search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patch from Simo:
[Samba.git] / source / smbd / password.c
blob01fc9cdd5323ce5b8a1586901bb5be213682d942
1 /*
2 Unix SMB/Netbios implementation.
3 Version 1.9.
4 Password and authentication handling
5 Copyright (C) Andrew Tridgell 1992-1998
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23
24 extern int DEBUGLEVEL;
25 extern int Protocol;
26 extern struct in_addr ipzero;
27
28 /* users from session setup */
29 static pstring session_users="";
30
31 extern pstring global_myname;
32 extern fstring global_myworkgroup;
33
34 /* Data to do lanman1/2 password challenge. */
35 static unsigned char saved_challenge[8];
36 static BOOL challenge_sent=False;
37
38 /*******************************************************************
39 Get the next challenge value - no repeats.
40 ********************************************************************/
41 void generate_next_challenge(char *challenge)
42 {
43 #if 0
44 /*
45 * Leave this ifdef'd out while we test
46 * the new crypto random number generator.
47 * JRA.
48 */
49 unsigned char buf[16];
50 static int counter = 0;
51 struct timeval tval;
52 int v1,v2;
53
54 /* get a sort-of random number */
55 GetTimeOfDay(&tval);
56 v1 = (counter++) + sys_getpid() + tval.tv_sec;
57 v2 = (counter++) * sys_getpid() + tval.tv_usec;
58 SIVAL(challenge,0,v1);
59 SIVAL(challenge,4,v2);
60
61 /* mash it up with md4 */
62 mdfour(buf, (unsigned char *)challenge, 8);
63 #else
64 unsigned char buf[8];
65
66 generate_random_buffer(buf,8,False);
67 #endif
68 memcpy(saved_challenge, buf, 8);
69 memcpy(challenge,buf,8);
70 challenge_sent = True;
71 }
72
73 /*******************************************************************
74 set the last challenge sent, usually from a password server
75 ********************************************************************/
76 BOOL set_challenge(unsigned char *challenge)
77 {
78 memcpy(saved_challenge,challenge,8);
79 challenge_sent = True;
80 return(True);
81 }
82
83 /*******************************************************************
84 get the last challenge sent
85 ********************************************************************/
86 static BOOL last_challenge(unsigned char *challenge)
87 {
88 if (!challenge_sent) return(False);
89 memcpy(challenge,saved_challenge,8);
90 return(True);
91 }
92
93 /* this holds info on user ids that are already validated for this VC */
94 static user_struct *validated_users;
95 static int next_vuid = VUID_OFFSET;
96 static int num_validated_vuids;
97
98 /****************************************************************************
99 check if a uid has been validated, and return an pointer to the user_struct
100 if it has. NULL if not. vuid is biased by an offset. This allows us to
101 tell random client vuid's (normally zero) from valid vuids.
102 ****************************************************************************/
103 user_struct *get_valid_user_struct(uint16 vuid)
104 {
105 user_struct *usp;
106 int count=0;
107
108 if (vuid == UID_FIELD_INVALID)
109 return NULL;
110
111 for (usp=validated_users;usp;usp=usp->next,count++) {
112 if (vuid == usp->vuid) {
113 if (count > 10) {
114 DLIST_PROMOTE(validated_users, usp);
115 }
116 return usp;
117 }
118 }
119
120 return NULL;
121 }
122
123 /****************************************************************************
124 invalidate a uid
125 ****************************************************************************/
126 void invalidate_vuid(uint16 vuid)
127 {
128 user_struct *vuser = get_valid_user_struct(vuid);
129
130 if (vuser == NULL)
131 return;
132
133 session_yield(vuid);
134
135 DLIST_REMOVE(validated_users, vuser);
136
137 safe_free(vuser->groups);
138 delete_nt_token(&vuser->nt_user_token);
139 safe_free(vuser);
140 num_validated_vuids--;
141 }
142
143 /****************************************************************************
144 invalidate all vuid entries for this process
145 ****************************************************************************/
146 void invalidate_all_vuids(void)
147 {
148 user_struct *usp, *next=NULL;
149
150 for (usp=validated_users;usp;usp=next) {
151 next = usp->next;
152
153 invalidate_vuid(usp->vuid);
154 }
155 }
156
157 /****************************************************************************
158 return a validated username
159 ****************************************************************************/
160 char *validated_username(uint16 vuid)
161 {
162 user_struct *vuser = get_valid_user_struct(vuid);
163 if (vuser == NULL)
164 return 0;
165 return(vuser->user.unix_name);
166 }
167
168 /****************************************************************************
169 return a validated domain
170 ****************************************************************************/
171 char *validated_domain(uint16 vuid)
172 {
173 user_struct *vuser = get_valid_user_struct(vuid);
174 if (vuser == NULL)
175 return 0;
176 return(vuser->user.domain);
177 }
178
179
180 /****************************************************************************
181 Create the SID list for this user.
182 ****************************************************************************/
183
184 NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
185 {
186 extern DOM_SID global_sid_World;
187 extern DOM_SID global_sid_Network;
188 extern DOM_SID global_sid_Builtin_Guests;
189 extern DOM_SID global_sid_Authenticated_Users;
190 NT_USER_TOKEN *token;
191 DOM_SID *psids;
192 int i, psid_ndx = 0;
193 size_t num_sids = 0;
194 fstring sid_str;
195
196 if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
197 return NULL;
198
199 ZERO_STRUCTP(token);
200
201 /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
202 num_sids = 5 + ngroups;
203
204 if ((token->user_sids = (DOM_SID *)malloc( num_sids*sizeof(DOM_SID))) == NULL) {
205 free(token);
206 return NULL;
207 }
208
209 psids = token->user_sids;
210
211 /*
212 * Note - user SID *MUST* be first in token !
213 * se_access_check depends on this.
214 */
215
216 uid_to_sid( &psids[psid_ndx++], uid);
217
218 /*
219 * Primary group SID is second in token. Convention.
220 */
221
222 gid_to_sid( &psids[psid_ndx++], gid);
223
224 /* Now add the group SIDs. */
225
226 for (i = 0; i < ngroups; i++) {
227 if (groups[i] != gid) {
228 gid_to_sid( &psids[psid_ndx++], groups[i]);
229 }
230 }
231
232 /*
233 * Finally add the "standard" SIDs.
234 * The only difference between guest and "anonymous" (which we
235 * don't really support) is the addition of Authenticated_Users.
236 */
237
238 sid_copy( &psids[psid_ndx++], &global_sid_World);
239 sid_copy( &psids[psid_ndx++], &global_sid_Network);
240
241 if (is_guest)
242 sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests);
243 else
244 sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users);
245
246 token->num_sids = psid_ndx;
247
248 /* Dump list of sids in token */
249
250 for (i = 0; i < token->num_sids; i++) {
251 DEBUG(5, ("user token sid %s\n",
252 sid_to_string(sid_str, &token->user_sids[i])));
253 }
254
255 return token;
256 }
257
258 /****************************************************************************
259 register a uid/name pair as being valid and that a valid password
260 has been given. vuid is biased by an offset. This allows us to
261 tell random client vuid's (normally zero) from valid vuids.
262 ****************************************************************************/
263
264 int register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name,
265 char *domain,BOOL guest)
266 {
267 user_struct *vuser = NULL;
268 struct passwd *pwfile; /* for getting real name from passwd file */
269
270 /* Ensure no vuid gets registered in share level security. */
271 if(lp_security() == SEC_SHARE)
272 return UID_FIELD_INVALID;
273
274 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
275 if (num_validated_vuids >= 0xFFFF-VUID_OFFSET)
276 return UID_FIELD_INVALID;
277
278 if((vuser = (user_struct *)malloc( sizeof(user_struct) )) == NULL) {
279 DEBUG(0,("Failed to malloc users struct!\n"));
280 return UID_FIELD_INVALID;
281 }
282
283 ZERO_STRUCTP(vuser);
284
285 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid, (unsigned int)gid,
286 unix_name, requested_name, domain, guest ));
287
288 /* Allocate a free vuid. Yes this is a linear search... :-) */
289 while( get_valid_user_struct(next_vuid) != NULL ) {
290 next_vuid++;
291 /* Check for vuid wrap. */
292 if (next_vuid == UID_FIELD_INVALID)
293 next_vuid = VUID_OFFSET;
294 }
295
296 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid ));
297
298 vuser->vuid = next_vuid;
299 vuser->uid = uid;
300 vuser->gid = gid;
301 vuser->guest = guest;
302 fstrcpy(vuser->user.unix_name,unix_name);
303 fstrcpy(vuser->user.smb_name,requested_name);
304 fstrcpy(vuser->user.domain,domain);
305
306 vuser->n_groups = 0;
307 vuser->groups = NULL;
308
309 /* Find all the groups this uid is in and store them.
310 Used by become_user() */
311 initialise_groups(unix_name, uid, gid);
312 get_current_groups( &vuser->n_groups, &vuser->groups);
313
314 /* Create an NT_USER_TOKEN struct for this user. */
315 vuser->nt_user_token = create_nt_token(uid,gid, vuser->n_groups, vuser->groups, guest);
316
317 next_vuid++;
318 num_validated_vuids++;
319
320 DLIST_ADD(validated_users, vuser);
321
322 DEBUG(3,("uid %d registered to name %s\n",(int)uid,unix_name));
323
324 DEBUG(3, ("Clearing default real name\n"));
325 if ((pwfile=sys_getpwnam(vuser->user.unix_name))!= NULL) {
326 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,pwfile->pw_gecos));
327 fstrcpy(vuser->user.full_name, pwfile->pw_gecos);
328 }
329
330 if (!session_claim(vuser->vuid)) {
331 DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid));
332 invalidate_vuid(vuser->vuid);
333 return -1;
334 }
335
336 return vuser->vuid;
337 }
338
339
340 /****************************************************************************
341 add a name to the session users list
342 ****************************************************************************/
343 void add_session_user(char *user)
344 {
345 fstring suser;
346 StrnCpy(suser,user,sizeof(suser)-1);
347
348 if (!Get_Pwnam(suser,True)) return;
349
350 if (suser && *suser && !in_list(suser,session_users,False))
351 {
352 if (strlen(suser) + strlen(session_users) + 2 >= sizeof(pstring))
353 DEBUG(1,("Too many session users??\n"));
354 else
355 {
356 pstrcat(session_users," ");
357 pstrcat(session_users,suser);
358 }
359 }
360 }
361
362
363 /****************************************************************************
364 update the encrypted smbpasswd file from the plaintext username and password
365 *****************************************************************************/
366 static BOOL update_smbpassword_file(char *user, char *password)
367 {
368 SAM_ACCOUNT *sampass = NULL;
369 BOOL ret;
370
371 pdb_init_sam(&sampass);
372
373 become_root();
374 ret = pdb_getsampwnam(sampass, user);
375 unbecome_root();
376
377 if(ret == False) {
378 DEBUG(0,("pdb_getsampwnam returned NULL\n"));
379 pdb_free_sam(sampass);
380 return False;
381 }
382
383 /*
384 * Remove the account disabled flag - we are updating the
385 * users password from a login.
386 */
387 pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED);
388
389 /* Here, the flag is one, because we want to ignore the
390 XXXXXXX'd out password */
391 ret = change_oem_password( sampass, password, True);
392 if (ret == False) {
393 DEBUG(3,("change_oem_password returned False\n"));
394 }
395
396 pdb_free_sam(sampass);
397 return ret;
398 }
399
400 /****************************************************************************
401 core of smb password checking routine.
402 ****************************************************************************/
403 BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8)
404 {
405 /* Finish the encryption of part_passwd. */
406 unsigned char p21[21];
407 unsigned char p24[24];
408
409 if (part_passwd == NULL)
410 {
411 DEBUG(10,("No password set - allowing access\n"));
412
413 /* No password set - always true ! */
414 return 1;
415 }
416
417 memset(p21,'\0',21);
418 memcpy(p21,part_passwd,16);
419 E_P24(p21, c8, p24);
420 #if DEBUG_PASSWORD
421 {
422 int i;
423 DEBUG(100,("Part password (P16) was |"));
424 for(i = 0; i < 16; i++)
425 DEBUG(100,("%X ", (unsigned char)part_passwd[i]));
426 DEBUG(100,("|\n"));
427 DEBUG(100,("Password from client was |"));
428 for(i = 0; i < 24; i++)
429 DEBUG(100,("%X ", (unsigned char)password[i]));
430 DEBUG(100,("|\n"));
431 DEBUG(100,("Given challenge was |"));
432 for(i = 0; i < 8; i++)
433 DEBUG(100,("%X ", (unsigned char)c8[i]));
434 DEBUG(100,("|\n"));
435 DEBUG(100,("Value from encryption was |"));
436 for(i = 0; i < 24; i++)
437 DEBUG(100,("%X ", (unsigned char)p24[i]));
438 DEBUG(100,("|\n"));
439 }
440 #endif
441 return (memcmp(p24, password, 24) == 0);
442 }
443
444 /****************************************************************************
445 Do a specific test for an smb password being correct, given a smb_password and
446 the lanman and NT responses.
447 ****************************************************************************/
448 BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8],
449 uchar lm_pass[24], uchar nt_pass[24])
450 {
451 uchar challenge[8];
452 char* user_name;
453 uint8 *nt_pw, *lm_pw;
454
455 if (!lm_pass || !sampass)
456 return(False);
457
458 user_name = pdb_get_username(sampass);
459
460 DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_name));
461
462 if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
463 DEBUG(1,("smb_password_ok: account for user %s was disabled.\n", user_name));
464 return(False);
465 }
466
467 if (chal == NULL) {
468 DEBUG(5,("smb_password_ok: use last SMBnegprot challenge\n"));
469 if (!last_challenge(challenge)) {
470 DEBUG(1,("smb_password_ok: no challenge done - password failed\n"));
471 return False;
472 }
473 } else {
474 DEBUG(5,("smb_password_ok: challenge received\n"));
475 memcpy(challenge, chal, 8);
476 }
477
478 nt_pw = pdb_get_nt_passwd(sampass);
479
480 if ((Protocol >= PROTOCOL_NT1) && (nt_pw != NULL)) {
481 /* We have the NT MD4 hash challenge available - see if we can
482 use it (ie. does it exist in the smbpasswd file).
483 */
484 DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
485 if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge)) {
486 DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n"));
487 return(True);
488 }
489 DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
490 }
491
492 /* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL
493 means no password, allow access. */
494
495 lm_pw = pdb_get_lanman_passwd(sampass);
496
497 if((lm_pw == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
498 {
499 DEBUG(4,("smb_password_ok: no password required for user %s\n",user_name));
500 return True;
501 }
502
503 if(lp_lanman_auth() && (lm_pw != NULL)) {
504 DEBUG(4,("smb_password_ok: Checking LM password\n"));
505 if(smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge)) {
506 DEBUG(4,("smb_password_ok: LM password check succeeded\n"));
507 return(True);
508 }
509 DEBUG(4,("smb_password_ok: LM password check failed\n"));
510 }
511
512 return False;
513 }
514
515
516 /****************************************************************************
517 check if a username/password is OK assuming the password is a 24 byte
518 SMB hash
519 return True if the password is correct, False otherwise
520 ****************************************************************************/
521
522 BOOL pass_check_smb(char *user, char *domain, uchar *chal,
523 uchar *lm_pwd, uchar *nt_pwd, struct passwd *pwd)
524 {
525 struct passwd *pass;
526 SAM_ACCOUNT *sampass=NULL;
527 BOOL ret;
528
529 if (!lm_pwd || !nt_pwd)
530 {
531 return(False);
532 }
533
534 /* FIXME! this code looks to be unnecessary now that the passdb
535 validates that the username exists and has a valid uid */
536 if (pwd != NULL && user == NULL)
537 {
538 pass = (struct passwd *) pwd;
539 user = pass->pw_name;
540 }
541 else
542 {
543 /* I don't get this call here. I think it should be moved.
544 Need to check on it. --jerry */
545 pass = smb_getpwnam(user,True);
546 }
547
548 if (pass == NULL)
549 {
550 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user));
551 return(False);
552 }
553
554 pdb_init_sam(&sampass);
555
556 /* get the account information */
557 ret = pdb_getsampwnam(sampass, user);
558 if (ret == False)
559 {
560 DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user));
561 pdb_free_sam(sampass);
562 return(False);
563 }
564
565 /* Quit if the account was disabled. */
566 if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
567 DEBUG(1,("Account for user '%s' was disabled.\n", user));
568 pdb_free_sam(sampass);
569 return(False);
570 }
571
572 /* Ensure the uid's match
573 FIXME! This also seems unnecessary --jerry */
574 #if 0 /* GWC */
575 if (smb_pass->smb_userid != pass->pw_uid)
576 {
577 DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user));
578 pdb_free_sam(sampass);
579 return(False);
580 }
581 #endif
582
583 if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)
584 {
585 if (lp_null_passwords())
586 {
587 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user));
588 pdb_free_sam(sampass);
589 return(True);
590 }
591 else
592 {
593 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user));
594 pdb_free_sam(sampass);
595 return(False);
596 }
597 }
598
599 if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd))
600 {
601 pdb_free_sam(sampass);
602 return(True);
603 }
604
605 DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user));
606 pdb_free_sam(sampass);
607 return False;
608 }
609
610 /****************************************************************************
611 check if a username/password pair is OK either via the system password
612 database or the encrypted SMB password database
613 return True if the password is correct, False otherwise
614 ****************************************************************************/
615 BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd)
616 {
617 BOOL ret;
618
619 if ((pwlen == 0) && !lp_null_passwords()) {
620 DEBUG(4,("Null passwords not allowed.\n"));
621 return False;
622 }
623
624 if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords())) {
625 /* if 24 bytes long assume it is an encrypted password */
626 uchar challenge[8];
627
628 if (!last_challenge(challenge)) {
629 DEBUG(0,("Error: challenge not done for user=%s\n", user));
630 return False;
631 }
632
633 ret = pass_check_smb(user, global_myworkgroup,
634 challenge, (uchar *)password, (uchar *)password, pwd);
635
636 /*
637 * Try with PAM (may not be compiled in - returns True if not. JRA).
638 * FIXME ! Should this be called if we're using winbindd ? What about
639 * non-local accounts ? JRA.
640 */
641
642 if (ret)
643 return (smb_pam_accountcheck(user) == NT_STATUS_NOPROBLEMO);
644 }
645
646 return pass_check(user, password, pwlen, pwd,
647 lp_update_encrypted() ?
648 update_smbpassword_file : NULL);
649 }
650
651 /****************************************************************************
652 check if a username is valid
653 ****************************************************************************/
654 BOOL user_ok(char *user,int snum)
655 {
656 pstring valid, invalid;
657 BOOL ret;
658
659 StrnCpy(valid, lp_valid_users(snum), sizeof(pstring)-1);
660 StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring)-1);
661
662 pstring_sub(valid,"%S",lp_servicename(snum));
663 pstring_sub(invalid,"%S",lp_servicename(snum));
664
665 ret = !user_in_list(user,invalid);
666
667 if (ret && valid && *valid) {
668 ret = user_in_list(user,valid);
669 }
670
671 if (ret && lp_onlyuser(snum)) {
672 char *user_list = lp_username(snum);
673 pstring_sub(user_list,"%S",lp_servicename(snum));
674 ret = user_in_list(user,user_list);
675 }
676
677 return(ret);
678 }
679
680
681
682
683 /****************************************************************************
684 validate a group username entry. Return the username or NULL
685 ****************************************************************************/
686 static char *validate_group(char *group,char *password,int pwlen,int snum)
687 {
688 #ifdef HAVE_NETGROUP
689 {
690 char *host, *user, *domain;
691 setnetgrent(group);
692 while (getnetgrent(&host, &user, &domain)) {
693 if (user) {
694 if (user_ok(user, snum) &&
695 password_ok(user,password,pwlen,NULL)) {
696 endnetgrent();
697 return(user);
698 }
699 }
700 }
701 endnetgrent();
702 }
703 #endif
704
705 #ifdef HAVE_GETGRENT
706 {
707 struct group *gptr;
708 setgrent();
709 while ((gptr = (struct group *)getgrent())) {
710 if (strequal(gptr->gr_name,group))
711 break;
712 }
713
714 /*
715 * As user_ok can recurse doing a getgrent(), we must
716 * copy the member list into a pstring on the stack before
717 * use. Bug pointed out by leon@eatworms.swmed.edu.
718 */
719
720 if (gptr) {
721 pstring member_list;
722 char *member;
723 size_t copied_len = 0;
724 int i;
725
726 *member_list = '\0';
727 member = member_list;
728
729 for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
730 size_t member_len = strlen(gptr->gr_mem[i]) + 1;
731 if( copied_len + member_len < sizeof(pstring)) {
732
733 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr->gr_mem[i]));
734
735 safe_strcpy(member, gptr->gr_mem[i], sizeof(pstring) - copied_len - 1);
736 copied_len += member_len;
737 member += copied_len;
738 } else {
739 *member = '\0';
740 }
741 }
742
743 endgrent();
744
745 member = member_list;
746 while (*member) {
747 static fstring name;
748 fstrcpy(name,member);
749 if (user_ok(name,snum) &&
750 password_ok(name,password,pwlen,NULL)) {
751 endgrent();
752 return(&name[0]);
753 }
754
755 DEBUG(10,("validate_group = member = %s\n", member));
756
757 member += strlen(member) + 1;
758 }
759 } else {
760 endgrent();
761 return NULL;
762 }
763 }
764 #endif
765 return(NULL);
766 }
767
768
769
770 /****************************************************************************
771 check for authority to login to a service with a given username/password
772 ****************************************************************************/
773 BOOL authorise_login(int snum,char *user,char *password, int pwlen,
774 BOOL *guest,BOOL *force,uint16 vuid)
775 {
776 BOOL ok = False;
777 user_struct *vuser = get_valid_user_struct(vuid);
778
779 if (lp_security() > SEC_SHARE && !vuser) {
780 DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
781 user));
782 return False;
783 }
784
785 *guest = False;
786
787 #if DEBUG_PASSWORD
788 DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
789 #endif
790
791 /* there are several possibilities:
792 1) login as the given user with given password
793 2) login as a previously registered username with the given password
794 3) login as a session list username with the given password
795 4) login as a previously validated user/password pair
796 5) login as the "user =" user with given password
797 6) login as the "user =" user with no password (guest connection)
798 7) login as guest user with no password
799
800 if the service is guest_only then steps 1 to 5 are skipped
801 */
802
803 if (GUEST_ONLY(snum)) *force = True;
804
805 if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
806 {
807 /* check the given username and password */
808 if (!ok && (*user) && user_ok(user,snum)) {
809 ok = password_ok(user,password, pwlen, NULL);
810 if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
811 }
812
813 /* check for a previously registered guest username */
814 if (!ok && (vuser != 0) && vuser->guest) {
815 if (user_ok(vuser->user.unix_name,snum) &&
816 password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
817 fstrcpy(user, vuser->user.unix_name);
818 vuser->guest = False;
819 DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
820 ok = True;
821 }
822 }
823
824
825 /* now check the list of session users */
826 if (!ok)
827 {
828 char *auser;
829 char *user_list = strdup(session_users);
830 if (!user_list) return(False);
831
832 for (auser=strtok(user_list,LIST_SEP);
833 !ok && auser;
834 auser = strtok(NULL,LIST_SEP))
835 {
836 fstring user2;
837 fstrcpy(user2,auser);
838 if (!user_ok(user2,snum)) continue;
839
840 if (password_ok(user2,password, pwlen, NULL)) {
841 ok = True;
842 fstrcpy(user,user2);
843 DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
844 }
845 }
846 free(user_list);
847 }
848
849 /* check for a previously validated username/password pair */
850 if (!ok && (lp_security() > SEC_SHARE) &&
851 (vuser != 0) && !vuser->guest &&
852 user_ok(vuser->user.unix_name,snum)) {
853 fstrcpy(user,vuser->user.unix_name);
854 *guest = False;
855 DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
856 ok = True;
857 }
858
859 /* check for a rhosts entry */
860 if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
861 ok = True;
862 DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
863 }
864
865 /* check the user= fields and the given password */
866 if (!ok && lp_username(snum)) {
867 char *auser;
868 pstring user_list;
869 StrnCpy(user_list,lp_username(snum),sizeof(pstring));
870
871 pstring_sub(user_list,"%S",lp_servicename(snum));
872
873 for (auser=strtok(user_list,LIST_SEP);
874 auser && !ok;
875 auser = strtok(NULL,LIST_SEP))
876 {
877 if (*auser == '@')
878 {
879 auser = validate_group(auser+1,password,pwlen,snum);
880 if (auser)
881 {
882 ok = True;
883 fstrcpy(user,auser);
884 DEBUG(3,("ACCEPTED: group username and given password ok\n"));
885 }
886 }
887 else
888 {
889 fstring user2;
890 fstrcpy(user2,auser);
891 if (user_ok(user2,snum) &&
892 password_ok(user2,password,pwlen,NULL))
893 {
894 ok = True;
895 fstrcpy(user,user2);
896 DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
897 }
898 }
899 }
900 }
901 } /* not guest only */
902
903 /* check for a normal guest connection */
904 if (!ok && GUEST_OK(snum))
905 {
906 fstring guestname;
907 StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
908 if (Get_Pwnam(guestname,True))
909 {
910 fstrcpy(user,guestname);
911 ok = True;
912 DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
913 }
914 else
915 DEBUG(0,("Invalid guest account %s??\n",guestname));
916 *guest = True;
917 }
918
919 if (ok && !user_ok(user,snum))
920 {
921 DEBUG(0,("rejected invalid user %s\n",user));
922 ok = False;
923 }
924
925 return(ok);
926 }
927
928
929 /****************************************************************************
930 read the a hosts.equiv or .rhosts file and check if it
931 allows this user from this machine
932 ****************************************************************************/
933 static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
934 {
935 int plus_allowed = 1;
936 char *file_host;
937 char *file_user;
938 char **lines = file_lines_load(equiv_file, NULL, False);
939 int i;
940
941 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
942 if (! lines) return False;
943 for (i=0; lines[i]; i++) {
944 char *buf = lines[i];
945 trim_string(buf," "," ");
946
947 if (buf[0] != '#' && buf[0] != '\n')
948 {
949 BOOL is_group = False;
950 int plus = 1;
951 char *bp = buf;
952 if (strcmp(buf, "NO_PLUS\n") == 0)
953 {
954 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
955 plus_allowed = 0;
956 }
957 else {
958 if (buf[0] == '+')
959 {
960 bp++;
961 if (*bp == '\n' && plus_allowed)
962 {
963 /* a bare plus means everbody allowed */
964 DEBUG(6, ("check_user_equiv everybody allowed\n"));
965 file_lines_free(lines);
966 return True;
967 }
968 }
969 else if (buf[0] == '-')
970 {
971 bp++;
972 plus = 0;
973 }
974 if (*bp == '@')
975 {
976 is_group = True;
977 bp++;
978 }
979 file_host = strtok(bp, " \t\n");
980 file_user = strtok(NULL, " \t\n");
981 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
982 file_user ? file_user : "(null)" ));
983 if (file_host && *file_host)
984 {
985 BOOL host_ok = False;
986
987 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
988 if (is_group)
989 {
990 static char *mydomain = NULL;
991 if (!mydomain)
992 yp_get_default_domain(&mydomain);
993 if (mydomain && innetgr(file_host,remote,user,mydomain))
994 host_ok = True;
995 }
996 #else
997 if (is_group)
998 {
999 DEBUG(1,("Netgroups not configured\n"));
1000 continue;
1001 }
1002 #endif
1003
1004 /* is it this host */
1005 /* the fact that remote has come from a call of gethostbyaddr
1006 * means that it may have the fully qualified domain name
1007 * so we could look up the file version to get it into
1008 * a canonical form, but I would rather just type it
1009 * in full in the equiv file
1010 */
1011 if (!host_ok && !is_group && strequal(remote, file_host))
1012 host_ok = True;
1013
1014 if (!host_ok)
1015 continue;
1016
1017 /* is it this user */
1018 if (file_user == 0 || strequal(user, file_user))
1019 {
1020 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
1021 (plus ? "+" : "-"), file_host,
1022 (file_user ? file_user : "")));
1023 file_lines_free(lines);
1024 return (plus ? True : False);
1025 }
1026 }
1027 }
1028 }
1029 }
1030 file_lines_free(lines);
1031 return False;
1032 }
1033
1034
1035 /****************************************************************************
1036 check for a possible hosts equiv or rhosts entry for the user
1037 ****************************************************************************/
1038 BOOL check_hosts_equiv(char *user)
1039 {
1040 char *fname = NULL;
1041 pstring rhostsfile;
1042 struct passwd *pass = Get_Pwnam(user,True);
1043
1044 if (!pass)
1045 return(False);
1046
1047 fname = lp_hosts_equiv();
1048
1049 /* note: don't allow hosts.equiv on root */
1050 if (fname && *fname && (pass->pw_uid != 0)) {
1051 if (check_user_equiv(user,client_name(),fname))
1052 return(True);
1053 }
1054
1055 if (lp_use_rhosts())
1056 {
1057 char *home = get_user_home_dir(user);
1058 if (home) {
1059 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
1060 if (check_user_equiv(user,client_name(),rhostsfile))
1061 return(True);
1062 }
1063 }
1064
1065 return(False);
1066 }
1067
1068
1069 /****************************************************************************
1070 Return the client state structure.
1071 ****************************************************************************/
1072
1073 struct cli_state *server_client(void)
1074 {
1075 static struct cli_state pw_cli;
1076 return &pw_cli;
1077 }
1078
1079 /****************************************************************************
1080 Support for server level security.
1081 ****************************************************************************/
1082
1083 struct cli_state *server_cryptkey(void)
1084 {
1085 struct cli_state *cli;
1086 fstring desthost;
1087 struct in_addr dest_ip;
1088 char *p, *pserver;
1089 BOOL connected_ok = False;
1090
1091 cli = server_client();
1092
1093 if (!cli_initialise(cli))
1094 return NULL;
1095
1096 pserver = strdup(lp_passwordserver());
1097 p = pserver;
1098
1099 while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
1100 standard_sub_basic(desthost);
1101 strupper(desthost);
1102
1103 if(!resolve_name( desthost, &dest_ip, 0x20)) {
1104 DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
1105 continue;
1106 }
1107
1108 if (ismyip(dest_ip)) {
1109 DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
1110 continue;
1111 }
1112
1113 if (cli_connect(cli, desthost, &dest_ip)) {
1114 DEBUG(3,("connected to password server %s\n",desthost));
1115 connected_ok = True;
1116 break;
1117 }
1118 }
1119
1120 free(pserver);
1121
1122 if (!connected_ok) {
1123 DEBUG(0,("password server not available\n"));
1124 cli_shutdown(cli);
1125 return NULL;
1126 }
1127
1128 if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip))
1129 return NULL;
1130
1131 DEBUG(3,("got session\n"));
1132
1133 if (!cli_negprot(cli)) {
1134 DEBUG(1,("%s rejected the negprot\n",desthost));
1135 cli_shutdown(cli);
1136 return NULL;
1137 }
1138
1139 if (cli->protocol < PROTOCOL_LANMAN2 ||
1140 !(cli->sec_mode & 1)) {
1141 DEBUG(1,("%s isn't in user level security mode\n",desthost));
1142 cli_shutdown(cli);
1143 return NULL;
1144 }
1145
1146 DEBUG(3,("password server OK\n"));
1147
1148 return cli;
1149 }
1150
1151 /****************************************************************************
1152 Validate a password with the password server.
1153 ****************************************************************************/
1154
1155 BOOL server_validate(char *user, char *domain,
1156 char *pass, int passlen,
1157 char *ntpass, int ntpasslen)
1158 {
1159 struct cli_state *cli;
1160 static unsigned char badpass[24];
1161 static fstring baduser;
1162 static BOOL tested_password_server = False;
1163 static BOOL bad_password_server = False;
1164
1165 cli = server_client();
1166
1167 if (!cli->initialised) {
1168 DEBUG(1,("password server %s is not connected\n", cli->desthost));
1169 return(False);
1170 }
1171
1172 if(badpass[0] == 0)
1173 memset(badpass, 0x1f, sizeof(badpass));
1174
1175 if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
1176 /*
1177 * Very unlikely, our random bad password is the same as the users
1178 * password.
1179 */
1180 memset(badpass, badpass[0]+1, sizeof(badpass));
1181 }
1182
1183 if(baduser[0] == 0) {
1184 fstrcpy(baduser, INVALID_USER_PREFIX);
1185 fstrcat(baduser, global_myname);
1186 }
1187
1188 /*
1189 * Attempt a session setup with a totally incorrect password.
1190 * If this succeeds with the guest bit *NOT* set then the password
1191 * server is broken and is not correctly setting the guest bit. We
1192 * need to detect this as some versions of NT4.x are broken. JRA.
1193 */
1194
1195 if(!tested_password_server) {
1196 if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass),
1197 (char *)badpass, sizeof(badpass), domain)) {
1198
1199 /*
1200 * We connected to the password server so we
1201 * can say we've tested it.
1202 */
1203 tested_password_server = True;
1204
1205 if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
1206 DEBUG(0,("server_validate: password server %s allows users as non-guest \
1207 with a bad password.\n", cli->desthost));
1208 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
1209 use this machine as the password server.\n"));
1210 cli_ulogoff(cli);
1211
1212 /*
1213 * Password server has the bug.
1214 */
1215 bad_password_server = True;
1216 return False;
1217 }
1218 cli_ulogoff(cli);
1219 }
1220 } else {
1221
1222 /*
1223 * We have already tested the password server.
1224 * Fail immediately if it has the bug.
1225 */
1226
1227 if(bad_password_server) {
1228 DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
1229 with a bad password.\n", cli->desthost));
1230 DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
1231 use this machine as the password server.\n"));
1232 return False;
1233 }
1234 }
1235
1236 /*
1237 * Now we know the password server will correctly set the guest bit, or is
1238 * not guest enabled, we can try with the real password.
1239 */
1240
1241 if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
1242 DEBUG(1,("password server %s rejected the password\n", cli->desthost));
1243 return False;
1244 }
1245
1246 /* if logged in as guest then reject */
1247 if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
1248 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
1249 cli_ulogoff(cli);
1250 return(False);
1251 }
1252
1253 cli_ulogoff(cli);
1254
1255 return(True);
1256 }
1257
1258 /***********************************************************************
1259 Connect to a remote machine for domain security authentication
1260 given a name or IP address.
1261 ************************************************************************/
1262
1263 static BOOL connect_to_domain_password_server(struct cli_state *pcli,
1264 char *server,
1265 unsigned char *trust_passwd)
1266 {
1267 struct in_addr dest_ip;
1268 fstring remote_machine;
1269
1270 if(cli_initialise(pcli) == False) {
1271 DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
1272 return False;
1273 }
1274
1275 if (is_ipaddress(server)) {
1276 struct in_addr to_ip;
1277
1278 /* we shouldn't have 255.255.255.255 forthe IP address of
1279 a password server anyways */
1280 if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) {
1281 DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server));
1282 return False;
1283 }
1284
1285 if (!name_status_find(0x20, to_ip, remote_machine)) {
1286 DEBUG(0, ("connect_to_domain_password_server: Can't "
1287 "resolve name for IP %s\n", server));
1288 return False;
1289 }
1290 } else {
1291 fstrcpy(remote_machine, server);
1292 }
1293
1294 standard_sub_basic(remote_machine);
1295 strupper(remote_machine);
1296
1297 if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
1298 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
1299 cli_shutdown(pcli);
1300 return False;
1301 }
1302
1303 if (ismyip(dest_ip)) {
1304 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
1305 remote_machine));
1306 cli_shutdown(pcli);
1307 return False;
1308 }
1309
1310 if (!cli_connect(pcli, remote_machine, &dest_ip)) {
1311 DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
1312 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1313 cli_shutdown(pcli);
1314 return False;
1315 }
1316
1317 if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) {
1318 DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
1319 session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1320 return False;
1321 }
1322
1323 pcli->protocol = PROTOCOL_NT1;
1324
1325 if (!cli_negprot(pcli)) {
1326 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
1327 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1328 cli_shutdown(pcli);
1329 return False;
1330 }
1331
1332 if (pcli->protocol != PROTOCOL_NT1) {
1333 DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
1334 remote_machine));
1335 cli_shutdown(pcli);
1336 return False;
1337 }
1338
1339 /*
1340 * Do an anonymous session setup.
1341 */
1342
1343 if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) {
1344 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
1345 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1346 cli_shutdown(pcli);
1347 return False;
1348 }
1349
1350 if (!(pcli->sec_mode & 1)) {
1351 DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
1352 remote_machine));
1353 cli_shutdown(pcli);
1354 return False;
1355 }
1356
1357 if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) {
1358 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
1359 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
1360 cli_shutdown(pcli);
1361 return False;
1362 }
1363
1364 /*
1365 * We now have an anonymous connection to IPC$ on the domain password server.
1366 */
1367
1368 /*
1369 * Even if the connect succeeds we need to setup the netlogon
1370 * pipe here. We do this as we may just have changed the domain
1371 * account password on the PDC and yet we may be talking to
1372 * a BDC that doesn't have this replicated yet. In this case
1373 * a successful connect to a DC needs to take the netlogon connect
1374 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
1375 */
1376
1377 if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) {
1378 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
1379 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
1380 cli_nt_session_close(pcli);
1381 cli_ulogoff(pcli);
1382 cli_shutdown(pcli);
1383 return False;
1384 }
1385
1386 if (cli_nt_setup_creds(pcli, trust_passwd) == False) {
1387 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
1388 %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
1389 cli_nt_session_close(pcli);
1390 cli_ulogoff(pcli);
1391 cli_shutdown(pcli);
1392 return(False);
1393 }
1394
1395 return True;
1396 }
1397
1398 /***********************************************************************
1399 Utility function to attempt a connection to an IP address of a DC.
1400 ************************************************************************/
1401
1402 static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, unsigned char *trust_passwd)
1403 {
1404 fstring dc_name;
1405
1406 /*
1407 * Ignore addresses we have already tried.
1408 */
1409
1410 if (ip_equal(ipzero, *ip))
1411 return False;
1412
1413 if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name))
1414 return False;
1415
1416 return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
1417 }
1418
1419
1420
1421 /***********************************************************************
1422 We have been asked to dynamcially determine the IP addresses of
1423 the PDC and BDC's for this DOMAIN, and query them in turn.
1424 ************************************************************************/
1425 static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd, time_t last_change_time)
1426 {
1427 struct in_addr *ip_list = NULL;
1428 int count = 0;
1429 int i;
1430 BOOL connected_ok = False;
1431 time_t time_now = time(NULL);
1432 BOOL use_pdc_only = False;
1433
1434 /*
1435 * If the time the machine password has changed
1436 * was less than an hour ago then we need to contact
1437 * the PDC only, as we cannot be sure domain replication
1438 * has yet taken place. Bug found by Gerald (way to go
1439 * Gerald !). JRA.
1440 */
1441
1442 if (time_now - last_change_time < 3600)
1443 use_pdc_only = True;
1444
1445 if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count))
1446 return False;
1447
1448 /*
1449 * Firstly try and contact a PDC/BDC who has the same
1450 * network address as any of our interfaces.
1451 */
1452 for(i = 0; i < count; i++) {
1453 if(!is_local_net(ip_list[i]))
1454 continue;
1455
1456 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1457 break;
1458
1459 ip_list[i] = ipzero; /* Tried and failed. */
1460 }
1461
1462 /*
1463 * Secondly try and contact a random PDC/BDC.
1464 */
1465 if(!connected_ok) {
1466 i = (sys_random() % count);
1467
1468 if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1469 ip_list[i] = ipzero; /* Tried and failed. */
1470 }
1471
1472 /*
1473 * Finally go through the IP list in turn, ignoring any addresses
1474 * we have already tried.
1475 */
1476 if(!connected_ok) {
1477 /*
1478 * Try and connect to any of the other IP addresses in the PDC/BDC list.
1479 * Note that from a WINS server the #1 IP address is the PDC.
1480 */
1481 for(i = 0; i < count; i++) {
1482 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
1483 break;
1484 }
1485 }
1486
1487 if(ip_list != NULL)
1488 free((char *)ip_list);
1489
1490
1491 return connected_ok;
1492 }
1493
1494
1495
1496 /***********************************************************************
1497 Do the same as security=server, but using NT Domain calls and a session
1498 key from the machine password.
1499 ************************************************************************/
1500
1501 BOOL domain_client_validate( char *user, char *domain,
1502 char *smb_apasswd, int smb_apasslen,
1503 char *smb_ntpasswd, int smb_ntpasslen,
1504 BOOL *user_exists)
1505 {
1506 unsigned char local_challenge[8];
1507 unsigned char local_lm_response[24];
1508 unsigned char local_nt_response[24];
1509 unsigned char trust_passwd[16];
1510 fstring remote_machine;
1511 char *p, *pserver;
1512 NET_ID_INFO_CTR ctr;
1513 NET_USER_INFO_3 info3;
1514 struct cli_state cli;
1515 uint32 smb_uid_low;
1516 BOOL connected_ok = False;
1517 time_t last_change_time;
1518
1519 if(user_exists != NULL)
1520 *user_exists = True; /* Only set false on a very specific error. */
1521
1522 /*
1523 * Check that the requested domain is not our own machine name.
1524 * If it is, we should never check the PDC here, we use our own local
1525 * password file.
1526 */
1527
1528 if(strequal( domain, global_myname)) {
1529 DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
1530 return False;
1531 }
1532
1533 /*
1534 * Next, check that the passwords given were encrypted.
1535 */
1536
1537 if(((smb_apasslen != 24) && (smb_apasslen != 0)) ||
1538 ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) {
1539
1540 /*
1541 * Not encrypted - do so.
1542 */
1543
1544 DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
1545 generate_random_buffer( local_challenge, 8, False);
1546 SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response);
1547 SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response);
1548 smb_apasslen = 24;
1549 smb_ntpasslen = 24;
1550 smb_apasswd = (char *)local_lm_response;
1551 smb_ntpasswd = (char *)local_nt_response;
1552 } else {
1553
1554 /*
1555 * Encrypted - get the challenge we sent for these
1556 * responses.
1557 */
1558
1559 if (!last_challenge(local_challenge)) {
1560 DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
1561 return False;
1562 }
1563 }
1564
1565 /*
1566 * Get the machine account password for our primary domain
1567 */
1568 if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
1569 {
1570 DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup()));
1571 return False;
1572 }
1573
1574 /*
1575 * At this point, smb_apasswd points to the lanman response to
1576 * the challenge in local_challenge, and smb_ntpasswd points to
1577 * the NT response to the challenge in local_challenge. Ship
1578 * these over the secure channel to a domain controller and
1579 * see if they were valid.
1580 */
1581
1582 ZERO_STRUCT(cli);
1583
1584 /*
1585 * Treat each name in the 'password server =' line as a potential
1586 * PDC/BDC. Contact each in turn and try and authenticate.
1587 */
1588
1589 pserver = lp_passwordserver();
1590 if (! *pserver) pserver = "*";
1591 p = pserver;
1592
1593 while (!connected_ok &&
1594 next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
1595 if(strequal(remote_machine, "*")) {
1596 connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time);
1597 } else {
1598 connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
1599 }
1600 }
1601
1602 if (!connected_ok) {
1603 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
1604 cli_shutdown(&cli);
1605 return False;
1606 }
1607
1608 /* We really don't care what LUID we give the user. */
1609 generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
1610
1611 ZERO_STRUCT(info3);
1612
1613 if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge,
1614 ((smb_apasslen != 0) ? smb_apasswd : NULL),
1615 ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
1616 &ctr, &info3) == False) {
1617 uint32 nt_rpc_err;
1618
1619 cli_error(&cli, NULL, NULL, &nt_rpc_err);
1620 DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
1621 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
1622 cli_nt_session_close(&cli);
1623 cli_ulogoff(&cli);
1624 cli_shutdown(&cli);
1625
1626 if((nt_rpc_err == NT_STATUS_NO_SUCH_USER) && (user_exists != NULL))
1627 *user_exists = False;
1628
1629 return False;
1630 }
1631
1632 /*
1633 * Here, if we really want it, we have lots of info about the user in info3.
1634 */
1635
1636 #if 0
1637 /*
1638 * We don't actually need to do this - plus it fails currently with
1639 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
1640 * send here. JRA.
1641 */
1642
1643 if(cli_nt_logoff(&cli, &ctr) == False) {
1644 DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
1645 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
1646 cli_nt_session_close(&cli);
1647 cli_ulogoff(&cli);
1648 cli_shutdown(&cli);
1649 return False;
1650 }
1651 #endif /* 0 */
1652
1653 /* Note - once the cli stream is shutdown the mem_ctx used
1654 to allocate the other_sids and gids structures has been deleted - so
1655 these pointers are no longer valid..... */
1656
1657 cli_nt_session_close(&cli);
1658 cli_ulogoff(&cli);
1659 cli_shutdown(&cli);
1660 return True;
1661 }
Samba GIT mirror