mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
auth: Remove dfs_auth() from pass_check.c and s4's auth_unix
The waf build has no logic to detect DCE/DFS, so this plaintext authentication mechanism is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
parent
f5cff44713
commit
94f0716fff
@ -97,317 +97,6 @@ static bool afs_auth(char *user, char *password)
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef WITH_DFS
|
||||
|
||||
#include <dce/dce_error.h>
|
||||
#include <dce/sec_login.h>
|
||||
|
||||
/*****************************************************************
|
||||
This new version of the DFS_AUTH code was donated by Karsten Muuss
|
||||
<muuss@or.uni-bonn.de>. It fixes the following problems with the
|
||||
old code :
|
||||
|
||||
- Server credentials may expire
|
||||
- Client credential cache files have wrong owner
|
||||
- purge_context() function is called with invalid argument
|
||||
|
||||
This new code was modified to ensure that on exit the uid/gid is
|
||||
still root, and the original directory is restored. JRA.
|
||||
******************************************************************/
|
||||
|
||||
sec_login_handle_t my_dce_sec_context;
|
||||
int dcelogin_atmost_once = 0;
|
||||
|
||||
/*******************************************************************
|
||||
check on a DCE/DFS authentication
|
||||
********************************************************************/
|
||||
static bool dfs_auth(char *user, char *password)
|
||||
{
|
||||
struct tm *t;
|
||||
error_status_t err;
|
||||
int err2;
|
||||
int prterr;
|
||||
signed32 expire_time, current_time;
|
||||
boolean32 password_reset;
|
||||
struct passwd *pw;
|
||||
sec_passwd_rec_t passwd_rec;
|
||||
sec_login_auth_src_t auth_src = sec_login_auth_src_network;
|
||||
unsigned char dce_errstr[dce_c_error_string_len];
|
||||
gid_t egid;
|
||||
|
||||
if (dcelogin_atmost_once)
|
||||
return (False);
|
||||
|
||||
#ifdef HAVE_CRYPT
|
||||
/*
|
||||
* We only go for a DCE login context if the given password
|
||||
* matches that stored in the local password file..
|
||||
* Assumes local passwd file is kept in sync w/ DCE RGY!
|
||||
*/
|
||||
|
||||
if (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()))
|
||||
{
|
||||
return (False);
|
||||
}
|
||||
#endif
|
||||
|
||||
sec_login_get_current_context(&my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_login_certify_identity(my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
time(¤t_time);
|
||||
|
||||
if (expire_time < (current_time + 60))
|
||||
{
|
||||
struct passwd *pw;
|
||||
sec_passwd_rec_t *key;
|
||||
|
||||
sec_login_get_pwent(my_dce_sec_context,
|
||||
(sec_login_passwd_t *) & pw, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_login_refresh_identity(my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't refresh identity. %s\n",
|
||||
dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
|
||||
(unsigned char *)pw->pw_name,
|
||||
sec_c_key_version_none,
|
||||
(void **)&key, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get key for %s. %s\n",
|
||||
pw->pw_name, dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_login_valid_and_cert_ident(my_dce_sec_context, key,
|
||||
&password_reset, &auth_src,
|
||||
&err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0,
|
||||
("DCE can't validate and certify identity for %s. %s\n",
|
||||
pw->pw_name, dce_errstr));
|
||||
}
|
||||
|
||||
sec_key_mgmt_free_key(key, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't free key.\n", dce_errstr));
|
||||
}
|
||||
}
|
||||
|
||||
if (sec_login_setup_identity((unsigned char *)user,
|
||||
sec_login_no_flags,
|
||||
&my_dce_sec_context, &err) == 0)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
|
||||
user, dce_errstr));
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_login_get_pwent(my_dce_sec_context,
|
||||
(sec_login_passwd_t *) & pw, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
sec_login_purge_context(&my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr));
|
||||
|
||||
return (False);
|
||||
}
|
||||
|
||||
/*
|
||||
* NB. I'd like to change these to call something like change_to_user()
|
||||
* instead but currently we don't have a connection
|
||||
* context to become the correct user. This is already
|
||||
* fairly platform specific code however, so I think
|
||||
* this should be ok. I have added code to go
|
||||
* back to being root on error though. JRA.
|
||||
*/
|
||||
|
||||
egid = getegid();
|
||||
|
||||
set_effective_gid(pw->pw_gid);
|
||||
set_effective_uid(pw->pw_uid);
|
||||
|
||||
if (sec_login_setup_identity((unsigned char *)user,
|
||||
sec_login_no_flags,
|
||||
&my_dce_sec_context, &err) == 0)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
|
||||
user, dce_errstr));
|
||||
goto err;
|
||||
}
|
||||
|
||||
sec_login_get_pwent(my_dce_sec_context,
|
||||
(sec_login_passwd_t *) & pw, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
|
||||
goto err;
|
||||
}
|
||||
|
||||
passwd_rec.version_number = sec_passwd_c_version_none;
|
||||
passwd_rec.pepper = NULL;
|
||||
passwd_rec.key.key_type = sec_passwd_plain;
|
||||
passwd_rec.key.tagged_union.plain = (idl_char *) password;
|
||||
|
||||
sec_login_validate_identity(my_dce_sec_context,
|
||||
&passwd_rec, &password_reset,
|
||||
&auth_src, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0,
|
||||
("DCE Identity Validation failed for principal %s: %s\n",
|
||||
user, dce_errstr));
|
||||
goto err;
|
||||
}
|
||||
|
||||
sec_login_certify_identity(my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr));
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (auth_src != sec_login_auth_src_network)
|
||||
{
|
||||
DEBUG(0, ("DCE context has no network credentials.\n"));
|
||||
}
|
||||
|
||||
sec_login_set_context(my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0,
|
||||
("DCE login failed for principal %s, cant set context: %s\n",
|
||||
user, dce_errstr));
|
||||
|
||||
sec_login_purge_context(&my_dce_sec_context, &err);
|
||||
goto err;
|
||||
}
|
||||
|
||||
sec_login_get_pwent(my_dce_sec_context,
|
||||
(sec_login_passwd_t *) & pw, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
|
||||
goto err;
|
||||
}
|
||||
|
||||
DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n",
|
||||
user, getpid()));
|
||||
|
||||
DEBUG(3, ("DCE principal: %s\n"
|
||||
" uid: %d\n"
|
||||
" gid: %d\n",
|
||||
pw->pw_name, pw->pw_uid, pw->pw_gid));
|
||||
DEBUG(3, (" info: %s\n"
|
||||
" dir: %s\n"
|
||||
" shell: %s\n",
|
||||
pw->pw_gecos, pw->pw_dir, pw->pw_shell));
|
||||
|
||||
sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
|
||||
goto err;
|
||||
}
|
||||
|
||||
set_effective_uid(0);
|
||||
set_effective_gid(0);
|
||||
|
||||
t = localtime(&expire_time);
|
||||
if (t) {
|
||||
const char *asct = asctime(t);
|
||||
if (asct) {
|
||||
DEBUG(0,("DCE context expires: %s", asct));
|
||||
}
|
||||
}
|
||||
|
||||
dcelogin_atmost_once = 1;
|
||||
return (True);
|
||||
|
||||
err:
|
||||
|
||||
/* Go back to root, JRA. */
|
||||
set_effective_uid(0);
|
||||
set_effective_gid(egid);
|
||||
return (False);
|
||||
}
|
||||
|
||||
void dfs_unlogin(void)
|
||||
{
|
||||
error_status_t err;
|
||||
int err2;
|
||||
unsigned char dce_errstr[dce_c_error_string_len];
|
||||
|
||||
sec_login_purge_context(&my_dce_sec_context, &err);
|
||||
if (err != error_status_ok)
|
||||
{
|
||||
dce_error_inq_text(err, dce_errstr, &err2);
|
||||
DEBUG(0,
|
||||
("DCE purge login context failed for server instance %d: %s\n",
|
||||
getpid(), dce_errstr));
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_BIGCRYPT
|
||||
/****************************************************************************
|
||||
@ -483,10 +172,6 @@ static NTSTATUS password_check(const char *user, const char *password, const voi
|
||||
return NT_STATUS_OK;
|
||||
#endif /* WITH_AFS */
|
||||
|
||||
#ifdef WITH_DFS
|
||||
if (dfs_auth(user, password))
|
||||
return NT_STATUS_OK;
|
||||
#endif /* WITH_DFS */
|
||||
|
||||
#ifdef OSF1_ENH_SEC
|
||||
|
||||
|
@ -518,10 +518,6 @@ static NTSTATUS password_check(const char *username, const char *password,
|
||||
return NT_STATUS_OK;
|
||||
#endif /* WITH_AFS */
|
||||
|
||||
#ifdef WITH_DFS
|
||||
if (dfs_auth(username, password))
|
||||
return NT_STATUS_OK;
|
||||
#endif /* WITH_DFS */
|
||||
|
||||
#ifdef OSF1_ENH_SEC
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user