[PATCH] smb_register_auth()
Stefan (metze) Metzmacher
metze at metzemix.de
Mon Dec 16 10:00:01 GMT 2002
Hi Jelmer,
(attached the patch now...,sorry:-)
I have changed the auth subsystem to use our new module stuff...
I also add 'samstrict_dc' witch is checks the domain str for all our
netbios aliases and our own domain id we're a logon server...
I let abartlet change the default auth methods order based on
lp_sercurity...later.
and a view small fixes
we should return NT_STATUS_LOGON_FAILURE when we can't get a pass for a
trusted domain in 'auth_trustdomain'!
in this case we didn't trust this domain.
....
This patch depends on the patch for the module system and smb_register_vfs()
metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <metze at metzemix.de>
-------------- next part --------------
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth.c HEAD-modules/source/auth/auth.c
--- HEAD/source/auth/auth.c Thu Dec 12 20:24:26 2002
+++ HEAD-modules/source/auth/auth.c Mon Dec 16 09:40:23 2002
@@ -1,7 +1,8 @@
/*
Unix SMB/CIFS implementation.
Password and authentication handling
- Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -25,25 +26,85 @@
/** List of various built-in authentication modules */
-const struct auth_init_function_entry builtin_auth_init_functions[] = {
- { "guest", auth_init_guest },
- { "rhosts", auth_init_rhosts },
- { "hostsequiv", auth_init_hostsequiv },
- { "sam", auth_init_sam },
- { "samstrict", auth_init_samstrict },
- { "unix", auth_init_unix },
- { "smbserver", auth_init_smbserver },
- { "ntdomain", auth_init_ntdomain },
- { "trustdomain", auth_init_trustdomain },
- { "winbind", auth_init_winbind },
+const struct {
+ char *name;
+ struct auth_method_ops *(*register_fn)(void);
+} builtin_auth_methods[] = {
+ { "guest", auth_guest_register},
+ { "rhosts", auth_rhosts_register },
+ { "hostsequiv", auth_hostsequiv_register },
+ { "sam", auth_sam_register },
+ { "samstrict", auth_samstrict_register },
+ { "samstrict_dc", auth_samstrict_dc_register },
+ { "unix", auth_unix_register },
+ { "smbserver", auth_smbserver_register },
+ { "ntdomain", auth_ntdomain_register },
+ { "trustdomain", auth_trustdomain_register },
+ { "winbind", auth_winbind_register },
#ifdef DEVELOPER
- { "name_to_ntstatus", auth_init_name_to_ntstatus },
- { "fixed_challenge", auth_init_fixed_challenge },
+ { "name_to_ntstatus", auth_name_to_ntstatus_register },
+ { "fixed_challenge", auth_fixed_challenge_register },
#endif
- { "plugin", auth_init_plugin },
{ NULL, NULL}
};
+static struct auth_method_function_entry *global_auth_methods = NULL;
+
+static NTSTATUS smb_register_auth_method(const char *name, struct auth_method_ops *auth_ops)
+{
+ struct auth_method_function_entry *entry = global_auth_methods;
+
+ DEBUG(8,("Attempting to register auth method '%s'\n", name));
+
+ /* Check for duplicates */
+ while(entry) {
+ if(strcasecmp(name, entry->name) == 0) {
+ DEBUG(1,("smb_register_auth: There already is a auth method registered with the name %s!\n", name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+ entry = entry->next;
+ }
+
+ if ((entry = smb_xmalloc(sizeof(struct auth_method_function_entry)))==NULL) {
+ DEBUG(0,("smb_register_auth_method; smb_xmalloc() failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ entry->name = strdup(name);
+ entry->ops = auth_ops;
+
+ DLIST_ADD(global_auth_methods, entry);
+ DEBUG(10,("Successfully added auth_method '%s'\n", name));
+ return NT_STATUS_OK;
+}
+
+static void lazy_initialize_auth(void)
+{
+ int i;
+ static BOOL initialised = False;
+
+ if(!initialised) {
+ initialised = True;
+
+ for(i = 0; builtin_auth_methods[i].name; i++) {
+ smb_register_auth_method(builtin_auth_methods[i].name,builtin_auth_methods[i].register_fn());
+ }
+ }
+}
+
+NTSTATUS smb_register_auth(const char *name, struct auth_method_ops *auth_ops, int version)
+{
+ /* make sure the builtin methods are loaded before any module */
+ lazy_initialize_auth();
+
+ if(version != AUTH_INTERFACE_VERSION){
+ DEBUG(0,("smb_register_auth: module '%s' has wrong the AUTH_INTERFACE_VERSION\n",name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return smb_register_auth_method(name,auth_ops);
+}
+
/****************************************************************************
Try to get a challenge out of the various authentication modules.
Returns a const char of length 8 bytes.
@@ -53,7 +114,7 @@ static const uint8 *get_ntlm_challenge(s
{
DATA_BLOB challenge = data_blob(NULL, 0);
char *challenge_set_by = NULL;
- auth_methods *auth_method;
+ struct auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
if (auth_context->challenge.length) {
@@ -62,7 +123,7 @@ static const uint8 *get_ntlm_challenge(s
}
for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
- if (auth_method->get_chal == NULL) {
+ if (auth_method->ops->get_chal==NULL) {
DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
continue;
}
@@ -79,7 +140,7 @@ static const uint8 *get_ntlm_challenge(s
smb_panic("talloc_init_named() failed!");
}
- challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx);
+ challenge = auth_method->ops->get_chal(auth_context, &auth_method->private_data, mem_ctx);
if (!challenge.length) {
DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
auth_method->name));
@@ -135,7 +196,7 @@ static BOOL check_domain_match(const cha
if (!lp_allow_trusted_domains() &&
!(strequal("", domain) ||
- strequal(lp_workgroup(), domain) ||
+ is_myworkgroup(domain) ||
is_myname(domain))) {
DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
return False;
@@ -179,7 +240,7 @@ static NTSTATUS check_ntlm_password(cons
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
const char *pdb_username;
- auth_methods *auth_method;
+ struct auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
if (!user_info || !auth_context || !server_info)
@@ -214,7 +275,12 @@ static NTSTATUS check_ntlm_password(cons
mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name,
user_info->domain.str, user_info->smb_name.str);
- nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+ if (auth_method->ops->auth == NULL) {
+ DEBUG(1,("check_ntlm_password: module '%s' have no auth function\n",auth_method->name));
+ continue;
+ }
+
+ nt_status = auth_method->ops->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n",
auth_method->name, user_info->smb_name.str));
@@ -309,15 +375,45 @@ static NTSTATUS make_auth_context(struct
}
/***************************************************************************
- Make a auth_info struct for the auth subsystem
+ Make and init an auth_methods struct
***************************************************************************/
+static NTSTATUS make_auth_method(struct auth_context *auth_context, struct auth_methods **auth_method, struct auth_method_function_entry *entry)
+{
+ if (!auth_context) {
+ smb_panic("no auth_context supplied to make_auth_method()!\n");
+ }
+
+ if (!auth_method) {
+ smb_panic("make_auth_method: pointer to auth_method pointer is NULL!\n");
+ }
+
+ if (!entry) {
+ smb_panic("make_auth_method: pointer to entry pointer is NULL!\n");
+ }
+
+ if (!entry->ops||!entry->name) {
+ smb_panic("make_auth_method: entry->ops or entry->name pointer is NULL!\n");
+ }
+
+ if (((*auth_method) = (struct auth_methods *)talloc(auth_context->mem_ctx,sizeof(struct auth_methods)))==NULL) {
+ DEBUG(0,("make_auth_method: talloc failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ZERO_STRUCTP(*auth_method);
+
+ (*auth_method)->name = entry->name;
+ (*auth_method)->ops = entry->ops;
+
+ return NT_STATUS_OK;
+}
static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, char **text_list)
{
- auth_methods *list = NULL;
- auth_methods *t = NULL;
- auth_methods *tmp;
- int i;
+ struct auth_methods *list = NULL;
+ struct auth_methods *tmp, *method = NULL;
+ struct auth_method_function_entry *entry;
+ int i = 0;
NTSTATUS nt_status;
if (!text_list) {
@@ -325,40 +421,38 @@ static NTSTATUS make_auth_context_text_l
return NT_STATUS_UNSUCCESSFUL;
}
- if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
+ if (NT_STATUS_IS_ERR(nt_status = make_auth_context(auth_context)))
return nt_status;
- for (;*text_list; text_list++) {
- DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
+ lazy_initialize_auth();
+
+ for (;*text_list; text_list++) {
+ BOOL found = False;
+
+ DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match '%s'\n",
*text_list));
- for (i = 0; builtin_auth_init_functions[i].name; i++) {
- char *module_name = smb_xstrdup(*text_list);
- char *module_params = NULL;
- char *p;
-
- p = strchr(module_name, ':');
- if (p) {
- *p = 0;
- module_params = p+1;
- trim_string(module_params, " ", " ");
- }
-
- trim_string(module_name, " ", " ");
-
- if (strequal(builtin_auth_init_functions[i].name, module_name)) {
- DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i));
- if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) {
- DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
- *text_list));
- DLIST_ADD_END(list, t, tmp);
- } else {
- DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
- *text_list));
+ for (entry = global_auth_methods;entry;entry = entry->next) {
+ if (strequal(entry->name, *text_list)) {
+ found = True;
+ DEBUG(5,("make_auth_context_text_list: Found auth method '%s' (at pos %d)\n", *text_list, i));
+
+ if (NT_STATUS_IS_ERR(nt_status = make_auth_method(*auth_context,&method, entry))) {
+ DEBUG(0,("make_auth_context_text_list: make_auth_method failed for '%s'\n",*text_list));
+ return nt_status;
}
+
+ DLIST_ADD_END(list, method, tmp);
+ i++;
break;
}
- SAFE_FREE(module_name);
}
+
+ if (!found) {
+ DEBUG(5,("make_auth_context_text_list: don't find an auth method '%s'\n",
+ *text_list));
+ return NT_STATUS_INVALID_PARAMETER;/* or logon_failure ??? */
+ }
+
}
(*auth_context)->auth_method_list = list;
@@ -372,14 +466,11 @@ static NTSTATUS make_auth_context_text_l
NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
{
- char **auth_method_list = NULL;
+ char **auth_method_list = NULL;
+ const char **lp_auth_list = NULL;
NTSTATUS nt_status;
- if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (auth_method_list == NULL) {
+ if ((lp_auth_list = lp_auth_methods())==NULL) {
switch (lp_security())
{
case SEC_DOMAIN:
@@ -416,16 +507,17 @@ NTSTATUS make_auth_context_subsystem(str
DEBUG(5,("Unknown auth method!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
+ nt_status = make_auth_context_text_list(auth_context, auth_method_list);
+ str_list_free(&auth_method_list);
} else {
DEBUG(5,("Using specified auth order\n"));
+ nt_status = make_auth_context_text_list(auth_context, (char **)lp_auth_list);
}
- if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) {
- str_list_free(&auth_method_list);
- return nt_status;
+ if (NT_STATUS_IS_ERR(nt_status)) {
+ DEBUG(0,("make_auth_context_subsystem: make_auth_context_text_list() failed\n"));
}
-
- str_list_free(&auth_method_list);
+
return nt_status;
}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_builtin.c HEAD-modules/source/auth/auth_builtin.c
--- HEAD/source/auth/auth_builtin.c Thu Dec 12 20:24:26 2002
+++ HEAD-modules/source/auth/auth_builtin.c Fri Dec 13 13:53:00 2002
@@ -50,14 +50,16 @@ static NTSTATUS check_guest_security(con
/* Guest modules initialisation */
-NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method))
- return NT_STATUS_NO_MEMORY;
+static struct auth_method_ops auth_guest_ops = {
+ check_guest_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
- (*auth_method)->auth = check_guest_security;
- (*auth_method)->name = "guest";
- return NT_STATUS_OK;
+struct auth_method_ops *auth_guest_register(void)
+{
+ return &auth_guest_ops;
}
/**
@@ -101,14 +103,16 @@ static NTSTATUS check_name_to_ntstatus_s
/** Module initailisation function */
-NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method))
- return NT_STATUS_NO_MEMORY;
+static struct auth_method_ops auth_name_to_ntstatus_ops = {
+ check_name_to_ntstatus_security,/* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
- (*auth_method)->auth = check_name_to_ntstatus_security;
- (*auth_method)->name = "name_to_ntstatus";
- return NT_STATUS_OK;
+struct auth_method_ops *auth_name_to_ntstatus_register(void)
+{
+ return &auth_name_to_ntstatus_ops;
}
/**
@@ -150,61 +154,14 @@ static DATA_BLOB auth_get_fixed_challeng
/** Module initailisation function */
-NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method))
- return NT_STATUS_NO_MEMORY;
-
- (*auth_method)->auth = check_fixed_challenge_security;
- (*auth_method)->get_chal = auth_get_fixed_challenge;
- (*auth_method)->name = "fixed_challenge";
- return NT_STATUS_OK;
-}
-
-/**
- * Outsorce an auth module to an external loadable .so
- *
- * Only works on systems with dlopen() etc.
- **/
-
-/* Plugin modules initialisation */
+static struct auth_method_ops auth_fixed_challenge_ops = {
+ check_fixed_challenge_security, /* auth */
+ auth_get_fixed_challenge, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
-NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+struct auth_method_ops *auth_fixed_challenge_register(void)
{
- void * dl_handle;
- char *plugin_param, *plugin_name, *p;
- auth_init_function plugin_init;
-
- if (param == NULL) {
- DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- plugin_name = smb_xstrdup(param);
- p = strchr(plugin_name, ':');
- if (p) {
- *p = 0;
- plugin_param = p+1;
- trim_string(plugin_param, " ", " ");
- } else plugin_param = NULL;
-
- trim_string(plugin_name, " ", " ");
-
- DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name));
- dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
- if (!dl_handle) {
- DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n",
- plugin_name, sys_dlerror()));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- plugin_init = sys_dlsym(dl_handle, "auth_init");
- if (!plugin_init){
- DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n",
- plugin_name, sys_dlerror()));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)"));
- return plugin_init(auth_context, plugin_param, auth_method);
-}
+ return &auth_fixed_challenge_ops;
+}
\ No newline at end of file
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_domain.c HEAD-modules/source/auth/auth_domain.c
--- HEAD/source/auth/auth_domain.c Fri Dec 13 07:25:43 2002
+++ HEAD-modules/source/auth/auth_domain.c Mon Dec 16 08:55:37 2002
@@ -412,9 +412,12 @@ static NTSTATUS check_ntdomain_security(
* Check that the requested domain is not our own machine name.
* If it is, we should never check the PDC here, we use our own local
* password file.
+ *
+ * we interpret domain "" as our own machine name too --metze
*/
- if(is_myname(user_info->domain.str)) {
+ if(is_myname(user_info->domain.str)||
+ strequal("", user_info->domain.str)) {
DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
return NT_STATUS_LOGON_FAILURE;
}
@@ -453,18 +456,18 @@ static NTSTATUS check_ntdomain_security(
}
/* module initialisation */
-NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
+static struct auth_method_ops auth_ntdomain_ops = {
+ check_ntdomain_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
- (*auth_method)->name = "ntdomain";
- (*auth_method)->auth = check_ntdomain_security;
- return NT_STATUS_OK;
+struct auth_method_ops *auth_ntdomain_register(void)
+{
+ return &auth_ntdomain_ops;
}
-
/****************************************************************************
Check for a valid username and password in a trusted domain
****************************************************************************/
@@ -490,9 +493,12 @@ static NTSTATUS check_trustdomain_securi
* Check that the requested domain is not our own machine name.
* If it is, we should never check the PDC here, we use our own local
* password file.
+ *
+ * we interpret domain "" as our own machine name too --metze
*/
- if(is_myname(user_info->domain.str)) {
+ if(is_myname(user_info->domain.str)||
+ strequal("", user_info->domain.str)) {
DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n"));
return NT_STATUS_LOGON_FAILURE;
}
@@ -502,7 +508,7 @@ static NTSTATUS check_trustdomain_securi
* If it is, we should use our own local password file.
*/
- if(strequal(lp_workgroup(), (user_info->domain.str))) {
+ if(is_myworkgroup(user_info->domain.str)) {
DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
return NT_STATUS_LOGON_FAILURE;
}
@@ -514,8 +520,8 @@ static NTSTATUS check_trustdomain_securi
if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time))
{
- DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain '%s', seems that we don't trust this domain.\n", user_info->domain.str));
+ return NT_STATUS_LOGON_FAILURE;/* we don't trust the domain */
}
#ifdef DEBUG_PASSWORD
@@ -541,13 +547,14 @@ static NTSTATUS check_trustdomain_securi
}
/* module initialisation */
-NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
+static struct auth_method_ops auth_trustdomain_ops = {
+ check_trustdomain_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
- (*auth_method)->name = "trustdomain";
- (*auth_method)->auth = check_trustdomain_security;
- return NT_STATUS_OK;
+struct auth_method_ops *auth_trustdomain_register(void)
+{
+ return &auth_trustdomain_ops;
}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_rhosts.c HEAD-modules/source/auth/auth_rhosts.c
--- HEAD/source/auth/auth_rhosts.c Fri May 24 05:43:52 2002
+++ HEAD-modules/source/auth/auth_rhosts.c Fri Dec 13 13:56:38 2002
@@ -179,16 +179,18 @@ static NTSTATUS check_hostsequiv_securit
}
/* module initialisation */
-NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
- (*auth_method)->auth = check_hostsequiv_security;
- return NT_STATUS_OK;
-}
+static struct auth_method_ops auth_hostsequiv_ops = {
+ check_hostsequiv_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
+struct auth_method_ops *auth_hostsequiv_register(void)
+{
+ return &auth_hostsequiv_ops;
+}
/****************************************************************************
Check for a valid .rhosts/hosts.equiv entry for this user
@@ -223,12 +225,15 @@ static NTSTATUS check_rhosts_security(co
}
/* module initialisation */
-NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
- (*auth_method)->auth = check_rhosts_security;
- return NT_STATUS_OK;
+static struct auth_method_ops auth_rhosts_ops = {
+ check_rhosts_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
+
+struct auth_method_ops *auth_rhosts_register(void)
+{
+ return &auth_rhosts_ops;
}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_sam.c HEAD-modules/source/auth/auth_sam.c
--- HEAD/source/auth/auth_sam.c Mon Nov 18 06:44:20 2002
+++ HEAD-modules/source/auth/auth_sam.c Mon Dec 16 08:55:48 2002
@@ -423,18 +423,18 @@ static NTSTATUS check_sam_security(const
}
/* module initialisation */
-NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
+static struct auth_method_ops auth_sam_ops = {
+ check_sam_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
- (*auth_method)->auth = check_sam_security;
- (*auth_method)->name = "sam";
- return NT_STATUS_OK;
+struct auth_method_ops *auth_sam_register(void)
+{
+ return &auth_sam_ops;
}
-
/****************************************************************************
Check SAM security (above) but with a few extra checks.
****************************************************************************/
@@ -452,9 +452,12 @@ static NTSTATUS check_samstrict_security
/* If we are a domain member, we must not
attempt to check the password locally,
- unless it is one of our aliases. */
+ unless it is one of our aliases
+ or empty */
if (!is_myname(user_info->domain.str)) {
+ DEBUG(7,("The requested user domain is not local. [%s]\\[%s}\n",
+ user_info->domain.str,user_info->internal_username.str));
return NT_STATUS_NO_SUCH_USER;
}
@@ -462,15 +465,57 @@ static NTSTATUS check_samstrict_security
}
/* module initialisation */
-NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static struct auth_method_ops auth_samstrict_ops = {
+ check_samstrict_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
+
+struct auth_method_ops *auth_samstrict_register(void)
+{
+ return &auth_samstrict_ops;
+}
+
+/****************************************************************************
+Check SAM security (above) but with a few extra checks (if we're a DC).
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
+
+ if (!user_info || !auth_context) {
+ return NT_STATUS_LOGON_FAILURE;
}
- (*auth_method)->auth = check_samstrict_security;
- (*auth_method)->name = "samstrict";
- return NT_STATUS_OK;
+ /* If we are a domain member, we must not
+ attempt to check the password locally,
+ unless it is one of our aliases or our
+ domain if we are a logon server.*/
+
+ if ((!is_myworkgroup(user_info->domain.str))&&
+ (!is_myname(user_info->domain.str))){
+ DEBUG(7,("The requested user domain is not local or our domain. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
}
+/* module initialisation */
+static struct auth_method_ops auth_samstrict_dc_ops = {
+ check_samstrict_dc_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
+struct auth_method_ops *auth_samstrict_dc_register(void)
+{
+ return &auth_samstrict_dc_ops;
+}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_server.c HEAD-modules/source/auth/auth_server.c
--- HEAD/source/auth/auth_server.c Wed Nov 13 19:52:30 2002
+++ HEAD-modules/source/auth/auth_server.c Fri Dec 13 13:53:57 2002
@@ -388,15 +388,14 @@ use this machine as the password server.
return(nt_status);
}
-NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
+static struct auth_method_ops auth_smbserver_ops = {
+ check_smbserver_security, /* auth */
+ auth_get_challenge_server, /* get_chal */
+ send_server_keepalive, /* send_keepalive */
+ free_server_private_data /* free_private_data */
+};
+
+struct auth_method_ops *auth_smbserver_register(void)
{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
- (*auth_method)->name = "smbserver";
- (*auth_method)->auth = check_smbserver_security;
- (*auth_method)->get_chal = auth_get_challenge_server;
- (*auth_method)->send_keepalive = send_server_keepalive;
- (*auth_method)->free_private_data = free_server_private_data;
- return NT_STATUS_OK;
+ return &auth_smbserver_ops;
}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_unix.c HEAD-modules/source/auth/auth_unix.c
--- HEAD/source/auth/auth_unix.c Sun Oct 13 12:11:25 2002
+++ HEAD-modules/source/auth/auth_unix.c Fri Dec 13 13:57:02 2002
@@ -119,14 +119,16 @@ static NTSTATUS check_unix_security(cons
}
/* module initialisation */
-NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
- (*auth_method)->name = "unix";
- (*auth_method)->auth = check_unix_security;
- return NT_STATUS_OK;
+static struct auth_method_ops auth_unix_ops = {
+ check_unix_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
+
+struct auth_method_ops *auth_unix_register(void)
+{
+ return &auth_unix_ops;
}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_util.c HEAD-modules/source/auth/auth_util.c
--- HEAD/source/auth/auth_util.c Mon Nov 18 06:44:20 2002
+++ HEAD-modules/source/auth/auth_util.c Mon Dec 16 09:32:00 2002
@@ -177,51 +177,30 @@ NTSTATUS make_user_info_map(auth_usersup
DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
-
- if (lp_allow_trusted_domains() && *client_domain) {
- /* the client could have given us a workstation name
- or other crap for the workgroup - we really need a
- way of telling if this domain name is one of our
- trusted domain names
-
- Also don't allow "" as a domain, fixes a Win9X bug
- where it doens't supply a domain for logon script
- 'net use' commands.
-
- The way I do it here is by checking if the fully
- qualified username exists. This is rather reliant
- on winbind, but until we have a better method this
- will have to do
- */
-
- domain = client_domain;
-
- if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
- char *user = NULL;
- if (asprintf(&user, "%s%s%s",
- client_domain, lp_winbind_separator(),
- smb_name) < 0) {
- DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
+ domain = client_domain;
- DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
-
- if (Get_Pwnam(user) == NULL) {
- DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
- domain = lp_workgroup();
- DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
- client_domain, domain));
- } else {
- DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
- }
- SAFE_FREE(user);
- }
- } else {
+ /* the client could have given us a workstation name
+ or other crap for the workgroup - we really need a
+ way of telling if this domain name is one of our
+ trusted domain names
+
+ Also don't allow "" as a domain, fixes a Win9X bug
+ where it doens't supply a domain for logon script
+ 'net use' commands.
+
+ */
+
+ if (strequal("", domain)){
+ /* maybe we should use our global_myname()
+ * or let it be "",
+ * but it might be break the Win9X bug
+ * mentioned above. --metze*/
domain = lp_workgroup();
+ DEBUG(5, ("make_user_info_map: no domain name given for user %s, assuming it's our domain.\n", smb_name));
}
-
+
+
return make_user_info(user_info,
smb_name, internal_username,
client_domain, domain,
@@ -1098,30 +1077,6 @@ void free_server_info(auth_serversupplie
ZERO_STRUCT(**server_info);
}
SAFE_FREE(*server_info);
-}
-
-/***************************************************************************
- Make an auth_methods struct
-***************************************************************************/
-
-BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
-{
- if (!auth_context) {
- smb_panic("no auth_context supplied to make_auth_methods()!\n");
- }
-
- if (!auth_method) {
- smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
- }
-
- *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method));
- if (!*auth_method) {
- DEBUG(0,("make_auth_method: malloc failed!\n"));
- return False;
- }
- ZERO_STRUCTP(*auth_method);
-
- return True;
}
/****************************************************************************
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=.#* HEAD/source/auth/auth_winbind.c HEAD-modules/source/auth/auth_winbind.c
--- HEAD/source/auth/auth_winbind.c Mon Nov 18 06:44:20 2002
+++ HEAD-modules/source/auth/auth_winbind.c Fri Dec 13 13:57:28 2002
@@ -125,13 +125,15 @@ static NTSTATUS check_winbind_security(c
}
/* module initialisation */
-NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
- (*auth_method)->name = "winbind";
- (*auth_method)->auth = check_winbind_security;
- return NT_STATUS_OK;
-}
+static struct auth_method_ops auth_winbind_ops = {
+ check_winbind_security, /* auth */
+ NULL, /* get_chal */
+ NULL, /* send_keepalive */
+ NULL /* free_private_data */
+};
+
+struct auth_method_ops *auth_winbind_register(void)
+{
+ return &auth_winbind_ops;
+}
\ No newline at end of file
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=config.* --exclude=bin --exclude=*.configure --exclude=auth* --exclude=passdb* HEAD/source/lib/util.c HEAD-modules/source/lib/util.c
--- HEAD/source/lib/util.c Thu Dec 12 20:24:26 2002
+++ HEAD-modules/source/lib/util.c Mon Dec 16 08:55:12 2002
@@ -1723,6 +1723,23 @@ BOOL is_myname_or_ipaddr(const char *s)
}
/*******************************************************************
+ Is the name specified our workgroup/domain name.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+ BOOL ret = False;
+
+ if (strequal(s, lp_workgroup())) {
+ ret=True;
+ }
+
+ DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+ return(ret);
+}
+
+/*******************************************************************
Set the horrid remote_arch string based on an enum.
********************************************************************/
More information about the samba-technical
mailing list