Winbindd change password request
Alexey Kobozev
cobedump at gmail.com
Mon Jun 19 09:51:06 GMT 2006
Andrew Bartlett wrote:
> On Thu, 2006-06-15 at 16:13 +0200, Alexey Kobozev wrote:
>> Hi guys!
>>
>> Attached is the patch for crap change password in winbindd and ntlm_auth
>> It was done on samba 3.0.23rc2
>> Please review it.
>
> My main problem is with the way the ntlm_auth interface has been
> designed. This options introduces a lot more command-line options.
>
> I would prefer something that was handled as a new --helper-protocol,
> similar to ntlm-server-1. Using a new helper protocol allows easier
> 'versioning' if you need to change behaviors, which is important, as we
> need to maintain ntlm_auth's interface in the long term.
OK. Here we go. We've removed the command line arguments for change
password and added new helper protocol ntlm-crap-chng-pswd-1
-------------- next part --------------
diff -rup samba-3.0.23rc2/source/nsswitch/winbindd.c samba-3.0.23rc2-patched/source/nsswitch/winbindd.c
--- samba-3.0.23rc2/source/nsswitch/winbindd.c 2006-06-13 04:52:16.000000000 +0300
+++ samba-3.0.23rc2-patched/source/nsswitch/winbindd.c 2006-06-15 16:00:21.000000000 +0300
@@ -214,6 +214,7 @@ static struct winbindd_dispatch_table {
{ WINBINDD_PAM_AUTH_CRAP, winbindd_pam_auth_crap, "AUTH_CRAP" },
{ WINBINDD_PAM_CHAUTHTOK, winbindd_pam_chauthtok, "CHAUTHTOK" },
{ WINBINDD_PAM_LOGOFF, winbindd_pam_logoff, "PAM_LOGOFF" },
+ { WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, winbindd_pam_chng_pswd_auth_crap, "CHNG_PSWD_AUTH_CRAP" },
/* Enumeration functions */
diff -rup samba-3.0.23rc2/source/nsswitch/winbindd_misc.c samba-3.0.23rc2-patched/source/nsswitch/winbindd_misc.c
--- samba-3.0.23rc2/source/nsswitch/winbindd_misc.c 2006-04-20 05:29:21.000000000 +0300
+++ samba-3.0.23rc2-patched/source/nsswitch/winbindd_misc.c 2006-06-15 16:00:30.000000000 +0300
@@ -445,8 +445,12 @@ static void domain_info_init_recv(void *
request_ok(state);
}
+
void winbindd_ping(struct winbindd_cli_state *state)
{
+ void *res = NULL;
+ int count = 0;
+
DEBUG(3, ("[%5lu]: ping\n", (unsigned long)state->pid));
request_ok(state);
}
diff -rup samba-3.0.23rc2/source/nsswitch/winbindd_nss.h samba-3.0.23rc2-patched/source/nsswitch/winbindd_nss.h
--- samba-3.0.23rc2/source/nsswitch/winbindd_nss.h 2006-05-23 21:54:32.000000000 +0300
+++ samba-3.0.23rc2-patched/source/nsswitch/winbindd_nss.h 2006-06-15 16:00:40.000000000 +0300
@@ -65,6 +65,7 @@ enum winbindd_cmd {
WINBINDD_PAM_AUTH_CRAP,
WINBINDD_PAM_CHAUTHTOK,
WINBINDD_PAM_LOGOFF,
+ WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
/* List various things */
@@ -226,6 +227,18 @@ struct winbindd_request {
} chauthtok; /* pam_winbind passwd module */
struct {
fstring user;
+ fstring domain;
+ unsigned char new_nt_pswd[516];
+ uint16 new_nt_pswd_len;
+ unsigned char old_nt_hash_enc[16];
+ uint16 old_nt_hash_enc_len;
+ unsigned char new_lm_pswd[516];
+ uint16 new_lm_pswd_len;
+ unsigned char old_lm_hash_enc[16];
+ uint16 old_lm_hash_enc_len;
+ } chng_pswd_auth_crap;/* pam_winbind passwd module */
+ struct {
+ fstring user;
fstring krb5ccname;
uid_t uid;
} logoff; /* pam_winbind session module */
diff -rup samba-3.0.23rc2/source/nsswitch/winbindd_pam.c samba-3.0.23rc2-patched/source/nsswitch/winbindd_pam.c
--- samba-3.0.23rc2/source/nsswitch/winbindd_pam.c 2006-06-09 22:30:30.000000000 +0300
+++ samba-3.0.23rc2-patched/source/nsswitch/winbindd_pam.c 2006-06-19 10:54:20.675404792 +0300
@@ -1853,3 +1853,116 @@ process_result:
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
+/* Change user password with auth crap*/
+
+void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
+{
+ NTSTATUS result;
+ DATA_BLOB new_nt_password;
+ DATA_BLOB old_nt_hash_enc;
+ DATA_BLOB new_lm_password;
+ DATA_BLOB old_lm_hash_enc;
+ fstring domain,user;
+ POLICY_HND dom_pol;
+ struct winbindd_domain *contact_domain;
+ struct rpc_pipe_client *cli;
+
+ /* Ensure null termination */
+ state->request.data.chng_pswd_auth_crap.user[sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
+ state->request.data.chng_pswd_auth_crap.domain[sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
+ *domain = 0;
+ *user = 0;
+
+ DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n", (unsigned long)state->pid,
+ state->request.data.chng_pswd_auth_crap.domain, state->request.data.chng_pswd_auth_crap.user));
+
+ if (*state->request.data.chng_pswd_auth_crap.domain)
+ {
+ fstrcpy(domain,state->request.data.chng_pswd_auth_crap.domain);
+ }
+ else
+ {
+ parse_domain_user(state->request.data.chng_pswd_auth_crap.user, domain, user);
+
+ if(!*domain)
+ {
+ DEBUG(5,("no domain specified with username (%s) - failing auth\n", state->request.data.chng_pswd_auth_crap.user));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+ }
+
+ if(!*domain && lp_winbind_use_default_domain())
+ {
+ fstrcpy(domain,(char *)lp_workgroup());
+ }
+
+ if(!*user)
+ {
+ fstrcpy(user, state->request.data.chng_pswd_auth_crap.user);
+ }
+
+ DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, domain, user));
+
+ /* Setup crap */
+ if (!(contact_domain = find_domain_from_name(domain)))
+ {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.chng_pswd_auth_crap.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+
+ /* Change password */
+ new_nt_password = data_blob_talloc(state->mem_ctx,
+ state->request.data.chng_pswd_auth_crap.new_nt_pswd,
+ state->request.data.chng_pswd_auth_crap.new_nt_pswd_len);
+
+ old_nt_hash_enc = data_blob_talloc(state->mem_ctx,
+ state->request.data.chng_pswd_auth_crap.old_nt_hash_enc,
+ state->request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
+
+ if(state->request.data.chng_pswd_auth_crap.new_lm_pswd_len > 0)
+ {
+ new_lm_password = data_blob_talloc(state->mem_ctx,
+ state->request.data.chng_pswd_auth_crap.new_lm_pswd,
+ state->request.data.chng_pswd_auth_crap.new_lm_pswd_len);
+
+ old_lm_hash_enc = data_blob_talloc(state->mem_ctx,
+ state->request.data.chng_pswd_auth_crap.old_lm_hash_enc,
+ state->request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
+ }
+ else
+ {
+ new_lm_password.length = 0;
+ old_lm_hash_enc.length = 0;
+ }
+
+ /* Get sam handle */
+
+ result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
+ goto done;
+ }
+
+ result = rpccli_samr_chng_pswd_auth_crap(cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc, new_lm_password, old_lm_hash_enc);
+
+done:
+ state->response.data.auth.nt_status = NT_STATUS_V(result);
+ fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
+ fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
+ state->response.data.auth.pam_error = nt_status_to_pam(result);
+
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ domain,
+ user,
+ state->response.data.auth.nt_status_string,
+ state->response.data.auth.pam_error));
+
+ if (NT_STATUS_IS_OK(result))
+ request_ok(state);
+ else
+ request_error(state);
+}
diff -rup samba-3.0.23rc2/source/rpc_client/cli_samr.c samba-3.0.23rc2-patched/source/rpc_client/cli_samr.c
--- samba-3.0.23rc2/source/rpc_client/cli_samr.c 2006-05-23 21:54:29.000000000 +0300
+++ samba-3.0.23rc2-patched/source/rpc_client/cli_samr.c 2006-06-15 16:01:11.000000000 +0300
@@ -1288,6 +1288,73 @@ NTSTATUS rpccli_samr_chgpasswd_user(stru
return result;
}
+/* User change passwd with auth crap */
+
+NTSTATUS rpccli_samr_chng_pswd_auth_crap(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *username,
+ DATA_BLOB new_nt_password,
+ DATA_BLOB old_nt_hash_enc,
+ DATA_BLOB new_lm_password,
+ DATA_BLOB old_lm_hash_enc)
+{
+ prs_struct qbuf, rbuf;
+ SAMR_Q_CHGPASSWD_USER q;
+ SAMR_R_CHGPASSWD_USER r;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ uchar new_lanman_password[516];
+ uchar old_lanman_hash_enc[16];
+ uchar *new_lm_ptr = NULL;
+ uchar *old_lm_hash_ptr = NULL;
+
+ char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
+
+ DEBUG(5,("rpccli_samr_chng_pswd_auth_crap on server: %s\n", srv_name_slash));
+
+ ZERO_STRUCT(q);
+ ZERO_STRUCT(r);
+ ZERO_STRUCT(new_lanman_password);
+ ZERO_STRUCT(old_lanman_hash_enc);
+
+ if(!new_lm_password.length || !old_lm_hash_enc.length || !lp_client_lanman_auth())
+ {
+ DEBUG(5,("rpccli_samr_chng_pswd_auth_crap lanman cred not used\n"));
+ new_lm_ptr = new_lanman_password;
+ old_lm_hash_ptr = old_lanman_hash_enc;
+ }
+ else
+ {
+ new_lm_ptr = new_lm_password.data;
+ old_lm_hash_ptr = old_lm_hash_enc.data;
+ }
+
+
+ /* Marshall data and send request */
+
+ init_samr_q_chgpasswd_user(&q, srv_name_slash, username,
+ new_nt_password.data,
+ old_nt_hash_enc.data,
+ new_lm_ptr,
+ old_lm_hash_ptr);
+
+ CLI_DO_RPC(cli, mem_ctx, PI_SAMR, SAMR_CHGPASSWD_USER,
+ q, r,
+ qbuf, rbuf,
+ samr_io_q_chgpasswd_user,
+ samr_io_r_chgpasswd_user,
+ NT_STATUS_UNSUCCESSFUL);
+
+ /* Return output parameters */
+
+ if (!NT_STATUS_IS_OK(result = r.status)) {
+ goto done;
+ }
+
+ done:
+
+ return result;
+}
+
/* change password 3 */
NTSTATUS rpccli_samr_chgpasswd3(struct rpc_pipe_client *cli,
diff -rup samba-3.0.23rc2/source/utils/ntlm_auth.c samba-3.0.23rc2-patched/source/utils/ntlm_auth.c
--- samba-3.0.23rc2/source/utils/ntlm_auth.c 2006-05-23 21:54:35.000000000 +0300
+++ samba-3.0.23rc2-patched/source/utils/ntlm_auth.c 2006-06-19 11:20:04.700677272 +0300
@@ -38,6 +38,7 @@ enum stdio_helper_mode {
GSS_SPNEGO,
GSS_SPNEGO_CLIENT,
NTLM_SERVER_1,
+ NTLM_CRAP_CHNG_PSWD_1,
NUM_HELPER_MODES
};
@@ -62,6 +63,8 @@ static void manage_gss_spnego_client_req
static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
char *buf, int length);
+static void manage_ntlm_crap_chng_pswd_1_request(enum stdio_helper_mode helper_mode, char *buf, int length);
+
static const struct {
enum stdio_helper_mode mode;
const char *name;
@@ -74,6 +77,7 @@ static const struct {
{ GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
{ GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
{ NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
+ { NTLM_CRAP_CHNG_PSWD_1, "ntlm-crap-chng-pswd-1", manage_ntlm_crap_chng_pswd_1_request},
{ NUM_HELPER_MODES, NULL, NULL}
};
@@ -390,7 +394,87 @@ NTSTATUS contact_winbind_auth_crap(const
free_response(&response);
return nt_status;
}
-
+
+/* contact server to change user password using auth crap */
+static NTSTATUS contact_winbind_change_pswd_auth_crap(const char *username,
+ const char *domain,
+ const DATA_BLOB new_nt_pswd,
+ const DATA_BLOB old_nt_hash_enc,
+ const DATA_BLOB new_lm_pswd,
+ const DATA_BLOB old_lm_hash_enc,
+ char **error_string)
+{
+ NTSTATUS nt_status;
+ NSS_STATUS result;
+ struct winbindd_request request;
+ struct winbindd_response response;
+
+ if (!get_require_membership_sid())
+ {
+ if(error_string)
+ *error_string = smb_xstrdup("Can't get membership sid.");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ if(username != NULL)
+ fstrcpy(request.data.chng_pswd_auth_crap.user, username);
+ if(domain != NULL)
+ fstrcpy(request.data.chng_pswd_auth_crap.domain,domain);
+
+ if(new_nt_pswd.length)
+ {
+ memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd, new_nt_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_nt_pswd));
+ request.data.chng_pswd_auth_crap.new_nt_pswd_len = new_nt_pswd.length;
+ }
+
+ if(old_nt_hash_enc.length)
+ {
+ memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc, old_nt_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_nt_hash_enc));
+ request.data.chng_pswd_auth_crap.old_nt_hash_enc_len = old_nt_hash_enc.length;
+ }
+
+ if(new_lm_pswd.length)
+ {
+ memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd, new_lm_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_lm_pswd));
+ request.data.chng_pswd_auth_crap.new_lm_pswd_len = new_lm_pswd.length;
+ }
+
+ if(old_lm_hash_enc.length)
+ {
+ memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc, old_lm_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_lm_hash_enc));
+ request.data.chng_pswd_auth_crap.old_lm_hash_enc_len = old_lm_hash_enc.length;
+ }
+
+ result = winbindd_request_response(WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, &request, &response);
+
+ /* Display response */
+
+ if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0))
+ {
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ if (error_string)
+ *error_string = smb_xstrdup("Reading winbind reply failed!");
+ free_response(&response);
+ return nt_status;
+ }
+
+ nt_status = (NT_STATUS(response.data.auth.nt_status));
+ if (!NT_STATUS_IS_OK(nt_status))
+ {
+ if (error_string)
+ *error_string = smb_xstrdup(response.data.auth.error_string);
+ free_response(&response);
+ return nt_status;
+ }
+
+ free_response(&response);
+
+ return nt_status;
+}
+
static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
static const char zeros[16];
@@ -1580,6 +1664,178 @@ static void manage_ntlm_server_1_request
}
}
+static void manage_ntlm_crap_chng_pswd_1_request(enum stdio_helper_mode helper_mode, char *buf, int length)
+{
+ char *request, *parameter;
+ static DATA_BLOB new_nt_pswd;
+ static DATA_BLOB old_nt_hash_enc;
+ static DATA_BLOB new_lm_pswd;
+ static DATA_BLOB old_lm_hash_enc;
+ static char *full_username = NULL;
+ static char *username = NULL;
+ static char *domain = NULL;
+
+ if (strequal(buf, "."))
+ {
+ if (!full_username && !username)
+ {
+ x_fprintf(x_stdout, "Error: No username supplied!\n");
+ }
+ else if ((!new_nt_pswd.data || !old_nt_hash_enc.data) && (!new_lm_pswd.data || old_lm_hash_enc.data) )
+ {
+ x_fprintf(x_stdout, "Error: No NT or LM password blobs supplied!\n");
+ }
+ else
+ {
+ char *error_string = NULL;
+
+ if (full_username && !username)
+ {
+ fstring fstr_user;
+ fstring fstr_domain;
+
+ if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain))
+ {
+ /* username might be 'tainted', don't print into our new-line deleimianted stream */
+ x_fprintf(x_stdout, "Error: Could not parse into domain and username\n");
+ SAFE_FREE(username);
+ username = smb_xstrdup(full_username);
+ }
+ else
+ {
+ SAFE_FREE(username);
+ SAFE_FREE(domain);
+ username = smb_xstrdup(fstr_user);
+ domain = smb_xstrdup(fstr_domain);
+ }
+
+ }
+
+ if(!NT_STATUS_IS_OK(contact_winbind_change_pswd_auth_crap(username,
+ domain,
+ new_nt_pswd,
+ old_nt_hash_enc,
+ new_lm_pswd,
+ old_lm_hash_enc,
+ &error_string)))
+ {
+ x_fprintf(x_stdout, "Password-Change: No\n");
+ x_fprintf(x_stdout, "Password-Change-Error: %s\n.\n", error_string);
+ }
+ else
+ {
+ x_fprintf(x_stdout, "Password-Change: Yes\n");
+ }
+
+ SAFE_FREE(error_string);
+ }
+ /* clear out the state */
+ new_nt_pswd = data_blob(NULL, 0);
+ old_nt_hash_enc = data_blob(NULL, 0);
+ new_lm_pswd = data_blob(NULL, 0);
+ old_nt_hash_enc = data_blob(NULL, 0);
+ SAFE_FREE(full_username);
+ SAFE_FREE(username);
+ SAFE_FREE(domain);
+ x_fprintf(x_stdout, ".\n");
+
+ return;
+ }
+
+ request = buf;
+
+ /* Indicates a base64 encoded structure */
+ parameter = strstr_m(request, ":: ");
+ if (!parameter)
+ {
+ parameter = strstr_m(request, ": ");
+
+ if (!parameter)
+ {
+ DEBUG(0, ("Parameter not found!\n"));
+ x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
+ return;
+ }
+
+ parameter[0] ='\0';
+ parameter++;
+ parameter[0] ='\0';
+ parameter++;
+
+ }
+ else
+ {
+ parameter[0] ='\0';
+ parameter++;
+ parameter[0] ='\0';
+ parameter++;
+ parameter[0] ='\0';
+ parameter++;
+
+ base64_decode_inplace(parameter);
+ }
+
+ if (strequal(request, "new-nt-pswd-blob")) {
+ new_nt_pswd = strhex_to_data_blob(NULL, parameter);
+ if (new_nt_pswd.length != 516)
+ {
+ x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 516)\n.\n",
+ parameter,
+ (int)new_nt_pswd.length);
+ new_nt_pswd = data_blob(NULL, 0);
+ }
+ }
+ else if (strequal(request, "old-nt-hash-blob"))
+ {
+ old_nt_hash_enc = strhex_to_data_blob(NULL, parameter);
+ if (old_nt_hash_enc.length < 16)
+ {
+ x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 16)\n.\n",
+ parameter,
+ (int)old_nt_hash_enc.length);
+ old_nt_hash_enc = data_blob(NULL, 0);
+ }
+ }
+ else if (strequal(request, "new-lm-pswd-blob"))
+ {
+ new_lm_pswd = strhex_to_data_blob(NULL, parameter);
+ if (new_lm_pswd.length != 24)
+ {
+ x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 516)\n.\n",
+ parameter,
+ (int)new_lm_pswd.length);
+ new_lm_pswd = data_blob(NULL, 0);
+ }
+ }
+ else if (strequal(request, "old-lm-hash-blob"))
+ {
+ old_lm_hash_enc = strhex_to_data_blob(NULL, parameter);
+ if (old_lm_hash_enc.length < 16)
+ {
+ x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 16)\n.\n",
+ parameter,
+ (int)old_lm_hash_enc.length);
+ old_lm_hash_enc = data_blob(NULL, 0);
+ }
+ }
+ else if (strequal(request, "nt-domain"))
+ {
+ domain = smb_xstrdup(parameter);
+ }
+ else if(strequal(request, "username"))
+ {
+ username = smb_xstrdup(parameter);
+ }
+ else if (strequal(request, "full-username"))
+ {
+ full_username = smb_xstrdup(parameter);
+ }
+ else
+ {
+ x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
+ }
+}
+
static void manage_squid_request(enum stdio_helper_mode helper_mode, stdio_helper_function fn)
{
char buf[SQUID_BUFFER_SIZE+1];
@@ -1722,7 +1978,6 @@ enum {
static const char *hex_challenge;
static const char *hex_lm_response;
static const char *hex_nt_response;
-
poptContext pc;
/* NOTE: DO NOT change this interface without considering the implications!
@@ -1808,8 +2063,8 @@ enum {
exit(1);
}
break;
-
- case OPT_REQUIRE_MEMBERSHIP:
+
+ case OPT_REQUIRE_MEMBERSHIP:
if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
require_membership_of_sid = require_membership_of;
}
More information about the samba-technical
mailing list