mirror of
https://github.com/samba-team/samba.git
synced 2025-11-13 08:23:49 +03:00
2aa0b55fb8
This commit kills passdb, which was only hosting the auth subsystem. With the work tridge has done on Samba4's SAM backend, this can (and now is) all hosted on ldb. The auth_sam.c file now references this backend. You will need to assign your users passwords in ldb - adding a new line: unicodePwd: myPass to a record, using ldbedit, should be sufficient. Naturally, this assumes you have had your personal SAMR provisioning tutorial from tridge. Everybody else can still use the anonymous logins. Andrew Bartlett
235 lines
6.6 KiB
C
235 lines
6.6 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
Password and authentication handling
|
|
Copyright (C) Andrew Tridgell 1992-1998
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
|
|
/****************************************************************************
|
|
check if a uid has been validated, and return an pointer to the user_struct
|
|
if it has. NULL if not. vuid is biased by an offset. This allows us to
|
|
tell random client vuid's (normally zero) from valid vuids.
|
|
****************************************************************************/
|
|
struct user_struct *get_valid_user_struct(struct server_context *smb, uint16 vuid)
|
|
{
|
|
user_struct *usp;
|
|
int count=0;
|
|
|
|
if (vuid == UID_FIELD_INVALID)
|
|
return NULL;
|
|
|
|
for (usp=smb->users.validated_users;usp;usp=usp->next,count++) {
|
|
if (vuid == usp->vuid) {
|
|
if (count > 10) {
|
|
DLIST_PROMOTE(smb->users.validated_users, usp);
|
|
}
|
|
return usp;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/****************************************************************************
|
|
invalidate a uid
|
|
****************************************************************************/
|
|
void invalidate_vuid(struct server_context *smb, uint16 vuid)
|
|
{
|
|
user_struct *vuser = get_valid_user_struct(smb, vuid);
|
|
|
|
if (vuser == NULL)
|
|
return;
|
|
|
|
data_blob_free(&vuser->session_key);
|
|
|
|
session_yield(vuser);
|
|
|
|
free_server_info(&vuser->server_info);
|
|
|
|
DLIST_REMOVE(smb->users.validated_users, vuser);
|
|
|
|
/* clear the vuid from the 'cache' on each connection, and
|
|
from the vuid 'owner' of connections */
|
|
/* REWRITE: conn_clear_vuid_cache(smb, vuid); */
|
|
|
|
SAFE_FREE(vuser);
|
|
smb->users.num_validated_vuids--;
|
|
}
|
|
|
|
/****************************************************************************
|
|
invalidate all vuid entries for this process
|
|
****************************************************************************/
|
|
void invalidate_all_vuids(struct server_context *smb)
|
|
{
|
|
user_struct *usp, *next=NULL;
|
|
|
|
for (usp=smb->users.validated_users;usp;usp=next) {
|
|
next = usp->next;
|
|
|
|
invalidate_vuid(smb, usp->vuid);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* register that a valid login has been performed, establish 'session'.
|
|
* @param server_info The token returned from the authentication process.
|
|
* (now 'owned' by register_vuid)
|
|
*
|
|
* @param session_key The User session key for the login session (now also 'owned' by register_vuid)
|
|
*
|
|
* @param smb_name The untranslated name of the user
|
|
*
|
|
* @return Newly allocated vuid, biased by an offset. (This allows us to
|
|
* tell random client vuid's (normally zero) from valid vuids.)
|
|
*
|
|
*/
|
|
|
|
int register_vuid(struct server_context *smb,
|
|
struct auth_serversupplied_info *server_info,
|
|
DATA_BLOB *session_key,
|
|
const char *smb_name)
|
|
{
|
|
user_struct *vuser = NULL;
|
|
|
|
/* Ensure no vuid gets registered in share level security. */
|
|
if(lp_security() == SEC_SHARE)
|
|
return UID_FIELD_INVALID;
|
|
|
|
/* Limit allowed vuids to 16bits - VUID_OFFSET. */
|
|
if (smb->users.num_validated_vuids >= 0xFFFF-VUID_OFFSET)
|
|
return UID_FIELD_INVALID;
|
|
|
|
if((vuser = (user_struct *)malloc( sizeof(user_struct) )) == NULL) {
|
|
DEBUG(0,("Failed to malloc users struct!\n"));
|
|
return UID_FIELD_INVALID;
|
|
}
|
|
|
|
ZERO_STRUCTP(vuser);
|
|
|
|
/* Allocate a free vuid. Yes this is a linear search... :-) */
|
|
while (get_valid_user_struct(smb, smb->users.next_vuid) != NULL ) {
|
|
smb->users.next_vuid++;
|
|
/* Check for vuid wrap. */
|
|
if (smb->users.next_vuid == UID_FIELD_INVALID)
|
|
smb->users.next_vuid = VUID_OFFSET;
|
|
}
|
|
|
|
DEBUG(10,("register_vuid: allocated vuid = %u\n",
|
|
(unsigned int)smb->users.next_vuid));
|
|
|
|
vuser->vuid = smb->users.next_vuid;
|
|
|
|
vuser->session_key = *session_key;
|
|
|
|
if (!server_info->ptok) {
|
|
DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
|
|
free_server_info(&server_info);
|
|
|
|
SAFE_FREE(vuser);
|
|
return UID_FIELD_INVALID;
|
|
}
|
|
|
|
/* use this to keep tabs on all our info from the authentication */
|
|
vuser->server_info = server_info;
|
|
|
|
smb->users.next_vuid++;
|
|
smb->users.num_validated_vuids++;
|
|
|
|
DLIST_ADD(smb->users.validated_users, vuser);
|
|
|
|
if (!session_claim(smb, vuser)) {
|
|
DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid));
|
|
invalidate_vuid(smb, vuser->vuid);
|
|
return -1;
|
|
}
|
|
|
|
return vuser->vuid;
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
add a name to the session users list
|
|
****************************************************************************/
|
|
void add_session_user(struct server_context *smb, const char *user)
|
|
{
|
|
char *suser;
|
|
struct passwd *passwd;
|
|
|
|
if (!(passwd = Get_Pwnam(user))) return;
|
|
|
|
suser = strdup(passwd->pw_name);
|
|
if (!suser) {
|
|
return;
|
|
}
|
|
|
|
if (suser && *suser && !in_list(suser,smb->users.session_users,False)) {
|
|
char *p;
|
|
if (!smb->users.session_users) {
|
|
asprintf(&p, "%s", suser);
|
|
} else {
|
|
asprintf(&p, "%s %s", smb->users.session_users, suser);
|
|
}
|
|
SAFE_FREE(smb->users.session_users);
|
|
smb->users.session_users = p;
|
|
}
|
|
|
|
free(suser);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
check if a username is valid
|
|
****************************************************************************/
|
|
BOOL user_ok(const char *user,int snum, gid_t *groups, size_t n_groups)
|
|
{
|
|
char **valid, **invalid;
|
|
BOOL ret;
|
|
|
|
valid = invalid = NULL;
|
|
ret = True;
|
|
|
|
if (lp_invalid_users(snum)) {
|
|
str_list_copy(&invalid, lp_invalid_users(snum));
|
|
if (invalid && str_list_substitute(invalid, "%S", lp_servicename(snum))) {
|
|
ret = !user_in_list(user, (const char **)invalid, groups, n_groups);
|
|
}
|
|
}
|
|
if (invalid)
|
|
str_list_free (&invalid);
|
|
|
|
if (ret && lp_valid_users(snum)) {
|
|
str_list_copy(&valid, lp_valid_users(snum));
|
|
if (valid && str_list_substitute(valid, "%S", lp_servicename(snum))) {
|
|
ret = user_in_list(user, (const char **)valid, groups, n_groups);
|
|
}
|
|
}
|
|
if (valid)
|
|
str_list_free (&valid);
|
|
|
|
if (ret && lp_onlyuser(snum)) {
|
|
char **user_list = str_list_make (lp_username(snum), NULL);
|
|
if (user_list && str_list_substitute(user_list, "%S", lp_servicename(snum))) {
|
|
ret = user_in_list(user, (const char **)user_list, groups, n_groups);
|
|
}
|
|
if (user_list) str_list_free (&user_list);
|
|
}
|
|
|
|
return(ret);
|
|
}
|