/*
 * KDC-side client access check.
 *
 * Delegates to authsam_account_ok() in auth/auth_sam.c so that the KDC
 * applies exactly the same account restrictions as the SAM/NTLM path
 * instead of re-implementing them here.  All transient allocations of the
 * check are parented to a private talloc context that is released before
 * returning, so nothing leaks into the caller's context.
 *
 * @param kdc_entry        KDC database entry of the client; supplies the
 *                         samdb handle, the realm DN and the LDAP message
 * @param client_name      client principal name, passed through to account_ok
 * @param workstation      workstation name, passed through to account_ok
 * @param password_change  true for a password-change request (kpasswd)
 * @return NT_STATUS_NO_MEMORY if the scratch context cannot be allocated,
 *         otherwise the status returned by authsam_account_ok
 */
NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
				       const char *client_name,
				       const char *workstation,
				       bool password_change)
{
	TALLOC_CTX *frame = talloc_named(NULL, 0, "samba_kdc_check_client_access");
	NTSTATUS status;

	if (frame == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	/*
	 * Both server-trust and workstation-trust accounts are acceptable
	 * Kerberos clients, so both MSV1_0 trust bits are set here.  The
	 * trailing "true" is a positional flag whose meaning is defined by
	 * authsam_account_ok — NOTE(review): confirm against its prototype.
	 */
	status = authsam_account_ok(frame,
				    kdc_entry->kdc_db_ctx->samdb,
				    MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
				    MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
				    kdc_entry->realm_dn,
				    kdc_entry->msg,
				    workstation,
				    client_name,
				    true,
				    password_change);

	talloc_free(frame);
	return status;
}
/*
 * Authenticate a user against the SAM record already looked up in `msg`
 * (early variant: no RODC secret-replication handling).
 *
 * Order of checks matters for the security behaviour and is preserved here:
 *   1. lockout (ACB_AUTOLOCK) is refused before any password material is
 *      touched, so a locked account never reaches the hash comparison;
 *   2. interactive logons are restricted to ACB_NORMAL accounts;
 *   3. the stored LM/NT hashes are fetched and the supplied credentials
 *      verified by authsam_password_ok;
 *   4. only once the password was accepted are the remaining account
 *      restrictions evaluated by authsam_account_ok — so a wrong password on
 *      a restricted account yields the password error, not the restriction.
 *
 * @param auth_context   authentication context (supplies lp_ctx)
 * @param mem_ctx        talloc parent for the returned session keys
 * @param sam_ctx        ldb handle to the SAM
 * @param domain_dn      DN of the user's domain, used for account flags and
 *                       account_ok
 * @param msg            the user's LDAP record
 * @param user_info      credentials and logon parameters supplied by the client
 * @param user_sess_key  out: NT session key (filled by authsam_password_ok)
 * @param lm_sess_key    out: LM session key (filled by authsam_password_ok)
 * @return NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_SUCH_USER, or the
 *         status of the first failing helper; NT_STATUS_OK on success
 */
static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
				     TALLOC_CTX *mem_ctx,
				     struct ldb_context *sam_ctx,
				     struct ldb_dn *domain_dn,
				     struct ldb_message *msg,
				     const struct auth_usersupplied_info *user_info,
				     DATA_BLOB *user_sess_key,
				     DATA_BLOB *lm_sess_key)
{
	struct samr_Password *lm_hash = NULL;
	struct samr_Password *nt_hash = NULL;
	NTSTATUS status;
	const uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
							    msg, domain_dn);
	const bool interactive_logon =
		(user_info->flags & USER_INFO_INTERACTIVE_LOGON) != 0;

	/* A locked-out account is rejected before looking at the password. */
	if (acct_flags & ACB_AUTOLOCK) {
		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
			 user_info->mapped.account_name));
		return NT_STATUS_ACCOUNT_LOCKED_OUT;
	}

	/* Interactive logon is only permitted for normal user accounts. */
	if (interactive_logon && !(acct_flags & ACB_NORMAL)) {
		return NT_STATUS_NO_SUCH_USER;
	}

	status = samdb_result_passwords(mem_ctx, auth_context->lp_ctx, msg,
					&lm_hash, &nt_hash);
	NT_STATUS_NOT_OK_RETURN(status);

	status = authsam_password_ok(auth_context, mem_ctx, acct_flags,
				     lm_hash, nt_hash, user_info,
				     user_sess_key, lm_sess_key);
	NT_STATUS_NOT_OK_RETURN(status);

	/* Password accepted: now apply the remaining account restrictions. */
	return authsam_account_ok(mem_ctx, sam_ctx,
				  user_info->logon_parameters,
				  domain_dn, msg,
				  user_info->workstation_name,
				  user_info->mapped.account_name,
				  false, false);
}
/*
 * Authenticate a user against the SAM record in `msg`, with read-only DC
 * (RODC) handling for accounts whose secrets are not available locally.
 *
 * Check ordering is security-relevant and kept as-is:
 *   1. a locked-out account (ACB_AUTOLOCK) is refused before any password
 *      material is read;
 *   2. interactive logon is limited to ACB_NORMAL accounts;
 *   3. the LM/NT hashes are fetched; if neither exists and this host is an
 *      RODC, the account's secrets are presumably not replicated here, so a
 *      replication request is triggered and NT_STATUS_NOT_IMPLEMENTED is
 *      returned, which (per the original comment) tells the auth stack to
 *      try the next mechanism rather than fail the logon;
 *   4. the password is verified by authsam_password_ok;
 *   5. remaining account restrictions are checked by authsam_account_ok only
 *      after the password was accepted.
 *
 * Note that the `sam_ctx` parameter is not used for the SAM queries in this
 * variant; the context's own auth_context->sam_ctx is used instead.
 *
 * @param auth_context   authentication context (lp_ctx, sam_ctx)
 * @param mem_ctx        talloc parent for returned session keys
 * @param sam_ctx        ldb handle (unused here, see note above)
 * @param domain_dn      DN of the user's domain
 * @param msg            the user's LDAP record
 * @param user_info      credentials and logon parameters from the client
 * @param user_sess_key  out: NT session key
 * @param lm_sess_key    out: LM session key
 * @return NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_SUCH_USER,
 *         NT_STATUS_NOT_IMPLEMENTED (RODC without secrets), the status of
 *         the first failing helper, or NT_STATUS_OK
 */
static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
				     TALLOC_CTX *mem_ctx,
				     struct ldb_context *sam_ctx,
				     struct ldb_dn *domain_dn,
				     struct ldb_message *msg,
				     const struct auth_usersupplied_info *user_info,
				     DATA_BLOB *user_sess_key,
				     DATA_BLOB *lm_sess_key)
{
	struct ldb_context *samdb = auth_context->sam_ctx;
	struct samr_Password *lm_hash = NULL;
	struct samr_Password *nt_hash = NULL;
	NTSTATUS status;
	const uint16_t acct_flags = samdb_result_acct_flags(samdb, mem_ctx,
							    msg, domain_dn);
	const bool interactive_logon =
		(user_info->flags & USER_INFO_INTERACTIVE_LOGON) != 0;

	/* Locked-out accounts are rejected before the password is examined. */
	if (acct_flags & ACB_AUTOLOCK) {
		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
			 user_info->mapped.account_name));
		return NT_STATUS_ACCOUNT_LOCKED_OUT;
	}

	/* Only normal user accounts may log on interactively. */
	if (interactive_logon && !(acct_flags & ACB_NORMAL)) {
		return NT_STATUS_NO_SUCH_USER;
	}

	status = samdb_result_passwords(mem_ctx, auth_context->lp_ctx, msg,
					&lm_hash, &nt_hash);
	NT_STATUS_NOT_OK_RETURN(status);

	/*
	 * No hashes at all: on an RODC this most likely means the secrets
	 * for this account were never (or not yet) replicated to us, or we
	 * are denied REPL_SECRET for it.  Ask the drepl server to fetch them
	 * and let the caller fall through to the next auth mechanism.
	 */
	if (lm_hash == NULL && nt_hash == NULL) {
		bool is_rodc = false;

		if (samdb_rodc(samdb, &is_rodc) == LDB_SUCCESS && is_rodc) {
			auth_sam_trigger_repl_secret(mem_ctx, auth_context,
						     msg->dn);
			return NT_STATUS_NOT_IMPLEMENTED;
		}
	}

	status = authsam_password_ok(auth_context, mem_ctx, acct_flags,
				     lm_hash, nt_hash, user_info,
				     user_sess_key, lm_sess_key);
	NT_STATUS_NOT_OK_RETURN(status);

	/* Password accepted: evaluate the remaining account restrictions. */
	return authsam_account_ok(mem_ctx, samdb,
				  user_info->logon_parameters,
				  domain_dn, msg,
				  user_info->workstation_name,
				  user_info->mapped.account_name,
				  false, false);
}
/*
 * Authenticate a user against the SAM record in `msg` (auth4 variant).
 *
 * The checks run in this order, which is preserved because it is
 * security-relevant:
 *   1. interactive logon (USER_INFO_INTERACTIVE_LOGON) is limited to
 *      ACB_NORMAL accounts, and an account flagged ACB_SMARTCARD_REQUIRED
 *      is refused for password-based interactive logon (a disabled account
 *      reports NT_STATUS_ACCOUNT_DISABLED first);
 *   2. authsam_password_check_and_record verifies the credentials (and,
 *      by its name, records the outcome — its exact bookkeeping is not
 *      visible here);
 *   3. authsam_account_ok applies the remaining account restrictions, so
 *      a bad password on a restricted account yields the password error;
 *   4. authsam_logon_success_accounting updates the record; if it hands
 *      back a netr_SendToSamBase, auth_sam_trigger_zero_password is fired
 *      regardless of whether the accounting itself succeeded.
 *
 * All intermediate allocations live on a scratch context that is freed on
 * every path.  Only on full success are the session-key buffers moved to
 * `mem_ctx`; on any failure they are released together with the scratch
 * context, so callers never receive keys for a failed logon.
 *
 * NOTE(review): `interactive` passed to the accounting step is derived from
 * user_info->password_state == AUTH_PASSWORD_HASH, whereas the checks in
 * step 1 key off USER_INFO_INTERACTIVE_LOGON — confirm these agree for all
 * callers.
 *
 * @param auth_context   auth4 context (sam_ctx, msg_ctx, event_ctx)
 * @param mem_ctx        talloc parent that receives the session keys on success
 * @param sam_ctx        ldb handle (not used by this variant; the context's
 *                       sam_ctx is used)
 * @param domain_dn      DN of the user's domain
 * @param msg            the user's LDAP record
 * @param user_info      credentials and logon parameters from the client
 * @param user_sess_key  out: NT session key
 * @param lm_sess_key    out: LM session key
 * @param authoritative  out: set by authsam_password_check_and_record
 * @return NT_STATUS_OK, NT_STATUS_NO_MEMORY, NT_STATUS_NO_SUCH_USER,
 *         NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_SMARTCARD_LOGON_REQUIRED,
 *         or the status of the first failing helper
 */
static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
				     TALLOC_CTX *mem_ctx,
				     struct ldb_context *sam_ctx,
				     struct ldb_dn *domain_dn,
				     struct ldb_message *msg,
				     const struct auth_usersupplied_info *user_info,
				     DATA_BLOB *user_sess_key,
				     DATA_BLOB *lm_sess_key,
				     bool *authoritative)
{
	NTSTATUS status;
	const bool interactive =
		(user_info->password_state == AUTH_PASSWORD_HASH);
	const uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
	struct netr_SendToSamBase *send_to_sam = NULL;
	TALLOC_CTX *frame = talloc_new(mem_ctx);

	if (frame == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
		/* Only normal user accounts may log on interactively. */
		if (!(acct_flags & ACB_NORMAL)) {
			status = NT_STATUS_NO_SUCH_USER;
			goto done;
		}

		/*
		 * A smartcard-only account must not accept a password for
		 * interactive logon.  Report "disabled" ahead of "smartcard
		 * required" when both apply.
		 */
		if (acct_flags & ACB_SMARTCARD_REQUIRED) {
			if (acct_flags & ACB_DISABLED) {
				DEBUG(2,("authsam_authenticate: Account for user '%s' "
					 "was disabled.\n",
					 user_info->mapped.account_name));
				status = NT_STATUS_ACCOUNT_DISABLED;
				goto done;
			}
			DEBUG(2,("authsam_authenticate: Account for user '%s' "
				 "requires interactive smartcard logon.\n",
				 user_info->mapped.account_name));
			status = NT_STATUS_SMARTCARD_LOGON_REQUIRED;
			goto done;
		}
	}

	status = authsam_password_check_and_record(auth_context, frame,
						   domain_dn, msg,
						   acct_flags, user_info,
						   user_sess_key, lm_sess_key,
						   authoritative);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* Password accepted: evaluate the remaining account restrictions. */
	status = authsam_account_ok(frame, auth_context->sam_ctx,
				    user_info->logon_parameters,
				    domain_dn, msg,
				    user_info->workstation_name,
				    user_info->mapped.account_name,
				    false, false);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = authsam_logon_success_accounting(auth_context->sam_ctx, msg,
						  domain_dn, interactive,
						  &send_to_sam);
	/* The SendToSam trigger fires even if the accounting step failed. */
	if (send_to_sam != NULL) {
		auth_sam_trigger_zero_password(frame,
					       auth_context->msg_ctx,
					       auth_context->event_ctx,
					       send_to_sam);
	}
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* Success: hand the session keys to the caller's context. */
	if (user_sess_key != NULL && user_sess_key->data != NULL) {
		talloc_steal(mem_ctx, user_sess_key->data);
	}
	if (lm_sess_key != NULL && lm_sess_key->data != NULL) {
		talloc_steal(mem_ctx, lm_sess_key->data);
	}

done:
	/* On failure this also frees any session-key data still parented here. */
	TALLOC_FREE(frame);
	return status;
}