2 Unix SMB/Netbios implementation.
4 Password and authentication handling
5 Copyright (C) Andrew Tridgell 1992-1998
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 extern int DEBUGLEVEL
;
26 extern struct in_addr ipzero
;
28 /* users from session setup */
29 static pstring session_users
="";
31 extern pstring global_myname
;
32 extern fstring global_myworkgroup
;
34 /* Data to do lanman1/2 password challenge. */
35 static unsigned char saved_challenge
[8];
36 static BOOL challenge_sent
=False
;
38 /*******************************************************************
39 Get the next challenge value - no repeats.
40 ********************************************************************/
41 void generate_next_challenge(char *challenge
)
45 * Leave this ifdef'd out while we test
46 * the new crypto random number generator.
49 unsigned char buf
[16];
50 static int counter
= 0;
54 /* get a sort-of random number */
56 v1
= (counter
++) + sys_getpid() + tval
.tv_sec
;
57 v2
= (counter
++) * sys_getpid() + tval
.tv_usec
;
58 SIVAL(challenge
,0,v1
);
59 SIVAL(challenge
,4,v2
);
61 /* mash it up with md4 */
62 mdfour(buf
, (unsigned char *)challenge
, 8);
66 generate_random_buffer(buf
,8,False
);
68 memcpy(saved_challenge
, buf
, 8);
69 memcpy(challenge
,buf
,8);
70 challenge_sent
= True
;
73 /*******************************************************************
74 set the last challenge sent, usually from a password server
75 ********************************************************************/
76 BOOL
set_challenge(unsigned char *challenge
)
78 memcpy(saved_challenge
,challenge
,8);
79 challenge_sent
= True
;
83 /*******************************************************************
84 get the last challenge sent
85 ********************************************************************/
86 static BOOL
last_challenge(unsigned char *challenge
)
88 if (!challenge_sent
) return(False
);
89 memcpy(challenge
,saved_challenge
,8);
93 /* this holds info on user ids that are already validated for this VC */
94 static user_struct
*validated_users
;
95 static int next_vuid
= VUID_OFFSET
;
96 static int num_validated_vuids
;
98 /****************************************************************************
99 check if a uid has been validated, and return an pointer to the user_struct
100 if it has. NULL if not. vuid is biased by an offset. This allows us to
101 tell random client vuid's (normally zero) from valid vuids.
102 ****************************************************************************/
103 user_struct
*get_valid_user_struct(uint16 vuid
)
108 if (vuid
== UID_FIELD_INVALID
)
111 for (usp
=validated_users
;usp
;usp
=usp
->next
,count
++) {
112 if (vuid
== usp
->vuid
) {
114 DLIST_PROMOTE(validated_users
, usp
);
123 /****************************************************************************
125 ****************************************************************************/
126 void invalidate_vuid(uint16 vuid
)
128 user_struct
*vuser
= get_valid_user_struct(vuid
);
135 DLIST_REMOVE(validated_users
, vuser
);
137 safe_free(vuser
->groups
);
138 delete_nt_token(&vuser
->nt_user_token
);
140 num_validated_vuids
--;
143 /****************************************************************************
144 invalidate all vuid entries for this process
145 ****************************************************************************/
146 void invalidate_all_vuids(void)
148 user_struct
*usp
, *next
=NULL
;
150 for (usp
=validated_users
;usp
;usp
=next
) {
153 invalidate_vuid(usp
->vuid
);
157 /****************************************************************************
158 return a validated username
159 ****************************************************************************/
160 char *validated_username(uint16 vuid
)
162 user_struct
*vuser
= get_valid_user_struct(vuid
);
165 return(vuser
->user
.unix_name
);
168 /****************************************************************************
169 return a validated domain
170 ****************************************************************************/
171 char *validated_domain(uint16 vuid
)
173 user_struct
*vuser
= get_valid_user_struct(vuid
);
176 return(vuser
->user
.domain
);
180 /****************************************************************************
181 Create the SID list for this user.
182 ****************************************************************************/
184 NT_USER_TOKEN
*create_nt_token(uid_t uid
, gid_t gid
, int ngroups
, gid_t
*groups
, BOOL is_guest
)
186 extern DOM_SID global_sid_World
;
187 extern DOM_SID global_sid_Network
;
188 extern DOM_SID global_sid_Builtin_Guests
;
189 extern DOM_SID global_sid_Authenticated_Users
;
190 NT_USER_TOKEN
*token
;
196 if ((token
= (NT_USER_TOKEN
*)malloc( sizeof(NT_USER_TOKEN
) ) ) == NULL
)
201 /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
202 num_sids
= 5 + ngroups
;
204 if ((token
->user_sids
= (DOM_SID
*)malloc( num_sids
*sizeof(DOM_SID
))) == NULL
) {
209 psids
= token
->user_sids
;
212 * Note - user SID *MUST* be first in token !
213 * se_access_check depends on this.
216 uid_to_sid( &psids
[psid_ndx
++], uid
);
219 * Primary group SID is second in token. Convention.
222 gid_to_sid( &psids
[psid_ndx
++], gid
);
224 /* Now add the group SIDs. */
226 for (i
= 0; i
< ngroups
; i
++) {
227 if (groups
[i
] != gid
) {
228 gid_to_sid( &psids
[psid_ndx
++], groups
[i
]);
233 * Finally add the "standard" SIDs.
234 * The only difference between guest and "anonymous" (which we
235 * don't really support) is the addition of Authenticated_Users.
238 sid_copy( &psids
[psid_ndx
++], &global_sid_World
);
239 sid_copy( &psids
[psid_ndx
++], &global_sid_Network
);
242 sid_copy( &psids
[psid_ndx
++], &global_sid_Builtin_Guests
);
244 sid_copy( &psids
[psid_ndx
++], &global_sid_Authenticated_Users
);
246 token
->num_sids
= psid_ndx
;
248 /* Dump list of sids in token */
250 for (i
= 0; i
< token
->num_sids
; i
++) {
251 DEBUG(5, ("user token sid %s\n",
252 sid_to_string(sid_str
, &token
->user_sids
[i
])));
258 /****************************************************************************
259 register a uid/name pair as being valid and that a valid password
260 has been given. vuid is biased by an offset. This allows us to
261 tell random client vuid's (normally zero) from valid vuids.
262 ****************************************************************************/
264 int register_vuid(uid_t uid
,gid_t gid
, char *unix_name
, char *requested_name
,
265 char *domain
,BOOL guest
)
267 user_struct
*vuser
= NULL
;
268 struct passwd
*pwfile
; /* for getting real name from passwd file */
270 /* Ensure no vuid gets registered in share level security. */
271 if(lp_security() == SEC_SHARE
)
272 return UID_FIELD_INVALID
;
274 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
275 if (num_validated_vuids
>= 0xFFFF-VUID_OFFSET
)
276 return UID_FIELD_INVALID
;
278 if((vuser
= (user_struct
*)malloc( sizeof(user_struct
) )) == NULL
) {
279 DEBUG(0,("Failed to malloc users struct!\n"));
280 return UID_FIELD_INVALID
;
285 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid
, (unsigned int)gid
,
286 unix_name
, requested_name
, domain
, guest
));
288 /* Allocate a free vuid. Yes this is a linear search... :-) */
289 while( get_valid_user_struct(next_vuid
) != NULL
) {
291 /* Check for vuid wrap. */
292 if (next_vuid
== UID_FIELD_INVALID
)
293 next_vuid
= VUID_OFFSET
;
296 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid
));
298 vuser
->vuid
= next_vuid
;
301 vuser
->guest
= guest
;
302 fstrcpy(vuser
->user
.unix_name
,unix_name
);
303 fstrcpy(vuser
->user
.smb_name
,requested_name
);
304 fstrcpy(vuser
->user
.domain
,domain
);
307 vuser
->groups
= NULL
;
309 /* Find all the groups this uid is in and store them.
310 Used by become_user() */
311 initialise_groups(unix_name
, uid
, gid
);
312 get_current_groups( &vuser
->n_groups
, &vuser
->groups
);
314 /* Create an NT_USER_TOKEN struct for this user. */
315 vuser
->nt_user_token
= create_nt_token(uid
,gid
, vuser
->n_groups
, vuser
->groups
, guest
);
318 num_validated_vuids
++;
320 DLIST_ADD(validated_users
, vuser
);
322 DEBUG(3,("uid %d registered to name %s\n",(int)uid
,unix_name
));
324 DEBUG(3, ("Clearing default real name\n"));
325 if ((pwfile
=sys_getpwnam(vuser
->user
.unix_name
))!= NULL
) {
326 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser
->user
.unix_name
,pwfile
->pw_gecos
));
327 fstrcpy(vuser
->user
.full_name
, pwfile
->pw_gecos
);
330 if (!session_claim(vuser
->vuid
)) {
331 DEBUG(1,("Failed to claim session for vuid=%d\n", vuser
->vuid
));
332 invalidate_vuid(vuser
->vuid
);
340 /****************************************************************************
341 add a name to the session users list
342 ****************************************************************************/
343 void add_session_user(char *user
)
346 StrnCpy(suser
,user
,sizeof(suser
)-1);
348 if (!Get_Pwnam(suser
,True
)) return;
350 if (suser
&& *suser
&& !in_list(suser
,session_users
,False
))
352 if (strlen(suser
) + strlen(session_users
) + 2 >= sizeof(pstring
))
353 DEBUG(1,("Too many session users??\n"));
356 pstrcat(session_users
," ");
357 pstrcat(session_users
,suser
);
363 /****************************************************************************
364 update the encrypted smbpasswd file from the plaintext username and password
365 *****************************************************************************/
366 static BOOL
update_smbpassword_file(char *user
, char *password
)
368 struct smb_passwd
*smbpw
;
372 smbpw
= getsmbpwnam(user
);
376 DEBUG(0,("getsmbpwnam returned NULL\n"));
381 * Remove the account disabled flag - we are updating the
382 * users password from a login.
384 smbpw
->acct_ctrl
&= ~ACB_DISABLED
;
386 /* Here, the flag is one, because we want to ignore the
387 XXXXXXX'd out password */
388 ret
= change_oem_password( smbpw
, password
, True
);
390 DEBUG(3,("change_oem_password returned False\n"));
400 /****************************************************************************
401 core of smb password checking routine.
402 ****************************************************************************/
403 BOOL
smb_password_check(char *password
, unsigned char *part_passwd
, unsigned char *c8
)
405 /* Finish the encryption of part_passwd. */
406 unsigned char p21
[21];
407 unsigned char p24
[24];
409 if (part_passwd
== NULL
)
410 DEBUG(10,("No password set - allowing access\n"));
411 /* No password set - always true ! */
412 if (part_passwd
== NULL
)
416 memcpy(p21
,part_passwd
,16);
421 DEBUG(100,("Part password (P16) was |"));
422 for(i
= 0; i
< 16; i
++)
423 DEBUG(100,("%X ", (unsigned char)part_passwd
[i
]));
425 DEBUG(100,("Password from client was |"));
426 for(i
= 0; i
< 24; i
++)
427 DEBUG(100,("%X ", (unsigned char)password
[i
]));
429 DEBUG(100,("Given challenge was |"));
430 for(i
= 0; i
< 8; i
++)
431 DEBUG(100,("%X ", (unsigned char)c8
[i
]));
433 DEBUG(100,("Value from encryption was |"));
434 for(i
= 0; i
< 24; i
++)
435 DEBUG(100,("%X ", (unsigned char)p24
[i
]));
439 return (memcmp(p24
, password
, 24) == 0);
442 /****************************************************************************
443 Do a specific test for an smb password being correct, given a smb_password and
444 the lanman and NT responses.
445 ****************************************************************************/
446 BOOL
smb_password_ok(struct smb_passwd
*smb_pass
, uchar chal
[8],
447 uchar lm_pass
[24], uchar nt_pass
[24])
451 if (!lm_pass
|| !smb_pass
) return(False
);
453 DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",
454 smb_pass
->smb_name
));
456 if(smb_pass
->acct_ctrl
& ACB_DISABLED
) {
457 DEBUG(1,("account for user %s was disabled.\n",
458 smb_pass
->smb_name
));
464 DEBUG(5,("use last SMBnegprot challenge\n"));
465 if (!last_challenge(challenge
))
467 DEBUG(1,("no challenge done - password failed\n"));
473 DEBUG(5,("challenge received\n"));
474 memcpy(challenge
, chal
, 8);
477 if ((Protocol
>= PROTOCOL_NT1
) && (smb_pass
->smb_nt_passwd
!= NULL
)) {
478 /* We have the NT MD4 hash challenge available - see if we can
479 use it (ie. does it exist in the smbpasswd file).
481 DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
482 if (smb_password_check((char *)nt_pass
,
483 (uchar
*)smb_pass
->smb_nt_passwd
,
485 DEBUG(4,("NT MD4 password check succeeded\n"));
488 DEBUG(4,("NT MD4 password check failed\n"));
491 /* Try against the lanman password. smb_pass->smb_passwd == NULL means
492 no password, allow access. */
494 if((smb_pass
->smb_passwd
== NULL
) &&
495 (smb_pass
->acct_ctrl
& ACB_PWNOTREQ
)) {
496 DEBUG(4,("smb_password_ok: no password required for user %s\n",
497 smb_pass
->smb_name
));
501 if(lp_lanman_auth() && (smb_pass
->smb_passwd
!= NULL
)) {
502 DEBUG(4,("smb_password_ok: Checking LM password\n"));
504 if (smb_password_check((char *)lm_pass
,
505 (uchar
*)smb_pass
->smb_passwd
, challenge
)) {
506 DEBUG(4,("smb_password_ok: LM password check succeeded\n"));
509 DEBUG(4,("LM password check failed\n"));
516 /****************************************************************************
517 check if a username/password is OK assuming the password is a 24 byte
519 return True if the password is correct, False otherwise
520 ****************************************************************************/
522 BOOL
pass_check_smb(char *user
, char *domain
,
523 uchar
*chal
, uchar
*lm_pwd
, uchar
*nt_pwd
,
527 struct smb_passwd
*smb_pass
;
529 if (!lm_pwd
|| !nt_pwd
)
534 if (pwd
!= NULL
&& user
== NULL
)
536 pass
= (struct passwd
*) pwd
;
537 user
= pass
->pw_name
;
541 pass
= smb_getpwnam(user
,True
);
546 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user
));
550 smb_pass
= getsmbpwnam(user
);
552 if (smb_pass
== NULL
)
554 DEBUG(1,("Couldn't find user '%s' in smb_passwd file.\n", user
));
558 /* Quit if the account was disabled. */
559 if(smb_pass
->acct_ctrl
& ACB_DISABLED
) {
560 DEBUG(1,("Account for user '%s' was disabled.\n", user
));
564 /* Ensure the uid's match */
565 if (smb_pass
->smb_userid
!= pass
->pw_uid
)
567 DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user
));
571 if (smb_pass
->acct_ctrl
& ACB_PWNOTREQ
) {
572 if (lp_null_passwords()) {
573 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", smb_pass
->smb_name
));
576 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", smb_pass
->smb_name
));
581 if (smb_password_ok(smb_pass
, chal
, lm_pwd
, nt_pwd
))
586 DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user
));
590 /****************************************************************************
591 check if a username/password pair is OK either via the system password
592 database or the encrypted SMB password database
593 return True if the password is correct, False otherwise
594 ****************************************************************************/
595 BOOL
password_ok(char *user
, char *password
, int pwlen
, struct passwd
*pwd
)
600 if ((pwlen
== 0) && !lp_null_passwords()) {
601 DEBUG(4,("Null passwords not allowed.\n"));
605 if (pwlen
== 24 || (lp_encrypted_passwords() && (pwlen
== 0) && lp_null_passwords())) {
606 /* if 24 bytes long assume it is an encrypted password */
609 if (!last_challenge(challenge
)) {
610 DEBUG(0,("Error: challenge not done for user=%s\n", user
));
614 ret
= pass_check_smb(user
, global_myworkgroup
,
615 challenge
, (uchar
*)password
, (uchar
*)password
, pwd
);
618 * Try with PAM (may not be compiled in - returns True if not. JRA).
619 * FIXME ! Should this be called if we're using winbindd ? What about
620 * non-local accounts ? JRA.
624 return (smb_pam_accountcheck(user
) == NT_STATUS_NOPROBLEMO
);
629 return (pass_check(user
, password
, pwlen
, pwd
,
630 lp_update_encrypted() ?
631 update_smbpassword_file
: NULL
));
634 /****************************************************************************
635 check if a username is valid
636 ****************************************************************************/
637 BOOL
user_ok(char *user
,int snum
)
639 pstring valid
, invalid
;
642 StrnCpy(valid
, lp_valid_users(snum
), sizeof(pstring
)-1);
643 StrnCpy(invalid
, lp_invalid_users(snum
), sizeof(pstring
)-1);
645 pstring_sub(valid
,"%S",lp_servicename(snum
));
646 pstring_sub(invalid
,"%S",lp_servicename(snum
));
648 ret
= !user_in_list(user
,invalid
);
650 if (ret
&& valid
&& *valid
) {
651 ret
= user_in_list(user
,valid
);
654 if (ret
&& lp_onlyuser(snum
)) {
655 char *user_list
= lp_username(snum
);
656 pstring_sub(user_list
,"%S",lp_servicename(snum
));
657 ret
= user_in_list(user
,user_list
);
666 /****************************************************************************
667 validate a group username entry. Return the username or NULL
668 ****************************************************************************/
669 static char *validate_group(char *group
,char *password
,int pwlen
,int snum
)
673 char *host
, *user
, *domain
;
675 while (getnetgrent(&host
, &user
, &domain
)) {
677 if (user_ok(user
, snum
) &&
678 password_ok(user
,password
,pwlen
,NULL
)) {
692 while ((gptr
= (struct group
*)getgrent())) {
693 if (strequal(gptr
->gr_name
,group
))
698 * As user_ok can recurse doing a getgrent(), we must
699 * copy the member list into a pstring on the stack before
700 * use. Bug pointed out by leon@eatworms.swmed.edu.
706 size_t copied_len
= 0;
710 member
= member_list
;
712 for(i
= 0; gptr
->gr_mem
&& gptr
->gr_mem
[i
]; i
++) {
713 size_t member_len
= strlen(gptr
->gr_mem
[i
]) + 1;
714 if( copied_len
+ member_len
< sizeof(pstring
)) {
716 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr
->gr_mem
[i
]));
718 safe_strcpy(member
, gptr
->gr_mem
[i
], sizeof(pstring
) - copied_len
- 1);
719 copied_len
+= member_len
;
720 member
+= copied_len
;
728 member
= member_list
;
731 fstrcpy(name
,member
);
732 if (user_ok(name
,snum
) &&
733 password_ok(name
,password
,pwlen
,NULL
)) {
738 DEBUG(10,("validate_group = member = %s\n", member
));
740 member
+= strlen(member
) + 1;
751 /****************************************************************************
752 Check for authority to login to a service with a given username/password.
753 Note this is *NOT* used when logging on using sessionsetup_and_X.
754 ****************************************************************************/
756 BOOL
authorise_login(int snum
,char *user
,char *password
, int pwlen
,
757 BOOL
*guest
,BOOL
*force
,uint16 vuid
)
760 user_struct
*vuser
= get_valid_user_struct(vuid
);
763 DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
769 if (GUEST_ONLY(snum
))
772 if (!GUEST_ONLY(snum
) && (lp_security() > SEC_SHARE
)) {
775 * We should just use the given vuid from a sessionsetup_and_X.
779 DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
784 if (!vuser
->guest
&& user_ok(vuser
->user
.unix_name
,snum
)) {
785 fstrcpy(user
,vuser
->user
.unix_name
);
787 DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
788 (user=%s)\n", user
));
793 /* there are several possibilities:
794 1) login as the given user with given password
795 2) login as a previously registered username with the given password
796 3) login as a session list username with the given password
797 4) login as a previously validated user/password pair
798 5) login as the "user =" user with given password
799 6) login as the "user =" user with no password (guest connection)
800 7) login as guest user with no password
802 if the service is guest_only then steps 1 to 5 are skipped
805 if (!(GUEST_ONLY(snum
) && GUEST_OK(snum
))) {
806 /* check the given username and password */
807 if (!ok
&& (*user
) && user_ok(user
,snum
)) {
808 ok
= password_ok(user
,password
, pwlen
, NULL
);
810 DEBUG(3,("authorise_login: ACCEPTED: given username (%s) password ok\n",
814 /* check for a previously registered guest username */
815 if (!ok
&& (vuser
!= 0) && vuser
->guest
) {
816 if (user_ok(vuser
->user
.unix_name
,snum
) &&
817 password_ok(vuser
->user
.unix_name
, password
, pwlen
, NULL
)) {
818 fstrcpy(user
, vuser
->user
.unix_name
);
819 vuser
->guest
= False
;
820 DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user
));
825 /* now check the list of session users */
828 char *user_list
= strdup(session_users
);
832 for (auser
=strtok(user_list
,LIST_SEP
); !ok
&& auser
;
833 auser
= strtok(NULL
,LIST_SEP
)) {
835 fstrcpy(user2
,auser
);
836 if (!user_ok(user2
,snum
))
839 if (password_ok(user2
,password
, pwlen
, NULL
)) {
842 DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
843 and given password ok\n", user
));
850 /* check for a previously validated username/password pair */
851 if (!ok
&& (lp_security() > SEC_SHARE
) && (vuser
!= 0) && !vuser
->guest
&&
852 user_ok(vuser
->user
.unix_name
,snum
)) {
853 fstrcpy(user
,vuser
->user
.unix_name
);
855 DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
860 /* check for a rhosts entry */
861 if (!ok
&& user_ok(user
,snum
) && check_hosts_equiv(user
)) {
863 DEBUG(3,("authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s\n",
867 /* check the user= fields and the given password */
868 if (!ok
&& lp_username(snum
)) {
871 StrnCpy(user_list
,lp_username(snum
),sizeof(pstring
));
873 pstring_sub(user_list
,"%S",lp_servicename(snum
));
875 for (auser
=strtok(user_list
,LIST_SEP
); auser
&& !ok
;
876 auser
= strtok(NULL
,LIST_SEP
)) {
878 auser
= validate_group(auser
+1,password
,pwlen
,snum
);
882 DEBUG(3,("authorise_login: ACCEPTED: group username \
883 and given password ok (%s)\n", user
));
887 fstrcpy(user2
,auser
);
888 if (user_ok(user2
,snum
) && password_ok(user2
,password
,pwlen
,NULL
)) {
891 DEBUG(3,("authorise_login: ACCEPTED: user list username \
892 and given password ok (%s)\n", user
));
897 } /* not guest only */
899 /* check for a normal guest connection */
900 if (!ok
&& GUEST_OK(snum
)) {
902 StrnCpy(guestname
,lp_guestaccount(snum
),sizeof(guestname
)-1);
903 if (Get_Pwnam(guestname
,True
)) {
904 fstrcpy(user
,guestname
);
906 DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
909 DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname
));
914 if (ok
&& !user_ok(user
,snum
)) {
915 DEBUG(0,("authorise_login: rejected invalid user %s\n",user
));
922 /****************************************************************************
923 Read the a hosts.equiv or .rhosts file and check if it
924 allows this user from this machine.
925 ****************************************************************************/
927 static BOOL
check_user_equiv(char *user
, char *remote
, char *equiv_file
)
929 int plus_allowed
= 1;
932 char **lines
= file_lines_load(equiv_file
, NULL
, False
);
935 DEBUG(5, ("check_user_equiv %s %s %s\n", user
, remote
, equiv_file
));
936 if (! lines
) return False
;
937 for (i
=0; lines
[i
]; i
++) {
938 char *buf
= lines
[i
];
939 trim_string(buf
," "," ");
941 if (buf
[0] != '#' && buf
[0] != '\n')
943 BOOL is_group
= False
;
946 if (strcmp(buf
, "NO_PLUS\n") == 0)
948 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
955 if (*bp
== '\n' && plus_allowed
)
957 /* a bare plus means everbody allowed */
958 DEBUG(6, ("check_user_equiv everybody allowed\n"));
959 file_lines_free(lines
);
963 else if (buf
[0] == '-')
973 file_host
= strtok(bp
, " \t\n");
974 file_user
= strtok(NULL
, " \t\n");
975 DEBUG(7, ("check_user_equiv %s %s\n", file_host
? file_host
: "(null)",
976 file_user
? file_user
: "(null)" ));
977 if (file_host
&& *file_host
)
979 BOOL host_ok
= False
;
981 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
984 static char *mydomain
= NULL
;
986 yp_get_default_domain(&mydomain
);
987 if (mydomain
&& innetgr(file_host
,remote
,user
,mydomain
))
993 DEBUG(1,("Netgroups not configured\n"));
998 /* is it this host */
999 /* the fact that remote has come from a call of gethostbyaddr
1000 * means that it may have the fully qualified domain name
1001 * so we could look up the file version to get it into
1002 * a canonical form, but I would rather just type it
1003 * in full in the equiv file
1005 if (!host_ok
&& !is_group
&& strequal(remote
, file_host
))
1011 /* is it this user */
1012 if (file_user
== 0 || strequal(user
, file_user
))
1014 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
1015 (plus
? "+" : "-"), file_host
,
1016 (file_user
? file_user
: "")));
1017 file_lines_free(lines
);
1018 return (plus
? True
: False
);
1024 file_lines_free(lines
);
1029 /****************************************************************************
1030 check for a possible hosts equiv or rhosts entry for the user
1031 ****************************************************************************/
1032 BOOL
check_hosts_equiv(char *user
)
1036 struct passwd
*pass
= Get_Pwnam(user
,True
);
1041 fname
= lp_hosts_equiv();
1043 /* note: don't allow hosts.equiv on root */
1044 if (fname
&& *fname
&& (pass
->pw_uid
!= 0)) {
1045 if (check_user_equiv(user
,client_name(),fname
))
1049 if (lp_use_rhosts())
1051 char *home
= get_user_home_dir(user
);
1053 slprintf(rhostsfile
, sizeof(rhostsfile
)-1, "%s/.rhosts", home
);
1054 if (check_user_equiv(user
,client_name(),rhostsfile
))
1063 /****************************************************************************
1064 Return the client state structure.
1065 ****************************************************************************/
1067 struct cli_state
*server_client(void)
1069 static struct cli_state pw_cli
;
1073 /****************************************************************************
1074 Support for server level security.
1075 ****************************************************************************/
1077 struct cli_state
*server_cryptkey(void)
1079 struct cli_state
*cli
;
1081 struct in_addr dest_ip
;
1083 BOOL connected_ok
= False
;
1085 cli
= server_client();
1087 if (!cli_initialise(cli
))
1090 pserver
= strdup(lp_passwordserver());
1093 while(next_token( &p
, desthost
, LIST_SEP
, sizeof(desthost
))) {
1094 standard_sub_basic(desthost
);
1097 if(!resolve_name( desthost
, &dest_ip
, 0x20)) {
1098 DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost
));
1102 if (ismyip(dest_ip
)) {
1103 DEBUG(1,("Password server loop - disabling password server %s\n",desthost
));
1107 if (cli_connect(cli
, desthost
, &dest_ip
)) {
1108 DEBUG(3,("connected to password server %s\n",desthost
));
1109 connected_ok
= True
;
1116 if (!connected_ok
) {
1117 DEBUG(0,("password server not available\n"));
1122 if (!attempt_netbios_session_request(cli
, global_myname
, desthost
, &dest_ip
))
1125 DEBUG(3,("got session\n"));
1127 if (!cli_negprot(cli
)) {
1128 DEBUG(1,("%s rejected the negprot\n",desthost
));
1133 if (cli
->protocol
< PROTOCOL_LANMAN2
||
1134 !(cli
->sec_mode
& 1)) {
1135 DEBUG(1,("%s isn't in user level security mode\n",desthost
));
1140 DEBUG(3,("password server OK\n"));
1145 /****************************************************************************
1146 Validate a password with the password server.
1147 ****************************************************************************/
1149 BOOL
server_validate(char *user
, char *domain
,
1150 char *pass
, int passlen
,
1151 char *ntpass
, int ntpasslen
)
1153 struct cli_state
*cli
;
1154 static unsigned char badpass
[24];
1155 static fstring baduser
;
1156 static BOOL tested_password_server
= False
;
1157 static BOOL bad_password_server
= False
;
1159 cli
= server_client();
1161 if (!cli
->initialised
) {
1162 DEBUG(1,("password server %s is not connected\n", cli
->desthost
));
1167 memset(badpass
, 0x1f, sizeof(badpass
));
1169 if((passlen
== sizeof(badpass
)) && !memcmp(badpass
, pass
, passlen
)) {
1171 * Very unlikely, our random bad password is the same as the users
1174 memset(badpass
, badpass
[0]+1, sizeof(badpass
));
1177 if(baduser
[0] == 0) {
1178 fstrcpy(baduser
, INVALID_USER_PREFIX
);
1179 fstrcat(baduser
, global_myname
);
1183 * Attempt a session setup with a totally incorrect password.
1184 * If this succeeds with the guest bit *NOT* set then the password
1185 * server is broken and is not correctly setting the guest bit. We
1186 * need to detect this as some versions of NT4.x are broken. JRA.
1189 if(!tested_password_server
) {
1190 if (cli_session_setup(cli
, baduser
, (char *)badpass
, sizeof(badpass
),
1191 (char *)badpass
, sizeof(badpass
), domain
)) {
1194 * We connected to the password server so we
1195 * can say we've tested it.
1197 tested_password_server
= True
;
1199 if ((SVAL(cli
->inbuf
,smb_vwv2
) & 1) == 0) {
1200 DEBUG(0,("server_validate: password server %s allows users as non-guest \
1201 with a bad password.\n", cli
->desthost
));
1202 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
1203 use this machine as the password server.\n"));
1207 * Password server has the bug.
1209 bad_password_server
= True
;
1217 * We have already tested the password server.
1218 * Fail immediately if it has the bug.
1221 if(bad_password_server
) {
1222 DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
1223 with a bad password.\n", cli
->desthost
));
1224 DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
1225 use this machine as the password server.\n"));
1231 * Now we know the password server will correctly set the guest bit, or is
1232 * not guest enabled, we can try with the real password.
1235 if (!cli_session_setup(cli
, user
, pass
, passlen
, ntpass
, ntpasslen
, domain
)) {
1236 DEBUG(1,("password server %s rejected the password\n", cli
->desthost
));
1240 /* if logged in as guest then reject */
1241 if ((SVAL(cli
->inbuf
,smb_vwv2
) & 1) != 0) {
1242 DEBUG(1,("password server %s gave us guest only\n", cli
->desthost
));
1252 /***********************************************************************
1253 Connect to a remote machine for domain security authentication
1254 given a name or IP address.
1255 ************************************************************************/
1257 static BOOL
connect_to_domain_password_server(struct cli_state
*pcli
,
1258 char *server
, unsigned char *trust_passwd
)
1260 struct in_addr dest_ip
;
1261 fstring remote_machine
;
1263 if(!cli_initialise(pcli
)) {
1264 DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
1268 if (is_ipaddress(server
)) {
1269 struct in_addr to_ip
;
1271 /* we shouldn't have 255.255.255.255 forthe IP address of
1272 a password server anyways */
1273 if ((to_ip
.s_addr
=inet_addr(server
)) == 0xFFFFFFFF) {
1274 DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server
));
1278 if (!name_status_find(0x20, to_ip
, remote_machine
)) {
1279 DEBUG(1, ("connect_to_domain_password_server: Can't "
1280 "resolve name for IP %s\n", server
));
1284 fstrcpy(remote_machine
, server
);
1287 standard_sub_basic(remote_machine
);
1288 strupper(remote_machine
);
1290 if(!resolve_name( remote_machine
, &dest_ip
, 0x20)) {
1291 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine
));
1296 if (ismyip(dest_ip
)) {
1297 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
1303 if (!cli_connect(pcli
, remote_machine
, &dest_ip
)) {
1304 DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
1305 machine %s. Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1310 if (!attempt_netbios_session_request(pcli
, global_myname
, remote_machine
, &dest_ip
)) {
1311 DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
1312 session request. Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1316 pcli
->protocol
= PROTOCOL_NT1
;
1318 if (!cli_negprot(pcli
)) {
1319 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
1320 Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1325 if (pcli
->protocol
!= PROTOCOL_NT1
) {
1326 DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
1333 * Do an anonymous session setup.
1336 if (!cli_session_setup(pcli
, "", "", 0, "", 0, "")) {
1337 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
1338 Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1343 if (!(pcli
->sec_mode
& 1)) {
1344 DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
1350 if (!cli_send_tconX(pcli
, "IPC$", "IPC", "", 1)) {
1351 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
1352 Error was : %s.\n", remote_machine
, cli_errstr(pcli
) ));
1358 * We now have an anonymous connection to IPC$ on the domain password server.
1362 * Even if the connect succeeds we need to setup the netlogon
1363 * pipe here. We do this as we may just have changed the domain
1364 * account password on the PDC and yet we may be talking to
1365 * a BDC that doesn't have this replicated yet. In this case
1366 * a successful connect to a DC needs to take the netlogon connect
1367 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
1370 if(cli_nt_session_open(pcli
, PIPE_NETLOGON
) == False
) {
1371 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
1372 machine %s. Error was : %s.\n", remote_machine
, cli_errstr(pcli
)));
1373 cli_nt_session_close(pcli
);
1379 if (cli_nt_setup_creds(pcli
, trust_passwd
) == False
) {
1380 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
1381 %s. Error was : %s.\n", remote_machine
, cli_errstr(pcli
)));
1382 cli_nt_session_close(pcli
);
1391 /***********************************************************************
1392 Utility function to attempt a connection to an IP address of a DC.
1393 ************************************************************************/
1395 static BOOL
attempt_connect_to_dc(struct cli_state
*pcli
, struct in_addr
*ip
, unsigned char *trust_passwd
)
1400 * Ignore addresses we have already tried.
1403 if (ip_equal(ipzero
, *ip
))
1406 if (!lookup_pdc_name(global_myname
, lp_workgroup(), ip
, dc_name
))
1409 return connect_to_domain_password_server(pcli
, dc_name
, trust_passwd
);
1414 /***********************************************************************
1415 We have been asked to dynamcially determine the IP addresses of
1416 the PDC and BDC's for this DOMAIN, and query them in turn.
1417 ************************************************************************/
1418 static BOOL
find_connect_pdc(struct cli_state
*pcli
, unsigned char *trust_passwd
, time_t last_change_time
)
1420 struct in_addr
*ip_list
= NULL
;
1423 BOOL connected_ok
= False
;
1424 time_t time_now
= time(NULL
);
1425 BOOL use_pdc_only
= False
;
1428 * If the time the machine password has changed
1429 * was less than an hour ago then we need to contact
1430 * the PDC only, as we cannot be sure domain replication
1431 * has yet taken place. Bug found by Gerald (way to go
1435 if (time_now
- last_change_time
< 3600)
1436 use_pdc_only
= True
;
1438 if (!get_dc_list(use_pdc_only
, lp_workgroup(), &ip_list
, &count
))
1442 * Firstly try and contact a PDC/BDC who has the same
1443 * network address as any of our interfaces.
1445 for(i
= 0; i
< count
; i
++) {
1446 if(!is_local_net(ip_list
[i
]))
1449 if((connected_ok
= attempt_connect_to_dc(pcli
, &ip_list
[i
], trust_passwd
)))
1452 ip_list
[i
] = ipzero
; /* Tried and failed. */
1456 * Secondly try and contact a random PDC/BDC.
1459 i
= (sys_random() % count
);
1461 if (!(connected_ok
= attempt_connect_to_dc(pcli
, &ip_list
[i
], trust_passwd
)))
1462 ip_list
[i
] = ipzero
; /* Tried and failed. */
1466 * Finally go through the IP list in turn, ignoring any addresses
1467 * we have already tried.
1471 * Try and connect to any of the other IP addresses in the PDC/BDC list.
1472 * Note that from a WINS server the #1 IP address is the PDC.
1474 for(i
= 0; i
< count
; i
++) {
1475 if((connected_ok
= attempt_connect_to_dc(pcli
, &ip_list
[i
], trust_passwd
)))
1481 free((char *)ip_list
);
1484 return connected_ok
;
1489 /***********************************************************************
1490 Do the same as security=server, but using NT Domain calls and a session
1491 key from the machine password.
1492 ************************************************************************/
1494 BOOL
domain_client_validate( char *user
, char *domain
,
1495 char *smb_apasswd
, int smb_apasslen
,
1496 char *smb_ntpasswd
, int smb_ntpasslen
,
1499 unsigned char local_challenge
[8];
1500 unsigned char local_lm_response
[24];
1501 unsigned char local_nt_response
[24];
1502 unsigned char trust_passwd
[16];
1503 fstring remote_machine
;
1505 NET_ID_INFO_CTR ctr
;
1506 NET_USER_INFO_3 info3
;
1507 struct cli_state cli
;
1509 BOOL connected_ok
= False
;
1510 time_t last_change_time
;
1512 if(user_exists
!= NULL
)
1513 *user_exists
= True
; /* Only set false on a very specific error. */
1516 * Check that the requested domain is not our own machine name.
1517 * If it is, we should never check the PDC here, we use our own local
1521 if(strequal( domain
, global_myname
)) {
1522 DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
1527 * Next, check that the passwords given were encrypted.
1530 if(((smb_apasslen
!= 24) && (smb_apasslen
!= 0)) ||
1531 ((smb_ntpasslen
!= 24) && (smb_ntpasslen
!= 0))) {
1534 * Not encrypted - do so.
1537 DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
1538 generate_random_buffer( local_challenge
, 8, False
);
1539 SMBencrypt( (uchar
*)smb_apasswd
, local_challenge
, local_lm_response
);
1540 SMBNTencrypt((uchar
*)smb_ntpasswd
, local_challenge
, local_nt_response
);
1543 smb_apasswd
= (char *)local_lm_response
;
1544 smb_ntpasswd
= (char *)local_nt_response
;
1548 * Encrypted - get the challenge we sent for these
1552 if (!last_challenge(local_challenge
)) {
1553 DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
1559 * Get the machine account password for our primary domain
1561 if (!secrets_fetch_trust_account_password(global_myworkgroup
, trust_passwd
, &last_change_time
))
1563 DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", global_myworkgroup
));
1568 * At this point, smb_apasswd points to the lanman response to
1569 * the challenge in local_challenge, and smb_ntpasswd points to
1570 * the NT response to the challenge in local_challenge. Ship
1571 * these over the secure channel to a domain controller and
1572 * see if they were valid.
1578 * Treat each name in the 'password server =' line as a potential
1579 * PDC/BDC. Contact each in turn and try and authenticate.
1582 pserver
= lp_passwordserver();
1583 if (! *pserver
) pserver
= "*";
1586 while (!connected_ok
&&
1587 next_token(&p
,remote_machine
,LIST_SEP
,sizeof(remote_machine
))) {
1588 if(strequal(remote_machine
, "*")) {
1589 connected_ok
= find_connect_pdc(&cli
, trust_passwd
, last_change_time
);
1591 connected_ok
= connect_to_domain_password_server(&cli
, remote_machine
, trust_passwd
);
1595 if (!connected_ok
) {
1596 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
1601 /* We really don't care what LUID we give the user. */
1602 generate_random_buffer( (unsigned char *)&smb_uid_low
, 4, False
);
1606 if(cli_nt_login_network(&cli
, domain
, user
, smb_uid_low
, (char *)local_challenge
,
1607 ((smb_apasslen
!= 0) ? smb_apasswd
: NULL
),
1608 ((smb_ntpasslen
!= 0) ? smb_ntpasswd
: NULL
),
1609 &ctr
, &info3
) == False
) {
1612 cli_error(&cli
, NULL
, NULL
, &nt_rpc_err
);
1613 DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
1614 %s to Domain controller %s. Error was %s.\n", user
, domain
, remote_machine
, cli_errstr(&cli
)));
1615 cli_nt_session_close(&cli
);
1619 if((nt_rpc_err
== NT_STATUS_NO_SUCH_USER
) && (user_exists
!= NULL
))
1620 *user_exists
= False
;
1626 * Here, if we really want it, we have lots of info about the user in info3.
1631 * We don't actually need to do this - plus it fails currently with
1632 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
1636 if(cli_nt_logoff(&cli
, &ctr
) == False
) {
1637 DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
1638 %s to Domain controller %s. Error was %s.\n", user
, domain
, remote_machine
, cli_errstr(&cli
)));
1639 cli_nt_session_close(&cli
);
1646 /* Note - once the cli stream is shutdown the mem_ctx used
1647 to allocate the other_sids and gids structures has been deleted - so
1648 these pointers are no longer valid..... */
1650 cli_nt_session_close(&cli
);