The branch, v4-0-test has been updated
via a1e60ebc6d1e794011df5f69f691f4ec8622e991 (commit)
via 6ffabb38d03ad90d8731ab3e0eb692438db967ee (commit)
via f0c95cd74fb6fea57cef89b59e5d2f10ea25c138 (commit)
via 6bb4c1e6a38a842787177a399bf88f05015f5ec0 (commit)
via 71ec5bfb3e973bd68649a598d006efcdda18f1b6 (commit)
via 6dbbcf8aaf9b93af970d1701dfb185460d4dc788 (commit)
via 40fe386b0374df8b390b995c332d048dbbc08f1b (commit)
via 53ea233649d12d77233611e272cf5f470177571c (commit)
via 687e81883d37e3d1f55d3a7a87e20fb860888dde (commit)
via 717dcb2c54b1e22b7c8efb322deec55abb7689c2 (commit)
via 2c3a3d0134b5fe4cd9dfdb05d1b140b2c9b502f1 (commit)
via 58935acc7c8e97323d5d5979234ef26ef8a100a4 (commit)
via ec4a108d1d35cd4bb2170f1bb122546266b9b745 (commit)
via 62136febe7bb1122a57737ca43d1ed0800453d77 (commit)
from 38f455e0054acc1fdaea267e03f8aad337309cf2 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit a1e60ebc6d1e794011df5f69f691f4ec8622e991
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Mon May 5 13:21:18 2008 +1000
Add a new implementation of security=server.
This is not intended for general use, and will not be easily exposed
(if I have anything to do with it), but should allow the CIFS proxy to
re-use the connection.
A work in progress.
Andrew Bartlett
commit 6ffabb38d03ad90d8731ab3e0eb692438db967ee
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Mon May 5 12:58:15 2008 +1000
Allow an NTLM response to be specified into the auth subsystem.
This allows it to be proxied for NTLM pass-though authentication (aka
security=server and associated man-in-the-middle attacks).
Andrew Bartlett
commit f0c95cd74fb6fea57cef89b59e5d2f10ea25c138
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Mon May 5 12:57:23 2008 +1000
Reorder this function in the file, so it reads bottom-up.
The rest of this file reads bottom-up, but this function
(connect_send_negprot()) was out of place.
Andrew Bartlett
commit 6bb4c1e6a38a842787177a399bf88f05015f5ec0
Merge: 71ec5bfb3e973bd68649a598d006efcdda18f1b6
38f455e0054acc1fdaea267e03f8aad337309cf2
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu May 1 16:41:36 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into
4-0-abartlet
commit 71ec5bfb3e973bd68649a598d006efcdda18f1b6
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Sat Apr 26 09:50:15 2008 +0100
Fix dependencies on gensec_krb5 and the NTLMSSP code.
This is so that gensec_krb5 does not depend on the NTLM authentication
code.
Andrew Bartlett
commit 6dbbcf8aaf9b93af970d1701dfb185460d4dc788
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Fri Apr 25 15:59:22 2008 +0100
Revert to using the old CIFS connection API.
Rather than add a new 'out' member to the API, simply fill in the
'tree' early enough that we can access the server challenge there.
Andrew Bartlett
commit 40fe386b0374df8b390b995c332d048dbbc08f1b
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Fri Apr 25 15:08:52 2008 +0100
Make the composite 'connect to server' code useful for security=server
The ability to short-circuit the connection code to only do a negprot
allows us to do the rest once we have the user's password. We return
the 8 byte challenge so we can pass it to the client.
Andrew Bartlett
commit 53ea233649d12d77233611e272cf5f470177571c
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Fri Apr 25 15:08:23 2008 +0100
Don't compile files twice when the compilation fails.
Andrew Bartlett
commit 687e81883d37e3d1f55d3a7a87e20fb860888dde
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Fri Apr 25 15:05:07 2008 +0100
When a test harness program fails, make the testsuite fail.
The problem fixed here is that pidl tests were not causing the 'number
of tests failing' count to increase, due to the way return codes are
processed on pipelines, in the shell.
By setting an exit code if we print 'failure', we ensure we fail
appropriately.
Andrew Bartlett
commit 717dcb2c54b1e22b7c8efb322deec55abb7689c2
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Fri Apr 25 09:25:14 2008 +0100
Remove vampire.py as the 'net' binary is the right interface.
As some future point we might get these scripting interfaces into
better shape, and provide a python interface to this functionality
again.
Andrew Bartlett
commit 2c3a3d0134b5fe4cd9dfdb05d1b140b2c9b502f1
Merge: 58935acc7c8e97323d5d5979234ef26ef8a100a4
5f3a70f285ad8a412105c0e498e486f93fc279bc
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Fri Apr 25 09:24:12 2008 +0100
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into
4-0-abartlet
commit 58935acc7c8e97323d5d5979234ef26ef8a100a4
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Apr 24 16:27:36 2008 +0100
Add comment explaining why io.in.workgroup isn't important.
This protocol feild isn't used by servers (apparently), so we might be
able to get rid of it.
Andrew Bartlett
commit ec4a108d1d35cd4bb2170f1bb122546266b9b745
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Apr 24 13:30:36 2008 +0100
Add documentation to session token functions.
commit 62136febe7bb1122a57737ca43d1ed0800453d77
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Apr 24 11:49:41 2008 +0100
Remove unused KANJI and terminal code options.
Someone can re-add this with tests and an actual implementation.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source/auth/auth.c | 1 +
source/auth/auth_server.c | 494 +++++++++-----------------
source/auth/config.mk | 12 +
source/auth/credentials/credentials.c | 20 +-
source/auth/credentials/credentials.h | 9 +
source/auth/credentials/credentials_ntlm.c | 52 +++
source/auth/gensec/config.mk | 2 +-
source/auth/ntlmssp/config.mk | 2 +-
source/auth/session.h | 14 +-
source/auth/system_session.c | 7 +-
source/build/make/rules.mk | 3 +-
source/client/client.c | 9 -
source/libcli/raw/clitree.c | 5 +
source/libcli/smb_composite/connect.c | 81 +++--
source/libcli/smb_composite/sesssetup.c | 2 +-
source/libcli/smb_composite/smb_composite.h | 4 +-
source/script/harness2subunit.pl | 6 +-
source/setup/vampire.py | 53 ---
18 files changed, 325 insertions(+), 451 deletions(-)
delete mode 100755 source/setup/vampire.py
Changeset truncated at 500 lines:
diff --git a/source/auth/auth.c b/source/auth/auth.c
index 6c86cf2..b74a438 100644
--- a/source/auth/auth.c
+++ b/source/auth/auth.c
@@ -521,6 +521,7 @@ _PUBLIC_ NTSTATUS auth_init(void)
extern NTSTATUS auth_anonymous_init(void);
extern NTSTATUS auth_unix_init(void);
extern NTSTATUS auth_sam_init(void);
+ extern NTSTATUS auth_server_init(void);
init_module_fn static_init[] = { STATIC_auth_MODULES };
diff --git a/source/auth/auth_server.c b/source/auth/auth_server.c
index f200ad9..be5f84f 100644
--- a/source/auth/auth_server.c
+++ b/source/auth/auth_server.c
@@ -1,9 +1,10 @@
/*
Unix SMB/CIFS implementation.
- Authenticate to a remote server
- Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Andrew Bartlett 2001
-
+ Authenticate by using a remote server
+ Copyright (C) Andrew Bartlett 2001-2002, 2008
+ Copyright (C) Jelmer Vernooij 2002
+ Copyright (C) Stefan Metzmacher 2005
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
@@ -19,359 +20,206 @@
*/
#include "includes.h"
-
-/****************************************************************************
- Support for server level security.
-****************************************************************************/
-
-static struct smbcli_state *server_cryptkey(TALLOC_CTX *mem_ctx, bool unicode,
int maxprotocol, struct resolve_context *resolve_ctx)
+#include "auth/auth.h"
+#include "auth/auth_proto.h"
+#include "auth/credentials/credentials.h"
+#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_samr.h"
+#include "libcli/smb_composite/smb_composite.h"
+#include "param/param.h"
+#include "libcli/resolve/resolve.h"
+
+/* This version of 'security=server' rewirtten from scratch for Samba4
+ * libraries in 2008 */
+
+
+static NTSTATUS server_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info
*user_info)
{
- struct smbcli_state *cli = NULL;
- fstring desthost;
- struct in_addr dest_ip;
- const char *p;
- char *pserver;
- bool connected_ok = false;
-
- if (!(cli = smbcli_initialise(cli)))
- return NULL;
-
- /* security = server just can't function with spnego */
- cli->use_spnego = false;
-
- pserver = talloc_strdup(mem_ctx, lp_passwordserver());
- p = pserver;
-
- while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
- strupper(desthost);
-
- if(!resolve_name(resolve_ctx, desthost, &dest_ip, 0x20)) {
- DEBUG(1,("server_cryptkey: Can't resolve address for
%s\n",desthost));
- continue;
- }
-
- if (ismyip(dest_ip)) {
- DEBUG(1,("Password server loop - disabling password
server %s\n",desthost));
- continue;
- }
-
- /* we use a mutex to prevent two connections at once - when a
- Win2k PDC get two connections where one hasn't completed a
- session setup yet it will send a TCP reset to the first
- connection (tridge) */
-
- if (!grab_server_mutex(desthost)) {
- return NULL;
- }
-
- if (smbcli_connect(cli, desthost, &dest_ip)) {
- DEBUG(3,("connected to password server %s\n",desthost));
- connected_ok = true;
- break;
- }
- }
+ return NT_STATUS_OK;
+}
+/**
+ * The challenge from the target server, when operating in security=server
+ **/
+static NTSTATUS server_get_challenge(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, DATA_BLOB *_blob)
+{
+ struct smb_composite_connect io;
+ struct smbcli_options smb_options;
+ const char **host_list;
+ NTSTATUS status;
- if (!connected_ok) {
- release_server_mutex();
- DEBUG(0,("password server not available\n"));
- talloc_free(cli);
- return NULL;
- }
+ /* Make a connection to the target server, found by 'password server'
in smb.conf */
- if (!attempt_netbios_session_request(cli, lp_netbios_name(),
- desthost, &dest_ip)) {
- release_server_mutex();
- DEBUG(1,("password server fails session request\n"));
- talloc_free(cli);
- return NULL;
+ lp_smbcli_options(ctx->auth_ctx->lp_ctx, &smb_options);
+
+ /* Make a negprot, WITHOUT SPNEGO, so we get a challenge nice an easy */
+ io.in.options.use_spnego = false;
+
+ /* Hope we don't get * (the default), as this won't work... */
+ host_list = lp_passwordserver(ctx->auth_ctx->lp_ctx);
+ if (!host_list) {
+ return NT_STATUS_INTERNAL_ERROR;
}
-
- if (strequal(desthost,myhostname(mem_ctx))) {
- exit_server("Password server loop!");
+ io.in.dest_host = host_list[0];
+ if (strequal(io.in.dest_host, "*")) {
+ return NT_STATUS_INTERNAL_ERROR;
}
-
- DEBUG(3,("got session\n"));
+ io.in.dest_ports = lp_smb_ports(ctx->auth_ctx->lp_ctx);
- if (!smbcli_negprot(cli, unicode, maxprotocol)) {
- DEBUG(1,("%s rejected the negprot\n",desthost));
- release_server_mutex();
- talloc_free(cli);
- return NULL;
- }
+ io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host);
- if (cli->protocol < PROTOCOL_LANMAN2 ||
- !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
- DEBUG(1,("%s isn't in user level security mode\n",desthost));
- release_server_mutex();
- talloc_free(cli);
- return NULL;
- }
+ /* We don't want to get as far as the session setup */
+ io.in.credentials = NULL;
+ io.in.service = NULL;
- /* Get the first session setup done quickly, to avoid silly
- Win2k bugs. (The next connection to the server will kill
- this one...
- */
-
- if (!smbcli_session_setup(cli, "", "", 0, "", 0,
- "")) {
- DEBUG(0,("%s rejected the initial session setup (%s)\n",
- desthost, smbcli_errstr(cli)));
- release_server_mutex();
- talloc_free(cli);
- return NULL;
- }
-
- release_server_mutex();
-
- DEBUG(3,("password server OK\n"));
-
- return cli;
-}
+ io.in.workgroup = ""; /* only used with SPNEGO, disabled above */
-/****************************************************************************
- Clean up our allocated cli.
-****************************************************************************/
+ io.in.options = smb_options;
-static void free_server_private_data(void **private_data_pointer)
-{
- struct smbcli_state **cli = (struct smbcli_state
**)private_data_pointer;
- if (*cli && (*cli)->initialised) {
- talloc_free(*cli);
+ status = smb_composite_connect(&io, mem_ctx,
lp_resolve_context(ctx->auth_ctx->lp_ctx),
+ ctx->auth_ctx->event_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ *_blob = io.out.tree->session->transport->negotiate.secblob;
+ ctx->private_data = talloc_steal(ctx, io.out.tree->session);
}
+ return NT_STATUS_OK;
}
-/****************************************************************************
- Get the challenge out of a password server.
-****************************************************************************/
-
-static DATA_BLOB auth_get_challenge_server(const struct auth_context
*auth_context,
- void **my_private_data,
- TALLOC_CTX *mem_ctx)
+/**
+ * Return an error based on username
+ *
+ * This function allows the testing of obsure errors, as well as the generation
+ * of NT_STATUS -> DOS error mapping tables.
+ *
+ * This module is of no value to end-users.
+ *
+ * The password is ignored.
+ *
+ * @return An NTSTATUS value based on the username
+ **/
+
+static NTSTATUS server_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info
*user_info,
+ struct auth_serversupplied_info
**_server_info)
{
- struct smbcli_state *cli = server_cryptkey(mem_ctx,
lp_cli_maxprotocol(auth_context->lp_ctx));
+ NTSTATUS nt_status;
+ struct auth_serversupplied_info *server_info;
+ struct cli_credentials *creds;
+ const char *user;
+ struct smb_composite_sesssetup session_setup;
+
+ struct smbcli_session *session = talloc_get_type(ctx->private_data,
struct smbcli_session);
+
+ creds = cli_credentials_init(mem_ctx);
+
+ NT_STATUS_HAVE_NO_MEMORY(creds);
- if (cli) {
- DEBUG(3,("using password server validation\n"));
-
- if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) ==
0) {
- /* We can't work with unencrypted password servers
- unless 'encrypt passwords = no' */
- DEBUG(5,("make_auth_info_server: Server is unencrypted,
no challenge available..\n"));
-
- /* However, it is still a perfectly fine connection
- to pass that unencrypted password over */
- *my_private_data = (void *)cli;
- return data_blob(NULL, 0);
-
- } else if (cli->secblob.length < 8) {
- /* We can't do much if we don't get a full challenge */
- DEBUG(2,("make_auth_info_server: Didn't receive a full
challenge from server\n"));
- talloc_free(cli);
- return data_blob(NULL, 0);
- }
-
- *my_private_data = (void *)cli;
-
- /* The return must be allocated on the caller's mem_ctx, as our
own will be
- destoyed just after the call. */
- return data_blob_talloc(auth_context->mem_ctx,
cli->secblob.data,8);
- } else {
- return data_blob(NULL, 0);
+ cli_credentials_set_username(creds, user_info->client.account_name,
CRED_SPECIFIED);
+ cli_credentials_set_domain(creds, user_info->client.domain_name,
CRED_SPECIFIED);
+
+ switch (user_info->password_state) {
+ case AUTH_PASSWORD_PLAIN:
+ cli_credentials_set_password(creds,
user_info->password.plaintext,
+ CRED_SPECIFIED);
+ break;
+ case AUTH_PASSWORD_HASH:
+ cli_credentials_set_nt_hash(creds, user_info->password.hash.nt,
+ CRED_SPECIFIED);
+ break;
+
+ case AUTH_PASSWORD_RESPONSE:
+ cli_credentials_set_ntlm_response(creds,
&user_info->password.response.lanman, &user_info->password.response.nt,
CRED_SPECIFIED);
+ break;
}
-}
+ session_setup.in.sesskey = session->transport->negotiate.sesskey;
+ session_setup.in.capabilities =
session->transport->negotiate.capabilities;
-/****************************************************************************
- Check for a valid username and password in security=server mode.
- - Validate a password with the password server.
-****************************************************************************/
+ session_setup.in.credentials = creds;
+ session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are
not doing */
-static NTSTATUS check_smbserver_security(const struct auth_context
*auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info
*user_info,
- auth_serversupplied_info **server_info)
-{
- struct smbcli_state *cli;
- static uint8_t badpass[24];
- static fstring baduser;
- static bool tested_password_server = false;
- static bool bad_password_server = false;
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- bool locally_made_cli = false;
-
- /*
- * Check that the requested domain is not our own machine name.
- * If it is, we should never check the PDC here, we use our own local
- * password file.
- */
-
- if (lp_is_myname(auth_context->lp_ctx, user_info->domain.str)) {
- DEBUG(3,("check_smbserver_security: Requested domain was for
this machine.\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
+ /* Check password with remove server - this should be async some day */
+ nt_status = smb_composite_sesssetup(session, &session_setup);
- cli = my_private_data;
-
- if (cli) {
- } else {
- cli = server_cryptkey(mem_ctx,
lp_unicode(auth_context->lp_ctx), lp_cli_maxprotocol(auth_context->lp_ctx),
lp_resolve_context(auth_context->lp_ctx));
- locally_made_cli = true;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- if (!cli || !cli->initialised) {
- DEBUG(1,("password server is not connected (cli not
initilised)\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- if (user_info->encrypted) {
- DEBUG(1,("password server %s is plaintext, but we are
encrypted. This just can't work :-(\n", cli->desthost));
- return NT_STATUS_LOGON_FAILURE;
- }
- } else {
- if (memcmp(cli->secblob.data, auth_context->challenge.data, 8)
!= 0) {
- DEBUG(1,("the challenge that the password server (%s)
supplied us is not the one we gave our client. This just can't work :-(\n",
cli->desthost));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
+ server_info = talloc(mem_ctx, struct auth_serversupplied_info);
+ NT_STATUS_HAVE_NO_MEMORY(server_info);
- if(badpass[0] == 0)
- memset(badpass, 0x1f, sizeof(badpass));
+ server_info->account_sid = dom_sid_parse_talloc(server_info,
SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
- if((user_info->nt_resp.length == sizeof(badpass)) &&
- !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
- /*
- * Very unlikely, our random bad password is the same as the
users
- * password.
- */
- memset(badpass, badpass[0]+1, sizeof(badpass));
- }
+ /* is this correct? */
+ server_info->primary_group_sid = dom_sid_parse_talloc(server_info,
SID_BUILTIN_GUESTS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
- if(baduser[0] == 0) {
- fstrcpy(baduser, INVALID_USER_PREFIX);
- fstrcat(baduser, lp_netbios_name());
- }
+ server_info->n_domain_groups = 0;
+ server_info->domain_groups = NULL;
- /*
- * Attempt a session setup with a totally incorrect password.
- * If this succeeds with the guest bit *NOT* set then the password
- * server is broken and is not correctly setting the guest bit. We
- * need to detect this as some versions of NT4.x are broken. JRA.
- */
-
- /* I sure as hell hope that there aren't servers out there that take
- * NTLMv2 and have this bug, as we don't test for that...
- * - [EMAIL PROTECTED]
- */
-
- if ((!tested_password_server) && (lp_paranoid_server_security())) {
- if (smbcli_session_setup(cli, baduser, (char *)badpass,
sizeof(badpass),
- (char *)badpass, sizeof(badpass),
user_info->domain.str)) {
-
- /*
- * We connected to the password server so we
- * can say we've tested it.
- */
- tested_password_server = true;
-
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
- DEBUG(0,("server_validate: password server %s
allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: This is broken (and
insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- smbcli_ulogoff(cli);
-
- /*
- * Password server has the bug.
- */
- bad_password_server = true;
- return NT_STATUS_LOGON_FAILURE;
- }
- smbcli_ulogoff(cli);
- }
- } else {
-
- /*
- * We have already tested the password server.
- * Fail immediately if it has the bug.
- */
-
- if(bad_password_server) {
- DEBUG(0,("server_validate: [1] password server %s
allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: [1] This is broken (and
insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
+ /* annoying, but the Anonymous really does have a session key,
+ and it is all zeros! */
+ server_info->user_session_key = data_blob(NULL, 0);
+ server_info->lm_session_key = data_blob(NULL, 0);
- /*
- * Now we know the password server will correctly set the guest bit, or
is
- * not guest enabled, we can try with the real password.
- */
-
- if (!user_info->encrypted) {
- /* Plaintext available */
- if (!smbcli_session_setup(cli, user_info->smb_name.str,
- (char
*)user_info->plaintext_password.data,
- user_info->plaintext_password.length,
- NULL, 0,
- user_info->domain.str)) {
- DEBUG(1,("password server %s rejected the password\n",
cli->desthost));
- /* Make this smbcli_nt_error() when the conversion is
in */
- nt_status = smbcli_nt_error(cli);
- } else {
- nt_status = NT_STATUS_OK;
- }
- } else {
- if (!smbcli_session_setup(cli, user_info->smb_name.str,
- (char *)user_info->lm_resp.data,
- user_info->lm_resp.length,
- (char *)user_info->nt_resp.data,
- user_info->nt_resp.length,
- user_info->domain.str)) {
- DEBUG(1,("password server %s rejected the password\n",
cli->desthost));
- /* Make this smbcli_nt_error() when the conversion is
in */
- nt_status = smbcli_nt_error(cli);
- } else {
- nt_status = NT_STATUS_OK;
- }
- }
+ server_info->account_name = talloc_strdup(server_info,
user_info->client.account_name);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
- /* if logged in as guest then reject */
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
- DEBUG(1,("password server %s gave us guest only\n",
cli->desthost));
- nt_status = NT_STATUS_LOGON_FAILURE;
- }
+ server_info->domain_name = talloc_strdup(server_info,
user_info->client.domain_name);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
- smbcli_ulogoff(cli);
+ server_info->full_name = NULL;
- if NT_STATUS_IS_OK(nt_status) {
- struct passwd *pass =
Get_Pwnam(user_info->internal_username.str);
- if (pass) {
- nt_status = make_server_info_pw(auth_context,
server_info, pass);
- } else {
- nt_status = NT_STATUS_NO_SUCH_USER;
- }
- }
+ server_info->logon_script = talloc_strdup(server_info, "");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
- if (locally_made_cli) {
- talloc_free(cli);
- }
--
Samba Shared Repository
