r11573: Adding Andrew Bartlett's patch to make machine account
authorJeremy Allison <jra@samba.org>
Tue, 8 Nov 2005 06:19:34 +0000 (06:19 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:05:20 +0000 (11:05 -0500)
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same way as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)

15 files changed:
source3/auth/auth_domain.c
source3/auth/auth_ntlmssp.c
source3/auth/auth_sam.c
source3/auth/auth_util.c
source3/auth/auth_winbind.c
source3/include/auth.h
source3/include/libsmbclient.h
source3/include/rpc_netlogon.h
source3/nsswitch/wbinfo.c
source3/nsswitch/winbindd_nss.h
source3/nsswitch/winbindd_pam.c
source3/rpc_client/cli_netlogon.c
source3/rpc_server/srv_netlog_nt.c
source3/rpcclient/cmd_netlogon.c
source3/utils/ntlm_auth.c

index 8d29367835b0f2b14a66258ebf986ccf56af9f99..94b138e55b1afee134c6734f1bdfbb6bbddf5085 100644 (file)
@@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
          */
 
        nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-                                       mem_ctx,
-                                       dc_name,                   /* server name */
-                                       user_info->smb_name.str,   /* user name logging on. */
-                                       user_info->domain.str,     /* domain name */
-                                       user_info->wksta_name.str, /* workstation name */
-                                       chal,                      /* 8 byte challenge. */
-                                       user_info->lm_resp,        /* lanman 24 byte response */
-                                       user_info->nt_resp,        /* nt 24 byte response */
-                                       &info3);                   /* info3 out */
+                                                     mem_ctx,
+                                                     user_info->logon_parameters,/* flags such as 'allow workstation logon' */ 
+                                                     dc_name,                    /* server name */
+                                                     user_info->smb_name.str,    /* user name logging on. */
+                                                     user_info->domain.str,      /* domain name */
+                                                     user_info->wksta_name.str,  /* workstation name */
+                                                     chal,                       /* 8 byte challenge. */
+                                                     user_info->lm_resp,         /* lanman 24 byte response */
+                                                     user_info->nt_resp,         /* nt 24 byte response */
+                                                     &info3);                    /* info3 out */
 
        /* Let go as soon as possible so we avoid any potential deadlocks
           with winbind lookup up users or groups. */
index 738af73f49691d3287c36c9135d48cabee1901cf..2fef8f1e9b56ca686d7ddcc080ced0b387da8187 100644 (file)
@@ -101,6 +101,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
                                       NULL, NULL, NULL,
                                       True);
 
+       user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
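Review bot: The new store to `user_info->logon_parameters` runs before the `NT_STATUS_IS_OK(nt_status)` check that immediately follows it, so when make_user_info_map() fails the pointer is dereferenced although the call never produced a user_info. Move the added line below the early return: `if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }` and only then `user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;`. The auth_util.c hunks in this same commit already guard the equivalent store with the status check, so this is the one place that does it the other way round. The make_user_info_map() call starts outside the hunk, so whether user_info is pre-initialised to NULL cannot be seen here.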
index bb4df707ef7f482a9c22a48d8468a00a24a76343..c92cecdde59ddb45ed0a6d415165c340975e4b51 100644 (file)
@@ -208,15 +208,18 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
        }
        
        if (acct_ctrl & ACB_SVRTRUST) {
-               DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
-               return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+               if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+                       DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
+                       return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+               }
        }
-       
+
        if (acct_ctrl & ACB_WSTRUST) {
-               DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
-               return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+               if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+                       DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
+                       return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+               }
        }
-       
        return NT_STATUS_OK;
 }
 
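Review bot: The allow path of both new inner `if` blocks is silent, so a machine-account logon that this commit now permits leaves no trace in the log, while the deny path still logs at level 2; permitting a trust-account logon is the security-relevant event and deserves at least the same visibility. Add an `else` to the new inner `if` in the `ACB_SVRTRUST` branch with `DEBUG(2,("sam_account_ok: Server trust account %s allowed by client's MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT flag\n", pdb_get_username(sampass)));` and the matching message for the `ACB_WSTRUST` branch. The workstation deny message also moves from DEBUG level 4 to 2 in this hunk without being mentioned in the commit message; if intentional it at least makes the two branches consistent. The hunk assumes `user_info` is already a parameter of sam_account_ok(), which the truncated signature on the header line does not show.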
index 49122bd4412f37b904d2af3b3018dcd8d4ce79f9..6a92c8782e8b4dcee1a9b0217c5aea2c20ab2334 100644 (file)
@@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
 
        (*user_info)->encrypted = encrypted;
 
+       (*user_info)->logon_parameters = 0;
+
        DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
 
        return NT_STATUS_OK;
@@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
                                     const char *smb_name, 
                                     const char *client_domain, 
                                     const char *wksta_name, 
+                                    uint32 logon_parameters,
                                     const uchar *lm_network_pwd, int lm_pwd_len,
                                     const uchar *nt_network_pwd, int nt_pwd_len)
 {
@@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
                                       nt_pwd_len ? &nt_blob : NULL,
                                       NULL, NULL, NULL,
                                       True);
-       
+
+       if (NT_STATUS_IS_OK(nt_status)) {
+               (*user_info)->logon_parameters = logon_parameters;
+       }
        ret = NT_STATUS_IS_OK(nt_status) ? True : False;
-               
+
        data_blob_free(&lm_blob);
        data_blob_free(&nt_blob);
        return ret;
@@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
                                         const char *smb_name, 
                                         const char *client_domain, 
                                         const char *wksta_name, 
+                                        uint32 logon_parameters,
                                         const uchar chal[8], 
                                         const uchar lm_interactive_pwd[16], 
                                         const uchar nt_interactive_pwd[16], 
@@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
                                               NULL,
                                               True);
 
+               if (NT_STATUS_IS_OK(nt_status)) {
+                       (*user_info)->logon_parameters = logon_parameters;
+               }
+
                ret = NT_STATUS_IS_OK(nt_status) ? True : False;
                data_blob_free(&local_lm_blob);
                data_blob_free(&local_nt_blob);
index 0c263b6ab31bc60ef42a545727dbadbd65ae1b29..ad72bd9a1fd561c4ba8c00de255c2a73d68bcb78 100644 (file)
@@ -88,6 +88,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 
        request.flags = WBFLAG_PAM_INFO3_NDR;
 
+       request.data.auth_crap.logon_parameters = user_info->logon_parameters;
+
        fstrcpy(request.data.auth_crap.user, 
                          user_info->smb_name.str);
        fstrcpy(request.data.auth_crap.domain, 
index 7282f4d38b272e88f18dd2dab79455bddaf1af83..f3dae1108b387fa5d674b504cc08bb279f65c03f 100644 (file)
 */
 
 /* AUTH_STR - string */
-typedef struct normal_string
-{
+typedef struct normal_string {
        int len;
        char *str;
 } AUTH_STR;
 
-typedef struct auth_usersupplied_info
-{
-       
+typedef struct auth_usersupplied_info {
        DATA_BLOB lm_resp;
        DATA_BLOB nt_resp;
        DATA_BLOB lm_interactive_pwd;
@@ -44,6 +41,8 @@ typedef struct auth_usersupplied_info
        AUTH_STR           smb_name;        /* username before mapping */
        AUTH_STR           wksta_name;           /* workstation name (netbios calling name) unicode string */
        
+       uint32 logon_parameters;
+
 } auth_usersupplied_info;
 
 #define SAM_FILL_NAME  0x01
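Review bot: The new `logon_parameters` member is the only field in `auth_usersupplied_info` without a trailing comment, and nothing in the header says which flag namespace it carries or who fills it in. Document it at the declaration, e.g. `uint32 logon_parameters; /* MSV1_0_* flags from the client's param_ctrl (rpc_netlogon.h); 0 means no trust-account logons */`, since this field is the reason for the AUTH_INTERFACE_VERSION bump further down in this file. The struct's opening lines are in the previous hunk.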
@@ -52,8 +51,7 @@ typedef struct auth_usersupplied_info
 #define SAM_FILL_UNIX  0x08
 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
 
-typedef struct auth_serversupplied_info 
-{
+typedef struct auth_serversupplied_info {
        BOOL guest;
 
        uid_t uid;
@@ -144,14 +142,14 @@ struct auth_init_function_entry {
        struct auth_init_function_entry *prev, *next;
 };
 
-typedef struct auth_ntlmssp_state
-{
+typedef struct auth_ntlmssp_state {
        TALLOC_CTX *mem_ctx;
        struct auth_context *auth_context;
        struct auth_serversupplied_info *server_info;
        struct ntlmssp_state *ntlmssp_state;
 } AUTH_NTLMSSP_STATE;
 
-#define AUTH_INTERFACE_VERSION 1
+/* Changed from 1 -> 2 to add the logon_parameters field. */
+#define AUTH_INTERFACE_VERSION 2
 
 #endif /* _SMBAUTH_H_ */
index 2d7d96c2dd0b88cca31107f1bcbfb355b5188243..46896d68e48deb1f021cf55d3c9dd4d5ea4dede2 100644 (file)
@@ -339,6 +339,11 @@ typedef int (*smbc_remove_cached_srv_fn)(SMBCCTX * c, SMBCSRV *srv);
 typedef int (*smbc_purge_cached_fn)     (SMBCCTX * c);
 
 
+/* close was renamed to close_fn, because close is often a macro.
+ * Allow backward compatability where this is not the case  */
+#ifndef close
+#define close close_fn
+#endif
 
 
 /**@ingroup structure
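Review bot: `#define close close_fn` in a public header renames every later use of the identifier `close` in the including translation unit, not just the SMBCCTX member, so a program that includes libsmbclient.h and then calls the POSIX `close(fd)` will be compiled as a call to `close_fn(fd)` and fail to link; the `#ifndef close` guard only skips the define where close already is a macro. This block is also unrelated to the logon_parameters work described in the commit message and would be easier to revert on its own. If source compatibility for `ctx->close` is really wanted, a documented rename in the SMBCCTX comment is safer than a global macro; otherwise drop these lines. The comment also misspells "compatibility".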
index b004e26397ed673514de8c131a560384b3c48429..c73cd03f103d387fa7521a2752165d79831c04e3 100644 (file)
@@ -95,6 +95,9 @@
 #define SE_GROUP_LOGON_ID              0xC0000000
 #define SE_GROUP_RESOURCE              0x20000000
 
+/* Flags for controlling the behaviour of a particular logon */
+#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT      ( 0x020 )
+#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ( 0x800 )
 
 #if 0
 /* I think this is correct - it's what gets parsed on the wire. JRA. */
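Review bot: The new comment says what the two flags are for but not where they live: they are bits of the `param_ctrl` field of id_info1/id_info2 that this commit forwards in cli_netlogon.c and reads off the wire in srv_netlog_nt.c. Extend it to `/* Flags for controlling the behaviour of a particular logon: bits of the param_ctrl field of id_info1/id_info2. Only the two honoured by sam_account_ok() are defined here. */` so a reader knows the values are client-supplied.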
index 6436346668a3be0d0a4ee2ada33e0d87653444ff..45195fb86ab8a36c17295db25adbb0eb649f1a48 100644 (file)
@@ -630,6 +630,8 @@ static BOOL wbinfo_auth_crap(char *username)
                
        parse_wbinfo_domain_user(username, name_domain, name_user);
 
+       request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
        fstrcpy(request.data.auth_crap.user, name_user);
 
        fstrcpy(request.data.auth_crap.domain, 
index c851ca7480ccfe6ae5d26e7103b4383c1a704e12..eda68ae5c71237df03d7f0da5fba3ae67c944e26 100644 (file)
@@ -202,6 +202,7 @@ struct winbindd_request {
                } auth;              /* pam_winbind auth module */
                 struct {
                         unsigned char chal[8];
+                       uint32 logon_parameters;
                         fstring user;
                         fstring domain;
                         fstring lm_resp;
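Review bot: Inserting `uint32 logon_parameters` in the middle of `struct winbindd_request` changes the size and layout of the structure exchanged over the winbindd socket, but this hunk is the only change to winbindd_nss.h, so WINBINDD_INTERFACE_VERSION does not appear to be bumped in this commit. A client built against the old layout (smbd, pam_winbind, ntlm_auth) talking to a new winbindd, or the reverse, would then disagree about where `user`, `domain` and the responses sit. If the daemon rejects requests whose length differs from `sizeof(struct winbindd_request)` the mismatch fails closed, but the version macro is still the documented signal for this kind of change; that check is not visible from here.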
index c2324291a6389bca6f6098636239b8aed41a0a5a..3571142c5846d27aca893aa6ed5e273bbab50628 100644 (file)
@@ -343,15 +343,16 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
                }
 
                result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-                                                       state->mem_ctx,
-                                                       contact_domain->dcname, /* server name */
-                                                       name_user,              /* user name */
-                                                       name_domain,            /* target domain */
-                                                       global_myname(),        /* workstation */
-                                                       chal,
-                                                       lm_resp,
-                                                       nt_resp,
-                                                       &info3);
+                                                          state->mem_ctx,
+                                                          0,
+                                                          contact_domain->dcname, /* server name */
+                                                          name_user,              /* user name */
+                                                          name_domain,            /* target domain */
+                                                          global_myname(),        /* workstation */
+                                                          chal,
+                                                          lm_resp,
+                                                          nt_resp,
+                                                          &info3);
                attempts += 1;
 
                /* We have to try a second time as cm_connect_netlogon
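Review bot: The new bare `0,` argument is the only one in this call without a trailing comment while every other argument is annotated, so a reader has to open cli_netlogon.c to learn that it is the logon_parameters. Write it as `0,                      /* logon_parameters: PAM logons never allow trust accounts */`. Passing 0 here is the conservative choice and matches the default make_user_info() now sets in auth_util.c; the winbindd_dual_pam_auth_crap hunk below forwards the client's value instead, which is the intended difference.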
@@ -624,15 +625,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
                }
 
                result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-                                                       state->mem_ctx,
-                                                       contact_domain->dcname,
-                                                       name_user,
-                                                       name_domain, 
-                                                       global_myname(),
-                                                       state->request.data.auth_crap.chal,
-                                                       lm_resp,
-                                                       nt_resp,
-                                                       &info3);
+                                                          state->mem_ctx,
+                                                          state->request.data.auth_crap.logon_parameters,
+                                                          contact_domain->dcname,
+                                                          name_user,
+                                                          name_domain, 
+                                                          global_myname(),
+                                                          state->request.data.auth_crap.chal,
+                                                          lm_resp,
+                                                          nt_resp,
+                                                          &info3);
 
                attempts += 1;
 
index 85b557471b5e5876b78fb1394154716f7d6bcce8..af0062f2b390ab7f16739bc67881e621e5d8340f 100644 (file)
@@ -528,11 +528,12 @@ NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem
 /* Logon domain user */
 
 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-                               TALLOC_CTX *mem_ctx,
-                               const char *domain,
-                                const char *username,
-                               const char *password,
-                                int logon_type)
+                                  TALLOC_CTX *mem_ctx,
+                                  uint32 logon_parameters,
+                                  const char *domain,
+                                  const char *username,
+                                  const char *password,
+                                  int logon_type)
 {
        prs_struct qbuf, rbuf;
        NET_Q_SAM_LOGON q;
@@ -566,7 +567,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
                 nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
 
                 init_id_info1(&ctr.auth.id1, domain, 
-                              0, /* param_ctrl */
+                             logon_parameters, /* param_ctrl */
                               0xdead, 0xbeef, /* LUID? */
                               username, clnt_name_slash,
                               (const char *)cli->dc->sess_key, lm_owf_user_pwd,
@@ -585,7 +586,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
                 SMBNTencrypt(password, chal, local_nt_response);
 
                 init_id_info2(&ctr.auth.id2, domain, 
-                              0, /* param_ctrl */
+                             logon_parameters, /* param_ctrl */
                               0xdead, 0xbeef, /* LUID? */
                               username, clnt_name_slash, chal,
                               local_lm_response, 24, local_nt_response, 24);
@@ -636,6 +637,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
                                           TALLOC_CTX *mem_ctx,
+                                          uint32 logon_parameters,
                                           const char *server,
                                           const char *username,
                                           const char *domain,
@@ -688,7 +690,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
         ctr.switch_value = NET_LOGON_TYPE;
 
        init_id_info2(&ctr.auth.id2, domain,
-                     0, /* param_ctrl */
+                     logon_parameters, /* param_ctrl */
                      0xdead, 0xbeef, /* LUID? */
                      username, workstation_name_slash, (const uchar*)chal,
                      lm_response.data, lm_response.length, nt_response.data, nt_response.length);
index f75ad6bba001e3e7c5c07f1b5b2bf688bf01110a..91566d325cfbc9101f6935def994838ceb4d4c93 100644 (file)
@@ -695,6 +695,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
                if (!make_user_info_netlogon_network(&user_info, 
                                                     nt_username, nt_domain, 
                                                     wksname,
+                                                    ctr->auth.id2.param_ctrl,
                                                     ctr->auth.id2.lm_chal_resp.buffer,
                                                     ctr->auth.id2.lm_chal_resp.str_str_len,
                                                     ctr->auth.id2.nt_chal_resp.buffer,
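Review bot: `ctr->auth.id2.param_ctrl` is taken straight from the client's NETLOGON request and stored as the new `logon_parameters` without being restricted to the bits the server understands, so every other ParameterControl bit reaches sam_account_ok() and anything that later consumes the field unfiltered. Consider masking at this trust boundary, `ctr->auth.id2.param_ctrl & (MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT),`, and emitting a DEBUG line when either trust-account bit is set, since this is the point where a client asks to be treated as a machine. The same applies to `ctr->auth.id1.param_ctrl` in the interactive hunk below. Both calls sit inside `_net_sam_logon`, whose body extends outside these hunks.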
@@ -719,7 +720,9 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 
                if (!make_user_info_netlogon_interactive(&user_info, 
                                                         nt_username, nt_domain, 
-                                                        nt_workstation, chal,
+                                                        nt_workstation, 
+                                                        ctr->auth.id1.param_ctrl,
+                                                        chal,
                                                         ctr->auth.id1.lm_owf.data, 
                                                         ctr->auth.id1.nt_owf.data, 
                                                         p->dc->sess_key)) {
index 153daa5cf2d51e3c8fa3fdb006a7c710dc5a982b..d8f5a75b54e21972e0e700afcdbcf63ee6c93a28 100644 (file)
@@ -272,7 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
         /* Perform the sam logon */
 
-        result = rpccli_netlogon_sam_logon(cli, mem_ctx, lp_workgroup(), username, password, logon_type);
+        result = rpccli_netlogon_sam_logon(cli, mem_ctx, 0, lp_workgroup(), username, password, logon_type);
 
        if (!NT_STATUS_IS_OK(result))
                goto done;
index d61abb64654ab36326e8a4c1e95fe55459fe7900..433ba06982473f0c3970c474ae55458bd4f64033 100644 (file)
@@ -323,6 +323,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 
        request.flags = flags;
 
+       request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
        if (require_membership_of_sid)
                fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);