This is the 'easy' parts of the trusted domains patch n+3 patch from
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>
It includes a conversion of make_user_info*() to NTSTATUS and some minor
changes to other files.
It also picks up on a nasty segfault that can occur in some security=domain
cases.
Andrew Bartlett
(This used to be commit d1e1fc3e4b
)
parent
94d6c0e895
commit
789d51b42c
@ -242,7 +242,8 @@ UNIGRP_OBJ = libsmb/netlogon_unigrp.o
|
||||
|
||||
AUTH_OBJ = auth/auth.o auth/auth_sam.o auth/auth_server.o auth/auth_domain.o \
|
||||
auth/auth_rhosts.o auth/auth_unix.o auth/auth_util.o auth/auth_winbind.o \
|
||||
auth/auth_builtin.o auth/auth_compat.o $(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ)
|
||||
auth/auth_builtin.o auth/auth_compat.o \
|
||||
$(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ)
|
||||
|
||||
MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_map.o smbd/mangle_hash2.o
|
||||
|
||||
|
@ -251,7 +251,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli,
|
||||
}
|
||||
|
||||
/***********************************************************************
|
||||
We have been asked to dynamcially determine the IP addresses of
|
||||
We have been asked to dynamically determine the IP addresses of
|
||||
the PDC and BDC's for DOMAIN, and query them in turn.
|
||||
************************************************************************/
|
||||
static NTSTATUS find_connect_pdc(struct cli_state **cli,
|
||||
|
@ -4,6 +4,7 @@
|
||||
Copyright (C) Andrew Tridgell 1992-1998
|
||||
Copyright (C) Andrew Bartlett 2001
|
||||
Copyright (C) Jeremy Allison 2000-2001
|
||||
Copyright (C) Rafal Szczesniak 2002
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
@ -56,7 +57,7 @@ static int smb_create_user(const char *unix_user, const char *homedir)
|
||||
Add and Delete UNIX users on demand, based on NTSTATUS codes.
|
||||
****************************************************************************/
|
||||
|
||||
void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
|
||||
void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
|
||||
{
|
||||
struct passwd *pwd=NULL;
|
||||
|
||||
@ -81,15 +82,15 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli
|
||||
Create an auth_usersupplied_data structure
|
||||
****************************************************************************/
|
||||
|
||||
static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
const char *smb_name,
|
||||
const char *internal_username,
|
||||
const char *client_domain,
|
||||
const char *domain,
|
||||
const char *wksta_name,
|
||||
DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
|
||||
DATA_BLOB plaintext,
|
||||
uint32 auth_flags, BOOL encrypted)
|
||||
static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
|
||||
const char *smb_name,
|
||||
const char *internal_username,
|
||||
const char *client_domain,
|
||||
const char *domain,
|
||||
const char *wksta_name,
|
||||
DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
|
||||
DATA_BLOB plaintext,
|
||||
uint32 auth_flags, BOOL encrypted)
|
||||
{
|
||||
|
||||
DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
|
||||
@ -97,7 +98,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
*user_info = malloc(sizeof(**user_info));
|
||||
if (!user_info) {
|
||||
DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info)));
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
ZERO_STRUCTP(*user_info);
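Review bot: The allocation-failure branch that now returns NT_STATUS_NO_MEMORY can never be taken, because the guard tests the out-parameter `user_info` instead of the freshly malloc'd `*user_info`; a NULL from malloc falls straight through to `ZERO_STRUCTP(*user_info)` and dereferences it. Change the guard to `if (!*user_info) {` and have the message report the size that was actually requested, `DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(**user_info)));`, which also avoids passing a size_t to `%d`. make_user_info's body continues outside the hunk.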
|
||||
@ -109,7 +110,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
(*user_info)->smb_name.len = strlen(smb_name);
|
||||
} else {
|
||||
free_user_info(user_info);
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
(*user_info)->internal_username.str = strdup(internal_username);
|
||||
@ -117,7 +118,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
(*user_info)->internal_username.len = strlen(internal_username);
|
||||
} else {
|
||||
free_user_info(user_info);
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
(*user_info)->domain.str = strdup(domain);
|
||||
@ -125,7 +126,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
(*user_info)->domain.len = strlen(domain);
|
||||
} else {
|
||||
free_user_info(user_info);
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
(*user_info)->client_domain.str = strdup(client_domain);
|
||||
@ -133,7 +134,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
(*user_info)->client_domain.len = strlen(client_domain);
|
||||
} else {
|
||||
free_user_info(user_info);
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
(*user_info)->wksta_name.str = strdup(wksta_name);
|
||||
@ -141,7 +142,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
(*user_info)->wksta_name.len = strlen(wksta_name);
|
||||
} else {
|
||||
free_user_info(user_info);
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
|
||||
@ -155,26 +156,26 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
|
||||
|
||||
DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
|
||||
|
||||
return True;
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Create an auth_usersupplied_data structure after appropriate mapping.
|
||||
****************************************************************************/
|
||||
|
||||
BOOL make_user_info_map(auth_usersupplied_info **user_info,
|
||||
const char *smb_name,
|
||||
const char *client_domain,
|
||||
const char *wksta_name,
|
||||
DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
|
||||
DATA_BLOB plaintext,
|
||||
uint32 ntlmssp_flags, BOOL encrypted)
|
||||
NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
|
||||
const char *smb_name,
|
||||
const char *client_domain,
|
||||
const char *wksta_name,
|
||||
DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
|
||||
DATA_BLOB plaintext,
|
||||
uint32 ntlmssp_flags, BOOL encrypted)
|
||||
{
|
||||
const char *domain;
|
||||
fstring internal_username;
|
||||
fstrcpy(internal_username, smb_name);
|
||||
map_username(internal_username);
|
||||
|
||||
|
||||
DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
|
||||
client_domain, smb_name, wksta_name));
|
||||
|
||||
@ -203,7 +204,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info,
|
||||
client_domain, lp_winbind_separator(),
|
||||
smb_name) < 0) {
|
||||
DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
|
||||
return False;
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
|
||||
@ -245,6 +246,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
|
||||
const uchar *nt_network_pwd, int nt_pwd_len)
|
||||
{
|
||||
BOOL ret;
|
||||
NTSTATUS nt_status;
|
||||
DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
|
||||
DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
|
||||
DATA_BLOB plaintext_blob = data_blob(NULL, 0);
|
||||
@ -258,12 +260,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
|
||||
auth_flags |= AUTH_FLAG_NTLMv2_RESP;
|
||||
}
|
||||
|
||||
ret = make_user_info_map(user_info,
|
||||
smb_name, client_domain,
|
||||
wksta_name,
|
||||
lm_blob, nt_blob,
|
||||
plaintext_blob,
|
||||
auth_flags, True);
|
||||
nt_status = make_user_info_map(user_info,
|
||||
smb_name, client_domain,
|
||||
wksta_name,
|
||||
lm_blob, nt_blob,
|
||||
plaintext_blob,
|
||||
auth_flags, True);
|
||||
|
||||
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
|
||||
|
||||
data_blob_free(&lm_blob);
|
||||
data_blob_free(&nt_blob);
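Review bot: `ret = NT_STATUS_IS_OK(nt_status) ? True : False;` throws away the NTSTATUS that make_user_info_map now returns, so make_user_info_netlogon_network still reports only True/False and its caller has to invent a status on failure. Since make_user_info_for_reply_enc is converted to return NTSTATUS in this same commit, the consistent change is to do the same here (and in make_user_info_netlogon_interactive, which follows the identical pattern): drop `ret`, keep the two data_blob_free() calls, and `return nt_status;`. If the BOOL return is kept for now, `NT_STATUS_IS_OK(nt_status)` already yields a BOOL, so the ternary adds nothing. The function's signature and final return are outside the hunk.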
|
||||
@ -329,6 +333,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
|
||||
|
||||
{
|
||||
BOOL ret;
|
||||
NTSTATUS nt_status;
|
||||
DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
|
||||
DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
|
||||
DATA_BLOB plaintext_blob = data_blob(NULL, 0);
|
||||
@ -338,14 +343,15 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
|
||||
if (nt_interactive_pwd)
|
||||
auth_flags |= AUTH_FLAG_NTLM_RESP;
|
||||
|
||||
ret = make_user_info_map(user_info,
|
||||
smb_name, client_domain,
|
||||
wksta_name,
|
||||
local_lm_blob,
|
||||
local_nt_blob,
|
||||
plaintext_blob,
|
||||
auth_flags, True);
|
||||
nt_status = make_user_info_map(user_info,
|
||||
smb_name, client_domain,
|
||||
wksta_name,
|
||||
local_lm_blob,
|
||||
local_nt_blob,
|
||||
plaintext_blob,
|
||||
auth_flags, True);
|
||||
|
||||
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
|
||||
data_blob_free(&local_lm_blob);
|
||||
data_blob_free(&local_nt_blob);
|
||||
return ret;
|
||||
@ -366,7 +372,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
|
||||
|
||||
DATA_BLOB local_lm_blob;
|
||||
DATA_BLOB local_nt_blob;
|
||||
BOOL ret = False;
|
||||
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
|
||||
uint32 auth_flags = AUTH_FLAG_NONE;
|
||||
|
||||
/*
|
||||
@ -397,25 +403,25 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
|
||||
}
|
||||
|
||||
ret = make_user_info_map(user_info, smb_name,
|
||||
client_domain,
|
||||
get_remote_machine_name(),
|
||||
local_lm_blob,
|
||||
local_nt_blob,
|
||||
plaintext_password,
|
||||
auth_flags, False);
|
||||
client_domain,
|
||||
get_remote_machine_name(),
|
||||
local_lm_blob,
|
||||
local_nt_blob,
|
||||
plaintext_password,
|
||||
auth_flags, False);
|
||||
|
||||
data_blob_free(&local_lm_blob);
|
||||
return ret;
|
||||
return NT_STATUS_IS_OK(ret) ? True : False;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Create an auth_usersupplied_data structure
|
||||
****************************************************************************/
|
||||
|
||||
BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
|
||||
const char *smb_name,
|
||||
const char *client_domain,
|
||||
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
|
||||
NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
|
||||
const char *smb_name,
|
||||
const char *client_domain,
|
||||
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
|
||||
{
|
||||
uint32 auth_flags = AUTH_FLAG_NONE;
|
||||
|
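Review bot: `return NT_STATUS_IS_OK(ret) ? True : False;` collapses the NTSTATUS from make_user_info_map back to BOOL, so make_user_info_for_reply still returns BOOL while make_user_info_for_reply_enc, converted in the same hunk, returns NTSTATUS; callers on the plaintext path therefore still have to guess a status when it fails. Converting the signature to `NTSTATUS make_user_info_for_reply(...)` and ending with `return ret;` would make the two entry points consistent, and renaming `ret` to `nt_status` would match the naming used elsewhere in this file. The start of make_user_info_for_reply and the body of make_user_info_for_reply_enc are outside the hunk.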
||||
@ -450,14 +456,17 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
|
||||
DATA_BLOB nt_blob = data_blob(NULL, 0);
|
||||
DATA_BLOB plaintext_blob = data_blob(NULL, 0);
|
||||
uint32 auth_flags = AUTH_FLAG_NONE;
|
||||
NTSTATUS nt_status;
|
||||
|
||||
return make_user_info(user_info,
|
||||
nt_status = make_user_info(user_info,
|
||||
"","",
|
||||
"","",
|
||||
"",
|
||||
nt_blob, lm_blob,
|
||||
plaintext_blob,
|
||||
auth_flags, True);
|
||||
|
||||
return NT_STATUS_IS_OK(nt_status) ? True : False;
|
||||
}
|
||||
|
||||
/****************************************************************************
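Review bot: make_user_info_guest passes `nt_blob, lm_blob` to make_user_info, whose parameters are declared in the order `DATA_BLOB lm_pwd, DATA_BLOB nt_pwd`. Both blobs appear to be empty (nt_blob is `data_blob(NULL, 0)` here; lm_blob is initialised above the hunk), so the swap is harmless today, but it would silently exchange the LM and NT hashes if either were ever populated; pass them as `lm_blob, nt_blob,` to match the declared order. `NT_STATUS_IS_OK(nt_status) ? True : False` can be just `NT_STATUS_IS_OK(nt_status)`. The function's signature and the lm_blob declaration are outside the hunk.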
|
||||
@ -633,7 +642,14 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
usr = getpwuid_alloc(uid);
|
||||
/*
|
||||
* This is _essential_ to prevent occasional segfaults when
|
||||
* winbind can't find uid -> username mapping
|
||||
*/
|
||||
if (!(usr = getpwuid_alloc(uid))) {
|
||||
DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid));
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
};
|
||||
|
||||
n_unix_groups = groups_max();
|
||||
if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) {
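Review bot: The new NULL check closes the segfault, but the DEBUG line prints `uid` with `%d` although uid_t is unsigned on most platforms, the message calls the missing entry a "passdb structure" when it is a passwd entry, and the block ends with a stray `};`. Use `DEBUG(0, ("Couldn't find passwd entry for UID = %u ! Aborting.\n", (unsigned int)uid));` and close the block with a bare `}`. Refusing with NT_STATUS_NO_SUCH_USER is the right outcome here: a SID that maps to a uid with no passwd entry should not be handed a group list. get_user_groups_from_local_sam starts and ends outside the hunk.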
|
||||
|
@ -473,6 +473,8 @@ NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u, LSA_R_E
|
||||
/*
|
||||
* preferred length is set to 5 as a "our" preferred length
|
||||
* nt sets this parameter to 2
|
||||
* update (20.08.2002): it's not preferred length, but preferred size!
|
||||
* it needs further investigation how to optimally choose this value
|
||||
*/
|
||||
uint32 max_num_domains = q_u->preferred_len < 5 ? q_u->preferred_len : 10;
|
||||
TRUSTDOM **trust_doms;
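Review bot: The added comment records that `preferred_len` is really a preferred size, but it still leaves the reader unable to tell why the line below honours client-supplied values only when they are under 5 and otherwise forces 10; it also does not say what happens when a client sends 0, which makes `max_num_domains` 0 and relies on the enumeration below (outside the hunk) coping with an empty page. Replace the two trailing comment lines with a statement of the policy, e.g. `/* preferred_len is a client hint for reply size, not an entry count; values below 5 are used as-is, anything larger is capped at 10 entries per call. */`, and confirm that the code below handles a cap of 0. The rest of _lsa_enum_trust_dom is outside the hunk.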
|
||||
|
@ -439,14 +439,14 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
|
||||
auth_flags |= AUTH_FLAG_NTLM_RESP;
|
||||
} else if (nthash.length > 24) {
|
||||
auth_flags |= AUTH_FLAG_NTLMv2_RESP;
|
||||
}
|
||||
};
|
||||
|
||||
if (!make_user_info_map(&user_info,
|
||||
user, workgroup,
|
||||
machine,
|
||||
lmhash, nthash,
|
||||
plaintext_password,
|
||||
auth_flags, True)) {
|
||||
nt_status = make_user_info_map(&user_info, user, workgroup, machine,
|
||||
lmhash, nthash, plaintext_password,
|
||||
auth_flags, True);
|
||||
|
||||
/* it looks a bit weird, but this function returns int type... */
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
return ERROR_NT(NT_STATUS_NO_MEMORY);
|
||||
}
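Review bot: `return ERROR_NT(NT_STATUS_NO_MEMORY);` discards the NTSTATUS just obtained from make_user_info_map, so the status conversion this commit introduces stops one line short of the wire and the client sees NO_MEMORY for any failure. Return the real status with `return ERROR_NT(nt_status);`. The comment `/* it looks a bit weird, but this function returns int type... */` does not say what is weird; if ERROR_NT() is the usual status-to-reply helper, a comment such as `/* reply_spnego_auth returns an int reply; ERROR_NT() packs the status into it */` would explain the line. reply_spnego_auth starts and ends outside the hunk.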
|
||||
|
||||
@ -621,7 +621,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
|
||||
NTSTATUS nt_status;
|
||||
|
||||
BOOL doencrypt = global_encrypted_passwords_negotiated;
|
||||
|
||||
|
||||
START_PROFILE(SMBsesssetupX);
|
||||
|
||||
ZERO_STRUCT(lm_resp);
|
||||
@ -776,11 +776,9 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
|
||||
nt_status = check_guest_password(&server_info);
|
||||
|
||||
} else if (doencrypt) {
|
||||
if (!make_user_info_for_reply_enc(&user_info,
|
||||
user, domain,
|
||||
lm_resp, nt_resp)) {
|
||||
nt_status = NT_STATUS_NO_MEMORY;
|
||||
} else {
|
||||
nt_status = make_user_info_for_reply_enc(&user_info, user, domain,
|
||||
lm_resp, nt_resp);
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context,
|
||||
user_info,
|
||||
&server_info);
|
||||
|
@ -1972,6 +1972,12 @@ static int rpc_trustdom_list(int argc, const char **argv)
|
||||
|
||||
d_printf("%s%s%s\n", trusted_dom_names[i], padding, ascii_sid);
|
||||
};
|
||||
|
||||
/*
|
||||
* in case of no trusted domains say something rather
|
||||
* than just display blank line
|
||||
*/
|
||||
if (!num_domains) d_printf("none\n");
|
||||
|
||||
} while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
|
||||
|
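Review bot: `if (!num_domains) d_printf("none\n");` sits inside the do/while that pages through the enumeration, so it runs on every iteration; if `num_domains` is the per-call count (its declaration is outside the hunk), a later page that returns no entries after STATUS_MORE_ENTRIES would print "none" beneath domains that were already listed. Keeping a running total across iterations and printing "none" once after the loop, e.g. `if (!total_domains) d_printf("none\n");` placed after the `} while (...)`, avoids that. The same pattern appears in the second enumeration loop later in rpc_trustdom_list. The function starts and ends outside the hunk.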
||||
@ -2076,6 +2082,8 @@ static int rpc_trustdom_list(int argc, const char **argv)
|
||||
};
|
||||
};
|
||||
|
||||
if (!num_domains) d_printf("none\n");
|
||||
|
||||
} while (NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES));
|
||||
|
||||
/* close opened samr and domain policy handles */
|
||||
|