("server_validate: password server %s allows users as non-guest \
/*
* We connected to the password server so we
* can say we've tested it.
*/
tested_password_server = True;
if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
DEBUG(0,("server_validate: password server %s allows users as non-guest \
with a bad password.\n", cli->desthost));
DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
use this machine as the password server.\n"));
cli_ulogoff(cli);
return False;
}
cli_ulogoff(cli);
}
/*
* Now we know the password server will correctly set the guest bit, or is
* not guest enabled, we can try with the real password.
*/
if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
DEBUG(1,("password server %s rejected the password\n", cli->desthost));
return False;
}
/* if logged in as guest then reject */
if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
cli_ulogoff(cli);
return(False);
}
/*
* This patch from Rob Nielsen <ran@adc.com> makes doing
* the NetWksaUserLogon a dynamic, rather than compile-time
* parameter, defaulting to on. This is somewhat dangerous
* as it allows people to turn off this neccessary check,
* but so many people have had problems with this that I
* think it is a neccessary change. JRA.
*/
if (lp_net_wksta_user_logon()) {
DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", cli->desthost));
if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
DEBUG(0,("password server %s refused IPC$ connect\n", cli->desthost));
cli_ulogoff(cli);
return False;
}
if (!cli_NetWkstaUserLogon(cli,user,local_machine)) {
DEBUG(0,("password server %s failed NetWkstaUserLogon\n", cli->desthost));
cli_tdis(cli);
cli_ulogoff(cli);
return False;
}
if (cli->privilages == 0) {
DEBUG(0,("password server %s gave guest privilages\n", cli->desthost));
cli_tdis(cli);
cli_ulogoff(cli);
return False;
}
if (!strequal(cli->eff_name, user)) {
DEBUG(0,("password server %s gave different username %s\n",
cli->desthost,
cli->eff_name));
cli_tdis(cli);
cli_ulogoff(cli);
return False;
}
cli_tdis(cli);
}
else {
DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", cli->desthost));
}
DEBUG(3,("password server %s accepted the password\n", cli->desthost));
cli_ulogoff(cli);
return(True);
/*
* Password server has the bug.
*/
bad_password_server = True;
return False;
}
cli_ulogoff(cli);
}
} else {
/*
* We have already tested the password server.
* Fail immediately if it has the bug.
*/
if(bad_password_server) {
DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
with a bad password.\n", cli->desthost));
DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
use this machine as the password server.\n"));
return False;
}
}
/*
* Now we know the password server will correctly set the guest bit, or is
* not guest enabled, we can try with the real password.
*/
if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
DEBUG(1,("password server %s rejected the password\n", cli->desthost));
return False;
}
/* if logged in as guest then reject */
if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
cli_ulogoff(cli);
return(False);
}
cli_ulogoff(cli);
return(True);
}
/***********************************************************************

6
source3/utils/smbpasswd.c
View File

@ -60,9 +60,9 @@ static int join_domain( char *domain, char *remote)
domain if we are locally set up as a domain
controller. */
if(lp_domain_controller() && strequal(lp_workgroup(), domain)) {
fprintf(stderr, "%s: Cannot join domain %s as we already configured as \
domain controller for that domain.\n", prog_name, domain);
if(strequal(remote, global_myname)) {
fprintf(stderr, "%s: Cannot join domain %s as the domain controller name is our own. \
We cannot be a domain controller for a domain and also be a domain member.\n", prog_name, domain);
return 1;
}