search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
include/dlinklist.h: Added '{' '}' around DLIST_PROMOTE so it can be used as a single
[Samba.git] / source / smbd / password.c
blob48e4172ace8a60a0b7a3919553e0df8236838d9d
1 #define OLD_NTDOMAIN 1
2
3 /*
4 Unix SMB/Netbios implementation.
5 Version 1.9.
6 Password and authentication handling
7 Copyright (C) Andrew Tridgell 1992-1998
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25
26 extern int DEBUGLEVEL;
27 extern int Protocol;
28 extern struct in_addr ipzero;
29
30 /* users from session setup */
31 static pstring session_users="";
32
33 extern pstring global_myname;
34 extern fstring global_myworkgroup;
35
36 /* Data to do lanman1/2 password challenge. */
37 static unsigned char saved_challenge[8];
38 static BOOL challenge_sent=False;
39
40 /*******************************************************************
41 Get the next challenge value - no repeats.
42 ********************************************************************/
43 void generate_next_challenge(char *challenge)
44 {
45 #if 0
46 /*
47 * Leave this ifdef'd out while we test
48 * the new crypto random number generator.
49 * JRA.
50 */
51 unsigned char buf[16];
52 static int counter = 0;
53 struct timeval tval;
54 int v1,v2;
55
56 /* get a sort-of random number */
57 GetTimeOfDay(&tval);
58 v1 = (counter++) + sys_getpid() + tval.tv_sec;
59 v2 = (counter++) * sys_getpid() + tval.tv_usec;
60 SIVAL(challenge,0,v1);
61 SIVAL(challenge,4,v2);
62
63 /* mash it up with md4 */
64 mdfour(buf, (unsigned char *)challenge, 8);
65 #else
66 unsigned char buf[8];
67
68 generate_random_buffer(buf,8,False);
69 #endif
70 memcpy(saved_challenge, buf, 8);
71 memcpy(challenge,buf,8);
72 challenge_sent = True;
73 }
74
75 /*******************************************************************
76 set the last challenge sent, usually from a password server
77 ********************************************************************/
78 BOOL set_challenge(unsigned char *challenge)
79 {
80 memcpy(saved_challenge,challenge,8);
81 challenge_sent = True;
82 return(True);
83 }
84
85 /*******************************************************************
86 get the last challenge sent
87 ********************************************************************/
88 static BOOL last_challenge(unsigned char *challenge)
89 {
90 if (!challenge_sent) return(False);
91 memcpy(challenge,saved_challenge,8);
92 return(True);
93 }
94
95 /* this holds info on user ids that are already validated for this VC */
96 static user_struct *validated_users;
97 static int next_vuid = VUID_OFFSET;
98 static int num_validated_vuids;
99
100 /****************************************************************************
101 check if a uid has been validated, and return an pointer to the user_struct
102 if it has. NULL if not. vuid is biased by an offset. This allows us to
103 tell random client vuid's (normally zero) from valid vuids.
104 ****************************************************************************/
105 user_struct *get_valid_user_struct(uint16 vuid)
106 {
107 user_struct *usp;
108 int count=0;
109
110 if (vuid == UID_FIELD_INVALID)
111 return NULL;
112
113 for (usp=validated_users;usp;usp=usp->next,count++) {
114 if (vuid == usp->vuid) {
115 if (count > 10)
116 DLIST_PROMOTE(validated_users, usp);
117 return usp;
118 }
119 }
120
121 return NULL;
122 }
123
124 /****************************************************************************
125 invalidate a uid
126 ****************************************************************************/
127 void invalidate_vuid(uint16 vuid)
128 {
129 user_struct *vuser = get_valid_user_struct(vuid);
130
131 if (vuser == NULL)
132 return;
133
134 DLIST_REMOVE(validated_users, vuser);
135
136 safe_free(vuser->groups);
137 delete_nt_token(&vuser->nt_user_token);
138 safe_free(vuser);
139 num_validated_vuids--;
140 }
141
142 /****************************************************************************
143 return a validated username
144 ****************************************************************************/
145 char *validated_username(uint16 vuid)
146 {
147 user_struct *vuser = get_valid_user_struct(vuid);
148 if (vuser == NULL)
149 return 0;
150 return(vuser->user.unix_name);
151 }
152
153 /****************************************************************************
154 return a validated domain
155 ****************************************************************************/
156 char *validated_domain(uint16 vuid)
157 {
158 user_struct *vuser = get_valid_user_struct(vuid);
159 if (vuser == NULL)
160 return 0;
161 return(vuser->user.domain);
162 }
163
164
165 /****************************************************************************
166 Create the SID list for this user.
167 ****************************************************************************/
168
169 NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups)
170 {
171 NT_USER_TOKEN *token;
172 DOM_SID *psids;
173 int i, psid_ndx = 0;
174
175 if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
176 return NULL;
177
178 ZERO_STRUCTP(token);
179
180 if ((token->user_sids = (DOM_SID *)malloc( (ngroups + 2)*sizeof(DOM_SID))) == NULL) {
181 free(token);
182 return NULL;
183 }
184
185 psids = token->user_sids;
186
187 token->num_sids = 2;
188
189 uid_to_sid( &psids[0], uid);
190 gid_to_sid( &psids[1], gid);
191
192 for (i = 0; i < ngroups; i++) {
193 if (groups[i] != gid) {
194 gid_to_sid( &psids[psid_ndx+2], groups[i]);
195 psid_ndx++;
196 token->num_sids++;
197 }
198 }
199
200 return token;
201 }
202
203 /****************************************************************************
204 register a uid/name pair as being valid and that a valid password
205 has been given. vuid is biased by an offset. This allows us to
206 tell random client vuid's (normally zero) from valid vuids.
207 ****************************************************************************/
208
209 uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name,
210 char *domain,BOOL guest)
211 {
212 user_struct *vuser = NULL;
213 user_struct *vsp;
214 struct passwd *pwfile; /* for getting real name from passwd file */
215
216 /* Ensure no vuid gets registered in share level security. */
217 if(lp_security() == SEC_SHARE)
218 return UID_FIELD_INVALID;
219
220 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
221 if (num_validated_vuids >= 0xFFFF-VUID_OFFSET)
222 return UID_FIELD_INVALID;
223
224 if((vuser = (user_struct *)malloc( sizeof(user_struct) )) == NULL) {
225 DEBUG(0,("Failed to malloc users struct!\n"));
226 return UID_FIELD_INVALID;
227 }
228
229 ZERO_STRUCTP(vuser);
230
231 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid, (unsigned int)gid,
232 unix_name, requested_name, domain, guest ));
233
234 /* Allocate a free vuid. Yes this is a linear search... :-) */
235 while( (vsp = get_valid_user_struct(next_vuid)) != NULL ) {
236 next_vuid++;
237 /* Check for vuid wrap. */
238 if (next_vuid == UID_FIELD_INVALID)
239 next_vuid = VUID_OFFSET;
240 }
241
242 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid ));
243
244 vuser->vuid = next_vuid;
245 vuser->uid = uid;
246 vuser->gid = gid;
247 vuser->guest = guest;
248 fstrcpy(vuser->user.unix_name,unix_name);
249 fstrcpy(vuser->user.smb_name,requested_name);
250 fstrcpy(vuser->user.domain,domain);
251
252 vuser->n_groups = 0;
253 vuser->groups = NULL;
254
255 /* Find all the groups this uid is in and store them.
256 Used by become_user() */
257 initialise_groups(unix_name, uid, gid);
258 get_current_groups( &vuser->n_groups, &vuser->groups);
259
260 /* Create an NT_USER_TOKEN struct for this user. */
261 vuser->nt_user_token = create_nt_token(uid,gid, vuser->n_groups, vuser->groups);
262
263 next_vuid++;
264 num_validated_vuids++;
265
266 DLIST_ADD(validated_users, vuser);
267
268 DEBUG(3,("uid %d registered to name %s\n",(int)uid,unix_name));
269
270 DEBUG(3, ("Clearing default real name\n"));
271 fstrcpy(vuser->user.full_name, "<Full Name>");
272 if (lp_unix_realname()) {
273 if ((pwfile=sys_getpwnam(vuser->user.unix_name))!= NULL) {
274 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,pwfile->pw_gecos));
275 fstrcpy(vuser->user.full_name, pwfile->pw_gecos);
276 }
277 }
278
279 memset(&vuser->dc, '\0', sizeof(vuser->dc));
280
281 return vuser->vuid;
282 }
283
284
285 /****************************************************************************
286 add a name to the session users list
287 ****************************************************************************/
288 void add_session_user(char *user)
289 {
290 fstring suser;
291 StrnCpy(suser,user,sizeof(suser)-1);
292
293 if (!Get_Pwnam(suser,True)) return;
294
295 if (suser && *suser && !in_list(suser,session_users,False))
296 {
297 if (strlen(suser) + strlen(session_users) + 2 >= sizeof(pstring))
298 DEBUG(1,("Too many session users??\n"));
299 else
300 {
301 pstrcat(session_users," ");
302 pstrcat(session_users,suser);
303 }
304 }
305 }
306
307
308 /****************************************************************************
309 update the encrypted smbpasswd file from the plaintext username and password
310 *****************************************************************************/
311 static BOOL update_smbpassword_file(char *user, char *password)
312 {
313 SAM_ACCOUNT *sampass = NULL;
314 BOOL ret;
315
316 become_root();
317 sampass = pdb_getsampwnam(user);
318 unbecome_root();
319
320 if(sampass == NULL) {
321 DEBUG(0,("pdb_getsampwnam returned NULL\n"));
322 return False;
323 }
324
325 /*
326 * Remove the account disabled flag - we are updating the
327 * users password from a login.
328 */
329 pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED);
330
331 /* Here, the flag is one, because we want to ignore the
332 XXXXXXX'd out password */
333 ret = change_oem_password( sampass, password, True);
334 if (ret == False) {
335 DEBUG(3,("change_oem_password returned False\n"));
336 }
337
338 return ret;
339 }
340
341 /****************************************************************************
342 core of smb password checking routine.
343 ****************************************************************************/
344 BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8)
345 {
346 /* Finish the encryption of part_passwd. */
347 unsigned char p21[21];
348 unsigned char p24[24];
349
350 if (part_passwd == NULL)
351 {
352 DEBUG(10,("No password set - allowing access\n"));
353
354 /* No password set - always true ! */
355 return 1;
356 }
357
358 memset(p21,'\0',21);
359 memcpy(p21,part_passwd,16);
360 E_P24(p21, c8, p24);
361 #if DEBUG_PASSWORD
362 {
363 int i;
364 DEBUG(100,("Part password (P16) was |"));
365 for(i = 0; i < 16; i++)
366 DEBUG(100,("%X ", (unsigned char)part_passwd[i]));
367 DEBUG(100,("|\n"));
368 DEBUG(100,("Password from client was |"));
369 for(i = 0; i < 24; i++)
370 DEBUG(100,("%X ", (unsigned char)password[i]));
371 DEBUG(100,("|\n"));
372 DEBUG(100,("Given challenge was |"));
373 for(i = 0; i < 8; i++)
374 DEBUG(100,("%X ", (unsigned char)c8[i]));
375 DEBUG(100,("|\n"));
376 DEBUG(100,("Value from encryption was |"));
377 for(i = 0; i < 24; i++)
378 DEBUG(100,("%X ", (unsigned char)p24[i]));
379 DEBUG(100,("|\n"));
380 }
381 #endif
382 return (memcmp(p24, password, 24) == 0);
383 }
384
385 /****************************************************************************
386 Do a specific test for an smb password being correct, given a smb_password and
387 the lanman and NT responses.
388 ****************************************************************************/
389 BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8],
390 uchar lm_pass[24], uchar nt_pass[24])
391 {
392 uchar challenge[8];
393 char* user_name;
394 BYTE *nt_pw, *lm_pw;
395
396 if (!lm_pass || !sampass)
397 return(False);
398
399 user_name = pdb_get_username(sampass);
400
401 DEBUG(4,("Checking SMB password for user %s\n",user_name));
402
403 if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
404 DEBUG(1,("account for user %s was disabled.\n", user_name));
405 return(False);
406 }
407
408 if (chal == NULL)
409 {
410 DEBUG(5,("use last SMBnegprot challenge\n"));
411 if (!last_challenge(challenge))
412 {
413 DEBUG(1,("no challenge done - password failed\n"));
414 return False;
415 }
416 }
417 else
418 {
419 DEBUG(5,("challenge received\n"));
420 memcpy(challenge, chal, 8);
421 }
422
423 nt_pw = pdb_get_nt_passwd(sampass);
424
425 if ((Protocol >= PROTOCOL_NT1) && (nt_pw != NULL)) {
426 /* We have the NT MD4 hash challenge available - see if we can
427 use it (ie. does it exist in the smbpasswd file).
428 */
429 DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
430 if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge))
431 {
432 DEBUG(4,("NT MD4 password check succeeded\n"));
433 return(True);
434 }
435 DEBUG(4,("NT MD4 password check failed\n"));
436 }
437
438 /* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL
439 means no password, allow access. */
440
441 DEBUG(4,("Checking LM MD4 password\n"));
442
443 lm_pw = pdb_get_lanman_passwd(sampass);
444
445 if((lm_pw == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
446 {
447 DEBUG(4,("no password required for user %s\n",user_name));
448 return True;
449 }
450
451 if((lm_pw != NULL) && smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge))
452 {
453 DEBUG(4,("LM MD4 password check succeeded\n"));
454 return(True);
455 }
456
457 DEBUG(4,("LM MD4 password check failed\n"));
458
459 return False;
460 }
461
462
463 /****************************************************************************
464 check if a username/password is OK assuming the password is a 24 byte
465 SMB hash
466 return True if the password is correct, False otherwise
467 ****************************************************************************/
468
469 BOOL pass_check_smb(char *user, char *domain, uchar *chal,
470 uchar *lm_pwd, uchar *nt_pwd, struct passwd *pwd)
471 {
472 struct passwd *pass;
473 SAM_ACCOUNT *sampass;
474
475 if (!lm_pwd || !nt_pwd)
476 {
477 return(False);
478 }
479
480 /* FIXME! this code looks to be unnecessary now that the passdb
481 validates that the username exists and has a valid uid */
482 if (pwd != NULL && user == NULL)
483 {
484 pass = (struct passwd *) pwd;
485 user = pass->pw_name;
486 }
487 else
488 {
489 /* I don't get this call here. I think it should be moved.
490 Need to check on it. --jerry */
491 pass = smb_getpwnam(user,True);
492 }
493
494 if (pass == NULL)
495 {
496 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user));
497 return(False);
498 }
499
500 /* get the account information */
501 sampass = pdb_getsampwnam(user);
502 if (sampass == NULL)
503 {
504 DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user));
505 return(False);
506 }
507
508 /* Quit if the account was disabled. */
509 if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
510 DEBUG(1,("Account for user '%s' was disabled.\n", user));
511 return(False);
512 }
513
514 /* Ensure the uid's match
515 FIXME! This also seems unnecessary --jerry */
516 #if 0 /* GWC */
517 if (smb_pass->smb_userid != pass->pw_uid)
518 {
519 DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user));
520 return(False);
521 }
522 #endif
523
524 if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)
525 {
526 if (lp_null_passwords())
527 {
528 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user));
529 return(True);
530 }
531 else
532 {
533 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user));
534 return(False);
535 }
536 }
537
538 if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd))
539 {
540 return(True);
541 }
542
543 DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user));
544 return False;
545 }
546
547 /****************************************************************************
548 check if a username/password pair is OK either via the system password
549 database or the encrypted SMB password database
550 return True if the password is correct, False otherwise
551 ****************************************************************************/
552 BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd)
553 {
554 if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords()))
555 {
556 /* if 24 bytes long assume it is an encrypted password */
557 uchar challenge[8];
558
559 if (!last_challenge(challenge))
560 {
561 DEBUG(0,("Error: challenge not done for user=%s\n", user));
562 return False;
563 }
564
565 return pass_check_smb(user, global_myworkgroup,
566 challenge, (uchar *)password, (uchar *)password, pwd);
567 }
568
569 return pass_check(user, password, pwlen, pwd,
570 lp_update_encrypted() ?
571 update_smbpassword_file : NULL);
572 }
573
574 /****************************************************************************
575 check if a username is valid
576 ****************************************************************************/
577 BOOL user_ok(char *user,int snum)
578 {
579 pstring valid, invalid;
580 BOOL ret;
581
582 StrnCpy(valid, lp_valid_users(snum), sizeof(pstring)-1);
583 StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring)-1);
584
585 pstring_sub(valid,"%S",lp_servicename(snum));
586 pstring_sub(invalid,"%S",lp_servicename(snum));
587
588 ret = !user_in_list(user,invalid);
589
590 if (ret && valid && *valid) {
591 ret = user_in_list(user,valid);
592 }
593
594 if (ret && lp_onlyuser(snum)) {
595 char *user_list = lp_username(snum);
596 pstring_sub(user_list,"%S",lp_servicename(snum));
597 ret = user_in_list(user,user_list);
598 }
599
600 return(ret);
601 }
602
603
604
605
606 /****************************************************************************
607 validate a group username entry. Return the username or NULL
608 ****************************************************************************/
609 static char *validate_group(char *group,char *password,int pwlen,int snum)
610 {
611 #ifdef HAVE_NETGROUP
612 {
613 char *host, *user, *domain;
614 setnetgrent(group);
615 while (getnetgrent(&host, &user, &domain)) {
616 if (user) {
617 if (user_ok(user, snum) &&
618 password_ok(user,password,pwlen,NULL)) {
619 endnetgrent();
620 return(user);
621 }
622 }
623 }
624 endnetgrent();
625 }
626 #endif
627
628 #ifdef HAVE_GETGRENT
629 {
630 struct group *gptr;
631 setgrent();
632 while ((gptr = (struct group *)getgrent())) {
633 if (strequal(gptr->gr_name,group))
634 break;
635 }
636
637 /*
638 * As user_ok can recurse doing a getgrent(), we must
639 * copy the member list into a pstring on the stack before
640 * use. Bug pointed out by leon@eatworms.swmed.edu.
641 */
642
643 if (gptr) {
644 pstring member_list;
645 char *member;
646 size_t copied_len = 0;
647 int i;
648
649 *member_list = '\0';
650 member = member_list;
651
652 for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
653 size_t member_len = strlen(gptr->gr_mem[i]) + 1;
654 if( copied_len + member_len < sizeof(pstring)) {
655
656 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr->gr_mem[i]));
657
658 safe_strcpy(member, gptr->gr_mem[i], sizeof(pstring) - copied_len - 1);
659 copied_len += member_len;
660 member += copied_len;
661 } else {
662 *member = '\0';
663 }
664 }
665
666 endgrent();
667
668 member = member_list;
669 while (*member) {
670 static fstring name;
671 fstrcpy(name,member);
672 if (user_ok(name,snum) &&
673 password_ok(name,password,pwlen,NULL)) {
674 endgrent();
675 return(&name[0]);
676 }
677
678 DEBUG(10,("validate_group = member = %s\n", member));
679
680 member += strlen(member) + 1;
681 }
682 } else {
683 endgrent();
684 return NULL;
685 }
686 }
687 #endif
688 return(NULL);
689 }
690
691
692
693 /****************************************************************************
694 check for authority to login to a service with a given username/password
695 ****************************************************************************/
696 BOOL authorise_login(int snum,char *user,char *password, int pwlen,
697 BOOL *guest,BOOL *force,uint16 vuid)
698 {
699 BOOL ok = False;
700
701 *guest = False;
702
703 #if DEBUG_PASSWORD
704 DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
705 #endif
706
707 /* there are several possibilities:
708 1) login as the given user with given password
709 2) login as a previously registered username with the given password
710 3) login as a session list username with the given password
711 4) login as a previously validated user/password pair
712 5) login as the "user =" user with given password
713 6) login as the "user =" user with no password (guest connection)
714 7) login as guest user with no password
715
716 if the service is guest_only then steps 1 to 5 are skipped
717 */
718
719 if (GUEST_ONLY(snum)) *force = True;
720
721 if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
722 {
723
724 user_struct *vuser = get_valid_user_struct(vuid);
725
726 /* check the given username and password */
727 if (!ok && (*user) && user_ok(user,snum)) {
728 ok = password_ok(user,password, pwlen, NULL);
729 if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
730 }
731
732 /* check for a previously registered guest username */
733 if (!ok && (vuser != 0) && vuser->guest) {
734 if (user_ok(vuser->user.unix_name,snum) &&
735 password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
736 fstrcpy(user, vuser->user.unix_name);
737 vuser->guest = False;
738 DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
739 ok = True;
740 }
741 }
742
743
744 /* now check the list of session users */
745 if (!ok)
746 {
747 char *auser;
748 char *user_list = strdup(session_users);
749 if (!user_list) return(False);
750
751 for (auser=strtok(user_list,LIST_SEP);
752 !ok && auser;
753 auser = strtok(NULL,LIST_SEP))
754 {
755 fstring user2;
756 fstrcpy(user2,auser);
757 if (!user_ok(user2,snum)) continue;
758
759 if (password_ok(user2,password, pwlen, NULL)) {
760 ok = True;
761 fstrcpy(user,user2);
762 DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
763 }
764 }
765 free(user_list);
766 }
767
768 /* check for a previously validated username/password pair */
769 if (!ok && (lp_security() > SEC_SHARE) &&
770 (vuser != 0) && !vuser->guest &&
771 user_ok(vuser->user.unix_name,snum)) {
772 fstrcpy(user,vuser->user.unix_name);
773 *guest = False;
774 DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
775 ok = True;
776 }
777
778 /* check for a rhosts entry */
779 if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
780 ok = True;
781 DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
782 }
783
784 /* check the user= fields and the given password */
785 if (!ok && lp_username(snum)) {
786 char *auser;
787 pstring user_list;
788 StrnCpy(user_list,lp_username(snum),sizeof(pstring));
789
790 pstring_sub(user_list,"%S",lp_servicename(snum));
791
792 for (auser=strtok(user_list,LIST_SEP);
793 auser && !ok;
794 auser = strtok(NULL,LIST_SEP))
795 {
796 if (*auser == '@')
797 {
798 auser = validate_group(auser+1,password,pwlen,snum);
799 if (auser)
800 {
801 ok = True;
802 fstrcpy(user,auser);
803 DEBUG(3,("ACCEPTED: group username and given password ok\n"));
804 }
805 }
806 else
807 {
808 fstring user2;
809 fstrcpy(user2,auser);
810 if (user_ok(user2,snum) &&
811 password_ok(user2,password,pwlen,NULL))
812 {
813 ok = True;
814 fstrcpy(user,user2);
815 DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
816 }
817 }
818 }
819 }
820 } /* not guest only */
821
822 /* check for a normal guest connection */
823 if (!ok && GUEST_OK(snum))
824 {
825 fstring guestname;
826 StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
827 if (Get_Pwnam(guestname,True))
828 {
829 fstrcpy(user,guestname);
830 ok = True;
831 DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
832 }
833 else
834 DEBUG(0,("Invalid guest account %s??\n",guestname));
835 *guest = True;
836 }
837
838 if (ok && !user_ok(user,snum))
839 {
840 DEBUG(0,("rejected invalid user %s\n",user));
841 ok = False;
842 }
843
844 return(ok);
845 }
846
847
848 /****************************************************************************
849 read the a hosts.equiv or .rhosts file and check if it
850 allows this user from this machine
851 ****************************************************************************/
852 static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
853 {
854 int plus_allowed = 1;
855 char *file_host;
856 char *file_user;
857 char **lines = file_lines_load(equiv_file, NULL);
858 int i;
859
860 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
861 if (! lines) return False;
862 for (i=0; lines[i]; i++) {
863 char *buf = lines[i];
864 trim_string(buf," "," ");
865
866 if (buf[0] != '#' && buf[0] != '\n')
867 {
868 BOOL is_group = False;
869 int plus = 1;
870 char *bp = buf;
871 if (strcmp(buf, "NO_PLUS\n") == 0)
872 {
873 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
874 plus_allowed = 0;
875 }
876 else {
877 if (buf[0] == '+')
878 {
879 bp++;
880 if (*bp == '\n' && plus_allowed)
881 {
882 /* a bare plus means everbody allowed */
883 DEBUG(6, ("check_user_equiv everybody allowed\n"));
884 file_lines_free(lines);
885 return True;
886 }
887 }
888 else if (buf[0] == '-')
889 {
890 bp++;
891 plus = 0;
892 }
893 if (*bp == '@')
894 {
895 is_group = True;
896 bp++;
897 }
898 file_host = strtok(bp, " \t\n");
899 file_user = strtok(NULL, " \t\n");
900 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
901 file_user ? file_user : "(null)" ));
902 if (file_host && *file_host)
903 {
904 BOOL host_ok = False;
905
906 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
907 if (is_group)
908 {
909 static char *mydomain = NULL;
910 if (!mydomain)
911 yp_get_default_domain(&mydomain);
912 if (mydomain && innetgr(file_host,remote,user,mydomain))
913 host_ok = True;
914 }
915 #else
916 if (is_group)
917 {
918 DEBUG(1,("Netgroups not configured\n"));
919 continue;
920 }
921 #endif
922
923 /* is it this host */
924 /* the fact that remote has come from a call of gethostbyaddr
925 * means that it may have the fully qualified domain name
926 * so we could look up the file version to get it into
927 * a canonical form, but I would rather just type it
928 * in full in the equiv file
929 */
930 if (!host_ok && !is_group && strequal(remote, file_host))
931 host_ok = True;
932
933 if (!host_ok)
934 continue;
935
936 /* is it this user */
937 if (file_user == 0 || strequal(user, file_user))
938 {
939 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
940 (plus ? "+" : "-"), file_host,
941 (file_user ? file_user : "")));
942 file_lines_free(lines);
943 return (plus ? True : False);
944 }
945 }
946 }
947 }
948 }
949 file_lines_free(lines);
950 return False;
951 }
952
953
954 /****************************************************************************
955 check for a possible hosts equiv or rhosts entry for the user
956 ****************************************************************************/
957 BOOL check_hosts_equiv(char *user)
958 {
959 char *fname = NULL;
960 pstring rhostsfile;
961 struct passwd *pass = Get_Pwnam(user,True);
962
963 if (!pass)
964 return(False);
965
966 fname = lp_hosts_equiv();
967
968 /* note: don't allow hosts.equiv on root */
969 if (fname && *fname && (pass->pw_uid != 0)) {
970 if (check_user_equiv(user,client_name(),fname))
971 return(True);
972 }
973
974 if (lp_use_rhosts())
975 {
976 char *home = get_user_home_dir(user);
977 if (home) {
978 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
979 if (check_user_equiv(user,client_name(),rhostsfile))
980 return(True);
981 }
982 }
983
984 return(False);
985 }
986
987
988 /****************************************************************************
989 Return the client state structure.
990 ****************************************************************************/
991
992 struct cli_state *server_client(void)
993 {
994 static struct cli_state pw_cli;
995 return &pw_cli;
996 }
997
998 /****************************************************************************
999 Support for server level security.
1000 ****************************************************************************/
1001
1002 struct cli_state *server_cryptkey(void)
1003 {
1004 struct cli_state *cli;
1005 fstring desthost;
1006 struct in_addr dest_ip;
1007 char *p, *pserver;
1008 BOOL connected_ok = False;
1009
1010 cli = server_client();
1011
1012 if (!cli_initialise(cli))
1013 return NULL;
1014
1015 pserver = strdup(lp_passwordserver());
1016 p = pserver;
1017
1018 while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
1019 standard_sub_basic(desthost);
1020 strupper(desthost);
1021
1022 if(!resolve_name( desthost, &dest_ip, 0x20)) {
1023 DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
1024 continue;
1025 }
1026
1027 if (ismyip(dest_ip)) {
1028 DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
1029 continue;
1030 }
1031
1032 if (cli_connect(cli, desthost, &dest_ip)) {
1033 DEBUG(3,("connected to password server %s\n",desthost));
1034 connected_ok = True;
1035 break;
1036 }
1037 }
1038
1039 free(pserver);
1040
1041 if (!connected_ok) {
1042 DEBUG(0,("password server not available\n"));
1043 cli_shutdown(cli);
1044 return NULL;
1045 }
1046
1047 if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip))
1048 return NULL;
1049
1050 DEBUG(3,("got session\n"));
1051
1052 if (!cli_negprot(cli)) {
1053 DEBUG(1,("%s rejected the negprot\n",desthost));
1054 cli_shutdown(cli);
1055 return NULL;
1056 }
1057
1058 if (cli->protocol < PROTOCOL_LANMAN2 ||
1059 !(cli->sec_mode & 1)) {
1060 DEBUG(1,("%s isn't in user level security mode\n",desthost));
1061 cli_shutdown(cli);
1062 return NULL;
1063 }
1064
1065 DEBUG(3,("password server OK\n"));
1066
1067 return cli;
1068 }
1069
1070 /****************************************************************************
1071 Validate a password with the password server.
1072 ****************************************************************************/
1073
1074 BOOL server_validate(char *user, char *domain,
1075 char *pass, int passlen,
1076 char *ntpass, int ntpasslen)
1077 {
1078 struct cli_state *cli;
1079 static unsigned char badpass[24];
1080 static BOOL tested_password_server = False;
1081 static BOOL bad_password_server = False;
1082
1083 cli = server_client();
1084
1085 if (!cli->initialised) {
1086 DEBUG(1,("password server %s is not connected\n", cli->desthost));
1087 return(False);
1088 }
1089
1090 if(badpass[0] == 0)
1091 memset(badpass, 0x1f, sizeof(badpass));
1092
1093 if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
1094 /*
1095 * Very unlikely, our random bad password is the same as the users
1096 * password. */
1097 memset(badpass, badpass[0]+1, sizeof(badpass));
1098 }
1099
1100 /*
1101 * Attempt a session setup with a totally incorrect password.
1102 * If this succeeds with the guest bit *NOT* set then the password
1103 * server is broken and is not correctly setting the guest bit. We
1104 * need to detect this as some versions of NT4.x are broken. JRA.
1105 */
1106
1107 if(!tested_password_server) {
1108 if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
1109 (char *)badpass, sizeof(badpass), domain)) {
1110
1111 /*
1112 * We connected to the password server so we
1113 * can say we've tested it.
1114 */
1115 tested_password_server = True;
1116
1117 if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
1118 DEBUG(0,("server_validate: password server %s allows users as non-guest \
1119 with a bad password.\n", cli->desthost));
1120 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
1121 use this machine as the password server.\n"));
1122 cli_ulogoff(cli);
1123
1124 /*
1125 * Password server has the bug.
1126 */
1127 bad_password_server = True;
1128 return False;
1129 }
1130 cli_ulogoff(cli);
1131 }
1132 } else {
1133
1134 /*
1135 * We have already tested the password server.
1136 * Fail immediately if it has the bug.
1137 */
1138
1139 if(bad_password_server) {
1140 DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
1141 with a bad password.\n", cli->desthost));
1142 DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
1143 use this machine as the password server.\n"));
1144 return False;
1145 }
1146 }
1147
1148 /*
1149 * Now we know the password server will correctly set the guest bit, or is
1150 * not guest enabled, we can try with the real password.
1151 */
1152
1153 if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
1154 DEBUG(1,("password server %s rejected the password\n", cli->desthost));
1155 return False;
1156 }
1157
1158 /* if logged in as guest then reject */
1159 if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
1160 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
1161 cli_ulogoff(cli);
1162 return(False);
1163 }
1164
1165 cli_ulogoff(cli);
1166
1167 return(True);
1168 }
1169
1170 /***********************************************************************
1171 Connect to a remote machine for domain security authentication
1172 given a name or IP address.
1173 ************************************************************************/
1174
1175 static BOOL connect_to_domain_password_server(struct cli_state *pcli, char *remote_machine,
1176 unsigned char *trust_passwd)
1177 {
1178 struct in_addr dest_ip;
1179
1180 if(cli_initialise(pcli) == False) {
1181 DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
1182 return False;
1183 }
1184
1185 standard_sub_basic(remote_machine);
1186 strupper(remote_machine);
1187
1188 if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
1189 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
1190 cli_shutdown(pcli);
1191 return False;
1192 }
1193
1194 if (ismyip(dest_ip)) {
1195 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
1196 remote_machine));
1197 cli_shutdown(pcli);
1198 return False;
1199 }
1200
1201 if (!cli_connect(pcli, remote_machine, &dest_ip)) {
1202 DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
1203 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1204 cli_shutdown(pcli);
1205 return False;
1206 }
1207
1208 if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) {
1209 DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
1210 session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1211 return False;
1212 }
1213
1214 pcli->protocol = PROTOCOL_NT1;
1215
1216 if (!cli_negprot(pcli)) {
1217 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
1218 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1219 cli_shutdown(pcli);
1220 return False;
1221 }
1222
1223 if (pcli->protocol != PROTOCOL_NT1) {
1224 DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
1225 remote_machine));
1226 cli_shutdown(pcli);
1227 return False;
1228 }
1229
1230 /*
1231 * Do an anonymous session setup.
1232 */
1233
1234 if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) {
1235 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
1236 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1237 cli_shutdown(pcli);
1238 return False;
1239 }
1240
1241 if (!(pcli->sec_mode & 1)) {
1242 DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
1243 remote_machine));
1244 cli_shutdown(pcli);
1245 return False;
1246 }
1247
1248 if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) {
1249 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
1250 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1251 cli_shutdown(pcli);
1252 return False;
1253 }
1254
1255 /*
1256 * We now have an anonymous connection to IPC$ on the domain password server.
1257 */
1258
1259 /*
1260 * Even if the connect succeeds we need to setup the netlogon
1261 * pipe here. We do this as we may just have changed the domain
1262 * account password on the PDC and yet we may be talking to
1263 * a BDC that doesn't have this replicated yet. In this case
1264 * a successful connect to a DC needs to take the netlogon connect
1265 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
1266 */
1267
1268 if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) {
1269 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
1270 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
1271 cli_nt_session_close(pcli);
1272 cli_ulogoff(pcli);
1273 cli_shutdown(pcli);
1274 return False;
1275 }
1276
1277 if (cli_nt_setup_creds(pcli, trust_passwd) == False) {
1278 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
1279 %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
1280 cli_nt_session_close(pcli);
1281 cli_ulogoff(pcli);
1282 cli_shutdown(pcli);
1283 return(False);
1284 }
1285
1286 return True;
1287 }
1288
1289 /***********************************************************************
1290 Utility function to attempt a connection to an IP address of a DC.
1291 ************************************************************************/
1292
1293 static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, unsigned char *trust_passwd)
1294 {
1295 fstring dc_name;
1296
1297 /*
1298 * Ignore addresses we have already tried.
1299 */
1300
1301 if (ip_equal(ipzero, *ip))
1302 return False;
1303
1304 if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name))
1305 return False;
1306
1307 return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
1308 }
1309
1310
1311
1312 /***********************************************************************
1313 We have been asked to dynamcially determine the IP addresses of
1314 the PDC and BDC's for this DOMAIN, and query them in turn.
1315 ************************************************************************/
1316 static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd)
1317 {
1318 struct in_addr *ip_list = NULL;
1319 int count = 0;
1320 int i;
1321 BOOL connected_ok = False;
1322
1323 if (!get_dc_list(lp_workgroup(), &ip_list, &count))
1324 return False;
1325
1326 /*
1327 * Firstly try and contact a PDC/BDC who has the same
1328 * network address as any of our interfaces.
1329 */
1330 for(i = 0; i < count; i++) {
1331 if(!is_local_net(ip_list[i]))
1332 continue;
1333
1334 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1335 break;
1336
1337 ip_list[i] = ipzero; /* Tried and failed. */
1338 }
1339
1340 /*
1341 * Secondly try and contact a random PDC/BDC.
1342 */
1343 if(!connected_ok) {
1344 i = (sys_random() % count);
1345
1346 if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1347 ip_list[i] = ipzero; /* Tried and failed. */
1348 }
1349
1350 /*
1351 * Finally go through the IP list in turn, ignoring any addresses
1352 * we have already tried.
1353 */
1354 if(!connected_ok) {
1355 /*
1356 * Try and connect to any of the other IP addresses in the PDC/BDC list.
1357 * Note that from a WINS server the #1 IP address is the PDC.
1358 */
1359 for(i = 0; i < count; i++) {
1360 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1361 break;
1362 }
1363 }
1364
1365 if(ip_list != NULL)
1366 free((char *)ip_list);
1367
1368
1369 return connected_ok;
1370 }
1371
1372
1373
1374 /***********************************************************************
1375 Do the same as security=server, but using NT Domain calls and a session
1376 key from the machine password.
1377 ************************************************************************/
1378
1379 BOOL domain_client_validate( char *user, char *domain,
1380 char *smb_apasswd, int smb_apasslen,
1381 char *smb_ntpasswd, int smb_ntpasslen,
1382 BOOL *user_exists)
1383 {
1384 unsigned char local_challenge[8];
1385 unsigned char local_lm_response[24];
1386 unsigned char local_nt_response[24];
1387 unsigned char trust_passwd[16];
1388 fstring remote_machine;
1389 char *p, *pserver;
1390 NET_ID_INFO_CTR ctr;
1391 NET_USER_INFO_3 info3;
1392 struct cli_state cli;
1393 uint32 smb_uid_low;
1394 BOOL connected_ok = False;
1395
1396 if(user_exists != NULL)
1397 *user_exists = True; /* Only set false on a very specific error. */
1398
1399 /*
1400 * Check that the requested domain is not our own machine name.
1401 * If it is, we should never check the PDC here, we use our own local
1402 * password file.
1403 */
1404
1405 if(strequal( domain, global_myname)) {
1406 DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
1407 return False;
1408 }
1409
1410 /*
1411 * Next, check that the passwords given were encrypted.
1412 */
1413
1414 if(((smb_apasslen != 24) && (smb_apasslen != 0)) ||
1415 ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) {
1416
1417 /*
1418 * Not encrypted - do so.
1419 */
1420
1421 DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
1422 generate_random_buffer( local_challenge, 8, False);
1423 SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
1424 SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response);
1425 smb_apasslen = 24;
1426 smb_ntpasslen = 24;
1427 smb_apasswd = (char *)local_lm_response;
1428 smb_ntpasswd = (char *)local_nt_response;
1429 } else {
1430
1431 /*
1432 * Encrypted - get the challenge we sent for these
1433 * responses.
1434 */
1435
1436 if (!last_challenge(local_challenge)) {
1437 DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
1438 return False;
1439 }
1440 }
1441
1442 /*
1443 * Get the machine account password for our primary domain
1444 */
1445 if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, NULL))
1446 {
1447 return False;
1448 }
1449
1450 /*
1451 * At this point, smb_apasswd points to the lanman response to
1452 * the challenge in local_challenge, and smb_ntpasswd points to
1453 * the NT response to the challenge in local_challenge. Ship
1454 * these over the secure channel to a domain controller and
1455 * see if they were valid.
1456 */
1457
1458 ZERO_STRUCT(cli);
1459
1460 /*
1461 * Treat each name in the 'password server =' line as a potential
1462 * PDC/BDC. Contact each in turn and try and authenticate.
1463 */
1464
1465 pserver = lp_passwordserver();
1466 if (! *pserver) pserver = "*";
1467 p = pserver;
1468
1469 while (!connected_ok &&
1470 next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
1471 if(strequal(remote_machine, "*")) {
1472 connected_ok = find_connect_pdc(&cli, trust_passwd);
1473 } else {
1474 connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
1475 }
1476 }
1477
1478 if (!connected_ok) {
1479 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
1480 cli_shutdown(&cli);
1481 return False;
1482 }
1483
1484 /* We really don't care what LUID we give the user. */
1485 generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
1486
1487 ZERO_STRUCT(info3);
1488
1489 if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge,
1490 ((smb_apasslen != 0) ? smb_apasswd : NULL),
1491 ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
1492 &ctr, &info3) == False) {
1493 uint32 nt_rpc_err;
1494
1495 cli_error(&cli, NULL, NULL, &nt_rpc_err);
1496 DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
1497 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
1498 cli_nt_session_close(&cli);
1499 cli_ulogoff(&cli);
1500 cli_shutdown(&cli);
1501
1502 if((nt_rpc_err == NT_STATUS_NO_SUCH_USER) && (user_exists != NULL))
1503 *user_exists = False;
1504
1505 return False;
1506 }
1507
1508 /*
1509 * Here, if we really want it, we have lots of info about the user in info3.
1510 */
1511
1512 #if 0
1513 /*
1514 * We don't actually need to do this - plus it fails currently with
1515 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
1516 * send here. JRA.
1517 */
1518
1519 if(cli_nt_logoff(&cli, &ctr) == False) {
1520 DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
1521 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
1522 cli_nt_session_close(&cli);
1523 cli_ulogoff(&cli);
1524 cli_shutdown(&cli);
1525 return False;
1526 }
1527 #endif /* 0 */
1528
1529 /* Note - once the cli stream is shutdown the mem_ctx used
1530 to allocate the other_sids and gids structures has been deleted - so
1531 these pointers are no longer valid..... */
1532
1533 cli_nt_session_close(&cli);
1534 cli_ulogoff(&cli);
1535 cli_shutdown(&cli);
1536 return True;
1537 }
1538
1539 #undef OLD_NTDOMAIN
Samba GIT mirror