mirror of
https://github.com/samba-team/samba.git
synced 2025-11-30 20:23:49 +03:00
This is a farily large patch (3300 lines) and reworks most of the AuthRewrite
code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett
This commit is contained in:
Andrew Bartlett
@@ -269,10 +269,16 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
|
||||
fstring domain;
|
||||
fstring wks;
|
||||
BOOL guest_user = False;
|
||||
SAM_ACCOUNT *sampass = NULL;
|
||||
uchar null_smb_passwd[16];
|
||||
|
||||
const uchar *smb_passwd_ptr = NULL;
|
||||
|
||||
auth_usersupplied_info *user_info;
|
||||
auth_serversupplied_info *server_info;
|
||||
|
||||
uid_t *puid;
|
||||
uid_t *pgid;
|
||||
|
||||
DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
|
||||
|
||||
memset(p->user_name, '\0', sizeof(p->user_name));
|
||||
@@ -336,14 +342,6 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
|
||||
|
||||
} else {
|
||||
|
||||
/*
|
||||
* Pass the user through the NT -> unix user mapping
|
||||
* function.
|
||||
*/
|
||||
|
||||
fstrcpy(pipe_user_name, user_name);
|
||||
(void)map_username(pipe_user_name);
|
||||
|
||||
/*
|
||||
* Do the length checking only if user is not NULL.
|
||||
*/
|
||||
@@ -362,41 +360,28 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
|
||||
}
|
||||
|
||||
if(!guest_user) {
|
||||
NTSTATUS nt_status;
|
||||
|
||||
become_root();
|
||||
if (!make_user_info_netlogon_network(&user_info,
|
||||
user_name, domain, wks, (uchar*)p->challenge,
|
||||
lm_owf, lm_pw_len,
|
||||
nt_owf, nt_pw_len)) {
|
||||
DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
|
||||
return False;
|
||||
}
|
||||
|
||||
nt_status = check_password(user_info, &server_info);
|
||||
|
||||
free_user_info(&user_info);
|
||||
|
||||
p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
|
||||
|
||||
p->ntlmssp_auth_validated =
|
||||
NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL,
|
||||
domain, wks,
|
||||
(uchar*)p->challenge,
|
||||
lm_owf, lm_pw_len,
|
||||
nt_owf, nt_pw_len));
|
||||
if (!p->ntlmssp_auth_validated) {
|
||||
DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
|
||||
failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
|
||||
unbecome_root();
|
||||
free_server_info(&server_info);
|
||||
return False;
|
||||
}
|
||||
|
||||
pdb_init_sam(&sampass);
|
||||
|
||||
if(!pdb_getsampwnam(sampass, pipe_user_name)) {
|
||||
DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
|
||||
pipe_user_name));
|
||||
pdb_free_sam(&sampass);
|
||||
unbecome_root();
|
||||
return False;
|
||||
}
|
||||
|
||||
unbecome_root();
|
||||
|
||||
if(!pdb_get_nt_passwd(sampass)) {
|
||||
DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
|
||||
pdb_free_sam(&sampass);
|
||||
return False;
|
||||
}
|
||||
|
||||
smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -405,7 +390,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
|
||||
|
||||
{
|
||||
uchar p24[24];
|
||||
NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
|
||||
NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
|
||||
{
|
||||
unsigned char j = 0;
|
||||
int ind;
|
||||
@@ -447,8 +432,17 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
|
||||
* Store the UNIX credential data (uid/gid pair) in the pipe structure.
|
||||
*/
|
||||
|
||||
p->pipe_user.uid = pdb_get_uid(sampass);
|
||||
p->pipe_user.gid = pdb_get_gid(sampass);
|
||||
puid = pdb_get_uid(server_info->sam_account);
|
||||
pgid = pdb_get_gid(server_info->sam_account);
|
||||
|
||||
if (!puid || !pgid) {
|
||||
DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
|
||||
free_server_info(&server_info);
|
||||
return False;
|
||||
}
|
||||
|
||||
p->pipe_user.uid = *puid;
|
||||
p->pipe_user.gid = *pgid;
|
||||
|
||||
/* Set up pipe user group membership. */
|
||||
initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
|
||||
@@ -461,7 +455,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
|
||||
|
||||
p->ntlmssp_auth_validated = True;
|
||||
|
||||
pdb_free_sam(&sampass);
|
||||
pdb_free_sam(&server_info->sam_account);
|
||||
return True;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user