Changeset 740 for vendor/current/source3/auth/auth_domain.c
- Timestamp:
- Nov 14, 2012, 12:59:34 PM (12 years ago)
- File:
-
- 1 edited
-
vendor/current/source3/auth/auth_domain.c (modified) (22 diffs)
Legend:
- Unmodified
- Added
- Removed
-
TabularUnified vendor/current/source3/auth/auth_domain.c ¶
r594 r740 4 4 Copyright (C) Andrew Tridgell 1992-1998 5 5 Copyright (C) Andrew Bartlett 2001 6 6 7 7 This program is free software; you can redistribute it and/or modify 8 8 it under the terms of the GNU General Public License as published by 9 9 the Free Software Foundation; either version 3 of the License, or 10 10 (at your option) any later version. 11 11 12 12 This program is distributed in the hope that it will be useful, 13 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 15 GNU General Public License for more details. 16 16 17 17 You should have received a copy of the GNU General Public License 18 18 along with this program. If not, see <http://www.gnu.org/licenses/>. … … 20 20 21 21 #include "includes.h" 22 #include "auth.h" 22 23 #include "../libcli/auth/libcli_auth.h" 24 #include "../librpc/gen_ndr/ndr_netlogon.h" 25 #include "rpc_client/cli_pipe.h" 26 #include "rpc_client/cli_netlogon.h" 27 #include "secrets.h" 28 #include "passdb.h" 29 #include "libsmb/libsmb.h" 23 30 24 31 #undef DBGC_CLASS … … 111 118 const char *dc_name, 112 119 struct sockaddr_storage *dc_ss, 113 struct rpc_pipe_client **pipe_ret, 114 bool *retry) 120 struct rpc_pipe_client **pipe_ret) 115 121 { 116 122 NTSTATUS result; … … 139 145 return NT_STATUS_NO_LOGON_SERVERS; 140 146 } 141 147 142 148 /* Attempt connection */ 143 *retry = True;144 149 result = cli_full_connection(cli, global_myname(), dc_name, dc_ss, 0, 145 "IPC$", "IPC", "", "", "", 0, Undefined , retry);150 "IPC$", "IPC", "", "", "", 0, Undefined); 146 151 147 152 if (!NT_STATUS_IS_OK(result)) { … … 252 257 253 258 static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, 254 const auth_usersupplied_info *user_info,259 const struct auth_usersupplied_info *user_info, 255 260 const char *domain, 256 261 uchar chal[8], 257 auth_serversupplied_info **server_info,262 struct auth_serversupplied_info **server_info, 258 263 const char *dc_name, 259 264 struct sockaddr_storage *dc_ss) … … 265 270 NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; 266 271 int i; 267 bool retry = True;268 272 269 273 /* … … 276 280 277 281 /* rety loop for robustness */ 278 279 for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry &&(i < 3); i++) {282 283 for (i = 0; !NT_STATUS_IS_OK(nt_status) && (i < 3); i++) { 280 284 nt_status = connect_to_domain_password_server(&cli, 281 285 domain, 282 286 dc_name, 283 287 dc_ss, 284 &netlogon_pipe, 285 &retry); 288 &netlogon_pipe); 286 289 } 287 290 … … 305 308 nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, 306 309 mem_ctx, 307 user_info->logon_parameters, /* flags such as 'allow workstation logon' */308 dc_name, /* server name */309 user_info-> smb_name,/* user name logging on. */310 user_info->client _domain,/* domain name */311 user_info->w ksta_name,/* workstation name */312 chal, /* 8 byte challenge. */313 3, 314 user_info-> lm_resp,/* lanman 24 byte response */315 user_info-> nt_resp,/* nt 24 byte response */316 &info3); /* info3 out */310 user_info->logon_parameters, /* flags such as 'allow workstation logon' */ 311 dc_name, /* server name */ 312 user_info->client.account_name, /* user name logging on. */ 313 user_info->client.domain_name, /* domain name */ 314 user_info->workstation_name, /* workstation name */ 315 chal, /* 8 byte challenge. */ 316 3, /* validation level */ 317 user_info->password.response.lanman, /* lanman 24 byte response */ 318 user_info->password.response.nt, /* nt 24 byte response */ 319 &info3); /* info3 out */ 317 320 318 321 /* Let go as soon as possible so we avoid any potential deadlocks 319 322 with winbind lookup up users or groups. */ 320 323 321 324 TALLOC_FREE(mutex); 322 325 … … 324 327 DEBUG(0,("domain_client_validate: unable to validate password " 325 328 "for user %s in domain %s to Domain controller %s. " 326 "Error was %s.\n", user_info-> smb_name,327 user_info->client _domain, dc_name,329 "Error was %s.\n", user_info->client.account_name, 330 user_info->client.domain_name, dc_name, 328 331 nt_errstr(nt_status))); 329 332 … … 334 337 } else { 335 338 nt_status = make_server_info_info3(mem_ctx, 336 user_info->smb_name,337 domain,338 server_info,339 info3);339 user_info->client.account_name, 340 domain, 341 server_info, 342 info3); 340 343 341 344 if (NT_STATUS_IS_OK(nt_status)) { 342 345 (*server_info)->nss_token |= user_info->was_mapped; 343 344 if ( ! (*server_info)->guest) { 345 /* if a real user check pam account restrictions */ 346 /* only really perfomed if "obey pam restriction" is true */ 347 nt_status = smb_pam_accountcheck((*server_info)->unix_name); 348 if ( !NT_STATUS_IS_OK(nt_status)) { 349 DEBUG(1, ("PAM account restriction prevents user login\n")); 350 cli_shutdown(cli); 351 TALLOC_FREE(info3); 352 return nt_status; 353 } 354 } 355 } 356 357 netsamlogon_cache_store(user_info->smb_name, info3); 358 TALLOC_FREE(info3); 346 netsamlogon_cache_store(user_info->client.account_name, info3); 347 TALLOC_FREE(info3); 348 } 359 349 } 360 350 … … 374 364 void *my_private_data, 375 365 TALLOC_CTX *mem_ctx, 376 const auth_usersupplied_info *user_info,377 auth_serversupplied_info **server_info)366 const struct auth_usersupplied_info *user_info, 367 struct auth_serversupplied_info **server_info) 378 368 { 379 369 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; … … 393 383 } 394 384 385 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name)); 386 395 387 /* 396 388 * Check that the requested domain is not our own machine name. … … 399 391 */ 400 392 401 if(strequal(get_global_sam_name(), user_info-> domain)) {393 if(strequal(get_global_sam_name(), user_info->mapped.domain_name)) { 402 394 DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); 403 395 return NT_STATUS_NOT_IMPLEMENTED; … … 408 400 if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) { 409 401 DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", 410 user_info-> domain));402 user_info->mapped.domain_name)); 411 403 return NT_STATUS_NO_LOGON_SERVERS; 412 404 } 413 405 414 406 nt_status = domain_client_validate(mem_ctx, 415 407 user_info, … … 419 411 dc_name, 420 412 &dc_ss); 421 413 422 414 return nt_status; 423 415 } … … 426 418 static NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) 427 419 { 428 if (!make_auth_methods(auth_context, auth_method)) { 420 struct auth_methods *result; 421 422 result = TALLOC_ZERO_P(auth_context, struct auth_methods); 423 if (result == NULL) { 429 424 return NT_STATUS_NO_MEMORY; 430 425 } 431 432 (*auth_method)->name = "ntdomain"; 433 (*auth_method)->auth = check_ntdomain_security; 426 result->name = "ntdomain"; 427 result->auth = check_ntdomain_security; 428 429 *auth_method = result; 434 430 return NT_STATUS_OK; 435 431 } … … 443 439 void *my_private_data, 444 440 TALLOC_CTX *mem_ctx, 445 const auth_usersupplied_info *user_info,446 auth_serversupplied_info **server_info)441 const struct auth_usersupplied_info *user_info, 442 struct auth_serversupplied_info **server_info) 447 443 { 448 444 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; … … 457 453 } 458 454 455 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name)); 456 459 457 /* 460 458 * Check that the requested domain is not our own machine name or domain name. 461 459 */ 462 460 463 if( strequal(get_global_sam_name(), user_info-> domain)) {461 if( strequal(get_global_sam_name(), user_info->mapped.domain_name)) { 464 462 DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", 465 user_info-> domain));463 user_info->mapped.domain_name)); 466 464 return NT_STATUS_NOT_IMPLEMENTED; 467 465 } … … 471 469 The logic is that if we know nothing about the domain, that 472 470 user is not known to us and does not exist */ 473 474 if ( !is_trusted_domain( user_info-> domain) )471 472 if ( !is_trusted_domain( user_info->mapped.domain_name ) ) 475 473 return NT_STATUS_NOT_IMPLEMENTED; 476 474 … … 480 478 */ 481 479 482 if (!pdb_get_trusteddom_pw(user_info-> domain, &trust_password,480 if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password, 483 481 NULL, NULL)) { 484 482 DEBUG(0, ("check_trustdomain_security: could not fetch trust " 485 483 "account password for domain %s\n", 486 user_info-> domain));484 user_info->mapped.domain_name)); 487 485 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 488 486 } 489 487 490 488 #ifdef DEBUG_PASSWORD 491 DEBUG(100, ("Trust password for domain %s is %s\n", user_info-> domain,489 DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name, 492 490 trust_password)); 493 491 #endif … … 505 503 /* use get_dc_name() for consistency even through we know that it will be 506 504 a netbios name */ 507 508 if ( !get_dc_name(user_info-> domain, NULL, dc_name, &dc_ss) ) {505 506 if ( !get_dc_name(user_info->mapped.domain_name, NULL, dc_name, &dc_ss) ) { 509 507 DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", 510 user_info-> domain));508 user_info->mapped.domain_name)); 511 509 return NT_STATUS_NO_LOGON_SERVERS; 512 510 } 513 511 514 512 nt_status = domain_client_validate(mem_ctx, 515 user_info,516 user_info->domain,517 (uchar *)auth_context->challenge.data,518 server_info,519 dc_name,520 &dc_ss);513 user_info, 514 user_info->mapped.domain_name, 515 (uchar *)auth_context->challenge.data, 516 server_info, 517 dc_name, 518 &dc_ss); 521 519 522 520 return nt_status; … … 526 524 static NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) 527 525 { 528 if (!make_auth_methods(auth_context, auth_method)) { 526 struct auth_methods *result; 527 528 result = TALLOC_ZERO_P(auth_context, struct auth_methods); 529 if (result == NULL) { 529 530 return NT_STATUS_NO_MEMORY; 530 531 } 531 532 (*auth_method)->name = "trustdomain"; 533 (*auth_method)->auth = check_trustdomain_security; 532 result->name = "trustdomain"; 533 result->auth = check_trustdomain_security; 534 535 *auth_method = result; 534 536 return NT_STATUS_OK; 535 537 }
Note:
See TracChangeset
for help on using the changeset viewer.
