trying to get anonymous access working properly in netlogond,

so that user-password-changing works. [urr... connection? hellooo? it's a long story...]
author: Luke Leighton <lkcl@samba.org> 2000-05-02 10:26:03 +0000
committer: Luke Leighton <lkcl@samba.org> 2000-05-02 10:26:03 +0000
commit: a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4 (patch)
tree: d9c925459eb86fa2c38ca1b751357e46bf1d7f90
parent: 25022754408eebce57b6552a095fe14197bee22f (diff)
download: samba-a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4.tar.gz
samba-a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4.tar.xz
samba-a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4.zip
4 files changed, 94 insertions, 43 deletions
diff --git a/source/libsmb/clidomain.c b/source/libsmb/clidomain.c
index be065389e9e..d1003c44f84 100644
--- a/source/libsmb/clidomain.c
+++ b/source/libsmb/clidomain.c
@@ -244,10 +244,11 @@ BOOL get_any_dc_name(const char *domain, char *srv_name)
 
 	DEBUG(10,("get_any_dc_name: domain %s\n", domain));
 
-	if (strequal(domain, global_myname)
-	    || strequal(domain, "Builtin"))
+	if (strequal(domain, global_myname) ||
+			strequal(domain, "Builtin") ||
+			strequal(domain, ""))
 	{
-		DEBUG(10,("get_any_dc_name: our own server!\n"));
+		DEBUG(10,("get_any_dc_name: our own server\n"));
 		fstrcpy(srv_name, "\\\\.");
 		return True;
 	}
diff --git a/source/libsmb/nterr.c b/source/libsmb/nterr.c
index de5582e92c5..b99d574484e 100644
--- a/source/libsmb/nterr.c
+++ b/source/libsmb/nterr.c
@@ -547,9 +547,6 @@ BOOL get_safe_nt_error_msg(uint32 nt_code, char *msg, size_t len)
 const char *get_nt_error_msg(uint32 nt_code)
 {
 	static pstring msg;
-	if (get_safe_nt_error_msg(nt_code, msg, sizeof(msg)))
-	{
-		return msg;
-	}
-	return "unknown error";
+	get_safe_nt_error_msg(nt_code, msg, sizeof(msg));
+	return msg;
 }
diff --git a/source/netlogond/srv_netlogon_nt.c b/source/netlogond/srv_netlogon_nt.c
index 8bba8a2206b..0540a9efaba 100644
--- a/source/netlogond/srv_netlogon_nt.c
+++ b/source/netlogond/srv_netlogon_nt.c
@@ -314,7 +314,7 @@ static uint32 net_login_interactive(const NET_ID_INFO_1 * id1,
 }
 
 /*************************************************************************
- net_login_network:
+ net_login_general:
  *************************************************************************/
 static uint32 net_login_general(const NET_ID_INFO_4 * id4,
 				struct dcinfo *dc, char usr_sess_key[16])
@@ -901,12 +901,12 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	NTTIME pass_last_set_time;
 	NTTIME pass_can_change_time;
 	NTTIME pass_must_change_time;
-	UNISTR2 *uni_nt_name;
-	UNISTR2 *uni_full_name;
-	UNISTR2 *uni_logon_script;
-	UNISTR2 *uni_profile_path;
-	UNISTR2 *uni_home_dir;
-	UNISTR2 *uni_dir_drive;
+	UNISTR2 *uni_nt_name = NULL;
+	UNISTR2 *uni_full_name = NULL;
+	UNISTR2 *uni_logon_script = NULL;
+	UNISTR2 *uni_profile_path = NULL;
+	UNISTR2 *uni_home_dir = NULL;
+	UNISTR2 *uni_dir_drive = NULL;
 	uint32 user_rid;
 	uint32 group_rid;
 	int num_gids = 0;
@@ -917,6 +917,13 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	UNISTR2 uni_myname;
 	UNISTR2 uni_sam_name;
 	uint32 status = NT_STATUS_NOPROBLEMO;
+	uint32 lm_pw_len = 0;
+	uint32 nt_pw_len = 0;
+	BOOL anonymouse = False;
+
+	ZERO_STRUCT(ctr);
+	ZERO_STRUCT(lm_pw8);
+	ZERO_STRUCT(usr_sess_key);
 
 	/*
 	 * checks and updates credentials.  creates reply credentials
@@ -950,6 +957,8 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 		{
 			uni_samusr = &id_ctr->auth.id1.uni_user_name;
 			uni_domain = &id_ctr->auth.id1.uni_domain_name;
+			nt_pw_len = 16;
+			lm_pw_len = 16;
 			DEBUG(3, ("SAM Logon (Interactive)."));
 			break;
 		}
@@ -957,6 +966,8 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 		{
 			uni_samusr = &id_ctr->auth.id2.uni_user_name;
 			uni_domain = &id_ctr->auth.id2.uni_domain_name;
+			nt_pw_len = id_ctr->auth.id2.hdr_nt_chal_resp.str_str_len;
+			lm_pw_len = id_ctr->auth.id2.hdr_lm_chal_resp.str_str_len;
 			DEBUG(3, ("SAM Logon (Network). "));
 			break;
 		}
@@ -964,6 +975,8 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 		{
 			uni_samusr = &id_ctr->auth.id4.uni_user_name;
 			uni_domain = &id_ctr->auth.id4.uni_domain_name;
+			lm_pw_len = id_ctr->auth.id4.hdr_general.str_str_len;
+			nt_pw_len = 0;
 			DEBUG(3, ("SAM Logon (General). "));
 			break;
 		}
@@ -984,7 +997,8 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	 */
 
 	if (lp_server_role() == ROLE_STANDALONE &&
-			!strequal(nt_samname, global_myname))
+			(!strequal(nt_samname, global_myname) &&
+			 !strequal(nt_samname, "")))
 	{
 		DEBUG(1,("_net_sam_logon: stand-alone server cannot remote-auth domain users!\n"));
 		return NT_STATUS_ACCESS_DENIED;
@@ -995,6 +1009,7 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	 */
 
 	if (!strequal(nt_samname, global_sam_name) &&
+	    !strequal(nt_samname, "") &&
 	    !strequal(nt_samname, global_myname))
 	{
 		DEBUG(5,("remote-auth: SAM name: %s my name: %s\n",
@@ -1045,6 +1060,19 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	}
 
 	/*
+	 * check anonymous status
+	 */
+
+	if (lm_pw_len <= 1 && nt_pw_len == 0 &&
+	    strlen(nt_username) == 0 && strlen(nt_samname) == 0)
+	{
+		char *guest_acct = lp_guestaccount(-1);
+		anonymouse = guest_acct && guest_acct[0];
+		DEBUG(5,("Anonymous Access allowed: %s\n",
+					BOOLSTR(anonymouse)));
+	}
+
+	/*
 	 * IMPORTANT: do a General Login BEFORE the others,
 	 * because "update encrypted" may be enabled, which
 	 * will result in the smb password entry being added.
@@ -1074,24 +1102,30 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	 * needed for the user profile.
 	 */
 
-	become_root(True);
-	status_pwd = direct_samr_userinfo(uni_samusr, 21, &ctr,
-					  &gids, &num_gids, False);
-	unbecome_root(True);
-
-	if (status_pwd != NT_STATUS_NOPROBLEMO)
+	if (!anonymouse)
 	{
-		free_samr_userinfo_ctr(&ctr);
+		become_root(True);
+		status_pwd = direct_samr_userinfo(uni_samusr, 21, &ctr,
+						  &gids, &num_gids, False);
+		unbecome_root(True);
+
+		if (status_pwd != NT_STATUS_NOPROBLEMO)
+		{
+			free_samr_userinfo_ctr(&ctr);
 
-		return TooMuchInformation(status_pwd);
+			return TooMuchInformation(status_pwd);
+		}
+		acb_info = ctr.info.id21->acb_info;
+	}
+	else
+	{
+		acb_info = ACB_NORMAL | ACB_PWNOTREQ;
 	}
 
 	/*
 	 * check the Account Control Bits
 	 */
 
-	acb_info = ctr.info.id21->acb_info;
-
 	if (IS_BITS_SET_ALL(acb_info, ACB_DISABLED))
 	{
 		return TooMuchInformation(NT_STATUS_ACCOUNT_DISABLED);
@@ -1116,20 +1150,34 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 	 * get some user profile info
 	 */
 
-	logon_time = ctr.info.id21->logon_time;
-	logoff_time = ctr.info.id21->logoff_time;
-	kickoff_time = ctr.info.id21->kickoff_time;
-	pass_last_set_time = ctr.info.id21->pass_last_set_time;
-	pass_can_change_time = ctr.info.id21->pass_can_change_time;
-	pass_must_change_time = ctr.info.id21->pass_must_change_time;
-	uni_nt_name = &ctr.info.id21->uni_user_name;
-	uni_full_name = &ctr.info.id21->uni_full_name;
-	uni_home_dir = &ctr.info.id21->uni_home_dir;
-	uni_dir_drive = &ctr.info.id21->uni_dir_drive;
-	uni_logon_script = &ctr.info.id21->uni_logon_script;
-	uni_profile_path = &ctr.info.id21->uni_profile_path;
-	user_rid = ctr.info.id21->user_rid;
-	group_rid = ctr.info.id21->group_rid;
+	if (!anonymouse)
+	{
+		logon_time = ctr.info.id21->logon_time;
+		logoff_time = ctr.info.id21->logoff_time;
+		kickoff_time = ctr.info.id21->kickoff_time;
+		pass_last_set_time = ctr.info.id21->pass_last_set_time;
+		pass_can_change_time = ctr.info.id21->pass_can_change_time;
+		pass_must_change_time = ctr.info.id21->pass_must_change_time;
+		uni_nt_name = &ctr.info.id21->uni_user_name;
+		uni_full_name = &ctr.info.id21->uni_full_name;
+		uni_home_dir = &ctr.info.id21->uni_home_dir;
+		uni_dir_drive = &ctr.info.id21->uni_dir_drive;
+		uni_logon_script = &ctr.info.id21->uni_logon_script;
+		uni_profile_path = &ctr.info.id21->uni_profile_path;
+		user_rid = ctr.info.id21->user_rid;
+		group_rid = ctr.info.id21->group_rid;
+	}
+	else
+	{
+		init_nt_time(&logon_time);
+		init_nt_time(&logoff_time);
+		init_nt_time(&kickoff_time);
+		init_nt_time(&pass_last_set_time);
+		init_nt_time(&pass_can_change_time);
+		init_nt_time(&pass_must_change_time);
+		user_rid = DOMAIN_USER_RID_GUEST;
+		group_rid = DOMAIN_GROUP_RID_GUESTS;
+	}
 
 	/*
 	 * validate password - if required
@@ -1172,6 +1220,10 @@ uint32 _net_sam_logon(const UNISTR2 *uni_logon_srv,
 			return TooMuchInformation(status);
 		}
 	}
+	else
+	{
+		(*auth_resp) = 1;
+	}
 
 	/* lkclXXXX this is the point at which, if the login was
 	   successful, that the SAM Local Security Authority should
diff --git a/source/rpc_client/msrpc_netlogon.c b/source/rpc_client/msrpc_netlogon.c
index 578b018fe44..122d2633ab7 100644
--- a/source/rpc_client/msrpc_netlogon.c
+++ b/source/rpc_client/msrpc_netlogon.c
@@ -239,13 +239,14 @@ uint32 check_domain_security(const char *orig_user, const char *domain,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (domain == NULL || strequal(domain, ""))
+	if (domain == NULL)
 	{
-		domain = global_myworkgroup;
+		domain = "";
 	}
 
 	if (strequal(domain, global_myworkgroup) ||
-	    strequal(domain, global_myname))
+	    strequal(domain, global_myname) ||
+	    strequal(domain, ""))
 	{
 		/*
 		 * local
author	Luke Leighton <lkcl@samba.org>	2000-05-02 10:26:03 +0000
committer	Luke Leighton <lkcl@samba.org>	2000-05-02 10:26:03 +0000
commit	a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4 (patch)
tree	d9c925459eb86fa2c38ca1b751357e46bf1d7f90
parent	25022754408eebce57b6552a095fe14197bee22f (diff)
download	samba-a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4.tar.gz samba-a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4.tar.xz samba-a3bbd2eec8811e7a4239fe3eb88dbc5e0396eab4.zip