svn commit: samba r10844 - in branches/SAMBA_4_0/source: nsswitch winbind

abartlet at samba.org abartlet at samba.org
Sun Oct 9 12:13:06 GMT 2005 

Author: abartlet
Date: 2005-10-09 12:13:05 +0000 (Sun, 09 Oct 2005)
New Revision: 10844

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10844

Log:
Add challenge-response authentication to Samba4's winbindd for VL.

Plaintext should be simple, but I'm going to do some infrustructure
work first.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h
   branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c
   branches/SAMBA_4_0/source/winbind/wb_samba3_protocol.c


Changeset:
Modified: branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h
===================================================================
--- branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h	2005-10-09 08:32:06 UTC (rev 10843)
+++ branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h	2005-10-09 12:13:05 UTC (rev 10844)
@@ -186,7 +186,6 @@
 	pid_t pid;               /* pid of calling process */
 	uint32_t flags;            /* flags relavant to a given request */
 	winbind_string domain_name;	/* name of domain for which the request applies */
-	int msgid;
 
 	union {
 		winbind_string winsreq;     /* WINS request */
@@ -247,6 +246,8 @@
 			winbind_string cache_key;
 		} dual_sidaliases;
 	} data;
+	char *extra_data;
+	size_t extra_len;
 	char null_term;
 };
 

Modified: branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c
===================================================================
--- branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c	2005-10-09 08:32:06 UTC (rev 10843)
+++ branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c	2005-10-09 12:13:05 UTC (rev 10844)
@@ -33,6 +33,7 @@
 #include "libcli/smb_composite/smb_composite.h"
 #include "include/version.h"
 #include "lib/events/events.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
 
 NTSTATUS wbsrv_samba3_interface_version(struct wbsrv_samba3_call *s3call)
 {
@@ -175,3 +176,122 @@
 		return;
 	}
 }
+
+NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
+{
+	struct wbsrv_service *service =
+		s3call->call->wbconn->listen_socket->service;
+	
+	s3call->response.result			= WINBINDD_ERROR;
+	return NT_STATUS_OK;
+}
+
+NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
+{
+	struct wbsrv_service *service =
+		s3call->call->wbconn->listen_socket->service;
+	struct creds_CredentialState *creds_state;
+	struct netr_Authenticator auth, auth2;
+	struct netr_NetworkInfo ninfo;
+	struct netr_LogonSamLogon r;
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(s3call);
+	if (!mem_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ZERO_STRUCT(auth2);
+	creds_state = cli_credentials_get_netlogon_creds(service->schannel_creds);
+	
+	creds_client_authenticator(creds_state, &auth);
+
+	ninfo.identity_info.account_name.string = s3call->request.data.auth_crap.user;
+	ninfo.identity_info.domain_name.string = s3call->request.data.auth_crap.domain;
+	ninfo.identity_info.parameter_control = 0;
+	ninfo.identity_info.logon_id_low = 0;
+	ninfo.identity_info.logon_id_high = 0;
+	ninfo.identity_info.workstation.string = s3call->request.data.auth_crap.workstation;
+	memcpy(ninfo.challenge, s3call->request.data.auth_crap.chal,
+	       sizeof(ninfo.challenge));
+	ninfo.nt.length = s3call->request.data.auth_crap.nt_resp_len;
+	ninfo.nt.data = s3call->request.data.auth_crap.nt_resp;
+	ninfo.lm.length = s3call->request.data.auth_crap.lm_resp_len;
+	ninfo.lm.data = s3call->request.data.auth_crap.lm_resp;
+
+	r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(service->netlogon_pipe));
+	r.in.workstation = cli_credentials_get_workstation(service->schannel_creds);
+	r.in.credential = &auth;
+	r.in.return_authenticator = &auth2;
+	r.in.logon_level = 2;
+	r.in.validation_level = 3;
+	r.in.logon.network = &ninfo;
+
+	r.out.return_authenticator = NULL;
+	status = dcerpc_netr_LogonSamLogon(service->netlogon_pipe, mem_ctx, &r);
+	if (!r.out.return_authenticator || 
+	    !creds_client_check(creds_state, &r.out.return_authenticator->cred)) {
+		DEBUG(0, ("Credentials check failed!\n"));
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+	if (NT_STATUS_IS_OK(status)) {
+		struct netr_SamBaseInfo *base;
+		switch (r.in.validation_level) {
+		case 2:
+			base = &r.out.validation.sam2->base;
+			break;
+		case 3:
+			base = &r.out.validation.sam3->base;
+			break;
+		case 6:
+			base = &r.out.validation.sam6->base;
+			break;
+		}
+
+		creds_decrypt_samlogon(creds_state, 
+				       r.in.validation_level, 
+				       &r.out.validation);
+
+		if ((s3call->request.flags & WBFLAG_PAM_INFO3_NDR) 
+		    && (r.in.validation_level == 3)) {
+			DATA_BLOB tmp_blob, tmp_blob2;
+			status = ndr_push_struct_blob(&tmp_blob, mem_ctx, r.out.validation.sam3,
+						      (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
+			if (NT_STATUS_IS_OK(status)) {
+				tmp_blob2 = data_blob_talloc(mem_ctx, NULL, tmp_blob.length + 4);
+				if (!tmp_blob2.data) {
+					status = NT_STATUS_NO_MEMORY;
+				}
+			}
+			/* Ugly Samba3 winbind pipe compatability */
+			if (NT_STATUS_IS_OK(status)) {
+				SIVAL(tmp_blob2.data, 0, 1);
+				memcpy(tmp_blob2.data + 4, tmp_blob.data, tmp_blob.length); 
+			}
+			s3call->response.extra_data = talloc_steal(s3call, tmp_blob2.data);
+			s3call->response.length += tmp_blob2.length;
+		}
+		if (s3call->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
+			memcpy(s3call->response.data.auth.user_session_key, 
+			       base->key.key, sizeof(s3call->response.data.auth.user_session_key) /* 16 */);
+		}
+		if (s3call->request.flags & WBFLAG_PAM_LMKEY) {
+			memcpy(s3call->response.data.auth.first_8_lm_hash, 
+			       base->LMSessKey.key, sizeof(s3call->response.data.auth.first_8_lm_hash) /* 8 */);
+		}
+	}
+		
+	if (!NT_STATUS_IS_OK(status)) {
+		struct winbindd_response *resp = &s3call->response;
+		resp->result = WINBINDD_ERROR;
+	} else {
+		struct winbindd_response *resp = &s3call->response;
+		resp->result = WINBINDD_OK;
+	}
+		
+	WBSRV_SAMBA3_SET_STRING(s3call->response.data.auth.nt_status_string,
+				nt_errstr(status));
+	WBSRV_SAMBA3_SET_STRING(s3call->response.data.auth.error_string,
+				nt_errstr(status));
+	s3call->response.data.auth.pam_error = nt_status_to_pam(status);
+	return NT_STATUS_OK;
+}

Modified: branches/SAMBA_4_0/source/winbind/wb_samba3_protocol.c
===================================================================
--- branches/SAMBA_4_0/source/winbind/wb_samba3_protocol.c	2005-10-09 08:32:06 UTC (rev 10843)
+++ branches/SAMBA_4_0/source/winbind/wb_samba3_protocol.c	2005-10-09 12:13:05 UTC (rev 10844)
@@ -93,6 +93,12 @@
 
 	case WINBINDD_LOOKUPNAME:
 		return wbsrv_samba3_lookupname(s3call);
+
+	case WINBINDD_PAM_AUTH:
+		return wbsrv_samba3_pam_auth(s3call);
+
+	case WINBINDD_PAM_AUTH_CRAP:
+		return wbsrv_samba3_pam_auth_crap(s3call);
 	}
 
 	s3call->response.result = WINBINDD_ERROR;

More information about the samba-cvs mailing list