auth: Remove dfs_auth() from pass_check.c and s4's auth_unix

The waf build has no logic to detect DCE/DFS, so this plaintext
authentication mechanism is dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

2 files changed, 0 insertions, 319 deletions

diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 10889bde45..27e1c20cc9 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -97,317 +97,6 @@ static bool afs_auth(char *user, char *password)
 #endif
 
 
-#ifdef WITH_DFS
-
-#include <dce/dce_error.h>
-#include <dce/sec_login.h>
-
-/*****************************************************************
- This new version of the DFS_AUTH code was donated by Karsten Muuss
- <muuss@or.uni-bonn.de>. It fixes the following problems with the
- old code :
-
-  - Server credentials may expire
-  - Client credential cache files have wrong owner
-  - purge_context() function is called with invalid argument
-
- This new code was modified to ensure that on exit the uid/gid is
- still root, and the original directory is restored. JRA.
-******************************************************************/
-
-sec_login_handle_t my_dce_sec_context;
-int dcelogin_atmost_once = 0;
-
-/*******************************************************************
-check on a DCE/DFS authentication
-********************************************************************/
-static bool dfs_auth(char *user, char *password)
-{
-	struct tm *t;
-	error_status_t err;
-	int err2;
-	int prterr;
-	signed32 expire_time, current_time;
-	boolean32 password_reset;
-	struct passwd *pw;
-	sec_passwd_rec_t passwd_rec;
-	sec_login_auth_src_t auth_src = sec_login_auth_src_network;
-	unsigned char dce_errstr[dce_c_error_string_len];
-	gid_t egid;
-
-	if (dcelogin_atmost_once)
-		return (False);
-
-#ifdef HAVE_CRYPT
-	/*
-	 * We only go for a DCE login context if the given password
-	 * matches that stored in the local password file.. 
-	 * Assumes local passwd file is kept in sync w/ DCE RGY!
-	 */
-
-	if (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()))
-	{
-		return (False);
-	}
-#endif
-
-	sec_login_get_current_context(&my_dce_sec_context, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
-
-		return (False);
-	}
-
-	sec_login_certify_identity(my_dce_sec_context, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
-
-		return (False);
-	}
-
-	sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
-
-		return (False);
-	}
-
-	time(&current_time);
-
-	if (expire_time < (current_time + 60))
-	{
-		struct passwd *pw;
-		sec_passwd_rec_t *key;
-
-		sec_login_get_pwent(my_dce_sec_context,
-				    (sec_login_passwd_t *) & pw, &err);
-		if (err != error_status_ok)
-		{
-			dce_error_inq_text(err, dce_errstr, &err2);
-			DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
-
-			return (False);
-		}
-
-		sec_login_refresh_identity(my_dce_sec_context, &err);
-		if (err != error_status_ok)
-		{
-			dce_error_inq_text(err, dce_errstr, &err2);
-			DEBUG(0, ("DCE can't refresh identity. %s\n",
-				  dce_errstr));
-
-			return (False);
-		}
-
-		sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
-				     (unsigned char *)pw->pw_name,
-				     sec_c_key_version_none,
-				     (void **)&key, &err);
-		if (err != error_status_ok)
-		{
-			dce_error_inq_text(err, dce_errstr, &err2);
-			DEBUG(0, ("DCE can't get key for %s. %s\n",
-				  pw->pw_name, dce_errstr));
-
-			return (False);
-		}
-
-		sec_login_valid_and_cert_ident(my_dce_sec_context, key,
-					       &password_reset, &auth_src,
-					       &err);
-		if (err != error_status_ok)
-		{
-			dce_error_inq_text(err, dce_errstr, &err2);
-			DEBUG(0,
-			      ("DCE can't validate and certify identity for %s. %s\n",
-			       pw->pw_name, dce_errstr));
-		}
-
-		sec_key_mgmt_free_key(key, &err);
-		if (err != error_status_ok)
-		{
-			dce_error_inq_text(err, dce_errstr, &err2);
-			DEBUG(0, ("DCE can't free key.\n", dce_errstr));
-		}
-	}
-
-	if (sec_login_setup_identity((unsigned char *)user,
-				     sec_login_no_flags,
-				     &my_dce_sec_context, &err) == 0)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
-			  user, dce_errstr));
-		return (False);
-	}
-
-	sec_login_get_pwent(my_dce_sec_context,
-			    (sec_login_passwd_t *) & pw, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
-
-		return (False);
-	}
-
-	sec_login_purge_context(&my_dce_sec_context, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr));
-
-		return (False);
-	}
-
-	/*
-	 * NB. I'd like to change these to call something like change_to_user()
-	 * instead but currently we don't have a connection
-	 * context to become the correct user. This is already
-	 * fairly platform specific code however, so I think
-	 * this should be ok. I have added code to go
-	 * back to being root on error though. JRA.
-	 */
-
-	egid = getegid();
-
-	set_effective_gid(pw->pw_gid);
-	set_effective_uid(pw->pw_uid);
-
-	if (sec_login_setup_identity((unsigned char *)user,
-				     sec_login_no_flags,
-				     &my_dce_sec_context, &err) == 0)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
-			  user, dce_errstr));
-		goto err;
-	}
-
-	sec_login_get_pwent(my_dce_sec_context,
-			    (sec_login_passwd_t *) & pw, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
-		goto err;
-	}
-
-	passwd_rec.version_number = sec_passwd_c_version_none;
-	passwd_rec.pepper = NULL;
-	passwd_rec.key.key_type = sec_passwd_plain;
-	passwd_rec.key.tagged_union.plain = (idl_char *) password;
-
-	sec_login_validate_identity(my_dce_sec_context,
-				    &passwd_rec, &password_reset,
-				    &auth_src, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0,
-		      ("DCE Identity Validation failed for principal %s: %s\n",
-		       user, dce_errstr));
-		goto err;
-	}
-
-	sec_login_certify_identity(my_dce_sec_context, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr));
-		goto err;
-	}
-
-	if (auth_src != sec_login_auth_src_network)
-	{
-		DEBUG(0, ("DCE context has no network credentials.\n"));
-	}
-
-	sec_login_set_context(my_dce_sec_context, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0,
-		      ("DCE login failed for principal %s, cant set context: %s\n",
-		       user, dce_errstr));
-
-		sec_login_purge_context(&my_dce_sec_context, &err);
-		goto err;
-	}
-
-	sec_login_get_pwent(my_dce_sec_context,
-			    (sec_login_passwd_t *) & pw, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
-		goto err;
-	}
-
-	DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n",
-		  user, getpid()));
-
-	DEBUG(3, ("DCE principal: %s\n"
-		  "          uid: %d\n"
-		  "          gid: %d\n",
-		  pw->pw_name, pw->pw_uid, pw->pw_gid));
-	DEBUG(3, ("         info: %s\n"
-		  "          dir: %s\n"
-		  "        shell: %s\n",
-		  pw->pw_gecos, pw->pw_dir, pw->pw_shell));
-
-	sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
-		goto err;
-	}
-
-	set_effective_uid(0);
-	set_effective_gid(0);
-
-	t = localtime(&expire_time);
-	if (t) {
-		const char *asct = asctime(t);
-		if (asct) {
-			DEBUG(0,("DCE context expires: %s", asct));
-		}
-	}
-
-	dcelogin_atmost_once = 1;
-	return (True);
-
-      err:
-
-	/* Go back to root, JRA. */
-	set_effective_uid(0);
-	set_effective_gid(egid);
-	return (False);
-}
-
-void dfs_unlogin(void)
-{
-	error_status_t err;
-	int err2;
-	unsigned char dce_errstr[dce_c_error_string_len];
-
-	sec_login_purge_context(&my_dce_sec_context, &err);
-	if (err != error_status_ok)
-	{
-		dce_error_inq_text(err, dce_errstr, &err2);
-		DEBUG(0,
-		      ("DCE purge login context failed for server instance %d: %s\n",
-		       getpid(), dce_errstr));
-	}
-}
-#endif
 
 #ifdef LINUX_BIGCRYPT
 /****************************************************************************
@@ -483,10 +172,6 @@ static NTSTATUS password_check(const char *user, const char *password, const voi
 		return NT_STATUS_OK;
 #endif /* WITH_AFS */
 
-#ifdef WITH_DFS
-	if (dfs_auth(user, password))
-		return NT_STATUS_OK;
-#endif /* WITH_DFS */
 
 #ifdef OSF1_ENH_SEC
 
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index 57bca6cc5b..86139b4409 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -518,10 +518,6 @@ static NTSTATUS password_check(const char *username, const char *password,
 		return NT_STATUS_OK;
 #endif /* WITH_AFS */
 
-#ifdef WITH_DFS
-	if (dfs_auth(username, password))
-		return NT_STATUS_OK;
-#endif /* WITH_DFS */
 
 #ifdef OSF1_ENH_SEC