*/
nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- mem_ctx,
- dc_name, /* server name */
- user_info->smb_name.str, /* user name logging on. */
- user_info->domain.str, /* domain name */
- user_info->wksta_name.str, /* workstation name */
- chal, /* 8 byte challenge. */
- user_info->lm_resp, /* lanman 24 byte response */
- user_info->nt_resp, /* nt 24 byte response */
- &info3); /* info3 out */
+ mem_ctx,
+ user_info->logon_parameters,/* flags such as 'allow workstation logon' */
+ dc_name, /* server name */
+ user_info->smb_name.str, /* user name logging on. */
+ user_info->domain.str, /* domain name */
+ user_info->wksta_name.str, /* workstation name */
+ chal, /* 8 byte challenge. */
+ user_info->lm_resp, /* lanman 24 byte response */
+ user_info->nt_resp, /* nt 24 byte response */
+ &info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */
NULL, NULL, NULL,
True);
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
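Review bot: The added `user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;` dereferences `user_info` before `nt_status` from the preceding make_user_info_map call is examined, so on a failed call it writes through a pointer that the callee may never have set. Move the assignment below the `if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }` block, or guard it with `if (NT_STATUS_IS_OK(nt_status))` as the make_user_info_netlogon_* hunks in this same patch do. A short comment would also help a reader who has not seen sam_account_ok(): `/* NTLMSSP logons may legitimately come from trust accounts; sam_account_ok() refuses them unless these bits are set. */`. The enclosing function starts outside this hunk, and whether make_user_info_map can fail before allocating `*user_info` is not visible here.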
}
if (acct_ctrl & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
}
-
+
if (acct_ctrl & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
}
-
return NT_STATUS_OK;
}
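Review bot: The two new `logon_parameters` tests turn what was an unconditional refusal of trust-account logons into a caller-controlled one, and nothing in the function says where the bits come from or what the default is; a comment above the ACB_SVRTRUST check would make the policy explicit, e.g. `/* Trust-account logons are refused unless the caller set the MSV1_0_ALLOW_*_TRUST_ACCOUNT bits in user_info->logon_parameters; make_user_info() leaves the field at 0, so plain SMB/password paths stay denied. */`. Elsewhere in this patch the bits appear to be set unconditionally on the NTLMSSP and winbindd auth_crap paths and copied from the client's ParameterControl on the netlogon server side, so the denial is effectively enforced only for callers that leave the field at 0; if that is the intended split it is worth stating here. The enclosing function starts outside this hunk.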
(*user_info)->encrypted = encrypted;
+ (*user_info)->logon_parameters = 0;
+
DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
return NT_STATUS_OK;
const char *smb_name,
const char *client_domain,
const char *wksta_name,
+ uint32 logon_parameters,
const uchar *lm_network_pwd, int lm_pwd_len,
const uchar *nt_network_pwd, int nt_pwd_len)
{
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
True);
-
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*user_info)->logon_parameters = logon_parameters;
+ }
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
-
+
data_blob_free(&lm_blob);
data_blob_free(&nt_blob);
return ret;
const char *smb_name,
const char *client_domain,
const char *wksta_name,
+ uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16],
NULL,
True);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*user_info)->logon_parameters = logon_parameters;
+ }
+
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);
request.flags = WBFLAG_PAM_INFO3_NDR;
+ request.data.auth_crap.logon_parameters = user_info->logon_parameters;
+
fstrcpy(request.data.auth_crap.user,
user_info->smb_name.str);
fstrcpy(request.data.auth_crap.domain,
*/
/* AUTH_STR - string */
-typedef struct normal_string
-{
+typedef struct normal_string {
int len;
char *str;
} AUTH_STR;
-typedef struct auth_usersupplied_info
-{
-
+typedef struct auth_usersupplied_info {
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DATA_BLOB lm_interactive_pwd;
AUTH_STR smb_name; /* username before mapping */
AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
+ uint32 logon_parameters;
+
} auth_usersupplied_info;
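Review bot: The new `logon_parameters` member is the only field in view without a trailing comment while its neighbours document their meaning; suggest `uint32 logon_parameters; /* MSV1_0_ALLOW_*_TRUST_ACCOUNT bits (see rpc_netlogon.h); 0 = trust-account logons are refused */`. Because the member is appended to a structure that auth modules receive, the AUTH_INTERFACE_VERSION bump elsewhere in this patch is the right companion and could be referenced in that comment. The remaining members of this typedef lie outside this hunk.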
#define SAM_FILL_NAME 0x01
#define SAM_FILL_UNIX 0x08
#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
-typedef struct auth_serversupplied_info
-{
+typedef struct auth_serversupplied_info {
BOOL guest;
uid_t uid;
struct auth_init_function_entry *prev, *next;
};
-typedef struct auth_ntlmssp_state
-{
+typedef struct auth_ntlmssp_state {
TALLOC_CTX *mem_ctx;
struct auth_context *auth_context;
struct auth_serversupplied_info *server_info;
struct ntlmssp_state *ntlmssp_state;
} AUTH_NTLMSSP_STATE;
-#define AUTH_INTERFACE_VERSION 1
+/* Changed from 1 -> 2 to add the logon_parameters field. */
+#define AUTH_INTERFACE_VERSION 2
#endif /* _SMBAUTH_H_ */
typedef int (*smbc_purge_cached_fn) (SMBCCTX * c);
+/* close was renamed to close_fn, because close is often a macro.
+ * Allow backward compatability where this is not the case */
+#ifndef close
+#define close close_fn
+#endif
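Review bot: `#define close close_fn` in a public header renames every occurrence of the identifier `close` in any translation unit that includes it, not just the `SMBCCTX` member: a `#include <unistd.h>` that follows libsmbclient.h then declares `close_fn(int)` rather than `close(int)`, and an application's ordinary `close(fd)` call becomes a call to an undeclared or wrongly named function. If source compatibility for `ctx->close` is required, put the alias behind an opt-in such as `#ifdef SMBC_COMPAT_CLOSE_MEMBER`, or drop it and document the rename; unconditionally redefining a POSIX function name is not safe. The new comment also misspells 'compatibility' as 'compatability'. The structure this member belongs to is outside this hunk.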
/**@ingroup structure
#define SE_GROUP_LOGON_ID 0xC0000000
#define SE_GROUP_RESOURCE 0x20000000
+/* Flags for controlling the behaviour of a particular logon */
+#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT ( 0x020 )
+#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ( 0x800 )
#if 0
/* I think this is correct - it's what gets parsed on the wire. JRA. */
parse_wbinfo_domain_user(username, name_domain, name_user);
+ request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
fstrcpy(request.data.auth_crap.user, name_user);
fstrcpy(request.data.auth_crap.domain,
} auth; /* pam_winbind auth module */
struct {
unsigned char chal[8];
+ uint32 logon_parameters;
fstring user;
fstring domain;
fstring lm_resp;
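Review bot: Inserting `uint32 logon_parameters` between `chal` and `user` changes the layout of the `auth_crap` request that crosses the winbindd pipe, so a client built against the old header (pam_winbind, ntlm_auth, libnss_winbind) talking to a new winbindd would have its `user`, `domain` and response fields read at shifted offsets; if the pipe is guarded by an interface version it should be bumped in the same commit, which is not visible here. The field also deserves a comment in line with the others, e.g. `uint32 logon_parameters; /* MSV1_0_ALLOW_*_TRUST_ACCOUNT bits forwarded to the DC or local SAM */`. The enclosing struct starts and ends outside this hunk.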
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- state->mem_ctx,
- contact_domain->dcname, /* server name */
- name_user, /* user name */
- name_domain, /* target domain */
- global_myname(), /* workstation */
- chal,
- lm_resp,
- nt_resp,
- &info3);
+ state->mem_ctx,
+ 0,
+ contact_domain->dcname, /* server name */
+ name_user, /* user name */
+ name_domain, /* target domain */
+ global_myname(), /* workstation */
+ chal,
+ lm_resp,
+ nt_resp,
+ &info3);
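Review bot: The bare `0,` added as the new logon_parameters argument is the only uncommented argument in a call where every other one is annotated, and it is easy to mistake for a placeholder; suggest `0, /* logon_parameters: no trust-account logons for PAM password auth */` so the deliberate difference from the auth_crap call, which forwards `state->request.data.auth_crap.logon_parameters`, is visible. The enclosing function starts and ends outside this hunk.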
attempts += 1;
/* We have to try a second time as cm_connect_netlogon
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- state->mem_ctx,
- contact_domain->dcname,
- name_user,
- name_domain,
- global_myname(),
- state->request.data.auth_crap.chal,
- lm_resp,
- nt_resp,
- &info3);
+ state->mem_ctx,
+ state->request.data.auth_crap.logon_parameters,
+ contact_domain->dcname,
+ name_user,
+ name_domain,
+ global_myname(),
+ state->request.data.auth_crap.chal,
+ lm_resp,
+ nt_resp,
+ &info3);
attempts += 1;
/* Logon domain user */
NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *domain,
- const char *username,
- const char *password,
- int logon_type)
+ TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+ const char *domain,
+ const char *username,
+ const char *password,
+ int logon_type)
{
prs_struct qbuf, rbuf;
NET_Q_SAM_LOGON q;
nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
init_id_info1(&ctr.auth.id1, domain,
- 0, /* param_ctrl */
+ logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, clnt_name_slash,
(const char *)cli->dc->sess_key, lm_owf_user_pwd,
SMBNTencrypt(password, chal, local_nt_response);
init_id_info2(&ctr.auth.id2, domain,
- 0, /* param_ctrl */
+ logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, clnt_name_slash, chal,
local_lm_response, 24, local_nt_response, 24);
NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
const char *server,
const char *username,
const char *domain,
ctr.switch_value = NET_LOGON_TYPE;
init_id_info2(&ctr.auth.id2, domain,
- 0, /* param_ctrl */
+ logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, workstation_name_slash, (const uchar*)chal,
lm_response.data, lm_response.length, nt_response.data, nt_response.length);
if (!make_user_info_netlogon_network(&user_info,
nt_username, nt_domain,
wksname,
+ ctr->auth.id2.param_ctrl,
ctr->auth.id2.lm_chal_resp.buffer,
ctr->auth.id2.lm_chal_resp.str_str_len,
ctr->auth.id2.nt_chal_resp.buffer,
if (!make_user_info_netlogon_interactive(&user_info,
nt_username, nt_domain,
- nt_workstation, chal,
+ nt_workstation,
+ ctr->auth.id1.param_ctrl,
+ chal,
ctr->auth.id1.lm_owf.data,
ctr->auth.id1.nt_owf.data,
p->dc->sess_key)) {
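Review bot: `ctr->auth.id1.param_ctrl` (and `id2.param_ctrl` in the network-logon hunk above) is taken straight from the member's NetrLogonSamLogon request and stored unmasked as `user_info->logon_parameters`; the only consumer visible in this patch is sam_account_ok(), which honours the two MSV1_0_ALLOW_*_TRUST_ACCOUNT bits. Letting a domain member request trust-account logons looks like the intended semantics, but because the value is remote-supplied the pass-through deserves a comment, e.g. `/* param_ctrl is client-supplied; sam_account_ok() acts only on the MSV1_0_ALLOW_*_TRUST_ACCOUNT bits */`. If other ParameterControl bits must never reach the auth subsystem, mask here with `& (MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)`. The enclosing function starts and ends outside this hunk.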
/* Perform the sam logon */
- result = rpccli_netlogon_sam_logon(cli, mem_ctx, lp_workgroup(), username, password, logon_type);
+ result = rpccli_netlogon_sam_logon(cli, mem_ctx, 0, lp_workgroup(), username, password, logon_type);
if (!NT_STATUS_IS_OK(result))
goto done;
request.flags = flags;
+ request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
if (require_membership_of_sid)
fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);