4 Unix SMB/Netbios implementation.
6 Password and authentication handling
7 Copyright (C) Andrew Tridgell 1992-1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 extern int DEBUGLEVEL
;
28 extern struct in_addr ipzero
;
30 /* users from session setup */
31 static pstring session_users
="";
33 extern pstring global_myname
;
34 extern fstring global_myworkgroup
;
36 /* Data to do lanman1/2 password challenge. */
37 static unsigned char saved_challenge
[8];
38 static BOOL challenge_sent
=False
;
40 /*******************************************************************
41 Get the next challenge value - no repeats.
42 ********************************************************************/
43 void generate_next_challenge(char *challenge
)
47 * Leave this ifdef'd out while we test
48 * the new crypto random number generator.
51 unsigned char buf
[16];
52 static int counter
= 0;
56 /* get a sort-of random number */
58 v1
= (counter
++) + sys_getpid() + tval
.tv_sec
;
59 v2
= (counter
++) * sys_getpid() + tval
.tv_usec
;
60 SIVAL(challenge
,0,v1
);
61 SIVAL(challenge
,4,v2
);
63 /* mash it up with md4 */
64 mdfour(buf
, (unsigned char *)challenge
, 8);
68 generate_random_buffer(buf
,8,False
);
70 memcpy(saved_challenge
, buf
, 8);
71 memcpy(challenge
,buf
,8);
72 challenge_sent
= True
;
75 /*******************************************************************
76 set the last challenge sent, usually from a password server
77 ********************************************************************/
78 BOOL
set_challenge(unsigned char *challenge
)
80 memcpy(saved_challenge
,challenge
,8);
81 challenge_sent
= True
;
85 /*******************************************************************
86 get the last challenge sent
87 ********************************************************************/
88 static BOOL
last_challenge(unsigned char *challenge
)
90 if (!challenge_sent
) return(False
);
91 memcpy(challenge
,saved_challenge
,8);
95 /* this holds info on user ids that are already validated for this VC */
96 static user_struct
*validated_users
;
97 static int next_vuid
= VUID_OFFSET
;
98 static int num_validated_vuids
;
100 /****************************************************************************
101 check if a uid has been validated, and return an pointer to the user_struct
102 if it has. NULL if not. vuid is biased by an offset. This allows us to
103 tell random client vuid's (normally zero) from valid vuids.
104 ****************************************************************************/
105 user_struct
*get_valid_user_struct(uint16 vuid
)
110 if (vuid
== UID_FIELD_INVALID
)
113 for (usp
=validated_users
;usp
;usp
=usp
->next
,count
++) {
114 if (vuid
== usp
->vuid
) {
116 DLIST_PROMOTE(validated_users
, usp
);
124 /****************************************************************************
126 ****************************************************************************/
127 void invalidate_vuid(uint16 vuid
)
129 user_struct
*vuser
= get_valid_user_struct(vuid
);
134 DLIST_REMOVE(validated_users
, vuser
);
136 safe_free(vuser
->groups
);
137 delete_nt_token(&vuser
->nt_user_token
);
139 num_validated_vuids
--;
142 /****************************************************************************
143 return a validated username
144 ****************************************************************************/
145 char *validated_username(uint16 vuid
)
147 user_struct
*vuser
= get_valid_user_struct(vuid
);
150 return(vuser
->user
.unix_name
);
153 /****************************************************************************
154 return a validated domain
155 ****************************************************************************/
156 char *validated_domain(uint16 vuid
)
158 user_struct
*vuser
= get_valid_user_struct(vuid
);
161 return(vuser
->user
.domain
);
165 /****************************************************************************
166 Create the SID list for this user.
167 ****************************************************************************/
169 NT_USER_TOKEN
*create_nt_token(uid_t uid
, gid_t gid
, int ngroups
, gid_t
*groups
)
171 NT_USER_TOKEN
*token
;
175 if ((token
= (NT_USER_TOKEN
*)malloc( sizeof(NT_USER_TOKEN
) ) ) == NULL
)
180 if ((token
->user_sids
= (DOM_SID
*)malloc( (ngroups
+ 2)*sizeof(DOM_SID
))) == NULL
) {
185 psids
= token
->user_sids
;
189 uid_to_sid( &psids
[0], uid
);
190 gid_to_sid( &psids
[1], gid
);
192 for (i
= 0; i
< ngroups
; i
++) {
193 if (groups
[i
] != gid
) {
194 gid_to_sid( &psids
[psid_ndx
+2], groups
[i
]);
203 /****************************************************************************
204 register a uid/name pair as being valid and that a valid password
205 has been given. vuid is biased by an offset. This allows us to
206 tell random client vuid's (normally zero) from valid vuids.
207 ****************************************************************************/
209 uint16
register_vuid(uid_t uid
,gid_t gid
, char *unix_name
, char *requested_name
,
210 char *domain
,BOOL guest
)
212 user_struct
*vuser
= NULL
;
214 struct passwd
*pwfile
; /* for getting real name from passwd file */
216 /* Ensure no vuid gets registered in share level security. */
217 if(lp_security() == SEC_SHARE
)
218 return UID_FIELD_INVALID
;
220 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
221 if (num_validated_vuids
>= 0xFFFF-VUID_OFFSET
)
222 return UID_FIELD_INVALID
;
224 if((vuser
= (user_struct
*)malloc( sizeof(user_struct
) )) == NULL
) {
225 DEBUG(0,("Failed to malloc users struct!\n"));
226 return UID_FIELD_INVALID
;
231 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid
, (unsigned int)gid
,
232 unix_name
, requested_name
, domain
, guest
));
234 /* Allocate a free vuid. Yes this is a linear search... :-) */
235 while( (vsp
= get_valid_user_struct(next_vuid
)) != NULL
) {
237 /* Check for vuid wrap. */
238 if (next_vuid
== UID_FIELD_INVALID
)
239 next_vuid
= VUID_OFFSET
;
242 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid
));
244 vuser
->vuid
= next_vuid
;
247 vuser
->guest
= guest
;
248 fstrcpy(vuser
->user
.unix_name
,unix_name
);
249 fstrcpy(vuser
->user
.smb_name
,requested_name
);
250 fstrcpy(vuser
->user
.domain
,domain
);
253 vuser
->groups
= NULL
;
255 /* Find all the groups this uid is in and store them.
256 Used by become_user() */
257 initialise_groups(unix_name
, uid
, gid
);
258 get_current_groups( &vuser
->n_groups
, &vuser
->groups
);
260 /* Create an NT_USER_TOKEN struct for this user. */
261 vuser
->nt_user_token
= create_nt_token(uid
,gid
, vuser
->n_groups
, vuser
->groups
);
264 num_validated_vuids
++;
266 DLIST_ADD(validated_users
, vuser
);
268 DEBUG(3,("uid %d registered to name %s\n",(int)uid
,unix_name
));
270 DEBUG(3, ("Clearing default real name\n"));
271 fstrcpy(vuser
->user
.full_name
, "<Full Name>");
272 if (lp_unix_realname()) {
273 if ((pwfile
=sys_getpwnam(vuser
->user
.unix_name
))!= NULL
) {
274 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser
->user
.unix_name
,pwfile
->pw_gecos
));
275 fstrcpy(vuser
->user
.full_name
, pwfile
->pw_gecos
);
279 memset(&vuser
->dc
, '\0', sizeof(vuser
->dc
));
285 /****************************************************************************
286 add a name to the session users list
287 ****************************************************************************/
288 void add_session_user(char *user
)
291 StrnCpy(suser
,user
,sizeof(suser
)-1);
293 if (!Get_Pwnam(suser
,True
)) return;
295 if (suser
&& *suser
&& !in_list(suser
,session_users
,False
))
297 if (strlen(suser
) + strlen(session_users
) + 2 >= sizeof(pstring
))
298 DEBUG(1,("Too many session users??\n"));
301 pstrcat(session_users
," ");
302 pstrcat(session_users
,suser
);
308 /****************************************************************************
309 update the encrypted smbpasswd file from the plaintext username and password
310 *****************************************************************************/
311 static BOOL
update_smbpassword_file(char *user
, char *password
)
313 SAM_ACCOUNT
*sampass
= NULL
;
317 sampass
= pdb_getsampwnam(user
);
320 if(sampass
== NULL
) {
321 DEBUG(0,("pdb_getsampwnam returned NULL\n"));
326 * Remove the account disabled flag - we are updating the
327 * users password from a login.
329 pdb_set_acct_ctrl(sampass
, pdb_get_acct_ctrl(sampass
) & ~ACB_DISABLED
);
331 /* Here, the flag is one, because we want to ignore the
332 XXXXXXX'd out password */
333 ret
= change_oem_password( sampass
, password
, True
);
335 DEBUG(3,("change_oem_password returned False\n"));
341 /****************************************************************************
342 core of smb password checking routine.
343 ****************************************************************************/
344 BOOL
smb_password_check(char *password
, unsigned char *part_passwd
, unsigned char *c8
)
346 /* Finish the encryption of part_passwd. */
347 unsigned char p21
[21];
348 unsigned char p24
[24];
350 if (part_passwd
== NULL
)
352 DEBUG(10,("No password set - allowing access\n"));
354 /* No password set - always true ! */
359 memcpy(p21
,part_passwd
,16);
364 DEBUG(100,("Part password (P16) was |"));
365 for(i
= 0; i
< 16; i
++)
366 DEBUG(100,("%X ", (unsigned char)part_passwd
[i
]));
368 DEBUG(100,("Password from client was |"));
369 for(i
= 0; i
< 24; i
++)
370 DEBUG(100,("%X ", (unsigned char)password
[i
]));
372 DEBUG(100,("Given challenge was |"));
373 for(i
= 0; i
< 8; i
++)
374 DEBUG(100,("%X ", (unsigned char)c8
[i
]));
376 DEBUG(100,("Value from encryption was |"));
377 for(i
= 0; i
< 24; i
++)
378 DEBUG(100,("%X ", (unsigned char)p24
[i
]));
382 return (memcmp(p24
, password
, 24) == 0);
385 /****************************************************************************
386 Do a specific test for an smb password being correct, given a smb_password and
387 the lanman and NT responses.
388 ****************************************************************************/
389 BOOL
smb_password_ok(SAM_ACCOUNT
*sampass
, uchar chal
[8],
390 uchar lm_pass
[24], uchar nt_pass
[24])
396 if (!lm_pass
|| !sampass
)
399 user_name
= pdb_get_username(sampass
);
401 DEBUG(4,("Checking SMB password for user %s\n",user_name
));
403 if(pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) {
404 DEBUG(1,("account for user %s was disabled.\n", user_name
));
410 DEBUG(5,("use last SMBnegprot challenge\n"));
411 if (!last_challenge(challenge
))
413 DEBUG(1,("no challenge done - password failed\n"));
419 DEBUG(5,("challenge received\n"));
420 memcpy(challenge
, chal
, 8);
423 nt_pw
= pdb_get_nt_passwd(sampass
);
425 if ((Protocol
>= PROTOCOL_NT1
) && (nt_pw
!= NULL
)) {
426 /* We have the NT MD4 hash challenge available - see if we can
427 use it (ie. does it exist in the smbpasswd file).
429 DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
430 if (smb_password_check((char *)nt_pass
, (uchar
*)nt_pw
, challenge
))
432 DEBUG(4,("NT MD4 password check succeeded\n"));
435 DEBUG(4,("NT MD4 password check failed\n"));
438 /* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL
439 means no password, allow access. */
441 DEBUG(4,("Checking LM MD4 password\n"));
443 lm_pw
= pdb_get_lanman_passwd(sampass
);
445 if((lm_pw
== NULL
) && (pdb_get_acct_ctrl(sampass
) & ACB_PWNOTREQ
))
447 DEBUG(4,("no password required for user %s\n",user_name
));
451 if((lm_pw
!= NULL
) && smb_password_check((char *)lm_pass
,(uchar
*)lm_pw
, challenge
))
453 DEBUG(4,("LM MD4 password check succeeded\n"));
457 DEBUG(4,("LM MD4 password check failed\n"));
463 /****************************************************************************
464 check if a username/password is OK assuming the password is a 24 byte
466 return True if the password is correct, False otherwise
467 ****************************************************************************/
469 BOOL
pass_check_smb(char *user
, char *domain
, uchar
*chal
,
470 uchar
*lm_pwd
, uchar
*nt_pwd
, struct passwd
*pwd
)
473 SAM_ACCOUNT
*sampass
;
475 if (!lm_pwd
|| !nt_pwd
)
480 /* FIXME! this code looks to be unnecessary now that the passdb
481 validates that the username exists and has a valid uid */
482 if (pwd
!= NULL
&& user
== NULL
)
484 pass
= (struct passwd
*) pwd
;
485 user
= pass
->pw_name
;
489 /* I don't get this call here. I think it should be moved.
490 Need to check on it. --jerry */
491 pass
= smb_getpwnam(user
,True
);
496 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user
));
500 /* get the account information */
501 sampass
= pdb_getsampwnam(user
);
504 DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user
));
508 /* Quit if the account was disabled. */
509 if(pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) {
510 DEBUG(1,("Account for user '%s' was disabled.\n", user
));
514 /* Ensure the uid's match
515 FIXME! This also seems unnecessary --jerry */
517 if (smb_pass
->smb_userid
!= pass
->pw_uid
)
519 DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user
));
524 if (pdb_get_acct_ctrl(sampass
) & ACB_PWNOTREQ
)
526 if (lp_null_passwords())
528 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user
));
533 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user
));
538 if (smb_password_ok(sampass
, chal
, lm_pwd
, nt_pwd
))
543 DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user
));
547 /****************************************************************************
548 check if a username/password pair is OK either via the system password
549 database or the encrypted SMB password database
550 return True if the password is correct, False otherwise
551 ****************************************************************************/
552 BOOL
password_ok(char *user
, char *password
, int pwlen
, struct passwd
*pwd
)
554 if (pwlen
== 24 || (lp_encrypted_passwords() && (pwlen
== 0) && lp_null_passwords()))
556 /* if 24 bytes long assume it is an encrypted password */
559 if (!last_challenge(challenge
))
561 DEBUG(0,("Error: challenge not done for user=%s\n", user
));
565 return pass_check_smb(user
, global_myworkgroup
,
566 challenge
, (uchar
*)password
, (uchar
*)password
, pwd
);
569 return pass_check(user
, password
, pwlen
, pwd
,
570 lp_update_encrypted() ?
571 update_smbpassword_file
: NULL
);
574 /****************************************************************************
575 check if a username is valid
576 ****************************************************************************/
577 BOOL
user_ok(char *user
,int snum
)
579 pstring valid
, invalid
;
582 StrnCpy(valid
, lp_valid_users(snum
), sizeof(pstring
)-1);
583 StrnCpy(invalid
, lp_invalid_users(snum
), sizeof(pstring
)-1);
585 pstring_sub(valid
,"%S",lp_servicename(snum
));
586 pstring_sub(invalid
,"%S",lp_servicename(snum
));
588 ret
= !user_in_list(user
,invalid
);
590 if (ret
&& valid
&& *valid
) {
591 ret
= user_in_list(user
,valid
);
594 if (ret
&& lp_onlyuser(snum
)) {
595 char *user_list
= lp_username(snum
);
596 pstring_sub(user_list
,"%S",lp_servicename(snum
));
597 ret
= user_in_list(user
,user_list
);
606 /****************************************************************************
607 validate a group username entry. Return the username or NULL
608 ****************************************************************************/
609 static char *validate_group(char *group
,char *password
,int pwlen
,int snum
)
613 char *host
, *user
, *domain
;
615 while (getnetgrent(&host
, &user
, &domain
)) {
617 if (user_ok(user
, snum
) &&
618 password_ok(user
,password
,pwlen
,NULL
)) {
632 while ((gptr
= (struct group
*)getgrent())) {
633 if (strequal(gptr
->gr_name
,group
))
638 * As user_ok can recurse doing a getgrent(), we must
639 * copy the member list into a pstring on the stack before
640 * use. Bug pointed out by leon@eatworms.swmed.edu.
646 size_t copied_len
= 0;
650 member
= member_list
;
652 for(i
= 0; gptr
->gr_mem
&& gptr
->gr_mem
[i
]; i
++) {
653 size_t member_len
= strlen(gptr
->gr_mem
[i
]) + 1;
654 if( copied_len
+ member_len
< sizeof(pstring
)) {
656 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr
->gr_mem
[i
]));
658 safe_strcpy(member
, gptr
->gr_mem
[i
], sizeof(pstring
) - copied_len
- 1);
659 copied_len
+= member_len
;
660 member
+= copied_len
;
668 member
= member_list
;
671 fstrcpy(name
,member
);
672 if (user_ok(name
,snum
) &&
673 password_ok(name
,password
,pwlen
,NULL
)) {
678 DEBUG(10,("validate_group = member = %s\n", member
));
680 member
+= strlen(member
) + 1;
693 /****************************************************************************
694 check for authority to login to a service with a given username/password
695 ****************************************************************************/
696 BOOL
authorise_login(int snum
,char *user
,char *password
, int pwlen
,
697 BOOL
*guest
,BOOL
*force
,uint16 vuid
)
704 DEBUG(100,("checking authorisation on user=%s pass=%s\n",user
,password
));
707 /* there are several possibilities:
708 1) login as the given user with given password
709 2) login as a previously registered username with the given password
710 3) login as a session list username with the given password
711 4) login as a previously validated user/password pair
712 5) login as the "user =" user with given password
713 6) login as the "user =" user with no password (guest connection)
714 7) login as guest user with no password
716 if the service is guest_only then steps 1 to 5 are skipped
719 if (GUEST_ONLY(snum
)) *force
= True
;
721 if (!(GUEST_ONLY(snum
) && GUEST_OK(snum
)))
724 user_struct
*vuser
= get_valid_user_struct(vuid
);
726 /* check the given username and password */
727 if (!ok
&& (*user
) && user_ok(user
,snum
)) {
728 ok
= password_ok(user
,password
, pwlen
, NULL
);
729 if (ok
) DEBUG(3,("ACCEPTED: given username password ok\n"));
732 /* check for a previously registered guest username */
733 if (!ok
&& (vuser
!= 0) && vuser
->guest
) {
734 if (user_ok(vuser
->user
.unix_name
,snum
) &&
735 password_ok(vuser
->user
.unix_name
, password
, pwlen
, NULL
)) {
736 fstrcpy(user
, vuser
->user
.unix_name
);
737 vuser
->guest
= False
;
738 DEBUG(3,("ACCEPTED: given password with registered user %s\n", user
));
744 /* now check the list of session users */
748 char *user_list
= strdup(session_users
);
749 if (!user_list
) return(False
);
751 for (auser
=strtok(user_list
,LIST_SEP
);
753 auser
= strtok(NULL
,LIST_SEP
))
756 fstrcpy(user2
,auser
);
757 if (!user_ok(user2
,snum
)) continue;
759 if (password_ok(user2
,password
, pwlen
, NULL
)) {
762 DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
768 /* check for a previously validated username/password pair */
769 if (!ok
&& (lp_security() > SEC_SHARE
) &&
770 (vuser
!= 0) && !vuser
->guest
&&
771 user_ok(vuser
->user
.unix_name
,snum
)) {
772 fstrcpy(user
,vuser
->user
.unix_name
);
774 DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
778 /* check for a rhosts entry */
779 if (!ok
&& user_ok(user
,snum
) && check_hosts_equiv(user
)) {
781 DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
784 /* check the user= fields and the given password */
785 if (!ok
&& lp_username(snum
)) {
788 StrnCpy(user_list
,lp_username(snum
),sizeof(pstring
));
790 pstring_sub(user_list
,"%S",lp_servicename(snum
));
792 for (auser
=strtok(user_list
,LIST_SEP
);
794 auser
= strtok(NULL
,LIST_SEP
))
798 auser
= validate_group(auser
+1,password
,pwlen
,snum
);
803 DEBUG(3,("ACCEPTED: group username and given password ok\n"));
809 fstrcpy(user2
,auser
);
810 if (user_ok(user2
,snum
) &&
811 password_ok(user2
,password
,pwlen
,NULL
))
815 DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
820 } /* not guest only */
822 /* check for a normal guest connection */
823 if (!ok
&& GUEST_OK(snum
))
826 StrnCpy(guestname
,lp_guestaccount(snum
),sizeof(guestname
)-1);
827 if (Get_Pwnam(guestname
,True
))
829 fstrcpy(user
,guestname
);
831 DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
834 DEBUG(0,("Invalid guest account %s??\n",guestname
));
838 if (ok
&& !user_ok(user
,snum
))
840 DEBUG(0,("rejected invalid user %s\n",user
));
848 /****************************************************************************
849 read the a hosts.equiv or .rhosts file and check if it
850 allows this user from this machine
851 ****************************************************************************/
852 static BOOL
check_user_equiv(char *user
, char *remote
, char *equiv_file
)
854 int plus_allowed
= 1;
857 char **lines
= file_lines_load(equiv_file
, NULL
);
860 DEBUG(5, ("check_user_equiv %s %s %s\n", user
, remote
, equiv_file
));
861 if (! lines
) return False
;
862 for (i
=0; lines
[i
]; i
++) {
863 char *buf
= lines
[i
];
864 trim_string(buf
," "," ");
866 if (buf
[0] != '#' && buf
[0] != '\n')
868 BOOL is_group
= False
;
871 if (strcmp(buf
, "NO_PLUS\n") == 0)
873 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
880 if (*bp
== '\n' && plus_allowed
)
882 /* a bare plus means everbody allowed */
883 DEBUG(6, ("check_user_equiv everybody allowed\n"));
884 file_lines_free(lines
);
888 else if (buf
[0] == '-')
898 file_host
= strtok(bp
, " \t\n");
899 file_user
= strtok(NULL
, " \t\n");
900 DEBUG(7, ("check_user_equiv %s %s\n", file_host
? file_host
: "(null)",
901 file_user
? file_user
: "(null)" ));
902 if (file_host
&& *file_host
)
904 BOOL host_ok
= False
;
906 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
909 static char *mydomain
= NULL
;
911 yp_get_default_domain(&mydomain
);
912 if (mydomain
&& innetgr(file_host
,remote
,user
,mydomain
))
918 DEBUG(1,("Netgroups not configured\n"));
923 /* is it this host */
924 /* the fact that remote has come from a call of gethostbyaddr
925 * means that it may have the fully qualified domain name
926 * so we could look up the file version to get it into
927 * a canonical form, but I would rather just type it
928 * in full in the equiv file
930 if (!host_ok
&& !is_group
&& strequal(remote
, file_host
))
936 /* is it this user */
937 if (file_user
== 0 || strequal(user
, file_user
))
939 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
940 (plus
? "+" : "-"), file_host
,
941 (file_user
? file_user
: "")));
942 file_lines_free(lines
);
943 return (plus
? True
: False
);
949 file_lines_free(lines
);
954 /****************************************************************************
955 check for a possible hosts equiv or rhosts entry for the user
956 ****************************************************************************/
957 BOOL
check_hosts_equiv(char *user
)
961 struct passwd
*pass
= Get_Pwnam(user
,True
);
966 fname
= lp_hosts_equiv();
968 /* note: don't allow hosts.equiv on root */
969 if (fname
&& *fname
&& (pass
->pw_uid
!= 0)) {
970 if (check_user_equiv(user
,client_name(),fname
))
976 char *home
= get_user_home_dir(user
);
978 slprintf(rhostsfile
, sizeof(rhostsfile
)-1, "%s/.rhosts", home
);
979 if (check_user_equiv(user
,client_name(),rhostsfile
))
988 /****************************************************************************
989 Return the client state structure.
990 ****************************************************************************/
992 struct cli_state
*server_client(void)
994 static struct cli_state pw_cli
;
998 /****************************************************************************
999 Support for server level security.
1000 ****************************************************************************/
1002 struct cli_state
*server_cryptkey(void)
1004 struct cli_state
*cli
;
1006 struct in_addr dest_ip
;
1008 BOOL connected_ok
= False
;
1010 cli
= server_client();
1012 if (!cli_initialise(cli
))
1015 pserver
= strdup(lp_passwordserver());
1018 while(next_token( &p
, desthost
, LIST_SEP
, sizeof(desthost
))) {
1019 standard_sub_basic(desthost
);
1022 if(!resolve_name( desthost
, &dest_ip
, 0x20)) {
1023 DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost
));
1027 if (ismyip(dest_ip
)) {
1028 DEBUG(1,("Password server loop - disabling password server %s\n",desthost
));
1032 if (cli_connect(cli
, desthost
, &dest_ip
)) {
1033 DEBUG(3,("connected to password server %s\n",desthost
));
1034 connected_ok
= True
;
1041 if (!connected_ok
) {
1042 DEBUG(0,("password server not available\n"));
1047 if (!attempt_netbios_session_request(cli
, global_myname
, desthost
, &dest_ip
))
1050 DEBUG(3,("got session\n"));
1052 if (!cli_negprot(cli
)) {
1053 DEBUG(1,("%s rejected the negprot\n",desthost
));
1058 if (cli
->protocol
< PROTOCOL_LANMAN2
||
1059 !(cli
->sec_mode
& 1)) {
1060 DEBUG(1,("%s isn't in user level security mode\n",desthost
));
1065 DEBUG(3,("password server OK\n"));
1070 /****************************************************************************
1071 Validate a password with the password server.
1072 ****************************************************************************/
1074 BOOL
server_validate(char *user
, char *domain
,
1075 char *pass
, int passlen
,
1076 char *ntpass
, int ntpasslen
)
1078 struct cli_state
*cli
;
1079 static unsigned char badpass
[24];
1080 static BOOL tested_password_server
= False
;
1081 static BOOL bad_password_server
= False
;
1083 cli
= server_client();
1085 if (!cli
->initialised
) {
1086 DEBUG(1,("password server %s is not connected\n", cli
->desthost
));
1091 memset(badpass
, 0x1f, sizeof(badpass
));
1093 if((passlen
== sizeof(badpass
)) && !memcmp(badpass
, pass
, passlen
)) {
1095 * Very unlikely, our random bad password is the same as the users
1097 memset(badpass
, badpass
[0]+1, sizeof(badpass
));
1101 * Attempt a session setup with a totally incorrect password.
1102 * If this succeeds with the guest bit *NOT* set then the password
1103 * server is broken and is not correctly setting the guest bit. We
1104 * need to detect this as some versions of NT4.x are broken. JRA.
1107 if(!tested_password_server
) {
1108 if (cli_session_setup(cli
, user
, (char *)badpass
, sizeof(badpass
),
1109 (char *)badpass
, sizeof(badpass
), domain
)) {
1112 * We connected to the password server so we
1113 * can say we've tested it.
1115 tested_password_server
= True
;
1117 if ((SVAL(cli
->inbuf
,smb_vwv2
) & 1) == 0) {
1118 DEBUG(0,("server_validate: password server %s allows users as non-guest \
1119 with a bad password.\n", cli
->desthost
));
1120 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
1121 use this machine as the password server.\n"));
1125 * Password server has the bug.
1127 bad_password_server
= True
;
1135 * We have already tested the password server.
1136 * Fail immediately if it has the bug.
1139 if(bad_password_server
) {
1140 DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
1141 with a bad password.\n", cli
->desthost
));
1142 DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
1143 use this machine as the password server.\n"));
1149 * Now we know the password server will correctly set the guest bit, or is
1150 * not guest enabled, we can try with the real password.
1153 if (!cli_session_setup(cli
, user
, pass
, passlen
, ntpass
, ntpasslen
, domain
)) {
1154 DEBUG(1,("password server %s rejected the password\n", cli
->desthost
));
1158 /* if logged in as guest then reject */
1159 if ((SVAL(cli
->inbuf
,smb_vwv2
) & 1) != 0) {
1160 DEBUG(1,("password server %s gave us guest only\n", cli
->desthost
));
1170 /***********************************************************************
1171 Connect to a remote machine for domain security authentication
1172 given a name or IP address.
1173 ************************************************************************/
1175 static BOOL
connect_to_domain_password_server(struct cli_state
*pcli
, char *remote_machine
,
1176 unsigned char *trust_passwd
)
1178 struct in_addr dest_ip
;
1180 if(cli_initialise(pcli
) == False
) {
1181 DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
1185 standard_sub_basic(remote_machine
);
1186 strupper(remote_machine
);
1188 if(!resolve_name( remote_machine
, &dest_ip
, 0x20)) {
1189 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine
));
1194 if (ismyip(dest_ip
)) {
1195 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
1201 if (!cli_connect(pcli
, remote_machine
, &dest_ip
)) {
1202 DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
1203 machine %s. Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1208 if (!attempt_netbios_session_request(pcli
, global_myname
, remote_machine
, &dest_ip
)) {
1209 DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
1210 session request. Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1214 pcli
->protocol
= PROTOCOL_NT1
;
1216 if (!cli_negprot(pcli
)) {
1217 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
1218 Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1223 if (pcli
->protocol
!= PROTOCOL_NT1
) {
1224 DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
1231 * Do an anonymous session setup.
1234 if (!cli_session_setup(pcli
, "", "", 0, "", 0, "")) {
1235 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
1236 Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1241 if (!(pcli
->sec_mode
& 1)) {
1242 DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
1248 if (!cli_send_tconX(pcli
, "IPC$", "IPC", "", 1)) {
1249 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
1250 Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1256 * We now have an anonymous connection to IPC$ on the domain password server.
1260 * Even if the connect succeeds we need to setup the netlogon
1261 * pipe here. We do this as we may just have changed the domain
1262 * account password on the PDC and yet we may be talking to
1263 * a BDC that doesn't have this replicated yet. In this case
1264 * a successful connect to a DC needs to take the netlogon connect
1265 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
1268 if(cli_nt_session_open(pcli
, PIPE_NETLOGON
) == False
) {
1269 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
1270 machine %s. Error was : %s.\n", remote_machine
, cli_errstr(pcli
)));
1271 cli_nt_session_close(pcli
);
1277 if (cli_nt_setup_creds(pcli
, trust_passwd
) == False
) {
1278 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
1279 %s. Error was : %s.\n", remote_machine
, cli_errstr(pcli
)));
1280 cli_nt_session_close(pcli
);
1289 /***********************************************************************
1290 Utility function to attempt a connection to an IP address of a DC.
1291 ************************************************************************/
1293 static BOOL
attempt_connect_to_dc(struct cli_state
*pcli
, struct in_addr
*ip
, unsigned char *trust_passwd
)
1298 * Ignore addresses we have already tried.
1301 if (ip_equal(ipzero
, *ip
))
1304 if (!lookup_pdc_name(global_myname
, lp_workgroup(), ip
, dc_name
))
1307 return connect_to_domain_password_server(pcli
, dc_name
, trust_passwd
);
1312 /***********************************************************************
1313 We have been asked to dynamcially determine the IP addresses of
1314 the PDC and BDC's for this DOMAIN, and query them in turn.
1315 ************************************************************************/
1316 static BOOL
find_connect_pdc(struct cli_state
*pcli
, unsigned char *trust_passwd
)
1318 struct in_addr
*ip_list
= NULL
;
1321 BOOL connected_ok
= False
;
1323 if (!get_dc_list(lp_workgroup(), &ip_list
, &count
))
1327 * Firstly try and contact a PDC/BDC who has the same
1328 * network address as any of our interfaces.
1330 for(i
= 0; i
< count
; i
++) {
1331 if(!is_local_net(ip_list
[i
]))
1334 if((connected_ok
= attempt_connect_to_dc(pcli
, &ip_list
[i
], trust_passwd
)))
1337 ip_list
[i
] = ipzero
; /* Tried and failed. */
1341 * Secondly try and contact a random PDC/BDC.
1344 i
= (sys_random() % count
);
1346 if (!(connected_ok
= attempt_connect_to_dc(pcli
, &ip_list
[i
], trust_passwd
)))
1347 ip_list
[i
] = ipzero
; /* Tried and failed. */
1351 * Finally go through the IP list in turn, ignoring any addresses
1352 * we have already tried.
1356 * Try and connect to any of the other IP addresses in the PDC/BDC list.
1357 * Note that from a WINS server the #1 IP address is the PDC.
1359 for(i
= 0; i
< count
; i
++) {
1360 if((connected_ok
= attempt_connect_to_dc(pcli
, &ip_list
[i
], trust_passwd
)))
1366 free((char *)ip_list
);
1369 return connected_ok
;
1374 /***********************************************************************
1375 Do the same as security=server, but using NT Domain calls and a session
1376 key from the machine password.
1377 ************************************************************************/
1379 BOOL
domain_client_validate( char *user
, char *domain
,
1380 char *smb_apasswd
, int smb_apasslen
,
1381 char *smb_ntpasswd
, int smb_ntpasslen
,
1384 unsigned char local_challenge
[8];
1385 unsigned char local_lm_response
[24];
1386 unsigned char local_nt_response
[24];
1387 unsigned char trust_passwd
[16];
1388 fstring remote_machine
;
1390 NET_ID_INFO_CTR ctr
;
1391 NET_USER_INFO_3 info3
;
1392 struct cli_state cli
;
1394 BOOL connected_ok
= False
;
1396 if(user_exists
!= NULL
)
1397 *user_exists
= True
; /* Only set false on a very specific error. */
1400 * Check that the requested domain is not our own machine name.
1401 * If it is, we should never check the PDC here, we use our own local
1405 if(strequal( domain
, global_myname
)) {
1406 DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
1411 * Next, check that the passwords given were encrypted.
1414 if(((smb_apasslen
!= 24) && (smb_apasslen
!= 0)) ||
1415 ((smb_ntpasslen
!= 24) && (smb_ntpasslen
!= 0))) {
1418 * Not encrypted - do so.
1421 DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
1422 generate_random_buffer( local_challenge
, 8, False
);
1423 SMBencrypt( (uchar
*)smb_apasswd
, local_challenge
, local_lm_response
);
1424 SMBNTencrypt((uchar
*)smb_ntpasswd
, local_challenge
, local_nt_response
);
1427 smb_apasswd
= (char *)local_lm_response
;
1428 smb_ntpasswd
= (char *)local_nt_response
;
1432 * Encrypted - get the challenge we sent for these
1436 if (!last_challenge(local_challenge
)) {
1437 DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
1443 * Get the machine account password for our primary domain
1445 if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd
, NULL
))
1451 * At this point, smb_apasswd points to the lanman response to
1452 * the challenge in local_challenge, and smb_ntpasswd points to
1453 * the NT response to the challenge in local_challenge. Ship
1454 * these over the secure channel to a domain controller and
1455 * see if they were valid.
1461 * Treat each name in the 'password server =' line as a potential
1462 * PDC/BDC. Contact each in turn and try and authenticate.
1465 pserver
= lp_passwordserver();
1466 if (! *pserver
) pserver
= "*";
1469 while (!connected_ok
&&
1470 next_token(&p
,remote_machine
,LIST_SEP
,sizeof(remote_machine
))) {
1471 if(strequal(remote_machine
, "*")) {
1472 connected_ok
= find_connect_pdc(&cli
, trust_passwd
);
1474 connected_ok
= connect_to_domain_password_server(&cli
, remote_machine
, trust_passwd
);
1478 if (!connected_ok
) {
1479 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
1484 /* We really don't care what LUID we give the user. */
1485 generate_random_buffer( (unsigned char *)&smb_uid_low
, 4, False
);
1489 if(cli_nt_login_network(&cli
, domain
, user
, smb_uid_low
, (char *)local_challenge
,
1490 ((smb_apasslen
!= 0) ? smb_apasswd
: NULL
),
1491 ((smb_ntpasslen
!= 0) ? smb_ntpasswd
: NULL
),
1492 &ctr
, &info3
) == False
) {
1495 cli_error(&cli
, NULL
, NULL
, &nt_rpc_err
);
1496 DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
1497 %s to Domain controller %s. Error was %s.\n", user
, domain
, remote_machine
, cli_errstr(&cli
)));
1498 cli_nt_session_close(&cli
);
1502 if((nt_rpc_err
== NT_STATUS_NO_SUCH_USER
) && (user_exists
!= NULL
))
1503 *user_exists
= False
;
1509 * Here, if we really want it, we have lots of info about the user in info3.
1514 * We don't actually need to do this - plus it fails currently with
1515 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
1519 if(cli_nt_logoff(&cli
, &ctr
) == False
) {
1520 DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
1521 %s to Domain controller %s. Error was %s.\n", user
, domain
, remote_machine
, cli_errstr(&cli
)));
1522 cli_nt_session_close(&cli
);
1529 /* Note - once the cli stream is shutdown the mem_ctx used
1530 to allocate the other_sids and gids structures has been deleted - so
1531 these pointers are no longer valid..... */
1533 cli_nt_session_close(&cli
);