[PATCH] auth samstrict_dc ...

Stefan (metze) Metzmacher metze at metzemix.de
Mon Dec 30 21:25:00 GMT 2002 

Hi Andrew,

here are the auth changes without the module changes...




metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <metze at metzemix.de>
-------------- next part --------------
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/auth/auth.c HEAD-auth/source/auth/auth.c
--- HEAD/source/auth/auth.c	Sun Dec 22 10:17:55 2002
+++ HEAD-auth/source/auth/auth.c	Sun Dec 29 18:50:33 2002
@@ -31,6 +31,7 @@ const struct auth_init_function_entry bu
 	{ "hostsequiv", auth_init_hostsequiv },
 	{ "sam", auth_init_sam },	
 	{ "samstrict", auth_init_samstrict },
+	{ "samstrict_dc", auth_init_samstrict_dc },
 	{ "unix", auth_init_unix },
 	{ "smbserver", auth_init_smbserver },
 	{ "ntdomain", auth_init_ntdomain },
@@ -135,7 +136,7 @@ static BOOL check_domain_match(const cha
 
 	if (!lp_allow_trusted_domains() &&
 	    !(strequal("", domain) || 
-	      strequal(lp_workgroup(), domain) || 
+	      is_myworkgroup(domain) || 
 	      is_myname(domain))) {
 		DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
 		return False;
@@ -391,9 +392,28 @@ NTSTATUS make_auth_context_subsystem(str
 			auth_method_list = str_list_make("guest sam smbserver", NULL);
 			break;
 		case SEC_USER:
-			if (lp_encrypted_passwords()) {	
-				DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
-				auth_method_list = str_list_make("guest sam", NULL);
+			if (lp_encrypted_passwords()) {
+				if (lp_allow_trusted_domains()) {
+					if (lp_domain_logons()) {
+						DEBUG(5,("Making default auth method list for security=user, \n"));
+						DEBUGADD(5,("allow trusted domains = yes, encrypt passwords = yes, domain logons = yes\n"));
+						auth_method_list = str_list_make("guest samstrict_dc trustdomain", NULL);					
+					} else {	
+						DEBUG(5,("Making default auth method list for security=user, \n"));
+						DEBUGADD(5,("allow trusted domains = yes, encrypt passwords = yes, domain logons = no\n"));
+						auth_method_list = str_list_make("guest samstrict trustdomain", NULL);
+					}
+				} else {
+					if (lp_domain_logons()) {
+						DEBUG(5,("Making default auth method list for security=user, \n"));
+						DEBUGADD(5,("allow trusted domains = no, encrypt passwords = yes, domain logons = yes\n"));
+						auth_method_list = str_list_make("guest samstrict_dc", NULL);					
+					} else {	
+						DEBUG(5,("Making default auth method list for security=user, \n"));
+						DEBUGADD(5,("allow trusted domains = no, encrypt passwords = yes, domain logons = no\n"));
+						auth_method_list = str_list_make("guest samstrict", NULL);
+					}
+				}
 			} else {
 				DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
 				auth_method_list = str_list_make("guest unix", NULL);
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/auth/auth_domain.c HEAD-auth/source/auth/auth_domain.c
--- HEAD/source/auth/auth_domain.c	Fri Dec 13 07:25:43 2002
+++ HEAD-auth/source/auth/auth_domain.c	Sun Dec 29 11:08:11 2002
@@ -414,7 +414,8 @@ static NTSTATUS check_ntdomain_security(
 	 * password file.
 	 */
 
-	if(is_myname(user_info->domain.str)) {
+	if(is_myname(user_info->domain.str)||
+		strequal("", user_info->domain.str)) {
 		DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
 		return NT_STATUS_LOGON_FAILURE;
 	}
@@ -492,7 +493,8 @@ static NTSTATUS check_trustdomain_securi
 	 * password file.
 	 */
 
-	if(is_myname(user_info->domain.str)) {
+	if(is_myname(user_info->domain.str)||
+		strequal("", user_info->domain.str)) {
 		DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n"));
 		return NT_STATUS_LOGON_FAILURE;
 	}
@@ -502,7 +504,7 @@ static NTSTATUS check_trustdomain_securi
 	 * If it is, we should use our own local password file.
 	 */
 
-	if(strequal(lp_workgroup(), (user_info->domain.str))) {
+	if(is_myworkgroup(user_info->domain.str)) {
 		DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
 		return NT_STATUS_LOGON_FAILURE;
 	}
@@ -515,7 +517,7 @@ static NTSTATUS check_trustdomain_securi
 	if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time))
 	{
 		DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		return NT_STATUS_LOGON_FAILURE;/* we don't trust the domain */
 	}
 
 #ifdef DEBUG_PASSWORD
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/auth/auth_sam.c HEAD-auth/source/auth/auth_sam.c
--- HEAD/source/auth/auth_sam.c	Mon Nov 18 06:44:20 2002
+++ HEAD-auth/source/auth/auth_sam.c	Sun Dec 29 18:56:24 2002
@@ -452,9 +452,13 @@ static NTSTATUS check_samstrict_security
 
 	/* If we are a domain member, we must not 
 	   attempt to check the password locally,
-	   unless it is one of our aliases. */
+	   unless it is one of our aliases 
+	   or empty */
 	
-	if (!is_myname(user_info->domain.str)) {
+	if ((!is_myname(user_info->domain.str))&&
+		(!strequal("", user_info->domain.str))) {
+		DEBUG(7,("The requested user domain is not local. [%s]\\[%s}\n",
+			user_info->domain.str,user_info->internal_username.str));
 		return NT_STATUS_NO_SUCH_USER;
 	}
 	
@@ -473,4 +477,46 @@ NTSTATUS auth_init_samstrict(struct auth
 	return NT_STATUS_OK;
 }
 
+/****************************************************************************
+Check SAM security (above) but with a few extra checks.
+****************************************************************************/
 
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+					 void *my_private_data, 
+					 TALLOC_CTX *mem_ctx,
+					 const auth_usersupplied_info *user_info, 
+					 auth_serversupplied_info **server_info)
+{
+
+	if (!user_info || !auth_context) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	/* If we are a domain member, we must not 
+	   attempt to check the password locally,
+	   unless it is one of our aliases, empty
+	   or our domain if we are a logon server.*/
+	
+
+	if ((!is_myworkgroup(user_info->domain.str))&&
+		(!is_myname(user_info->domain.str))&&
+		(!strequal("", user_info->domain.str))){
+		DEBUG(7,("The requested user domain is not local or our domain. [%s]\\[%s]\n",
+			user_info->domain.str,user_info->internal_username.str));
+		return NT_STATUS_NO_SUCH_USER;
+	}		
+
+	return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
+{
+	if (!make_auth_methods(auth_context, auth_method)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	(*auth_method)->auth = check_samstrict_dc_security;
+	(*auth_method)->name = "samstrict_dc";
+	return NT_STATUS_OK;
+}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/auth/auth_util.c HEAD-auth/source/auth/auth_util.c
--- HEAD/source/auth/auth_util.c	Mon Nov 18 06:44:20 2002
+++ HEAD-auth/source/auth/auth_util.c	Mon Dec 30 22:01:39 2002
@@ -177,51 +177,30 @@ NTSTATUS make_user_info_map(auth_usersup
 	
 	DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
 	      client_domain, smb_name, wksta_name));
-	
-	if (lp_allow_trusted_domains() && *client_domain) {
 
-		/* the client could have given us a workstation name
-		   or other crap for the workgroup - we really need a
-		   way of telling if this domain name is one of our
-		   trusted domain names 
-
-		   Also don't allow "" as a domain, fixes a Win9X bug 
-		   where it doens't supply a domain for logon script
-		   'net use' commands.
-
-		   The way I do it here is by checking if the fully
-		   qualified username exists. This is rather reliant
-		   on winbind, but until we have a better method this
-		   will have to do 
-		*/
-
-		domain = client_domain;
-
-		if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
-			char *user = NULL;
-			if (asprintf(&user, "%s%s%s", 
-				 client_domain, lp_winbind_separator(), 
-				 smb_name) < 0) {
-				DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
-				return NT_STATUS_NO_MEMORY;
-			}
-
-			DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
-			
-			if (Get_Pwnam(user) == NULL) {
-				DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
-				domain = lp_workgroup();
-				DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", 
-					  client_domain, domain));
-			} else {
-				DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
-			}
-			SAFE_FREE(user);
-		}
-	} else {
+	domain = client_domain;
+
+	/* the client could have given us a workstation name
+	   or other crap for the workgroup - we really need a
+	   way of telling if this domain name is one of our
+	   trusted domain names 
+
+	   Also don't allow "" as a domain, fixes a Win9X bug 
+	   where it doens't supply a domain for logon script
+	   'net use' commands.
+
+	*/
+
+	if (!domain || strequal("", domain)) {
+		/* maybe we should use our global_myname() 
+		 * or let it be "",
+		 * but it might be break the Win9X bug 
+		 * mentioned above. --metze*/
 		domain = lp_workgroup();
+		DEBUG(5, ("make_user_info_map: no domain name given for user [%s], assuming it's our domain.\n", smb_name));
 	}
-	
+
+
 	return make_user_info(user_info, 
 			      smb_name, internal_username,
 			      client_domain, domain,
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/lib/util.c HEAD-auth/source/lib/util.c
--- HEAD/source/lib/util.c	Thu Dec 12 20:24:26 2002
+++ HEAD-auth/source/lib/util.c	Sun Dec 29 11:10:23 2002
@@ -1723,6 +1723,23 @@ BOOL is_myname_or_ipaddr(const char *s)
 }
 
 /*******************************************************************
+ Is the name specified one of my netbios names.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+	BOOL ret = False;
+
+	if (strequal(s, lp_workgroup())) {
+		ret=True;
+	}
+
+	DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+	return(ret);
+}
+
+/*******************************************************************
  Set the horrid remote_arch string based on an enum.
 ********************************************************************/

More information about the samba-technical mailing list