sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Code

Fix up workstaion and kickoff time checks, moved to auth_smbpasswd.c where

Browse Source 
they can have general effect.

Fixed up workstaion support in the rest of samba, so that we can do these
checks.

Pass through the workstation for cli_net_logon(), if supplied.
(This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a)
This commit is contained in:
Andrew Bartlett 2001-09-16 06:35:35 +00:00
parent 9bae3609ac
commit dec3cbcaf0
8 changed files with 136 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
source3/auth/auth.c
View File

@ -25,8 +25,6 @@
extern int DEBUGLEVEL;
extern pstring global_myname;
/****************************************************************************
Check user is in correct domain if required
****************************************************************************/
@ -63,7 +61,8 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
DEBUG(3, ("check_password: Checking password for smb user %s\\%s@%s with the new password interface\n",
user_info->smb_username.str, user_info->requested_domain.str, user_info->wksta_name.str));
if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
@ -122,7 +121,8 @@ return True if the password is correct, False otherwise
****************************************************************************/
NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
char *domain, uchar chal[8],
char *domain, char* workstation,
uchar chal[8],
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@ -158,8 +158,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
user_info.unix_username = unix_username;
user_info.smb_username = smb_username;
user_info.wksta_name.str = client_name();
user_info.wksta_name.len = strlen(client_name());
wksta_name.str = workstation;
wksta_name.len = strlen(workstation);
user_info.wksta_name = wksta_name;
@ -204,7 +204,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
return check_password(&user_info, &server_info);
}
NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
NTSTATUS pass_check_smb(char *smb_user, char *unix_user,
char *domain, char *workstation,
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@ -214,7 +215,8 @@ NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
generate_random_buffer( chal, 8, False);
}
return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
return pass_check_smb_with_chal(smb_user, unix_user,
domain, workstation, chal,
lm_pwd, lm_pwd_len,
nt_pwd, nt_pwd_len);
@ -227,6 +229,7 @@ return True if the password is correct, False otherwise
****************************************************************************/
BOOL password_ok(char *user, char *password, int pwlen)
{
extern fstring remote_machine;
/*
* This hack must die! But until I rewrite the rest of samba
@ -240,11 +243,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
/* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as
required. */
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
return True;
}
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
return True;
}

45
source3/auth/auth_sam.c
View File

@ -112,9 +112,9 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
{
uint8 *nt_pw, *lm_pw;
uint16 acct_ctrl;
acct_ctrl = pdb_get_acct_ctrl(sampass);
uint16 acct_ctrl = pdb_get_acct_ctrl(sampass);
char *workstation_list;
time_t kickoff_time;
/* Quit if the account was disabled. */
if(acct_ctrl & ACB_DISABLED) {
@ -122,6 +122,45 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
return(NT_STATUS_ACCOUNT_DISABLED);
}
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
if (kickoff_time != (time_t)-1) {
if (time(NULL) > kickoff_time) {
return NT_STATUS_ACCOUNT_EXPIRED;
}
}
/* Test workstation. Workstation list is comma separated. */
workstation_list = strdup(pdb_get_workstations(sampass));
if (workstation_list) {
if (*workstation_list) {
BOOL invalid_ws = True;
char *s = workstation_list;
fstring tok;
while (next_token(&s, tok, ",", sizeof(tok))) {
DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
tok, user_info->wksta_name.str, user_info->wksta_name.len));
if(strequal(tok, user_info->wksta_name.str)) {
invalid_ws = False;
break;
}
}
free(workstation_list);
if (invalid_ws)
return NT_STATUS_INVALID_WORKSTATION;
} else {
free(workstation_list);
}
} else {
return NT_STATUS_NO_MEMORY;
}
if (acct_ctrl & ACB_PWNOTREQ)
{
if (lp_null_passwords())

6
source3/rpc_client/cli_login.c
View File

@ -167,7 +167,11 @@ NTSTATUS cli_nt_login_network(struct cli_state *cli,
/* Create the structure needed for SAM logon. */
init_id_info2(&ctr->auth.id2, user_info->domain.str, 0, smb_userid_low, 0,
user_info->smb_username.str, cli->clnt_name_slash,
user_info->smb_username.str,
/* Send our cleint's workstaion name if we have it, otherwise ours */
((user_info->wksta_name.len > 0) ?
user_info->wksta_name.str :
cli->clnt_name_slash),
user_info->chal,
user_info->lm_resp.buffer, user_info->lm_resp.len,
user_info->nt_resp.buffer, user_info->nt_resp.len);

40
source3/rpc_server/srv_netlog_nt.c
View File

@ -6,6 +6,7 @@
* Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
* Copyright (C) Paul Ashton 1997.
* Copyright (C) Jeremy Allison 1998-2001.
* Copyirht (C) Andrew Bartlett 2001.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -473,7 +474,7 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF
_net_logon_any: Use the new authentications subsystem to log in.
*************************************************************************/
static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, char *sess_key)
static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, char *workstation, char *sess_key)
{
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
@ -508,12 +509,10 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
user_info.unix_username = smb_username; /* For the time-being */
user_info.smb_username = smb_username;
#if 0
user_info.wksta_name.str = cleint_name();
user_info.wksta_name.len = strlen(client_name());
user_info.wksta_name.str = workstation;
user_info.wksta_name.len = strlen(workstation);
user_info.wksta_name = wksta_name;
#endif
DEBUG(10,("_net_logon_any: Attempting validation level %d.\n", ctr->switch_value));
switch (ctr->switch_value) {
@ -667,7 +666,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
DEBUG(10,("Attempting validation level %d for mapped username %s.\n", q_u->sam_id.ctr->switch_value, nt_username));
status = _net_logon_any(q_u->sam_id.ctr, nt_username, nt_domain, (char *)p->dc.sess_key);
status = _net_logon_any(q_u->sam_id.ctr, nt_username, nt_domain, nt_workstation, (char *)p->dc.sess_key);
/* Check account and password */
@ -686,35 +685,6 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
return NT_STATUS_NO_SUCH_USER;
}
/* Test account expire time */
if (time(NULL) > sampass->kickoff_time)
return NT_STATUS_ACCOUNT_EXPIRED;
/* Test workstation. Workstation list is comma separated. */
if (sampass->workstations && *sampass->workstations) {
char *s = strdup(sampass->workstations);
BOOL invalid_ws = True;
fstring tok;
while(next_token(&s, tok, ",", sizeof(tok))) {
if(strequal(tok, nt_workstation)) {
invalid_ws = False;
break;
}
}
free(s);
if (invalid_ws)
return NT_STATUS_INVALID_WORKSTATION;
}
/* Test logon hours. */
/* Test must change password. */
/* This is the point at which, if the login was successful, that
the SAM Local Security Authority should record that the user is
logged in to the domain. */

23
source3/rpc_server/srv_pipe.c
View File

@ -302,6 +302,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
} else {
/* What charset are these meant to be in? */
fstrcpy(user_name, ntlmssp_resp->user);
fstrcpy(domain, ntlmssp_resp->domain);
fstrcpy(wks, ntlmssp_resp->wks);
@ -328,24 +329,24 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
if((strlen(user_name) == 0) &&
(ntlmssp_resp->hdr_nt_resp.str_str_len==0))
{
{
guest_user = True;
fstrcpy(pipe_user_name, lp_guestaccount(-1));
fstrcpy(pipe_user_name, lp_guestaccount(-1));
DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
smb_passwd_ptr = null_smb_passwd;
} else {
/*
* Pass the user through the NT -> unix user mapping
* function.
*/
fstrcpy(pipe_user_name, user_name);
(void)map_username(pipe_user_name);
/*
* Do the length checking only if user is not NULL.
*/
@ -368,7 +369,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
become_root();
p->ntlmssp_auth_validated =
NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL, domain,
NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL,
domain, wks,
(uchar*)p->challenge,
lm_owf, lm_pw_len,
nt_owf, nt_pw_len));
@ -391,13 +393,6 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
unbecome_root();
/* Quit if the account was disabled. */
if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) {
DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
pdb_free_sam(sampass);
return False;
}
if(!pdb_get_nt_passwd(sampass)) {
DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
pdb_free_sam(sampass);

23
source3/smbd/auth.c
View File

@ -25,8 +25,6 @@
extern int DEBUGLEVEL;
extern pstring global_myname;
/****************************************************************************
Check user is in correct domain if required
****************************************************************************/
@ -63,7 +61,8 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
DEBUG(3, ("check_password: Checking password for smb user %s\\%s@%s with the new password interface\n",
user_info->smb_username.str, user_info->requested_domain.str, user_info->wksta_name.str));
if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
@ -122,7 +121,8 @@ return True if the password is correct, False otherwise
****************************************************************************/
NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
char *domain, uchar chal[8],
char *domain, char* workstation,
uchar chal[8],
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@ -158,8 +158,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
user_info.unix_username = unix_username;
user_info.smb_username = smb_username;
user_info.wksta_name.str = client_name();
user_info.wksta_name.len = strlen(client_name());
wksta_name.str = workstation;
wksta_name.len = strlen(workstation);
user_info.wksta_name = wksta_name;
@ -204,7 +204,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
return check_password(&user_info, &server_info);
}
NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
NTSTATUS pass_check_smb(char *smb_user, char *unix_user,
char *domain, char *workstation,
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@ -214,7 +215,8 @@ NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
generate_random_buffer( chal, 8, False);
}
return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
return pass_check_smb_with_chal(smb_user, unix_user,
domain, workstation, chal,
lm_pwd, lm_pwd_len,
nt_pwd, nt_pwd_len);
@ -227,6 +229,7 @@ return True if the password is correct, False otherwise
****************************************************************************/
BOOL password_ok(char *user, char *password, int pwlen)
{
extern fstring remote_machine;
/*
* This hack must die! But until I rewrite the rest of samba
@ -240,11 +243,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
/* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as
required. */
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
return True;
}
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
return True;
}

45
source3/smbd/auth_smbpasswd.c
View File

@ -112,9 +112,9 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
{
uint8 *nt_pw, *lm_pw;
uint16 acct_ctrl;
acct_ctrl = pdb_get_acct_ctrl(sampass);
uint16 acct_ctrl = pdb_get_acct_ctrl(sampass);
char *workstation_list;
time_t kickoff_time;
/* Quit if the account was disabled. */
if(acct_ctrl & ACB_DISABLED) {
@ -122,6 +122,45 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
return(NT_STATUS_ACCOUNT_DISABLED);
}
/* Test account expire time */
kickoff_time = pdb_get_kickoff_time(sampass);
if (kickoff_time != (time_t)-1) {
if (time(NULL) > kickoff_time) {
return NT_STATUS_ACCOUNT_EXPIRED;
}
}
/* Test workstation. Workstation list is comma separated. */
workstation_list = strdup(pdb_get_workstations(sampass));
if (workstation_list) {
if (*workstation_list) {
BOOL invalid_ws = True;
char *s = workstation_list;
fstring tok;
while (next_token(&s, tok, ",", sizeof(tok))) {
DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
tok, user_info->wksta_name.str, user_info->wksta_name.len));
if(strequal(tok, user_info->wksta_name.str)) {
invalid_ws = False;
break;
}
}
free(workstation_list);
if (invalid_ws)
return NT_STATUS_INVALID_WORKSTATION;
} else {
free(workstation_list);
}
} else {
return NT_STATUS_NO_MEMORY;
}
if (acct_ctrl & ACB_PWNOTREQ)
{
if (lp_null_passwords())

11
source3/smbd/reply.c
View File

@ -3,7 +3,8 @@
Version 1.9.
Main SMB reply routines
Copyright (C) Andrew Tridgell 1992-1998
Copyright (C) Andrew Bartlett 2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@ -41,6 +42,8 @@ extern int global_oplock_break;
uint32 global_client_caps = 0;
unsigned int smb_echo_count = 0;
extern fstring remote_machine;
/****************************************************************************
report a possible attack via the password buffer overflow bug
****************************************************************************/
@ -66,7 +69,7 @@ int reply_special(char *inbuf,char *outbuf)
int msg_type = CVAL(inbuf,0);
int msg_flags = CVAL(inbuf,1);
pstring name1,name2;
extern fstring remote_machine;
extern fstring local_machine;
int len;
char name_type = 0;
@ -637,7 +640,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
}
DEBUG(3,("sesssetupX:name=[%s]\n",user));
DEBUG(3,("sesssetupX:name=[%s]@[%s]\n",user, remote_machine));
/* If name ends in $ then I think it's asking about whether a */
/* computer with that name (minus the $) has access. For now */
@ -720,7 +723,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
if (!guest) {
NTSTATUS nt_status;
nt_status = pass_check_smb(orig_user, user,
domain,
domain, remote_machine,
(unsigned char *)smb_apasswd,
smb_apasslen,
(unsigned char *)smb_ntpasswd,