diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2003-03-24 09:54:13 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2003-03-24 09:54:13 +0000 |
| commit | ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664 (patch) | |
| tree | 17ae0e845f587de52c9dfa29f205a0b47c2b6f34 /source/nsswitch/wb_common.c | |
| parent | 339c14906802db6ddb59f07a0c71dcc3c73cc3d6 (diff) | |
| download | samba-ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664.tar.gz samba-ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664.tar.xz samba-ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664.zip | |
(merge from HEAD)
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
Diffstat (limited to 'source/nsswitch/wb_common.c')
| -rw-r--r-- | source/nsswitch/wb_common.c | 73 |
1 files changed, 53 insertions, 20 deletions
diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c index 89c751a4efb..ac1ccb217ed 100644 --- a/source/nsswitch/wb_common.c +++ b/source/nsswitch/wb_common.c @@ -131,27 +131,16 @@ static int make_safe_fd(int fd) /* Connect to winbindd socket */ -int winbind_open_pipe_sock(void) +static int winbind_named_pipe_sock(const char *dir) { -#ifdef HAVE_UNIXSOCKET struct sockaddr_un sunaddr; - static pid_t our_pid; struct stat st; pstring path; int fd; - if (our_pid != getpid()) { - close_sock(); - our_pid = getpid(); - } - - if (winbindd_fd != -1) { - return winbindd_fd; - } - /* Check permissions on unix socket directory */ - if (lstat(WINBINDD_SOCKET_DIR, &st) == -1) { + if (lstat(dir, &st) == -1) { return -1; } @@ -162,13 +151,13 @@ int winbind_open_pipe_sock(void) /* Connect to socket */ - strncpy(path, WINBINDD_SOCKET_DIR, sizeof(path) - 1); + strncpy(path, dir, sizeof(path) - 1); path[sizeof(path) - 1] = '\0'; - strncat(path, "/", sizeof(path) - 1); + strncat(path, "/", sizeof(path) - 1 - strlen(path)); path[sizeof(path) - 1] = '\0'; - strncat(path, WINBINDD_SOCKET_NAME, sizeof(path) - 1); + strncat(path, WINBINDD_SOCKET_NAME, sizeof(path) - 1 - strlen(path)); path[sizeof(path) - 1] = '\0'; ZERO_STRUCT(sunaddr); @@ -196,16 +185,60 @@ int winbind_open_pipe_sock(void) return -1; } - if ((winbindd_fd = make_safe_fd( fd)) == -1) { - return winbindd_fd; + if ((fd = make_safe_fd( fd)) == -1) { + return fd; } - if (connect(winbindd_fd, (struct sockaddr *)&sunaddr, + if (connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1) { - close_sock(); + close(fd); return -1; } + return fd; +} + +/* Connect to winbindd socket */ + +int winbind_open_pipe_sock(void) +{ +#ifdef HAVE_UNIXSOCKET + static pid_t our_pid; + struct winbindd_request request; + struct winbindd_response response; + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + if (our_pid != getpid()) { + close_sock(); + our_pid = getpid(); + } + + if (winbindd_fd != -1) { + return winbindd_fd; + } + + if ((winbindd_fd = winbind_named_pipe_sock(WINBINDD_SOCKET_DIR)) == -1) { + return -1; + } + + /* version-check the socket */ + + if ((winbindd_request(WINBINDD_INTERFACE_VERSION, &request, &response) != NSS_STATUS_SUCCESS) || (response.data.interface_version != WINBIND_INTERFACE_VERSION)) { + close_sock(); + return -1; + } + + /* try and get priv pipe */ + + if (winbindd_request(WINBINDD_PRIV_PIPE_DIR, &request, &response) == NSS_STATUS_SUCCESS) { + int fd; + if ((fd = winbind_named_pipe_sock(response.extra_data)) != -1) { + close(winbindd_fd); + winbindd_fd = fd; + } + } + return winbindd_fd; #else return -1; |