svn commit: samba r17616 - in branches/SAMBA_3_0/source/nsswitch: .

jra at samba.org jra at samba.org
Sun Aug 20 01:25:27 GMT 2006 

Author: jra
Date: 2006-08-20 01:25:26 +0000 (Sun, 20 Aug 2006)
New Revision: 17616

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17616

Log:
Add the lm and nt hashes to the cached credentials
stored - only store the password if we're going to
be doing a krb5 refresh. GD please review this change !
Now to add code to reference count the cached creds
(to allow multiple pam_logon/pam_logoffs to keep the
creds around), ensure that the cred cache is called
on all successful pam_logons (if we have winbindd cache
pam credentials = true, set this by default) and finally
ensure the creds cache is changed on successful password
change. GD - you *really* need to review this :-).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_cred_cache.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c	2006-08-19 22:18:03 UTC (rev 17615)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c	2006-08-20 01:25:26 UTC (rev 17616)
@@ -40,9 +40,10 @@
 	return False;
 }
 
-static NTSTATUS do_ntlm_auth_with_password(const char *username,
+static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
 					const char *domain,
-					const char *password,
+					const unsigned char lm_hash[LM_HASH_LEN],
+					const unsigned char nt_hash[NT_HASH_LEN],
 					const DATA_BLOB initial_msg,
 					const DATA_BLOB challenge_msg,
 					DATA_BLOB *auth_msg)
@@ -75,10 +76,10 @@
 		goto done;
 	}
 
-	status = ntlmssp_set_password(ntlmssp_state, password);
+	status = ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
         
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(1, ("Could not set password: %s\n",
+		DEBUG(1, ("Could not set hashes: %s\n",
 			nt_errstr(status)));
 		goto done;
 	}
@@ -256,7 +257,8 @@
 	if (!initial.data || !challenge.data) {
 		result = NT_STATUS_NO_MEMORY;
 	} else {
-		result = do_ntlm_auth_with_password(name_user, name_domain, entry->pass,
+		result = do_ntlm_auth_with_hashes(name_user, name_domain,
+						entry->lm_hash, entry->nt_hash,
 						initial, challenge, &auth);
 	}
 

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_cred_cache.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_cred_cache.c	2006-08-19 22:18:03 UTC (rev 17615)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_cred_cache.c	2006-08-20 01:25:26 UTC (rev 17616)
@@ -25,7 +25,7 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
-#define MAX_CCACHES 100 
+#define MAX_CCACHES 10000
 
 static struct WINBINDD_CCACHE_ENTRY *ccache_list;
 
@@ -75,19 +75,24 @@
 			DLIST_REMOVE(ccache_list, entry);
 			TALLOC_FREE(entry->event); /* unregisters events */
 #ifdef HAVE_MUNLOCK
-			if (entry->pass) {	
-				size_t len = strlen(entry->pass)+1;
+			if (entry->nt_hash) {	
+				size_t len = NT_HASH_LEN + LM_HASH_LEN;
+
+				if (entry->pass) {
+					len += strlen(entry->pass)+1;
+				}
+
 #ifdef DEBUG_PASSWORD
-				DEBUG(10,("unlocking memory: %p\n", entry->pass));
+				DEBUG(10,("unlocking memory: %p\n", entry->nt_hash));
 #endif
-				memset(entry->pass, 0, len);
-				if ((munlock(entry->pass, len)) == -1) {
+				memset(entry->nt_hash, 0, len);
+				if ((munlock(entry->nt_hash, len)) == -1) {
 					DEBUG(0,("failed to munlock memory: %s (%d)\n", 
 						strerror(errno), errno));
 					return map_nt_error_from_unix(errno);
 				}
 #ifdef DEBUG_PASSWORD
-				DEBUG(10,("munlocked memory: %p\n", entry->pass));
+				DEBUG(10,("munlocked memory: %p\n", entry->nt_hash));
 #endif
 			}
 #endif /* HAVE_MUNLOCK */
@@ -109,7 +114,6 @@
 	time_t new_start;
 	struct timeval t;
 
-
 	DEBUG(10,("krb5_ticket_refresh_handler called\n"));
 	DEBUGADD(10,("event called for: %s, %s\n", entry->ccname, entry->username));
 
@@ -245,30 +249,47 @@
 		NT_STATUS_HAVE_NO_MEMORY(new_entry->service);
 	}
 
-	if (schedule_refresh_event && pass) {
+	if (pass) {
+		size_t len = NT_HASH_LEN + LM_HASH_LEN;
+
+		/* We only store the plaintext if we're going to
+		   schedule a krb5 refresh. */
+
+		if (schedule_refresh_event) {
+			len += strlen(pass)+1;
+		}
+		
+		/* new_entry->nt_hash is the base pointer for the block
+		   of memory pointed into by new_entry->lm_hash and
+		   new_entry->pass (if we're storing plaintext). */
+
+		new_entry->nt_hash = (unsigned char *)TALLOC_ZERO(mem_ctx, len);
+		NT_STATUS_HAVE_NO_MEMORY(new_entry->nt_hash);
+
+		new_entry->lm_hash = new_entry->nt_hash + NT_HASH_LEN;
 #ifdef HAVE_MLOCK
-		size_t len = strlen(pass)+1;
-		
-		new_entry->pass = (char *)TALLOC_ZERO(mem_ctx, len);
-		NT_STATUS_HAVE_NO_MEMORY(new_entry->pass);
-		
 #ifdef DEBUG_PASSWORD
-		DEBUG(10,("mlocking memory: %p\n", new_entry->pass));
+		DEBUG(10,("mlocking memory: %p\n", new_entry->nt_hash));
 #endif		
-		if ((mlock(new_entry->pass, len)) == -1) {
+		if ((mlock(new_entry->nt_hash, len)) == -1) {
 			DEBUG(0,("failed to mlock memory: %s (%d)\n", 
 				strerror(errno), errno));
 			return map_nt_error_from_unix(errno);
 		} 
 		
 #ifdef DEBUG_PASSWORD
-		DEBUG(10,("mlocked memory: %p\n", new_entry->pass));
+		DEBUG(10,("mlocked memory: %p\n", new_entry->nt_hash));
 #endif		
-		memcpy(new_entry->pass, pass, len);
-#else
-		new_entry->pass = talloc_strdup(mem_ctx, pass);
-		NT_STATUS_HAVE_NO_MEMORY(new_entry->pass);
 #endif /* HAVE_MLOCK */
+
+		/* Create and store the password hashes. */
+		E_md4hash(pass, new_entry->nt_hash);
+		E_deshash(pass, new_entry->lm_hash);
+
+		if (schedule_refresh_event) {
+			new_entry->pass = (char *)new_entry->lm_hash + LM_HASH_LEN;
+			memcpy(new_entry->pass, pass, len - NT_HASH_LEN - LM_HASH_LEN);
+		}
 	}
 
 	new_entry->create_time = create_time;
@@ -279,7 +300,6 @@
 	}
 	new_entry->uid = uid;
 
-
 	if (schedule_refresh_event && renew_until > 0) {
 
 		struct timeval t = timeval_set((ticket_end -1 ), 0);
@@ -316,7 +336,7 @@
 		return NT_STATUS_OK;
 	}
 
-	mem_ctx = talloc_init("winbindd_ccache_krb5_handling");
+	mem_ctx = talloc_init("winbindd_ccache_handling");
 	if (mem_ctx == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h	2006-08-19 22:18:03 UTC (rev 17615)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h	2006-08-20 01:25:26 UTC (rev 17616)
@@ -462,6 +462,8 @@
 	const char *service;
 	const char *username;
 	const char *sid_string;
+	unsigned char *nt_hash; /* Base pointer for the following 2 */
+	unsigned char *lm_hash;
 	char *pass;
 	uid_t uid;
 	time_t create_time;

More information about the samba-cvs mailing list