mirror of
https://github.com/samba-team/samba.git
synced 2025-01-31 01:48:16 +03:00
1f5e93e2e7
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
246 lines
6.3 KiB
C
246 lines
6.3 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Winbind daemon for ntdom nss module
|
|
|
|
Copyright (C) Tim Potter 2000
|
|
|
|
This library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Library General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2 of the License, or (at your option) any later version.
|
|
|
|
This library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Library General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Library General Public
|
|
License along with this library; if not, write to the
|
|
Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
Boston, MA 02111-1307, USA.
|
|
*/
|
|
|
|
#ifndef SAFE_FREE
|
|
#define SAFE_FREE(x) do { if(x) {free(x); x=NULL;} } while(0)
|
|
#endif
|
|
|
|
#ifndef _WINBINDD_NTDOM_H
|
|
#define _WINBINDD_NTDOM_H
|
|
|
|
#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
|
|
#define WINBINDD_SOCKET_DIR "/tmp/.winbindd" /* Name of PF_UNIX dir */
|
|
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privilaged" /* name of subdirectory of lp_lockdir() to hold the 'privilaged' pipe */
|
|
#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
|
|
#define WINBINDD_DONT_ENV "_NO_WINBINDD"
|
|
|
|
/* Update this when you change the interface. */
|
|
|
|
#define WINBIND_INTERFACE_VERSION 7
|
|
|
|
/* Socket commands */
|
|
|
|
enum winbindd_cmd {
|
|
|
|
WINBINDD_INTERFACE_VERSION, /* Always a well known value */
|
|
|
|
/* Get users and groups */
|
|
|
|
WINBINDD_GETPWNAM,
|
|
WINBINDD_GETPWUID,
|
|
WINBINDD_GETGRNAM,
|
|
WINBINDD_GETGRGID,
|
|
WINBINDD_GETGROUPS,
|
|
|
|
/* Enumerate users and groups */
|
|
|
|
WINBINDD_SETPWENT,
|
|
WINBINDD_ENDPWENT,
|
|
WINBINDD_GETPWENT,
|
|
WINBINDD_SETGRENT,
|
|
WINBINDD_ENDGRENT,
|
|
WINBINDD_GETGRENT,
|
|
|
|
/* PAM authenticate and password change */
|
|
|
|
WINBINDD_PAM_AUTH,
|
|
WINBINDD_PAM_AUTH_CRAP,
|
|
WINBINDD_PAM_CHAUTHTOK,
|
|
|
|
/* List various things */
|
|
|
|
WINBINDD_LIST_USERS, /* List w/o rid->id mapping */
|
|
WINBINDD_LIST_GROUPS, /* Ditto */
|
|
WINBINDD_LIST_TRUSTDOM,
|
|
|
|
/* SID conversion */
|
|
|
|
WINBINDD_LOOKUPSID,
|
|
WINBINDD_LOOKUPNAME,
|
|
|
|
/* Lookup functions */
|
|
|
|
WINBINDD_SID_TO_UID,
|
|
WINBINDD_SID_TO_GID,
|
|
WINBINDD_UID_TO_SID,
|
|
WINBINDD_GID_TO_SID,
|
|
|
|
/* Miscellaneous other stuff */
|
|
|
|
WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
|
|
WINBINDD_PING, /* Just tell me winbind is running */
|
|
WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
|
|
WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
|
|
|
|
WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
|
|
|
|
/* WINS commands */
|
|
|
|
WINBINDD_WINS_BYIP,
|
|
WINBINDD_WINS_BYNAME,
|
|
|
|
/* this is like GETGRENT but gives an empty group list */
|
|
WINBINDD_GETGRLST,
|
|
|
|
WINBINDD_NETBIOS_NAME, /* The netbios name of the server */
|
|
/* Placeholder for end of cmd list */
|
|
|
|
/* find the location of our privilaged pipe */
|
|
WINBINDD_PRIV_PIPE_DIR,
|
|
|
|
WINBINDD_NUM_CMDS
|
|
};
|
|
|
|
#define WINBIND_PAM_INFO3_NDR 0x0001
|
|
#define WINBIND_PAM_INFO3_TEXT 0x0002
|
|
#define WINBIND_PAM_NTKEY 0x0004
|
|
#define WINBIND_PAM_LMKEY 0x0008
|
|
#define WINBIND_PAM_CONTACT_TRUSTDOM 0x0010
|
|
|
|
/* Winbind request structure */
|
|
|
|
struct winbindd_request {
|
|
uint32 length;
|
|
enum winbindd_cmd cmd; /* Winbindd command to execute */
|
|
pid_t pid; /* pid of calling process */
|
|
|
|
union {
|
|
fstring winsreq; /* WINS request */
|
|
fstring username; /* getpwnam */
|
|
fstring groupname; /* getgrnam */
|
|
uid_t uid; /* getpwuid, uid_to_sid */
|
|
gid_t gid; /* getgrgid, gid_to_sid */
|
|
struct {
|
|
/* We deliberatedly don't split into domain/user to
|
|
avoid having the client know what the separator
|
|
character is. */
|
|
fstring user;
|
|
fstring pass;
|
|
} auth; /* pam_winbind auth module */
|
|
struct {
|
|
unsigned char chal[8];
|
|
fstring user;
|
|
fstring domain;
|
|
fstring lm_resp;
|
|
uint16 lm_resp_len;
|
|
fstring nt_resp;
|
|
uint16 nt_resp_len;
|
|
fstring workstation;
|
|
uint32 flags;
|
|
} auth_crap;
|
|
struct {
|
|
fstring user;
|
|
fstring oldpass;
|
|
fstring newpass;
|
|
} chauthtok; /* pam_winbind passwd module */
|
|
fstring sid; /* lookupsid, sid_to_[ug]id */
|
|
struct {
|
|
fstring dom_name; /* lookupname */
|
|
fstring name;
|
|
} name;
|
|
uint32 num_entries; /* getpwent, getgrent */
|
|
} data;
|
|
char null_term;
|
|
};
|
|
|
|
/* Response values */
|
|
|
|
enum winbindd_result {
|
|
WINBINDD_ERROR,
|
|
WINBINDD_OK
|
|
};
|
|
|
|
/* Winbind response structure */
|
|
|
|
struct winbindd_response {
|
|
|
|
/* Header information */
|
|
|
|
uint32 length; /* Length of response */
|
|
enum winbindd_result result; /* Result code */
|
|
|
|
/* Fixed length return data */
|
|
|
|
union {
|
|
int interface_version; /* Try to ensure this is always in the same spot... */
|
|
|
|
fstring winsresp; /* WINS response */
|
|
|
|
/* getpwnam, getpwuid */
|
|
|
|
struct winbindd_pw {
|
|
fstring pw_name;
|
|
fstring pw_passwd;
|
|
uid_t pw_uid;
|
|
gid_t pw_gid;
|
|
fstring pw_gecos;
|
|
fstring pw_dir;
|
|
fstring pw_shell;
|
|
} pw;
|
|
|
|
/* getgrnam, getgrgid */
|
|
|
|
struct winbindd_gr {
|
|
fstring gr_name;
|
|
fstring gr_passwd;
|
|
gid_t gr_gid;
|
|
int num_gr_mem;
|
|
int gr_mem_ofs; /* offset to group membership */
|
|
} gr;
|
|
|
|
uint32 num_entries; /* getpwent, getgrent */
|
|
struct winbindd_sid {
|
|
fstring sid; /* lookupname, [ug]id_to_sid */
|
|
int type;
|
|
} sid;
|
|
struct winbindd_name {
|
|
fstring dom_name; /* lookupsid */
|
|
fstring name;
|
|
int type;
|
|
} name;
|
|
uid_t uid; /* sid_to_uid */
|
|
gid_t gid; /* sid_to_gid */
|
|
struct winbindd_info {
|
|
char winbind_separator;
|
|
fstring samba_version;
|
|
} info;
|
|
fstring domain_name;
|
|
fstring netbios_name;
|
|
|
|
struct auth_reply {
|
|
uint32 nt_status;
|
|
fstring nt_status_string;
|
|
fstring error_string;
|
|
int pam_error;
|
|
char nt_session_key[16];
|
|
char first_8_lm_hash[8];
|
|
} auth;
|
|
} data;
|
|
|
|
/* Variable length return data */
|
|
|
|
void *extra_data; /* getgrnam, getgrgid, getgrent */
|
|
};
|
|
|
|
#endif
|