summaryrefslogtreecommitdiffstats
path: root/source/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-02-24 02:35:54 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-02-24 02:35:54 +0000
commit74b5436c75114170ce7c780c19226103d0df9060 (patch)
treec6aa30cf6af4f7bcb72cd8d91b342f70af1c92cc /source/auth
parent822f6c2f38b9b30dca2358e99ad6a379f5890c89 (diff)
downloadsamba-74b5436c75114170ce7c780c19226103d0df9060.tar.gz
samba-74b5436c75114170ce7c780c19226103d0df9060.tar.xz
samba-74b5436c75114170ce7c780c19226103d0df9060.zip
Merge of server-side authentication changes to 3.0:
- user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett
Diffstat (limited to 'source/auth')
-rw-r--r--source/auth/auth_ntlmssp.c2
-rw-r--r--source/auth/auth_rhosts.c68
-rw-r--r--source/auth/auth_util.c73
3 files changed, 87 insertions, 56 deletions
diff --git a/source/auth/auth_ntlmssp.c b/source/auth/auth_ntlmssp.c
index 43542b24744..d32d2482966 100644
--- a/source/auth/auth_ntlmssp.c
+++ b/source/auth/auth_ntlmssp.c
@@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
}
NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
- DATA_BLOB request, DATA_BLOB *reply)
+ const DATA_BLOB request, DATA_BLOB *reply)
{
return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
}
diff --git a/source/auth/auth_rhosts.c b/source/auth/auth_rhosts.c
index 4ed0e6bbc43..5451f7d9309 100644
--- a/source/auth/auth_rhosts.c
+++ b/source/auth/auth_rhosts.c
@@ -129,23 +129,19 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e
return False;
}
-
/****************************************************************************
check for a possible hosts equiv or rhosts entry for the user
****************************************************************************/
-static BOOL check_hosts_equiv(struct passwd *pass)
+static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
{
char *fname = NULL;
- if (!pass)
- return(False);
-
fname = lp_hosts_equiv();
/* note: don't allow hosts.equiv on root */
- if (fname && *fname && (pass->pw_uid != 0)) {
- if (check_user_equiv(pass->pw_name,client_name(),fname))
+ if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) {
+ if (check_user_equiv(pdb_get_username(account),client_name(),fname))
return(True);
}
@@ -164,15 +160,18 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex
auth_serversupplied_info **server_info)
{
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- struct passwd *pass = Get_Pwnam(user_info->internal_username.str);
-
- if (pass) {
- if (check_hosts_equiv(pass)) {
- nt_status = NT_STATUS_OK;
- make_server_info_pw(server_info, pass);
- }
+ SAM_ACCOUNT *account = NULL;
+ if (!NT_STATUS_IS_OK(nt_status =
+ auth_get_sam_account(user_info->internal_username.str,
+ &account))) {
+ return nt_status;
+ }
+
+ if (check_hosts_equiv(account)) {
+ nt_status = make_server_info_sam(server_info, account);
} else {
- nt_status = NT_STATUS_NO_SUCH_USER;
+ pdb_free_sam(&account);
+ nt_status = NT_STATUS_LOGON_FAILURE;
}
return nt_status;
@@ -186,6 +185,7 @@ NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* par
}
(*auth_method)->auth = check_hostsequiv_security;
+ (*auth_method)->name = "hostsequiv";
return NT_STATUS_OK;
}
@@ -201,24 +201,33 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
auth_serversupplied_info **server_info)
{
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- struct passwd *pass = Get_Pwnam(user_info->internal_username.str);
+ SAM_ACCOUNT *account = NULL;
pstring rhostsfile;
+ const char *home;
- if (pass) {
- char *home = pass->pw_dir;
- if (home) {
- slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
- become_root();
- if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) {
- nt_status = NT_STATUS_OK;
- make_server_info_pw(server_info, pass);
- }
- unbecome_root();
- }
- } else {
- nt_status = NT_STATUS_NO_SUCH_USER;
+ if (!NT_STATUS_IS_OK(nt_status =
+ auth_get_sam_account(user_info->internal_username.str,
+ &account))) {
+ return nt_status;
}
+ home = pdb_get_unix_homedir(account);
+
+ if (home) {
+ slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
+ become_root();
+ if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
+ nt_status = make_server_info_sam(server_info, account);
+ } else {
+ pdb_free_sam(&account);
+ nt_status = NT_STATUS_LOGON_FAILURE;
+ }
+ unbecome_root();
+ } else {
+ pdb_free_sam(&account);
+ nt_status = NT_STATUS_LOGON_FAILURE;
+ }
+
return nt_status;
}
@@ -230,5 +239,6 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param,
}
(*auth_method)->auth = check_rhosts_security;
+ (*auth_method)->name = "rhosts";
return NT_STATUS_OK;
}
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index bbe0c7cf432..7d85153bd0e 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -78,6 +78,36 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli
}
/****************************************************************************
+ Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
+ unix info.
+****************************************************************************/
+
+NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
+{
+ BOOL pdb_ret;
+ NTSTATUS nt_status;
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) {
+ return nt_status;
+ }
+
+ become_root();
+ pdb_ret = pdb_getsampwnam(*account, user);
+ unbecome_root();
+
+ if (!pdb_ret) {
+
+ struct passwd *pass = Get_Pwnam(user);
+ if (!pass)
+ return NT_STATUS_NO_SUCH_USER;
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) {
+ return nt_status;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
Create an auth_usersupplied_data structure
****************************************************************************/
@@ -641,34 +671,25 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
* of groups.
******************************************************************************/
-static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid,
+static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
int *n_groups, DOM_SID **groups, gid_t **unix_groups)
{
uid_t uid;
- enum SID_NAME_USE snu;
- fstring str;
+ gid_t gid;
int n_unix_groups;
int i;
struct passwd *usr;
-
+
*n_groups = 0;
*groups = NULL;
-
- if (!sid_to_uid(user_sid, &uid, &snu)) {
- DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n",
- sid_to_string(str, user_sid)));
- /* This might be a non-unix account */
- return NT_STATUS_OK;
- }
- /*
- * This is _essential_ to prevent occasional segfaults when
- * winbind can't find uid -> username mapping
- */
- if (!(usr = getpwuid_alloc(uid))) {
- DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid));
+ if (!IS_SAM_UNIX_USER(sampass)) {
+ DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
return NT_STATUS_NO_SUCH_USER;
- };
+ }
+
+ uid = pdb_get_uid(sampass);
+ gid = pdb_get_gid(sampass);
n_unix_groups = groups_max();
if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
@@ -677,7 +698,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid,
return NT_STATUS_NO_MEMORY;
}
- if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) {
+ if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
gid_t *groups_tmp;
groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
if (!groups_tmp) {
@@ -687,7 +708,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid,
}
*unix_groups = groups_tmp;
- if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) {
+ if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
SAFE_FREE(*unix_groups);
passwd_free(&usr);
@@ -695,9 +716,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid,
}
}
- debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups);
-
- passwd_free(&usr);
+ debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
if (n_unix_groups > 0) {
*groups = malloc(sizeof(DOM_SID) * n_unix_groups);
@@ -763,7 +782,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
}
if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(pdb_get_user_sid(sampass),
+ = get_user_groups_from_local_sam(sampass,
&n_groupSIDs, &groupSIDs, &unix_groups)))
{
DEBUG(4,("get_user_groups_from_local_sam failed\n"));
@@ -838,7 +857,9 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
nt_status = make_server_info_sam(server_info, sampass);
- (*server_info)->guest = True;
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*server_info)->guest = True;
+ }
return nt_status;
}
@@ -996,7 +1017,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
returned to the caller. */
if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(&user_sid,
+ = get_user_groups_from_local_sam(sam_account,
&n_lgroupSIDs,
&lgroupSIDs,
&unix_groups)))