(attached the patch now...,sorry:-)
I have changed the auth subsystem to use our new module stuff...
I also add 'samstrict_dc' witch is checks the domain str for all our netbios aliases and our own domain id we're a logon server...
I let abartlet change the default auth methods order based on lp_sercurity...later.
and a view small fixes
we should return NT_STATUS_LOGON_FAILURE when we can't get a pass for a trusted domain in 'auth_trustdomain'!
in this case we didn't trust this domain.
....
This patch depends on the patch for the module system and smb_register_vfs()
metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth.c HEAD-modules/source/auth/auth.c --- HEAD/source/auth/auth.c Thu Dec 12 20:24:26 2002 +++ HEAD-modules/source/auth/auth.c Mon Dec 16 09:40:23 2002 @@ -1,7 +1,8 @@ /* Unix SMB/CIFS implementation. Password and authentication handling - Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Stefan (metze) Metzmacher 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -25,25 +26,85 @@ /** List of various built-in authentication modules */ -const struct auth_init_function_entry builtin_auth_init_functions[] = { - { "guest", auth_init_guest }, - { "rhosts", auth_init_rhosts }, - { "hostsequiv", auth_init_hostsequiv }, - { "sam", auth_init_sam }, - { "samstrict", auth_init_samstrict }, - { "unix", auth_init_unix }, - { "smbserver", auth_init_smbserver }, - { "ntdomain", auth_init_ntdomain }, - { "trustdomain", auth_init_trustdomain }, - { "winbind", auth_init_winbind }, +const struct { + char *name; + struct auth_method_ops *(*register_fn)(void); +} builtin_auth_methods[] = { + { "guest", auth_guest_register}, + { "rhosts", auth_rhosts_register }, + { "hostsequiv", auth_hostsequiv_register }, + { "sam", auth_sam_register }, + { "samstrict", auth_samstrict_register }, + { "samstrict_dc", auth_samstrict_dc_register }, + { "unix", auth_unix_register }, + { "smbserver", auth_smbserver_register }, + { "ntdomain", auth_ntdomain_register }, + { "trustdomain", auth_trustdomain_register }, + { "winbind", auth_winbind_register }, #ifdef DEVELOPER - { "name_to_ntstatus", auth_init_name_to_ntstatus }, - { "fixed_challenge", auth_init_fixed_challenge }, + { "name_to_ntstatus", auth_name_to_ntstatus_register }, + { "fixed_challenge", auth_fixed_challenge_register }, #endif - { "plugin", auth_init_plugin }, { NULL, NULL} }; +static struct auth_method_function_entry *global_auth_methods = NULL; + +static NTSTATUS smb_register_auth_method(const char *name, struct auth_method_ops +*auth_ops) +{ + struct auth_method_function_entry *entry = global_auth_methods; + + DEBUG(8,("Attempting to register auth method '%s'\n", name)); + + /* Check for duplicates */ + while(entry) { + if(strcasecmp(name, entry->name) == 0) { + DEBUG(1,("smb_register_auth: There already is a auth method +registered with the name %s!\n", name)); + return NT_STATUS_OBJECT_NAME_COLLISION; + } + entry = entry->next; + } + + if ((entry = smb_xmalloc(sizeof(struct auth_method_function_entry)))==NULL) { + DEBUG(0,("smb_register_auth_method; smb_xmalloc() failed\n")); + return NT_STATUS_NO_MEMORY; + } + + entry->name = strdup(name); + entry->ops = auth_ops; + + DLIST_ADD(global_auth_methods, entry); + DEBUG(10,("Successfully added auth_method '%s'\n", name)); + return NT_STATUS_OK; +} + +static void lazy_initialize_auth(void) +{ + int i; + static BOOL initialised = False; + + if(!initialised) { + initialised = True; + + for(i = 0; builtin_auth_methods[i].name; i++) { + +smb_register_auth_method(builtin_auth_methods[i].name,builtin_auth_methods[i].register_fn()); + } + } +} + +NTSTATUS smb_register_auth(const char *name, struct auth_method_ops *auth_ops, int +version) +{ + /* make sure the builtin methods are loaded before any module */ + lazy_initialize_auth(); + + if(version != AUTH_INTERFACE_VERSION){ + DEBUG(0,("smb_register_auth: module '%s' has wrong the +AUTH_INTERFACE_VERSION\n",name)); + return NT_STATUS_INVALID_PARAMETER; + } + + return smb_register_auth_method(name,auth_ops); +} + /**************************************************************************** Try to get a challenge out of the various authentication modules. Returns a const char of length 8 bytes. @@ -53,7 +114,7 @@ static const uint8 *get_ntlm_challenge(s { DATA_BLOB challenge = data_blob(NULL, 0); char *challenge_set_by = NULL; - auth_methods *auth_method; + struct auth_methods *auth_method; TALLOC_CTX *mem_ctx; if (auth_context->challenge.length) { @@ -62,7 +123,7 @@ static const uint8 *get_ntlm_challenge(s } for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) { - if (auth_method->get_chal == NULL) { + if (auth_method->ops->get_chal==NULL) { DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); continue; } @@ -79,7 +140,7 @@ static const uint8 *get_ntlm_challenge(s smb_panic("talloc_init_named() failed!"); } - challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); + challenge = auth_method->ops->get_chal(auth_context, +&auth_method->private_data, mem_ctx); if (!challenge.length) { DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", auth_method->name)); @@ -135,7 +196,7 @@ static BOOL check_domain_match(const cha if (!lp_allow_trusted_domains() && !(strequal("", domain) || - strequal(lp_workgroup(), domain) || + is_myworkgroup(domain) || is_myname(domain))) { DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); return False; @@ -179,7 +240,7 @@ static NTSTATUS check_ntlm_password(cons NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; const char *pdb_username; - auth_methods *auth_method; + struct auth_methods *auth_method; TALLOC_CTX *mem_ctx; if (!user_info || !auth_context || !server_info) @@ -214,7 +275,12 @@ static NTSTATUS check_ntlm_password(cons mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); - nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + if (auth_method->ops->auth == NULL) { + DEBUG(1,("check_ntlm_password: module '%s' have no auth +function\n",auth_method->name)); + continue; + } + + nt_status = auth_method->ops->auth(auth_context, +auth_method->private_data, mem_ctx, user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n", auth_method->name, user_info->smb_name.str)); @@ -309,15 +375,45 @@ static NTSTATUS make_auth_context(struct } /*************************************************************************** - Make a auth_info struct for the auth subsystem + Make and init an auth_methods struct ***************************************************************************/ +static NTSTATUS make_auth_method(struct auth_context *auth_context, struct +auth_methods **auth_method, struct auth_method_function_entry *entry) +{ + if (!auth_context) { + smb_panic("no auth_context supplied to make_auth_method()!\n"); + } + + if (!auth_method) { + smb_panic("make_auth_method: pointer to auth_method pointer is +NULL!\n"); + } + + if (!entry) { + smb_panic("make_auth_method: pointer to entry pointer is NULL!\n"); + } + + if (!entry->ops||!entry->name) { + smb_panic("make_auth_method: entry->ops or entry->name pointer is +NULL!\n"); + } + + if (((*auth_method) = (struct auth_methods +*)talloc(auth_context->mem_ctx,sizeof(struct auth_methods)))==NULL) { + DEBUG(0,("make_auth_method: talloc failed\n")); + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(*auth_method); + + (*auth_method)->name = entry->name; + (*auth_method)->ops = entry->ops; + + return NT_STATUS_OK; +} static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, char **text_list) { - auth_methods *list = NULL; - auth_methods *t = NULL; - auth_methods *tmp; - int i; + struct auth_methods *list = NULL; + struct auth_methods *tmp, *method = NULL; + struct auth_method_function_entry *entry; + int i = 0; NTSTATUS nt_status; if (!text_list) { @@ -325,40 +421,38 @@ static NTSTATUS make_auth_context_text_l return NT_STATUS_UNSUCCESSFUL; } - if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) + if (NT_STATUS_IS_ERR(nt_status = make_auth_context(auth_context))) return nt_status; - for (;*text_list; text_list++) { - DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", + lazy_initialize_auth(); + + for (;*text_list; text_list++) { + BOOL found = False; + + DEBUG(5,("make_auth_context_text_list: Attempting to find an auth +method to match '%s'\n", *text_list)); - for (i = 0; builtin_auth_init_functions[i].name; i++) { - char *module_name = smb_xstrdup(*text_list); - char *module_params = NULL; - char *p; - - p = strchr(module_name, ':'); - if (p) { - *p = 0; - module_params = p+1; - trim_string(module_params, " ", " "); - } - - trim_string(module_name, " ", " "); - - if (strequal(builtin_auth_init_functions[i].name, module_name)) { - DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i)); - if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) { - DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", - *text_list)); - DLIST_ADD_END(list, t, tmp); - } else { - DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", - *text_list)); + for (entry = global_auth_methods;entry;entry = entry->next) { + if (strequal(entry->name, *text_list)) { + found = True; + DEBUG(5,("make_auth_context_text_list: Found auth +method '%s' (at pos %d)\n", *text_list, i)); + + if (NT_STATUS_IS_ERR(nt_status = +make_auth_method(*auth_context,&method, entry))) { + DEBUG(0,("make_auth_context_text_list: +make_auth_method failed for '%s'\n",*text_list)); + return nt_status; } + + DLIST_ADD_END(list, method, tmp); + i++; break; } - SAFE_FREE(module_name); } + + if (!found) { + DEBUG(5,("make_auth_context_text_list: don't find an auth +method '%s'\n", + *text_list)); + return NT_STATUS_INVALID_PARAMETER;/* or logon_failure ??? */ + } + } (*auth_context)->auth_method_list = list; @@ -372,14 +466,11 @@ static NTSTATUS make_auth_context_text_l NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { - char **auth_method_list = NULL; + char **auth_method_list = NULL; + const char **lp_auth_list = NULL; NTSTATUS nt_status; - if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) { - return NT_STATUS_NO_MEMORY; - } - - if (auth_method_list == NULL) { + if ((lp_auth_list = lp_auth_methods())==NULL) { switch (lp_security()) { case SEC_DOMAIN: @@ -416,16 +507,17 @@ NTSTATUS make_auth_context_subsystem(str DEBUG(5,("Unknown auth method!\n")); return NT_STATUS_UNSUCCESSFUL; } + nt_status = make_auth_context_text_list(auth_context, +auth_method_list); + str_list_free(&auth_method_list); } else { DEBUG(5,("Using specified auth order\n")); + nt_status = make_auth_context_text_list(auth_context, (char +**)lp_auth_list); } - if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) { - str_list_free(&auth_method_list); - return nt_status; + if (NT_STATUS_IS_ERR(nt_status)) { + DEBUG(0,("make_auth_context_subsystem: make_auth_context_text_list() +failed\n")); } - - str_list_free(&auth_method_list); + return nt_status; } diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_builtin.c HEAD-modules/source/auth/auth_builtin.c --- HEAD/source/auth/auth_builtin.c Thu Dec 12 20:24:26 2002 +++ HEAD-modules/source/auth/auth_builtin.c Fri Dec 13 13:53:00 2002 @@ -50,14 +50,16 @@ static NTSTATUS check_guest_security(con /* Guest modules initialisation */ -NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) - return NT_STATUS_NO_MEMORY; +static struct auth_method_ops auth_guest_ops = { + check_guest_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; - (*auth_method)->auth = check_guest_security; - (*auth_method)->name = "guest"; - return NT_STATUS_OK; +struct auth_method_ops *auth_guest_register(void) +{ + return &auth_guest_ops; } /** @@ -101,14 +103,16 @@ static NTSTATUS check_name_to_ntstatus_s /** Module initailisation function */ -NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) - return NT_STATUS_NO_MEMORY; +static struct auth_method_ops auth_name_to_ntstatus_ops = { + check_name_to_ntstatus_security,/* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; - (*auth_method)->auth = check_name_to_ntstatus_security; - (*auth_method)->name = "name_to_ntstatus"; - return NT_STATUS_OK; +struct auth_method_ops *auth_name_to_ntstatus_register(void) +{ + return &auth_name_to_ntstatus_ops; } /** @@ -150,61 +154,14 @@ static DATA_BLOB auth_get_fixed_challeng /** Module initailisation function */ -NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) - return NT_STATUS_NO_MEMORY; - - (*auth_method)->auth = check_fixed_challenge_security; - (*auth_method)->get_chal = auth_get_fixed_challenge; - (*auth_method)->name = "fixed_challenge"; - return NT_STATUS_OK; -} - -/** - * Outsorce an auth module to an external loadable .so - * - * Only works on systems with dlopen() etc. - **/ - -/* Plugin modules initialisation */ +static struct auth_method_ops auth_fixed_challenge_ops = { + check_fixed_challenge_security, /* auth */ + auth_get_fixed_challenge, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; -NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +struct auth_method_ops *auth_fixed_challenge_register(void) { - void * dl_handle; - char *plugin_param, *plugin_name, *p; - auth_init_function plugin_init; - - if (param == NULL) { - DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - plugin_name = smb_xstrdup(param); - p = strchr(plugin_name, ':'); - if (p) { - *p = 0; - plugin_param = p+1; - trim_string(plugin_param, " ", " "); - } else plugin_param = NULL; - - trim_string(plugin_name, " ", " "); - - DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name)); - dl_handle = sys_dlopen(plugin_name, RTLD_NOW ); - if (!dl_handle) { - DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n", - plugin_name, sys_dlerror())); - return NT_STATUS_UNSUCCESSFUL; - } - - plugin_init = sys_dlsym(dl_handle, "auth_init"); - if (!plugin_init){ - DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n", - plugin_name, sys_dlerror())); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)")); - return plugin_init(auth_context, plugin_param, auth_method); -} + return &auth_fixed_challenge_ops; +} \ No newline at end of file diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_domain.c HEAD-modules/source/auth/auth_domain.c --- HEAD/source/auth/auth_domain.c Fri Dec 13 07:25:43 2002 +++ HEAD-modules/source/auth/auth_domain.c Mon Dec 16 08:55:37 2002 @@ -412,9 +412,12 @@ static NTSTATUS check_ntdomain_security( * Check that the requested domain is not our own machine name. * If it is, we should never check the PDC here, we use our own local * password file. + * + * we interpret domain "" as our own machine name too --metze */ - if(is_myname(user_info->domain.str)) { + if(is_myname(user_info->domain.str)|| + strequal("", user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -453,18 +456,18 @@ static NTSTATUS check_ntdomain_security( } /* module initialisation */ -NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } +static struct auth_method_ops auth_ntdomain_ops = { + check_ntdomain_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; - (*auth_method)->name = "ntdomain"; - (*auth_method)->auth = check_ntdomain_security; - return NT_STATUS_OK; +struct auth_method_ops *auth_ntdomain_register(void) +{ + return &auth_ntdomain_ops; } - /**************************************************************************** Check for a valid username and password in a trusted domain ****************************************************************************/ @@ -490,9 +493,12 @@ static NTSTATUS check_trustdomain_securi * Check that the requested domain is not our own machine name. * If it is, we should never check the PDC here, we use our own local * password file. + * + * we interpret domain "" as our own machine name too --metze */ - if(is_myname(user_info->domain.str)) { + if(is_myname(user_info->domain.str)|| + strequal("", user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -502,7 +508,7 @@ static NTSTATUS check_trustdomain_securi * If it is, we should use our own local password file. */ - if(strequal(lp_workgroup(), (user_info->domain.str))) { + if(is_myworkgroup(user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -514,8 +520,8 @@ static NTSTATUS check_trustdomain_securi if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time)) { - DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + DEBUG(0, ("check_trustdomain_security: could not fetch trust account +password for domain '%s', seems that we don't trust this domain.\n", +user_info->domain.str)); + return NT_STATUS_LOGON_FAILURE;/* we don't trust the domain */ } #ifdef DEBUG_PASSWORD @@ -541,13 +547,14 @@ static NTSTATUS check_trustdomain_securi } /* module initialisation */ -NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } +static struct auth_method_ops auth_trustdomain_ops = { + check_trustdomain_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; - (*auth_method)->name = "trustdomain"; - (*auth_method)->auth = check_trustdomain_security; - return NT_STATUS_OK; +struct auth_method_ops *auth_trustdomain_register(void) +{ + return &auth_trustdomain_ops; } diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_rhosts.c HEAD-modules/source/auth/auth_rhosts.c --- HEAD/source/auth/auth_rhosts.c Fri May 24 05:43:52 2002 +++ HEAD-modules/source/auth/auth_rhosts.c Fri Dec 13 13:56:38 2002 @@ -179,16 +179,18 @@ static NTSTATUS check_hostsequiv_securit } /* module initialisation */ -NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - (*auth_method)->auth = check_hostsequiv_security; - return NT_STATUS_OK; -} +static struct auth_method_ops auth_hostsequiv_ops = { + check_hostsequiv_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; +struct auth_method_ops *auth_hostsequiv_register(void) +{ + return &auth_hostsequiv_ops; +} /**************************************************************************** Check for a valid .rhosts/hosts.equiv entry for this user @@ -223,12 +225,15 @@ static NTSTATUS check_rhosts_security(co } /* module initialisation */ -NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - (*auth_method)->auth = check_rhosts_security; - return NT_STATUS_OK; +static struct auth_method_ops auth_rhosts_ops = { + check_rhosts_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; + +struct auth_method_ops *auth_rhosts_register(void) +{ + return &auth_rhosts_ops; } diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_sam.c HEAD-modules/source/auth/auth_sam.c --- HEAD/source/auth/auth_sam.c Mon Nov 18 06:44:20 2002 +++ HEAD-modules/source/auth/auth_sam.c Mon Dec 16 08:55:48 2002 @@ -423,18 +423,18 @@ static NTSTATUS check_sam_security(const } /* module initialisation */ -NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } +static struct auth_method_ops auth_sam_ops = { + check_sam_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; - (*auth_method)->auth = check_sam_security; - (*auth_method)->name = "sam"; - return NT_STATUS_OK; +struct auth_method_ops *auth_sam_register(void) +{ + return &auth_sam_ops; } - /**************************************************************************** Check SAM security (above) but with a few extra checks. ****************************************************************************/ @@ -452,9 +452,12 @@ static NTSTATUS check_samstrict_security /* If we are a domain member, we must not attempt to check the password locally, - unless it is one of our aliases. */ + unless it is one of our aliases + or empty */ if (!is_myname(user_info->domain.str)) { + DEBUG(7,("The requested user domain is not local. [%s]\\[%s}\n", + user_info->domain.str,user_info->internal_username.str)); return NT_STATUS_NO_SUCH_USER; } @@ -462,15 +465,57 @@ static NTSTATUS check_samstrict_security } /* module initialisation */ -NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static struct auth_method_ops auth_samstrict_ops = { + check_samstrict_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; + +struct auth_method_ops *auth_samstrict_register(void) +{ + return &auth_samstrict_ops; +} + +/**************************************************************************** +Check SAM security (above) but with a few extra checks (if we're a DC). +****************************************************************************/ + +static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) { - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; + + if (!user_info || !auth_context) { + return NT_STATUS_LOGON_FAILURE; } - (*auth_method)->auth = check_samstrict_security; - (*auth_method)->name = "samstrict"; - return NT_STATUS_OK; + /* If we are a domain member, we must not + attempt to check the password locally, + unless it is one of our aliases or our + domain if we are a logon server.*/ + + if ((!is_myworkgroup(user_info->domain.str))&& + (!is_myname(user_info->domain.str))){ + DEBUG(7,("The requested user domain is not local or our domain. +[%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); + return NT_STATUS_NO_SUCH_USER; + } + + return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, +server_info); } +/* module initialisation */ +static struct auth_method_ops auth_samstrict_dc_ops = { + check_samstrict_dc_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; +struct auth_method_ops *auth_samstrict_dc_register(void) +{ + return &auth_samstrict_dc_ops; +} diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_server.c HEAD-modules/source/auth/auth_server.c --- HEAD/source/auth/auth_server.c Wed Nov 13 19:52:30 2002 +++ HEAD-modules/source/auth/auth_server.c Fri Dec 13 13:53:57 2002 @@ -388,15 +388,14 @@ use this machine as the password server. return(nt_status); } -NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static struct auth_method_ops auth_smbserver_ops = { + check_smbserver_security, /* auth */ + auth_get_challenge_server, /* get_chal */ + send_server_keepalive, /* send_keepalive */ + free_server_private_data /* free_private_data */ +}; + +struct auth_method_ops *auth_smbserver_register(void) { - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - (*auth_method)->name = "smbserver"; - (*auth_method)->auth = check_smbserver_security; - (*auth_method)->get_chal = auth_get_challenge_server; - (*auth_method)->send_keepalive = send_server_keepalive; - (*auth_method)->free_private_data = free_server_private_data; - return NT_STATUS_OK; + return &auth_smbserver_ops; } diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_unix.c HEAD-modules/source/auth/auth_unix.c --- HEAD/source/auth/auth_unix.c Sun Oct 13 12:11:25 2002 +++ HEAD-modules/source/auth/auth_unix.c Fri Dec 13 13:57:02 2002 @@ -119,14 +119,16 @@ static NTSTATUS check_unix_security(cons } /* module initialisation */ -NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - (*auth_method)->name = "unix"; - (*auth_method)->auth = check_unix_security; - return NT_STATUS_OK; +static struct auth_method_ops auth_unix_ops = { + check_unix_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; + +struct auth_method_ops *auth_unix_register(void) +{ + return &auth_unix_ops; } diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_util.c HEAD-modules/source/auth/auth_util.c --- HEAD/source/auth/auth_util.c Mon Nov 18 06:44:20 2002 +++ HEAD-modules/source/auth/auth_util.c Mon Dec 16 09:32:00 2002 @@ -177,51 +177,30 @@ NTSTATUS make_user_info_map(auth_usersup DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); - - if (lp_allow_trusted_domains() && *client_domain) { - /* the client could have given us a workstation name - or other crap for the workgroup - we really need a - way of telling if this domain name is one of our - trusted domain names - - Also don't allow "" as a domain, fixes a Win9X bug - where it doens't supply a domain for logon script - 'net use' commands. - - The way I do it here is by checking if the fully - qualified username exists. This is rather reliant - on winbind, but until we have a better method this - will have to do - */ - - domain = client_domain; - - if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ - char *user = NULL; - if (asprintf(&user, "%s%s%s", - client_domain, lp_winbind_separator(), - smb_name) < 0) { - DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return NT_STATUS_NO_MEMORY; - } + domain = client_domain; - DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); - - if (Get_Pwnam(user) == NULL) { - DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); - domain = lp_workgroup(); - DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", - client_domain, domain)); - } else { - DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); - } - SAFE_FREE(user); - } - } else { + /* the client could have given us a workstation name + or other crap for the workgroup - we really need a + way of telling if this domain name is one of our + trusted domain names + + Also don't allow "" as a domain, fixes a Win9X bug + where it doens't supply a domain for logon script + 'net use' commands. + + */ + + if (strequal("", domain)){ + /* maybe we should use our global_myname() + * or let it be "", + * but it might be break the Win9X bug + * mentioned above. --metze*/ domain = lp_workgroup(); + DEBUG(5, ("make_user_info_map: no domain name given for user %s, +assuming it's our domain.\n", smb_name)); } - + + return make_user_info(user_info, smb_name, internal_username, client_domain, domain, @@ -1098,30 +1077,6 @@ void free_server_info(auth_serversupplie ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -} - -/*************************************************************************** - Make an auth_methods struct -***************************************************************************/ - -BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) -{ - if (!auth_context) { - smb_panic("no auth_context supplied to make_auth_methods()!\n"); - } - - if (!auth_method) { - smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); - } - - *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method)); - if (!*auth_method) { - DEBUG(0,("make_auth_method: malloc failed!\n")); - return False; - } - ZERO_STRUCTP(*auth_method); - - return True; } /**************************************************************************** diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_winbind.c HEAD-modules/source/auth/auth_winbind.c --- HEAD/source/auth/auth_winbind.c Mon Nov 18 06:44:20 2002 +++ HEAD-modules/source/auth/auth_winbind.c Fri Dec 13 13:57:28 2002 @@ -125,13 +125,15 @@ static NTSTATUS check_winbind_security(c } /* module initialisation */ -NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - (*auth_method)->name = "winbind"; - (*auth_method)->auth = check_winbind_security; - return NT_STATUS_OK; -} +static struct auth_method_ops auth_winbind_ops = { + check_winbind_security, /* auth */ + NULL, /* get_chal */ + NULL, /* send_keepalive */ + NULL /* free_private_data */ +}; + +struct auth_method_ops *auth_winbind_register(void) +{ + return &auth_winbind_ops; +} \ No newline at end of file diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=config.* --exclude=bin --exclude=*.configure --exclude=auth* --exclude=passdb* HEAD/source/lib/util.c HEAD-modules/source/lib/util.c --- HEAD/source/lib/util.c Thu Dec 12 20:24:26 2002 +++ HEAD-modules/source/lib/util.c Mon Dec 16 08:55:12 2002 @@ -1723,6 +1723,23 @@ BOOL is_myname_or_ipaddr(const char *s) } /******************************************************************* + Is the name specified our workgroup/domain name. + Returns true if it is equal, false otherwise. +********************************************************************/ + +BOOL is_myworkgroup(const char *s) +{ + BOOL ret = False; + + if (strequal(s, lp_workgroup())) { + ret=True; + } + + DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret)); + return(ret); +} + +/******************************************************************* Set the horrid remote_arch string based on an enum. ********************************************************************/