Diffstat (limited to 'source')
-rw-r--r-- | source/Makefile.in | 16 | ||||
-rw-r--r-- | source/include/lib_smb_proto.h | 136 | ||||
-rw-r--r-- | source/include/rpc_client_proto.h | 8 | ||||
-rw-r--r-- | source/ltconfig | 2 | ||||
-rw-r--r-- | source/pam_ntdom/README | 176 | ||||
-rw-r--r-- | source/pam_ntdom/pam_ntdom_auth.c | 359 | ||||
-rw-r--r-- | source/pam_ntdom/pam_ntdom_proto.h | 64 | ||||
-rw-r--r-- | source/pam_ntdom/rpc_validate.c | 128 | ||||
-rw-r--r-- | source/pam_ntdom/rpc_validate.h | 11 | ||||
-rw-r--r-- | source/pam_ntdom/support.c | 177 | ||||
-rw-r--r-- | source/rpc_client/msrpc_netlogon.c | 40 | ||||
-rw-r--r-- | source/samrd/srv_samr_passdb.c | 2 |
12 files changed, 1029 insertions, 90 deletions
diff --git a/source/Makefile.in b/source/Makefile.in
index 2e4004a7b3f..8f4e2c6d269 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -619,6 +619,13 @@ RPCCLIENT_OBJ = lib/cmd_interp.o \
 $(STUB_UID_OBJ)
 RPCCLIENT_LIBS = $(SAMBA_LIBS)
+PAM_NTDOM_OBJ = pam_ntdom/pam_ntdom_auth.o \
+ pam_ntdom/rpc_validate.o \
+ pam_ntdom/support.o \
+ $(SIDDB_OBJ) \
+ $(STUB_UID_OBJ)
+PAM_NTDOM_LIBS = $(SAMBA_LIBS)
+
 SMBWRAPPER_OBJ = smbwrapper/smbw.o smbwrapper/wrapped.o \
 smbwrapper/smbw_dir.o smbwrapper/smbw_stat.o \
 smbwrapper/realcalls.o smbwrapper/shared.o
@@ -1092,6 +1099,10 @@ nsswitch/ntdom.so: $(NSS_OBJ) $(LIBSAMBA_OBJ)
 @echo "Linking $@"
 @$(LINK) -shared -o $@ $(NSS_OBJ) $(LIBSAMBA_OBJ)
+bin/pam_ntdom_auth.so: $(PAM_NTDOM_LIBS) $(PAM_NTDOM_OBJ) bin/.dummy
+ @echo Linking $@
+ @$(LINK) -shared -Xlinker -x -o $@ $(PAM_NTDOM_LIBS) $(PAM_NTDOM_OBJ)
+
 install: all \
 installdirs \
 install-libs installbin install-sbin \
@@ -1164,6 +1175,11 @@ all_other_proto_for_now: include/proto.h \
 $(PROTO_OBJ)
+pam_ntdom_proto:
+ @cd $(srcdir) && $(SHELL) script/mkproto.sh $(AWK) \
+ -h _PAM_NTDOM_PROTO_H_ pam_ntdom/pam_ntdom_proto.h \
+ $(PAM_NTDOM_OBJ)
+
 winbindd_proto:
+ @cd $(srcdir) && $(SHELL) script/mkproto.sh $(AWK) \
+ -h _WINBINDD_PROTO_H_ include/winbindd_proto.h \
diff --git a/source/include/lib_smb_proto.h b/source/include/lib_smb_proto.h
index 4082fe77de4..19f42d6e478 100644
--- a/source/include/lib_smb_proto.h
+++ b/source/include/lib_smb_proto.h
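Review bot: The new `bin/pam_ntdom_auth.so` rule puts `$(PAM_NTDOM_LIBS)` ahead of `$(PAM_NTDOM_OBJ)` on the link line, the reverse of the `nsswitch/ntdom.so` rule two lines above it; with a single-pass linker and static archives in SAMBA_LIBS, symbols the objects need from those archives would stay unresolved. If SAMBA_LIBS are libtool shared libraries (the README's `bin/.libs/` remark suggests so) this happens to work, but matching the existing rule costs nothing: `@$(LINK) -shared -Xlinker -x -o $@ $(PAM_NTDOM_OBJ) $(PAM_NTDOM_LIBS)`. Nothing on the line names libpam either, although the module calls `pam_get_user`/`pam_get_item`; whether that resolves at load time depends on the host application, and is worth confirming on the Solaris target the README lists.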
@@ -23,6 +23,74 @@ void MD5Update(struct MD5Context *ctx, uchar const *buf, unsigned len); void MD5Final(uchar digest[16], struct MD5Context *ctx); void MD5Transform(uint32 buf[4], const uchar inext[64]); +/*The following definitions come from lib/util_hnd.c */ + +struct policy_cache *get_global_hnd_cache(void); +struct policy_cache *init_policy_cache(int num_pol_hnds); +void free_policy_cache(struct policy_cache *cache); +BOOL policy_hnd_set_name(struct policy_cache *cache, + POLICY_HND *hnd, const char *name); +const char *policy_hnd_get_name(struct policy_cache *cache, + const POLICY_HND *hnd); +BOOL dup_policy_hnd(struct policy_cache *cache, + POLICY_HND *hnd, + const POLICY_HND *from); +BOOL register_policy_hnd(struct policy_cache *cache, + const vuser_key *key, + POLICY_HND *hnd, + uint32 access_mask); +BOOL open_policy_hnd(struct policy_cache *cache, + const vuser_key *key, + POLICY_HND *hnd, + uint32 access_mask); +BOOL open_policy_hnd_link(struct policy_cache *cache, + const POLICY_HND *parent_hnd, + POLICY_HND *hnd, + uint32 access_mask); +int find_policy_by_hnd(struct policy_cache *cache, const POLICY_HND *hnd); +BOOL set_policy_state(struct policy_cache *cache, POLICY_HND *hnd, + void(*fn)(void*), void *dev); +void *get_policy_state_info(struct policy_cache *cache, const POLICY_HND *hnd); +BOOL policy_hnd_set_state_type(struct policy_cache *cache, + POLICY_HND *hnd, int type); +int policy_hnd_get_state_type(struct policy_cache *cache, + const POLICY_HND *hnd); +BOOL policy_hnd_check_state_type(struct policy_cache *cache, + const POLICY_HND *hnd, int type); +BOOL close_policy_hnd(struct policy_cache *cache, POLICY_HND *hnd); +BOOL policy_link_key(struct policy_cache *cache, const POLICY_HND *hnd, + POLICY_HND *to); +const vuser_key *get_policy_vuser_key(struct policy_cache *cache, + const POLICY_HND *hnd); +BOOL pol_get_usr_sesskey(struct policy_cache *cache, const POLICY_HND *hnd, + uchar usr_sess_key[16]); + +/*The following definitions come from 
lib/vuser.c */ + +BOOL is_valid_user_struct(const vuser_key * key); +user_struct *get_valid_user_struct(const vuser_key * key); +void invalidate_vuid(vuser_key * key); +BOOL validated_username(vuser_key * key, char *name, size_t len); +uint16 create_vuid(pid_t pid, + uid_t uid, gid_t gid, + int n_groups, gid_t * groups, + const char *unix_name, + const char *requested_name, + const char *real_name, + BOOL guest, const NET_USER_INFO_3 * info3); +uint16 register_vuid(pid_t pid, uid_t uid, gid_t gid, + const char *unix_name, + const char *requested_name, + BOOL guest, const NET_USER_INFO_3 * info3); +BOOL check_vuser_ok(struct uid_cache *cache, user_struct * vuser, int snum); + +/*The following definitions come from lib/vuser_db.c */ + +BOOL tdb_delete_vuid( const vuser_key *uk); +BOOL tdb_lookup_vuid( const vuser_key *uk, user_struct **usr); +BOOL tdb_store_vuid( const vuser_key *uk, user_struct *usr); +BOOL vuid_init_db(void); + /*The following definitions come from libsmb/clientgen.c */ int cli_set_port(struct cli_state *cli, int port); 
@@ -236,74 +304,6 @@ BOOL smb_safe_err_msg(uint8 class, uint32 num, char *ret, size_t len); BOOL smb_safe_errstr(char *inbuf, char *msg, size_t len); char *smb_errstr(char *inbuf); -/*The following definitions come from lib/util_hnd.c */ - -struct policy_cache *get_global_hnd_cache(void); -struct policy_cache *init_policy_cache(int num_pol_hnds); -void free_policy_cache(struct policy_cache *cache); -BOOL policy_hnd_set_name(struct policy_cache *cache, - POLICY_HND *hnd, const char *name); -const char *policy_hnd_get_name(struct policy_cache *cache, - const POLICY_HND *hnd); -BOOL dup_policy_hnd(struct policy_cache *cache, - POLICY_HND *hnd, - const POLICY_HND *from); -BOOL register_policy_hnd(struct policy_cache *cache, - const vuser_key *key, - POLICY_HND *hnd, - uint32 access_mask); -BOOL open_policy_hnd(struct policy_cache *cache, - const vuser_key *key, - POLICY_HND *hnd, - uint32 access_mask); -BOOL open_policy_hnd_link(struct policy_cache *cache, - const POLICY_HND *parent_hnd, - POLICY_HND *hnd, - uint32 access_mask); -int find_policy_by_hnd(struct policy_cache *cache, const POLICY_HND *hnd); -BOOL set_policy_state(struct policy_cache *cache, POLICY_HND *hnd, - void(*fn)(void*), void *dev); -void *get_policy_state_info(struct policy_cache *cache, const POLICY_HND *hnd); -BOOL policy_hnd_set_state_type(struct policy_cache *cache, - POLICY_HND *hnd, int type); -int policy_hnd_get_state_type(struct policy_cache *cache, - const POLICY_HND *hnd); -BOOL policy_hnd_check_state_type(struct policy_cache *cache, - const POLICY_HND *hnd, int type); -BOOL close_policy_hnd(struct policy_cache *cache, POLICY_HND *hnd); -BOOL policy_link_key(struct policy_cache *cache, const POLICY_HND *hnd, - POLICY_HND *to); -const vuser_key *get_policy_vuser_key(struct policy_cache *cache, - const POLICY_HND *hnd); -BOOL pol_get_usr_sesskey(struct policy_cache *cache, const POLICY_HND *hnd, - uchar usr_sess_key[16]); - -/*The following definitions come from lib/vuser.c */ - -BOOL 
is_valid_user_struct(const vuser_key * key); -user_struct *get_valid_user_struct(const vuser_key * key); -void invalidate_vuid(vuser_key * key); -BOOL validated_username(vuser_key * key, char *name, size_t len); -uint16 create_vuid(pid_t pid, - uid_t uid, gid_t gid, - int n_groups, gid_t * groups, - const char *unix_name, - const char *requested_name, - const char *real_name, - BOOL guest, const NET_USER_INFO_3 * info3); -uint16 register_vuid(pid_t pid, uid_t uid, gid_t gid, - const char *unix_name, - const char *requested_name, - BOOL guest, const NET_USER_INFO_3 * info3); -BOOL check_vuser_ok(struct uid_cache *cache, user_struct * vuser, int snum); - -/*The following definitions come from lib/vuser_db.c */ - -BOOL tdb_delete_vuid( const vuser_key *uk); -BOOL tdb_lookup_vuid( const vuser_key *uk, user_struct **usr); -BOOL tdb_store_vuid( const vuser_key *uk, user_struct *usr); -BOOL vuid_init_db(void); - /*The following definitions come from rpc_parse/parse_creds.c */ BOOL make_creds_unix(CREDS_UNIX *r_u, const char* user_name, diff --git a/source/include/rpc_client_proto.h b/source/include/rpc_client_proto.h index f28b8ce2748..d80889b992f 100644 --- a/source/include/rpc_client_proto.h +++ b/source/include/rpc_client_proto.h @@ -499,6 +499,14 @@ BOOL modify_trust_password(const char *domain, const char *srv_name, const uchar orig_trust_passwd_hash[16], const uchar new_trust_passwd_hash[16], uint16 sec_chan); +uint32 domain_client_validate(const char *server, + const char *user, const char *domain, + const char *acct_name, uint16 acct_type, + const char *challenge, + const char *smb_apasswd, + int smb_apasslen, + const char *smb_ntpasswd, + int smb_ntpasslen, NET_USER_INFO_3 * info3); uint32 check_domain_security(const char *orig_user, const char *domain, const uchar * challenge, const char *smb_apasswd, int smb_apasslen, diff --git a/source/ltconfig b/source/ltconfig index e7b25105795..1d2d9e377b9 100644 --- a/source/ltconfig +++ b/source/ltconfig 
@@ -185,7 +185,7 @@ enable_shared=yes
 # which needs '.lib').
 enable_static=yes
 enable_fast_install=yes
-enable_dlopen=unknown
+enable_dlopen=yes
 enable_win32_dll=no
 ltmain=
 silent=
diff --git a/source/pam_ntdom/README b/source/pam_ntdom/README
new file mode 100644
index 00000000000..30f9006ef76
--- /dev/null
+++ b/source/pam_ntdom/README
@@ -0,0 +1,176 @@ +This is the README for pam_ntdom v0.25 +-------------------------------------- + +Getting pam_ntdom: + + http://samba.org/cvs.html, obtain Samba with a tag of SAMBA_TNG. + +This Plug-in Authentication Module allows a Linux user to authenticate +against an NT Server, Samba Server compiled with NT Domains enabled, +AT & T Advance File/Print Sharer or SCO Domain Controller, using the NT +Domain Authentication Protocol. + +This module is based on pam_smb (including this README file) which in +turn was based on pam_unix_auth. + +Please see the end of this file for contact details. + + +***************** + Configuration +***************** + +Linux workstation +----------------- + +This version of pam_ntdom works in conjunction with SAMBA_TNG installed +on your local system. You should not need to make any changes to your +Samba configuration on the local system (except that it must be the +SAMBA_TNG version). + +This version of pam_ntdom reads your Samba smb.conf file, so no additional +configuration is required. + + +************** + Installing +************** + +1) Obtain (cvs or ftp) the SAMBA_TNG distribution. + +2) Run configure +./configure + +3) run make bin/pam_ntdom_auth.so + +4) This will produce bin/.libs/pam_ntdom_auth.so. + Copy this file into the pam modules directory which for Redhat-4.2 is + /lib/security and for Solaris 2.6 is /usr/lib/security. + + *** DO NOT COPY bin/pam_ntdom_auth.so it is only a libtool script! *** + +5) Install the module into the PAM system: + +For Linux: + You then need to change the configuration files in /etc/pam.d for the + applications you wish to use NT authentication with. + +My /etc/pam.d/login is as follows for NT authenticated logins. +Note the pam_ntdom_auth.so line. 
+ +#%PAM-1.0 +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_ntdom_auth.so +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so + +For Solaris: + You need to change the /etc/pam.conf other line to + +other auth required /usr/lib/security/pam_ntdom_auth.so.1 + + +6) If you have not already installed and configured SAMBA_TNG, follow + the instructions in source/README. You will not need to do + ./configure again, as that was already done in step 2) as instructed + in *this* README. + + *** YOU MUST do a make install of SAMBA_TNG *** + + this will copy the shared libraries into the location required by + pam_ntdom_auth.so. + + +************************* + Further Configuration +************************* + +The pam_ntdom modules has two configuration steps, + a) Command line options + b) Configuration file. + +A) Command line options + Most installations can skip this step as the module will + work grand without any command line arguments. + These arguments go in the /etc/pam.d + file on the auth line containing the pam_ntdom_auth.so module. + + The pam_ntdom module accepts 3 command line options. + 1. debug - This switches on syslog debugging of the module. + + 2. use_first_pass - This is a standard PAM Module command line option. + *********** N.B. Danger lurks here somewhere ***************** + + 3. nolocal - This allows authentication of a username/password + pair which are not in the local password file. + Do not switch this on unless you know what you are at. + ************************************************************** + +************************ +Notes +************************ + +- The user must be in the password file to allow the user to login. + +- If the user hasn't a starred password the password in the file + will work. 
+ +- If the user has a starred password it will go to the NT server + and validate the user in the domain specified in the smb.conf file + + +************************ +Samba NT Domains +************************ + +As of 10jan98, the version of Samba required that supports NT Domains +is available under the cvs tag SAMBA_TNG. cvs instructions are at: + + http://samba.org/cvs.html. + +Samba, the Digest Archives and a list of Commercial companies that +support Samba is available from: + + http://samba.org/listproc + +Details on NT Domain Authentication and progress being made is +available from: + + http://cb1.com/~lkcl/ntdomain.html + + +************************ +Credits +************************ + +- Dave Airlie <David.Airlie@ul.ie> -- the Author of pam-smb, as all i've done + is replace his Validate_User function and rewrite this README file. + +- Andrew Morgan <morgan@parc.power.net> -- the Linux PAM project person, and + writer of the pam_unix_auth.c module, on which Dave Airlie based pam-smb. + +- Paul Ashton <paul@argo.demon.co.uk> -- Paul kicked the whole NT Domain + Authentication ball rolling, and first implemented NT Domains in Samba. + And second implemented it. + +- Andrew Tridgell and the Samba Team. Andrew for inviting me to join + the team, back in August 96, and to the other Samba Team members for + putting up with and encouraging me ever since. + +- The Microsoft NT Development Team, for an exceptionally good design of a + remote administration / authentication protocol. + + +************************ +Bugs and Comments +************************ + +Please report any bugs, comments and suggestions to: + + samba-technical@samba.org + +putting "[PAM-NTDOM]" at the start of the subject line. + diff --git a/source/pam_ntdom/pam_ntdom_auth.c b/source/pam_ntdom/pam_ntdom_auth.c new file mode 100644 index 00000000000..035fb5c5708 --- /dev/null +++ b/source/pam_ntdom/pam_ntdom_auth.c 
@@ -0,0 +1,359 @@ +/* + * Copyright Alexander O. Yuriev, 1996. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + This code has been changed heavily for smb authentication by + + pam_ntdom_auth -- David Airlie 1998 v1.3a ( airlied@samba.org ) + http://www.csn.ul.ie/~airlied + + all changes are (C) David Airlie 1998. +*/ + +#include "includes.h" + +#ifdef HAVE_SECURITY_PAM_APPL_H + +#include <security/pam_appl.h> + +#endif + +#define _PAM_EXTERN_FUNCTIONS + +#ifdef HAVE_SECURITY_PAM_MODULES_H +#include <security/pam_modules.h> +#endif + +#ifndef PAM_EXTERN +#define PAM_EXTERN extern +#endif + +extern int DEBUGLEVEL; + +#include "pam_ntdom_proto.h" + +#if 0 +extern int converse(pam_handle_t * pamh, + int nargs, + struct pam_message **message, + struct pam_response **response); + +extern int _set_auth_tok(pam_handle_t * pamh, + int flags, int argc, const char **argv); + +static int _pam_auth_smb(pam_handle_t * pamh, + int flags, int argc, const char **argv); + +static int _pam_set_credentials_smb(pam_handle_t * pamh, + int flags, int argc, const char **argv); + + +#endif + +/* + * + * _pam_auth_smb() actually performs UNIX/shadow authentication and + * then performs the NT Validation. + * + * First, if shadow support is available, attempt to perform + * authentication using shadow passwords. If shadow is not + * available, or user does not have a shadow password, fallback + * onto a normal UNIX authentication + * If neither shadow nor normal succeed it will send the username + * and password to a local server, which will do the authentication. 
+ */ + +static int _pam_auth_smb(pam_handle_t * pamh, + int flags, int argc, const char **argv) +{ + int retval; + struct passwd *pw; + const char *name; + char *p, *pp; + int w, loop; + const char *salt; + fstring domain; + fstring ntname; + int debug = 0, use_first_pass = 0; + int unknown_user = 0; + int nolocal = 0; + +#ifdef HAVE_SHADOW_H + + struct spwd *sp; + +#endif + + DEBUGLEVEL = 0; + + /* Parse Command line options */ + + for (loop = 0; loop < argc; loop++) + { + if (!strcmp(argv[loop], "debug")) + { + debug = 1; + DEBUGLEVEL = 100; + } + else if (!strcmp(argv[loop], "use_first_pass")) + use_first_pass = 1; + else if (!strcmp(argv[loop], "nolocal")) + nolocal = 1; +#ifdef USE_LOGAUTH + else + syslog(LOG_AUTHPRIV | LOG_ERR, + "pam_ntdom: Unknown Command Line Option in pam.d : %s", + argv[loop]); +#endif + } + + if (!rpc_initialise()) + { +#ifdef USE_LOGAUTH + if (debug) + { + syslog(LOG_AUTHPRIV | LOG_ERR, + "pam_ntdom: initialisation failed\n"); + } +#endif + return PAM_SERVICE_ERR; + } + /* get the user'name' */ + + if ((retval = pam_get_user(pamh, &name, "login: ")) != PAM_SUCCESS) + { +#ifdef USE_LOGAUTH + syslog(LOG_AUTHPRIV | LOG_ERR, "pam_ntdom: User not found"); +#endif + return retval; + } + + pam_get_item(pamh, PAM_AUTHTOK, (void *)&p); + + if (!p) + { + if (use_first_pass != 1) + { + retval = _set_auth_tok(pamh, flags, argc, argv); + if (retval != PAM_SUCCESS) + return retval; + } + else + return PAM_AUTH_ERR; + } + + /* + We have to call pam_get_item() again because value of p should + change + */ + + pam_get_item(pamh, PAM_AUTHTOK, (void *)&p); + + if (!split_domain_name(name, domain, ntname)) + { + return PAM_BUF_ERR; + } + + /* If nolocal is specified pam_ntdom does not try and do local + username/password authentication .. 
this is a command line option + to pam_ntdom_auth.so in /etc/pam.d/ */ + + if (nolocal == 0) + { + pw = getpwnam(name); + + if (pw) + { + +#ifdef HAVE_SHADOW_H + + /* + * Support for shadow passwords on Linux and SVR4-based + * systems. Shadow passwords are optional on Linux - if + * there is no shadow password, use the non-shadow one. + */ + + sp = getspnam(name); + if (sp && (!strcmp(pw->pw_passwd, "x"))) + { + /* TODO: check if password has expired etc. */ + salt = sp->sp_pwdp; + } + else +#endif + salt = pw->pw_passwd; + } + else + unknown_user = 1; + + /* The 'always-encrypt' method does not make sense in PAM + because the framework requires return of a different + error code for non-existant users -- alex */ + if (!unknown_user) + { + if ((!pw->pw_passwd) && (!p)) + if (flags && PAM_DISALLOW_NULL_AUTHTOK) + return PAM_SUCCESS; + + pp = crypt(p, salt); + + if (strcmp(pp, salt) == 0) + { + if (debug) +#ifdef USE_LOGAUTH + syslog(LOG_AUTHPRIV | LOG_DEBUG, + "pam_ntdom: Local UNIX username/password pair correct."); +#endif + return PAM_SUCCESS; + } + + if (debug) + { +#ifdef USE_LOGAUTH + syslog(LOG_AUTHPRIV | LOG_DEBUG, + "pam_ntdom: Local UNIX username/password check incorrect."); +#endif + } + } + } /* End of Local Section */ + else + { /* If Local System Authentication is switched off */ +#ifdef USE_LOGAUTH + if (debug) + syslog(LOG_AUTHPRIV | LOG_DEBUG, + "No Local authentication done, relying on other modules for password file entry."); +#endif + } + +#ifdef USE_LOGAUTH + if (debug) + { + syslog(LOG_AUTHPRIV | LOG_DEBUG, + "pam_ntdom: Configuration Data, Domain %s.", domain); + } +#endif + +#ifdef USE_LOGAUTH + if (debug) + { + syslog(LOG_AUTHPRIV | LOG_DEBUG, + "pam_ntdom: user: %s domain: %s password: %s", + ntname, domain, p); + } +#endif + + w = Valid_User(ntname, p, domain); + + /* Users valid user for return value 0 is success + 1 and 2 indicate Network and protocol failures and + 3 is not logged on + */ + + switch (w) + { + case 0: +#ifdef 
USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Correct NT username/password pair");
+ }
+#endif
+ return PAM_SUCCESS;
+ case 1:
+ case 2:
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Authentication unavailable\n");
+ }
+#endif
+ return PAM_AUTHINFO_UNAVAIL;
+ break;
+ case 3:
+ default:
+#ifdef USE_LOGAUTH
+ syslog(LOG_AUTHPRIV | LOG_NOTICE,
+ "pam_ntdom: Incorrect NT password for username : %s",
+ ntname);
+#endif
+ return PAM_AUTH_ERR;
+ break;
+ }
+
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Authentication failed\n");
+ }
+#endif
+ return PAM_AUTH_ERR;
+
+}
+
+/*
+ * The _pam_set_credentials_smb() does nothing.
+ */
+
+static int _pam_set_credentials_smb(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS; /* This is a wrong result code. From what I
+ remember from reafing one of the guides
+ there's an error-level saying 'N/A func'
+ -- AOY
+ */
+}
+
+/*
+ * PAM framework looks for these entry-points to pass control to the
+ * authentication module.
+ */
+
+PAM_EXTERN
+ int pam_sm_authenticate(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ return _pam_auth_smb(pamh, flags, argc, argv);
+}
+
+PAM_EXTERN
+ int pam_sm_setcred(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ return _pam_set_credentials_smb(pamh, flags, argc, argv);
+}
diff --git a/source/pam_ntdom/pam_ntdom_proto.h b/source/pam_ntdom/pam_ntdom_proto.h
new file mode 100644
index 00000000000..2366a708790
--- /dev/null
+++ b/source/pam_ntdom/pam_ntdom_proto.h
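Review bot: With the `debug` option on, the syslog call immediately before `Valid_User` writes the cleartext password: `"pam_ntdom: user: %s domain: %s password: %s", ntname, domain, p` goes to LOG_AUTHPRIV, so a domain password ends up in the system log (and wherever logs are shipped) on the strength of a pam.d option the README presents as routine; `p` must come out of that message. Two smaller defects sit in the local-password branch of `_pam_auth_smb`: `if (flags && PAM_DISALLOW_NULL_AUTHTOK) return PAM_SUCCESS;` uses logical rather than bitwise AND and returns success precisely when the application asked that empty tokens be refused, and `pp = crypt(p, salt); if (strcmp(pp, salt) == 0)` dereferences `crypt()`'s result without a NULL check, which it returns for an unusable salt such as a `*`-locked password field. The rewritten lines are below; the rest of the function is unchanged. Separately, when `getpwnam` fails the code sets `unknown_user` and still forwards the name to the domain controller, so the README's "the user must be in the password file" holds only if a later account module enforces it — a comment at that point saying so would stop the next reader from assuming this module does.

```c
	if (!unknown_user)
	{
		/* Empty local password: succeed only if the application
		 * permits null tokens (bitwise test, not logical). */
		if ((!salt || !*salt) && (!p || !*p))
			return (flags & PAM_DISALLOW_NULL_AUTHTOK)
				? PAM_AUTH_ERR : PAM_SUCCESS;

		/* crypt() returns NULL for an unusable salt (e.g. a "*"
		 * locked field on some libcs); fall through to the NT
		 * check instead of dereferencing it. */
		pp = crypt(p, salt);
		if (pp != NULL && strcmp(pp, salt) == 0)
		{
			/* … unchanged: success logging … */
			return PAM_SUCCESS;
		}
		/* … unchanged: failure logging … */
	}
	/* … unchanged: nolocal branch, domain logging … */

	/* Never write the authentication token to the log, even under debug. */
#ifdef USE_LOGAUTH
	if (debug)
	{
		syslog(LOG_AUTHPRIV | LOG_DEBUG,
		       "pam_ntdom: user: %s domain: %s", ntname, domain);
	}
#endif
	/* … unchanged: Valid_User() call and result switch … */
```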
@@ -0,0 +1,64 @@
+#ifndef _PAM_NTDOM_PROTO_H_
+#define _PAM_NTDOM_PROTO_H_
+/* This file is automatically generated with "make proto". DO NOT EDIT */
+
+
+/*The following definitions come from lib/sids.c */
+
+struct sid_map* add_sidmap_to_array(uint32 *len, struct sid_map ***array,
+ const struct sid_map *name);
+BOOL get_member_domain_sid(void);
+void generate_wellknown_sids(void);
+BOOL create_sidmap_table(void);
+BOOL generate_sam_sid(char *domain_name, DOM_SID *sid);
+BOOL pwdb_initialise(BOOL is_server);
+BOOL map_domain_name_to_sid(DOM_SID *sid, char **nt_domain);
+BOOL map_wk_sid_to_name(const DOM_SID *sid, char *nt_domain, uint32 *type);
+BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain);
+BOOL map_domain_sid_to_any_dc(DOM_SID *sid, char *dc_name);
+BOOL split_domain_name(const char *fullname, char *domain, char *name);
+BOOL enumtrustdoms(char ***doms, uint32 *num_entries);
+
+/*The following definitions come from lib/stub_uid.c */
+
+void become_root(BOOL save_dir);
+void unbecome_root(BOOL restore_dir);
+const vuser_key *get_sec_ctx(void);
+
+/*The following definitions come from lib/util_seaccess.c */
+
+BOOL se_access_check(const SEC_DESC * sd, const NET_USER_INFO_3 * user,
+ uint32 acc_req, uint32 prev_grant_acc,
+ uint32 * acc_grant,
+ uint32 * status);
+
+/*The following definitions come from pam_ntdom/pam_ntdom_auth.c */
+
+
+/*The following definitions come from pam_ntdom/rpc_validate.c */
+
+BOOL rpc_initialise(void);
+int Valid_User(char *username, char *plaintext_pwd, char *domainname);
+
+/*The following definitions come from pam_ntdom/support.c */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response );
+
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv );
+
+/* Implementation */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response );
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags, int argc,
+ const char **argv );
+#endif /* _PAM_NTDOM_PROTO_H_ */
diff --git a/source/pam_ntdom/rpc_validate.c b/source/pam_ntdom/rpc_validate.c
new file mode 100644
index 00000000000..bf7db5a9df8
--- /dev/null
+++ b/source/pam_ntdom/rpc_validate.c
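Review bot: The header opens with `This file is automatically generated with "make proto". DO NOT EDIT`, yet the `/* Implementation */` section at the bottom is a hand-added second copy of the `converse` and `_set_auth_tok` prototypes already emitted for support.c, so the `make pam_ntdom_proto` target this commit adds would presumably regenerate the file without it. Either drop the duplicate section or keep anything that must survive regeneration in a hand-maintained header such as rpc_validate.h. Because the prototypes use `pam_handle_t`, `struct pam_message` and `struct pam_response`, every translation unit including this header has to include `<security/pam_modules.h>` first; a one-line note at the top, `/* requires <security/pam_modules.h> to be included beforehand */`, would save the next reader a compile error.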
@@ -0,0 +1,128 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 2.0
+ PAM for NT Domains
+ Copyright (C) Andrew Tridgell 1994-2000
+ Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "rpc_validate.h"
+#include "nterr.h"
+
+extern int DEBUGLEVEL;
+
+static BOOL initialised = False;
+
+extern pstring global_myname;
+
+FILE *out_hnd;
+
+
+/****************************************************************************
+ main program
+****************************************************************************/
+BOOL rpc_initialise(void)
+{
+ extern pstring debugf;
+ extern BOOL append_log;
+
+ pstring servicesf = CONFIGFILE;
+ mode_t myumask = 0755;
+
+ if (initialised)
+ {
+ return True;
+ }
+
+ DEBUGLEVEL = 100;
+
+ out_hnd = stdout;
+
+ append_log = True;
+ slprintf(debugf, sizeof(debugf) - 1, "%s/log.pam_ntdom", LOGFILEBASE);
+
+ TimeInit();
+ charset_initialise();
+ init_connections();
+
+ myumask = umask(0);
+ umask(myumask);
+
+ if (!get_myname(global_myname, NULL))
+ {
+ fprintf(stderr, "Failed to get my hostname.\n");
+ return False;
+ }
+
+ codepage_initialise(lp_client_code_page());
+
+ setup_logging(debugf, False);
+ reopen_logs();
+
+ if (!lp_load(servicesf, True, False, False))
+ {
+ fprintf(stderr,
+ "Can't load %s - run testparm to debug it\n",
+ servicesf);
+ return False;
+ }
+
+ load_interfaces();
+
+ if (!pwdb_initialise(False))
+ {
+ return False;
+ }
+
+ initialised = True;
+
+ return True;
+}
+
+/****************************************************************************
+ validates a user.
+ ****************************************************************************/
+int Valid_User(char *username, char *plaintext_pwd, char *domainname)
+{
+ NET_USER_INFO_3 info3;
+ uchar ntpw[16];
+ uchar lmpw[16];
+
+ uint32 status;
+
+ ZERO_STRUCT(info3);
+
+ DEBUG(3, ("%s pam_ntdom (version %s) login. user:%s domain:%s\n",
+ timestring(False), VERSION, username, domainname));
+
+ nt_lm_owf_gen(plaintext_pwd, ntpw, lmpw),
+ status = domain_client_validate("\\\\.", username, domainname,
+ global_myname, SEC_CHAN_WKSTA,
+ NULL,
+ lmpw, sizeof(lmpw),
+ ntpw, sizeof(ntpw), &info3);
+
+ if (status != NT_STATUS_NOPROBLEMO)
+ {
+ fprintf(stderr, "login of %s to domain %s rejected.\n",
+ username, domainname);
+ return NTV_LOGON_ERROR;
+ }
+
+ return NTV_NO_ERROR;
+}
diff --git a/source/pam_ntdom/rpc_validate.h b/source/pam_ntdom/rpc_validate.h
new file mode 100644
index 00000000000..209908e4114
--- /dev/null
+++ b/source/pam_ntdom/rpc_validate.h
@@ -0,0 +1,11 @@
+#ifndef _RPC_VALIDATE_H_
+#define _RPC_VALIDATE_H_
+/* SMB User verification function */
+
+#define NTV_NO_ERROR 0
+#define NTV_SERVER_ERROR 1
+#define NTV_PROTOCOL_ERROR 2
+#define NTV_LOGON_ERROR 3
+#define NTV_INITIALISATION_ERROR 1
+
+#endif
diff --git a/source/pam_ntdom/support.c b/source/pam_ntdom/support.c
new file mode 100644
index 00000000000..6730ffd8d39
--- /dev/null
+++ b/source/pam_ntdom/support.c
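Review bot: Every non-success status from `domain_client_validate` in `Valid_User` becomes `NTV_LOGON_ERROR`, so the NTV_SERVER_ERROR / NTV_PROTOCOL_ERROR codes declared in rpc_validate.h are never produced and the `case 1: case 2: return PAM_AUTHINFO_UNAVAIL;` branch in pam_ntdom_auth.c is dead: an unreachable domain controller is reported to the PAM stack as a wrong password, which defeats any fallback stacking an administrator configures on that distinction. If the status domain_client_validate returns separates transport failure from a rejected logon (its body is outside this diff), map that case to `NTV_SERVER_ERROR` before falling back to `NTV_LOGON_ERROR`. The same function leaves the LM and NT OWF hashes — password-equivalent secrets — live on the stack after the call and ends the `nt_lm_owf_gen(plaintext_pwd, ntpw, lmpw),` statement with a comma instead of a semicolon; the rewrite below scrubs the hashes (ZERO_STRUCT is a plain memset and may be elided by the optimizer, so an explicit_bzero-style helper is preferable where the tree has one) and replaces the `fprintf(stderr, ...)`, which writes into whatever application loaded the module, with the library's DEBUG macro. `rpc_initialise` also hard-codes `DEBUGLEVEL = 100;`, undoing the `debug`-option handling in pam_ntdom_auth.c and turning on maximum library logging to `LOGFILEBASE/log.pam_ntdom` for every login; that line should go so the PAM option stays in control.

```c
	/* … unchanged: declarations, ZERO_STRUCT(info3), DEBUG(3, …) … */

	nt_lm_owf_gen(plaintext_pwd, ntpw, lmpw);
	status = domain_client_validate("\\\\.", username, domainname,
					global_myname, SEC_CHAN_WKSTA,
					NULL,
					lmpw, sizeof(lmpw),
					ntpw, sizeof(ntpw), &info3);

	/* The OWF hashes are password-equivalent; do not leave them on
	 * the stack once the DC has answered. */
	ZERO_STRUCT(ntpw);
	ZERO_STRUCT(lmpw);

	if (status != NT_STATUS_NOPROBLEMO)
	{
		/* A PAM module must not write to the host application's
		 * stderr; use the library log instead. */
		DEBUG(1, ("login of %s to domain %s rejected (status 0x%x)\n",
			  username, domainname, status));
		return NTV_LOGON_ERROR;
	}

	return NTV_NO_ERROR;
```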
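Review bot: `NTV_INITIALISATION_ERROR` is defined as 1, the same value as `NTV_SERVER_ERROR`, so a caller switching on Valid_User's result cannot tell an initialisation failure from a server failure; give it its own value, `#define NTV_INITIALISATION_ERROR 4`, or drop it, since nothing in this commit returns it (rpc_initialise returns a BOOL and Valid_User yields only NTV_NO_ERROR or NTV_LOGON_ERROR). A short comment above the block recording which values pam_ntdom_auth.c maps to PAM_AUTHINFO_UNAVAIL (1 and 2) and which to PAM_AUTH_ERR (3 and anything else) would make the contract between the two files explicit.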
@@ -0,0 +1,177 @@
+/*
+ * $Header: /data/src/mirror/cvs/samba/source/pam_ntdom/Attic/support.c,v 1.1.2.1 2000/04/09 02:04:30 lkcl Exp $
+ */
+
+/*
+ * Copyright Andrew Morgan, 1996. All rights reserved.
+ * Modified by Alexander O. Yuriev
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * $Log: support.c,v $
+ * Revision 1.1.2.1 2000/04/09 02:04:30 lkcl
+ * added pam_ntdom. amazingly, it actually works.
+ *
+ * Revision 1.1 1998/04/17 15:34:25 lkcl
+ *
+ * adding pam_ntdom to samba source repository. this version is known as 0.21
+ *
+ * further work to be done is:
+ *
+ * - to add the "change machine password" support so that the transmission
+ * of the user's password is secure.
+ *
+ * - the session key needs to be generated from a random number.
+ *
+ * - the domain server needs to be automatically detected (using a UDP 138
+ * broadcast SAMQUERY packet to \\DOMAIN-NAME\MAILSLOT\NTLOGON)
+ *
+ * - the code to be changed from SamLogon immediately followed by SamLogoff
+ * to SamLogon when PAM user session starts followed by SamLogoff (or
+ * drop SMB connection) when PAM user session ends.
+ *
+ * this will result in the user _really_ joining the domain from the
+ * workstation, will all the benefits thereof (including that of the
+ * administrator being able to disconnect them!)
+ *
+ * Revision 1.1 1996/11/09 19:44:35 morgan
+ * Initial revision
+ *
+ * Revision 1.1 1996/04/17 01:11:08 alex
+ * Initial revision
+ *
+ */
+
+#include <stdlib.h> /* define NULL */
+
+#ifndef LINUX
+
+ #include <security/pam_appl.h>
+
+#endif /* LINUX */
+
+#include <security/pam_modules.h>
+
+
+#ifndef NDEBUG
+
+ #include <syslog.h>
+
+#endif /* NDEBUG */
+
+
+/* Phototype declarations */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response );
+
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv );
+
+/* Implementation */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response )
+
+{
+ int retval;
+ struct pam_conv *conv;
+
+ retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
+ if ( retval == PAM_SUCCESS )
+ {
+ retval = conv->conv( nargs,
+ ( const struct pam_message ** ) message,
+ response,
+ conv->appdata_ptr );
+ }
+ return retval;
+}
+
+/***************************************************************************/
+/* prompt user for a using conversation calls */
+/***************************************************************************/
+
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags, int argc,
+ const char **argv )
+{
+ int retval;
+ char *p;
+
+ struct pam_message msg[1],*pmsg[1];
+ struct pam_response *resp;
+
+ /* set up conversation call */
+
+ pmsg[0] = &msg[0];
+ msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
+ msg[0].msg = "Password: ";
+ resp = NULL;
+
+ if ( ( retval = converse( pamh, 1 , pmsg, &resp ) ) != PAM_SUCCESS )
+ return retval;
+
+ if ( resp )
+ {
+ if ( ( flags & PAM_DISALLOW_NULL_AUTHTOK ) &&
+ resp[0].resp == NULL )
+ {
+ free( resp );
+ return PAM_AUTH_ERR;
+ }
+
+ p = resp[ 0 ].resp;
+
+ /* This could be a memory leak. If resp[0].resp
+ is malloc()ed, then it has to be free()ed!
+ -- alex + */ + + resp[ 0 ].resp = NULL; + + } + else + return PAM_CONV_ERR; + + free( resp ); + pam_set_item( pamh, PAM_AUTHTOK, p ); + return PAM_SUCCESS; +} diff --git a/source/rpc_client/msrpc_netlogon.c b/source/rpc_client/msrpc_netlogon.c index 480414fbaa9..2e4c6a6dd6d 100644 --- a/source/rpc_client/msrpc_netlogon.c +++ b/source/rpc_client/msrpc_netlogon.c @@ -64,14 +64,14 @@ BOOL modify_trust_password(const char *domain, const char *srv_name, Do the same as security=server, but using NT Domain calls and a session key from the workstation trust account password. ************************************************************************/ -static uint32 domain_client_validate(const char *user, const char *domain, - const char *acct_name, uint16 acct_type, - const char *challenge, - const char *smb_apasswd, - int smb_apasslen, - const char *smb_ntpasswd, - int smb_ntpasslen, - NET_USER_INFO_3 * info3) +uint32 domain_client_validate(const char *server, + const char *user, const char *domain, + const char *acct_name, uint16 acct_type, + const char *challenge, + const char *smb_apasswd, + int smb_apasslen, + const char *smb_ntpasswd, + int smb_ntpasslen, NET_USER_INFO_3 * info3) { unsigned char trust_passwd[16]; NET_ID_INFO_CTR ctr; @@ -91,7 +91,11 @@ static uint32 domain_client_validate(const char *user, const char *domain, fstrcpy(trust_acct, acct_name); fstrcat(trust_acct, "$"); - if (!get_any_dc_name(domain, srv_name)) + if (server != NULL) + { + fstrcpy(srv_name, server); + } + else if (!get_any_dc_name(domain, srv_name)) { DEBUG(3, ("domain_client_validate: could not find domain %s, using local SAM\n", 
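Review bot: In _set_auth_tok the plaintext password taken from the conversation (`p`) is handed to pam_set_item, whose return value is ignored, and is then neither cleared nor freed; pam_set_item stores its own copy of the item, so this buffer stays owned by the module and the "could be a memory leak" comment is right — except that what leaks is the user's password, kept in heap memory for the life of the process. I would replace the last two statements with `retval = pam_set_item( pamh, PAM_AUTHTOK, p );`, then `if ( p ) { memset( p, 0, strlen( p ) ); free( p ); }`, then `return retval;`, adding `<string.h>` to the includes at the top of the hunk. converse, earlier in the same hunk, also dereferences `conv` without checking it for NULL after a successful pam_get_item; a `if ( conv == NULL ) return PAM_CONV_ERR;` guard avoids a crash when the application installed no conversation function.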
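Review bot: The new `server` parameter of domain_client_validate is not described in the header comment above the signature, and because the function is also made non-static here its contract now matters to callers outside this file. From the following hunk its semantics appear to be that a non-NULL `server` is copied into srv_name verbatim while NULL falls back to get_any_dc_name() for the domain; I would add `server: name of the DC to contact, or NULL to locate one for domain via get_any_dc_name()` to that comment. The function body continues past the end of this hunk.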
@@ -128,10 +132,9 @@ static uint32 domain_client_validate(const char *user, const char *domain, * Now start the NT Domain stuff :-). */ - status = - cli_nt_setup_creds(srv_name, domain, global_myname, - trust_acct, trust_passwd, acct_type, - &validation_level); + status = cli_nt_setup_creds(srv_name, domain, global_myname, + trust_acct, trust_passwd, acct_type, + &validation_level); if (status != 0x0) { DEBUG(0, ("domain_client_validate: credentials failed (%s)\n", @@ -201,10 +204,9 @@ static uint32 domain_client_validate(const char *user, const char *domain, if (status != 0x0) { - DEBUG(0, - ("domain_client_validate: unable to validate password for user %s in domain \ - %s to Domain controller %s.\n", - user, domain, srv_name)); + DEBUG(0, ("domain_client_validate: unable to validate \ + password for user %s in domain %s to \ + Domain controller %s.\n", user, domain, srv_name)); return status; } @@ -214,7 +216,7 @@ static uint32 domain_client_validate(const char *user, const char *domain, * locked out / disabled" etc!!!! */ - DEBUG(10, ("domain_client_validate: user %s\%s OK\n", domain, user)); + DEBUG(10, ("domain_client_validate: user %s\\%s OK\n", domain, user)); DEBUG(3, ("domain_client_validate: check lockout / pwd expired!\n")); return 0x0; @@ -263,7 +265,7 @@ uint32 check_domain_security(const char *orig_user, const char *domain, DEBUG(10, ("check_domain_security: %s(%d)\n", acct_name, acct_type)); - return domain_client_validate(orig_user, domain, + return domain_client_validate(NULL, orig_user, domain, acct_name, acct_type, challenge, smb_apasswd, smb_apasslen, diff --git a/source/samrd/srv_samr_passdb.c b/source/samrd/srv_samr_passdb.c index dade2fa0df6..49e534277df 100644 --- a/source/samrd/srv_samr_passdb.c +++ b/source/samrd/srv_samr_passdb.c 
@@ -989,10 +989,8 @@ uint32 _samr_query_dispinfo(const POLICY_HND * domain_pol, uint16 level, ********************************************************************/ uint32 _samr_delete_dom_user(POLICY_HND *user_pol) { - fstring user_name; uint32 user_rid = 0x0; DOM_SID user_sid; - struct sam_passwd *sam_pass; /* find the policy handle. open a policy on it. */ if (!get_policy_samr_sid(get_global_hnd_cache(), user_pol, &user_sid)) |