Пример #1
0
const char *get_global_sam_name(void)
{
	if (IS_DC) {
		return lp_workgroup();
	}
	return lp_netbios_name();
}
Пример #2
0
void check_master_browser_exists(time_t t)
{
	static time_t lastrun=0;
	struct subnet_record *subrec;
	const char *workgroup_name = lp_workgroup();

	if (t < (lastrun + (CHECK_TIME_MST_BROWSE * 60)))
		return;

	lastrun = t;

	dump_workgroups(False);

	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
		struct work_record *work;

		for (work = subrec->workgrouplist; work; work = work->next) {
			if (strequal(work->work_group, workgroup_name) && !AM_LOCAL_MASTER_BROWSER(work)) {
				/* Do a name query for the local master browser on this net. */
				query_name( subrec, work->work_group, 0x1d,
					check_for_master_browser_success,
					check_for_master_browser_fail,
					NULL);
			}
		}
	}
}
Пример #3
0
/*
  reply to a SAM LOGON request
 */
static void nbtd_ntlogon_sam_logon(struct dgram_mailslot_handler *dgmslot, 
				   struct nbtd_interface *iface,
				   struct nbt_dgram_packet *packet,
				   const struct socket_address *src,
				   struct nbt_ntlogon_packet *ntlogon)
{
	struct nbt_name *name = &packet->data.msg.dest_name;
	struct nbtd_interface *reply_iface = nbtd_find_reply_iface(iface, src->addr, False);
	struct nbt_ntlogon_packet reply;
	struct nbt_ntlogon_sam_logon_reply *logon;

	/* only answer sam logon requests on the PDC or LOGON names */
	if (name->type != NBT_NAME_PDC && name->type != NBT_NAME_LOGON) {
		return;
	}

	/* setup a SAM LOGON reply */
	ZERO_STRUCT(reply);
	reply.command = NTLOGON_SAM_LOGON_REPLY;
	logon = &reply.req.reply;

	logon->server           = talloc_asprintf(packet, "\\\\%s", lp_netbios_name());
	logon->user_name        = ntlogon->req.logon.user_name;
	logon->domain           = lp_workgroup();
	logon->nt_version       = 1;
	logon->lmnt_token       = 0xFFFF;
	logon->lm20_token       = 0xFFFF;

	packet->data.msg.dest_name.type = 0;

	dgram_mailslot_ntlogon_reply(reply_iface->dgmsock, 
				     packet, 
				     ntlogon->req.logon.mailslot_name,
				     &reply);
}
Пример #4
0
/***************************************************** 
return a connection to a server
*******************************************************/
static struct cli_state *connect_one(const char *share)
{
	struct cli_state *c;
	struct in_addr ip;
	NTSTATUS nt_status;
	zero_ip(&ip);
	
	if (!cmdline_auth_info.got_pass) {
		char *pass = getpass("Password: ");
		if (pass) {
			pstrcpy(cmdline_auth_info.password, pass);
			cmdline_auth_info.got_pass = True;
		}
	}

	if (NT_STATUS_IS_OK(nt_status = cli_full_connection(&c, global_myname(), server, 
							    &ip, 0,
							    share, "?????",  
							    cmdline_auth_info.username, lp_workgroup(),
							    cmdline_auth_info.password, 0,
							    cmdline_auth_info.signing_state, NULL))) {
		return c;
	} else {
		DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
		return NULL;
	}
}
Пример #5
0
BOOL get_dc_name(const char *domain, const char *realm, fstring srv_name, struct in_addr *ip_out)
{
	struct in_addr dc_ip;
	BOOL ret;
	BOOL our_domain = False;

	zero_ip(&dc_ip);

	ret = False;
	
	if ( strequal(lp_workgroup(), domain) || strequal(lp_realm(), realm) )
		our_domain = True;
	
	/* always try to obey what the admin specified in smb.conf 
	   (for the local domain) */
	
	if ( (our_domain && lp_security()==SEC_ADS) || realm ) {
		ret = ads_dc_name(domain, realm, &dc_ip, srv_name);
	}
	
	if (!ret) {
		/* fall back on rpc methods if the ADS methods fail */
		ret = rpc_dc_name(domain, srv_name, &dc_ip);
	}
		
	*ip_out = dc_ip;

	return ret;
}
void announce_remote(time_t t)
{
    char *s;
    const char *ptr;
    static time_t last_time = 0;
    pstring s2;
    struct in_addr addr;
    char *comment;
    int stype = lp_default_server_announce();

    if (last_time && (t < (last_time + REMOTE_ANNOUNCE_INTERVAL)))
        return;

    last_time = t;

    s = lp_remote_announce();
    if (!*s)
        return;

    comment = string_truncate(lp_serverstring(), MAX_SERVER_STRING_LENGTH);

    for (ptr=s; next_token(&ptr,s2,NULL,sizeof(s2)); ) {
        /* The entries are of the form a.b.c.d/WORKGROUP with
        		WORKGROUP being optional */
        const char *wgroup;
        char *pwgroup;
        int i;

        pwgroup = strchr_m(s2,'/');
        if (pwgroup)
            *pwgroup++ = 0;
        if (!pwgroup || !*pwgroup)
            wgroup = lp_workgroup();
        else
            wgroup = pwgroup;

        addr = *interpret_addr2(s2);

        /* Announce all our names including aliases */
        /* Give the ip address as the address of our first
        		broadcast subnet. */

        for(i=0; my_netbios_names(i); i++) {
            const char *name = my_netbios_names(i);

            DEBUG(5,("announce_remote: Doing remote announce for server %s to IP %s.\n",
                     name, inet_ntoa(addr) ));

            send_announcement(FIRST_SUBNET, ANN_HostAnnouncement,
                              name,                      /* From nbt name. */
                              wgroup, 0x1d,              /* To nbt name. */
                              addr,                      /* To ip. */
                              REMOTE_ANNOUNCE_INTERVAL,  /* Time until next announce. */
                              name,                      /* Name to announce. */
                              stype,                     /* Type field. */
                              comment);
        }
    }
}
Пример #7
0
static NTSTATUS gensec_ntlmssp3_client_start(struct gensec_security *gensec_security)
{
	NTSTATUS nt_status;
	struct gensec_ntlmssp_context *gensec_ntlmssp;
	const char *user, *domain;
	const char *password;

	nt_status = gensec_ntlmssp_start(gensec_security);
	NT_STATUS_NOT_OK_RETURN(nt_status);

	gensec_ntlmssp =
		talloc_get_type_abort(gensec_security->private_data,
				      struct gensec_ntlmssp_context);

	nt_status = ntlmssp_client_start(gensec_ntlmssp,
					 lp_netbios_name(), lp_workgroup(),
					 lp_client_ntlmv2_auth(), &gensec_ntlmssp->ntlmssp_state);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	cli_credentials_get_ntlm_username_domain(gensec_security->credentials, gensec_ntlmssp, &user, &domain);
	if (!user || !domain) {
		return NT_STATUS_NO_MEMORY;
	}

	nt_status = ntlmssp_set_username(gensec_ntlmssp->ntlmssp_state, user);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	nt_status = ntlmssp_set_domain(gensec_ntlmssp->ntlmssp_state, domain);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	password = cli_credentials_get_password(gensec_security->credentials);
	if (!password) {
		return NT_STATUS_NO_MEMORY;
	}

	nt_status = ntlmssp_set_password(gensec_ntlmssp->ntlmssp_state, password);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
		gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
	}
	if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SIGN) {
		gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
	}
	if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SEAL) {
		gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
		gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
	}

	return NT_STATUS_OK;
}
Пример #8
0
static struct cli_state *connect_one(const char *share)
{
	struct cli_state *c;
	NTSTATUS nt_status;
	uint32_t flags = 0;

	if (get_cmdline_auth_info_use_machine_account(smbcquotas_auth_info) &&
	    !set_cmdline_auth_info_machine_account_creds(smbcquotas_auth_info)) {
		return NULL;
	}

	if (get_cmdline_auth_info_use_kerberos(smbcquotas_auth_info)) {
		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;

	}

	set_cmdline_auth_info_getpass(smbcquotas_auth_info);

	nt_status = cli_full_connection(&c, lp_netbios_name(), server,
					    NULL, 0,
					    share, "?????",
					    get_cmdline_auth_info_username(smbcquotas_auth_info),
					    lp_workgroup(),
					    get_cmdline_auth_info_password(smbcquotas_auth_info),
					    flags,
					    get_cmdline_auth_info_signing_state(smbcquotas_auth_info));
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
		return NULL;
	}

	if (get_cmdline_auth_info_smb_encrypt(smbcquotas_auth_info)) {
		nt_status = cli_cm_force_encryption(c,
					get_cmdline_auth_info_username(smbcquotas_auth_info),
					get_cmdline_auth_info_password(smbcquotas_auth_info),
					lp_workgroup(),
					share);
		if (!NT_STATUS_IS_OK(nt_status)) {
			cli_shutdown(c);
			return NULL;
		}
	}

	return c;
}
Пример #9
0
static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli, 
                                        TALLOC_CTX *mem_ctx, int argc,
                                        char **argv)
{
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
        unsigned char trust_passwd[16];
        uint32 database_id, num_deltas, tmp;
        SAM_DELTA_HDR *hdr_deltas;
        SAM_DELTA_CTR *deltas;
        UINT64_S seqnum;

        if (argc != 3) {
                fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]);
                return NT_STATUS_OK;
        }

        database_id = atoi(argv[1]);
        tmp = atoi(argv[2]);

        seqnum.low = tmp & 0xffff;
        seqnum.high = 0;

        if (!secrets_init()) {
                fprintf(stderr, "Unable to initialise secrets database\n");
                goto done;
        }

        /* Initialise session credentials */

	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
                                                  NULL)) {
		fprintf(stderr, "could not fetch trust account password\n");
		goto done;
	}        

        result = cli_nt_setup_creds(cli, trust_passwd);

        if (!NT_STATUS_IS_OK(result)) {
                fprintf(stderr, "Error initialising session creds\n");
                goto done;
        }

        /* Synchronise sam database */

	result = cli_netlogon_sam_deltas(cli, mem_ctx, database_id,
					 seqnum, &num_deltas, 
					 &hdr_deltas, &deltas);

	if (!NT_STATUS_IS_OK(result))
		goto done;

        /* Display results */

        display_sam_sync(num_deltas, hdr_deltas, deltas);
        
 done:
        return result;
}
Пример #10
0
static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli, 
				       TALLOC_CTX *mem_ctx, int argc,
				       const char **argv)
{
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	int logon_type = NetlogonNetworkInformation;
	const char *username, *password;
	uint32_t logon_param = 0;
	const char *workstation = NULL;
	struct netr_SamInfo3 *info3 = NULL;
	uint8_t authoritative = 0;
	uint32_t flags = 0;

	/* Check arguments */

	if (argc < 3 || argc > 6) {
		fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
			"[logon_type (1 or 2)] [logon_parameter]\n");
		return NT_STATUS_OK;
	}

	username = argv[1];
	password = argv[2];

	if (argc >= 4) 
		workstation = argv[3];

	if (argc >= 5)
		sscanf(argv[4], "%i", &logon_type);

	if (argc == 6)
		sscanf(argv[5], "%x", &logon_param);

	if (rpcclient_netlogon_creds == NULL) {
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	/* Perform the sam logon */

	result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
						cli->binding_handle,
						mem_ctx,
						logon_param,
						lp_workgroup(),
						username,
						password,
						workstation,
						logon_type,
						&authoritative,
						&flags,
						&info3);
	if (!NT_STATUS_IS_OK(result))
		goto done;

 done:
	return result;
}
Пример #11
0
BOOL torture_domain_open_samr(struct torture_context *torture)
{
	NTSTATUS status;
	const char *binding;
	struct libnet_context *ctx;
	struct event_context *evt_ctx=NULL;
	TALLOC_CTX *mem_ctx;
	struct policy_handle domain_handle, handle;
	struct lsa_String name;
	struct libnet_DomainOpen io;
	struct samr_Close r;
	BOOL ret = True;

	mem_ctx = talloc_init("test_domainopen_lsa");
	binding = torture_setting_string(torture, "binding", NULL);

	ctx = libnet_context_init(evt_ctx);
	ctx->cred = cmdline_credentials;

	name.string = lp_workgroup();

	/*
	 * Testing synchronous version
	 */
	printf("opening domain\n");
	
	io.in.type         = DOMAIN_SAMR;
	io.in.domain_name  = name.string;
	io.in.access_mask  = SEC_FLAG_MAXIMUM_ALLOWED;

	status = libnet_DomainOpen(ctx, mem_ctx, &io);
	if (!NT_STATUS_IS_OK(status)) {
		printf("Composite domain open failed - %s\n", nt_errstr(status));
		ret = False;
		goto done;
	}

	domain_handle = ctx->samr.handle;

	r.in.handle   = &domain_handle;
	r.out.handle  = &handle;
	
	printf("closing domain handle\n");
	
	status = dcerpc_samr_Close(ctx->samr.pipe, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("Close failed - %s\n", nt_errstr(status));
		ret = False;
		goto done;
	}

done:
	talloc_free(mem_ctx);
	talloc_free(ctx);

	return ret;
}
Пример #12
0
/*
  do some samr ops using the schannel connection
 */
static BOOL test_samr_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	struct samr_GetDomPwInfo r;
	struct samr_Connect connect;
	struct samr_OpenDomain opendom;
	int i;
	struct lsa_String name;
	struct policy_handle handle;
	struct policy_handle domain_handle;

	name.string = lp_workgroup();
	r.in.domain_name = &name;

	connect.in.system_name = 0;
	connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	connect.out.connect_handle = &handle;
	
	printf("Testing Connect and OpenDomain on BUILTIN\n");

	status = dcerpc_samr_Connect(p, mem_ctx, &connect);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
			printf("Connect failed (expected, schannel mapped to anonymous): %s\n",
			       nt_errstr(status));
		} else {
			printf("Connect failed - %s\n", nt_errstr(status));
			return False;
		}
	} else {
		opendom.in.connect_handle = &handle;
		opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
		opendom.out.domain_handle = &domain_handle;
		
		status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
		if (!NT_STATUS_IS_OK(status)) {
			printf("OpenDomain failed - %s\n", nt_errstr(status));
			return False;
		}
	}

	printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);
	
	/* do several ops to test credential chaining */
	for (i=0;i<5;i++) {
		status = dcerpc_samr_GetDomPwInfo(p, mem_ctx, &r);
		if (!NT_STATUS_IS_OK(status)) {
			if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
				printf("GetDomPwInfo op %d failed - %s\n", i, nt_errstr(status));
				return False;
			}
		}
	}

	return True;
}
Пример #13
0
static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli, 
                                      TALLOC_CTX *mem_ctx, int argc,
                                      char **argv)
{
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
        unsigned char trust_passwd[16];
        uint32 database_id = 0, num_deltas;
        SAM_DELTA_HDR *hdr_deltas;
        SAM_DELTA_CTR *deltas;
	DOM_CRED ret_creds;

        if (argc > 2) {
                fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
                return NT_STATUS_OK;
        }

        if (argc == 2)
                database_id = atoi(argv[1]);

        if (!secrets_init()) {
                fprintf(stderr, "Unable to initialise secrets database\n");
                return result;
        }

        /* Initialise session credentials */

	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
                                                  NULL)) {
		fprintf(stderr, "could not fetch trust account password\n");
		goto done;
	}        

        result = cli_nt_setup_creds(cli, trust_passwd);

        if (!NT_STATUS_IS_OK(result)) {
                fprintf(stderr, "Error initialising session creds\n");
                goto done;
        }

	/* on first call the returnAuthenticator is empty */
	memset(&ret_creds, 0, sizeof(ret_creds));
 
        /* Synchronise sam database */

	result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, database_id,
				       &num_deltas, &hdr_deltas, &deltas);

	if (!NT_STATUS_IS_OK(result))
		goto done;

        /* Display results */

        display_sam_sync(num_deltas, hdr_deltas, deltas);

 done:
        return result;
}
Пример #14
0
bool torture_domain_open_samr(struct torture_context *torture)
{
	NTSTATUS status;
	struct libnet_context *ctx;
	TALLOC_CTX *mem_ctx;
	struct policy_handle domain_handle, handle;
	struct libnet_DomainOpen io;
	struct samr_Close r;
	const char *domain_name;
	bool ret = true;

	mem_ctx = talloc_init("test_domainopen_lsa");

	ctx = libnet_context_init(torture->ev, torture->lp_ctx);
	ctx->cred = cmdline_credentials;

	/* we're accessing domain controller so the domain name should be
	   passed (it's going to be resolved to dc name and address) instead
	   of specific server name. */
	domain_name = lp_workgroup(torture->lp_ctx);

	/*
	 * Testing synchronous version
	 */
	printf("opening domain\n");
	
	io.in.type         = DOMAIN_SAMR;
	io.in.domain_name  = domain_name;
	io.in.access_mask  = SEC_FLAG_MAXIMUM_ALLOWED;

	status = libnet_DomainOpen(ctx, mem_ctx, &io);
	if (!NT_STATUS_IS_OK(status)) {
		printf("Composite domain open failed - %s\n", nt_errstr(status));
		ret = false;
		goto done;
	}

	domain_handle = ctx->samr.handle;

	r.in.handle   = &domain_handle;
	r.out.handle  = &handle;
	
	printf("closing domain handle\n");
	
	status = dcerpc_samr_Close(ctx->samr.pipe, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("Close failed - %s\n", nt_errstr(status));
		ret = false;
		goto done;
	}

done:
	talloc_free(mem_ctx);
	talloc_free(ctx);

	return ret;
}
Пример #15
0
enum winbindd_result winbindd_domain_name(struct winbindd_cli_state *state)
{

	DEBUG(3, ("[%5lu]: request domain name\n", (unsigned long)state->pid));
	
	fstrcpy(state->response.data.domain_name, lp_workgroup());

	return WINBINDD_OK;
}
Пример #16
0
static void init_sid_name_map (void)
{
	int i = 0;
	
	if (sid_name_map_initialized) return;

	generate_wellknown_sids();

	if ((lp_security() == SEC_USER) && lp_domain_logons()) {
		sid_name_map[i].sid = get_global_sam_sid();
		/* This is not lp_workgroup() for good reason:
		   it must stay around longer than the lp_*() 
		   strings do */
		sid_name_map[i].name = strdup(lp_workgroup());
		sid_name_map[i].known_users = NULL;
		i++;
		sid_name_map[i].sid = get_global_sam_sid();
		sid_name_map[i].name = strdup(global_myname());
		sid_name_map[i].known_users = NULL;
		i++;
	} else {
		sid_name_map[i].sid = get_global_sam_sid();
		sid_name_map[i].name = strdup(global_myname());
		sid_name_map[i].known_users = NULL;
		i++;
	}

	sid_name_map[i].sid = &global_sid_Builtin;
	sid_name_map[i].name = "BUILTIN";
	sid_name_map[i].known_users = &builtin_groups[0];
	i++;
	
	sid_name_map[i].sid = &global_sid_World_Domain;
	sid_name_map[i].name = "";
	sid_name_map[i].known_users = &everyone_users[0];
	i++;

	sid_name_map[i].sid = &global_sid_Creator_Owner_Domain;
	sid_name_map[i].name = "";
	sid_name_map[i].known_users = &creator_owner_users[0];
	i++;
		
	sid_name_map[i].sid = &global_sid_NT_Authority;
	sid_name_map[i].name = "NT Authority";
	sid_name_map[i].known_users = &nt_authority_users[0];
	i++;
		
	/* End of array. */
	sid_name_map[i].sid = NULL;
	sid_name_map[i].name = NULL;
	sid_name_map[i].known_users = NULL;
	
	sid_name_map_initialized = True;
		
	return;
}
Пример #17
0
static PyObject *py_auth_smbd(PyObject *self, PyObject *args, PyObject *kw)
{
	static char *kwlist[] = 
		{"username", "password", "use_lm_hash", "use_nt_hash", NULL };
	struct winbindd_request request;
	struct winbindd_response response;
	char *username, *password;
	int use_lm_hash = 1, use_nt_hash = 1;

	if (!PyArg_ParseTupleAndKeywords(
		    args, kw, "ss|ii", kwlist, &username, &password, 
		    &use_lm_hash, &use_nt_hash))
		return NULL;

	ZERO_STRUCT(request);
	ZERO_STRUCT(response);

	if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
		PyErr_SetString("unable to create utf8 string");
		return NULL;
	}

	generate_random_buffer(request.data.smbd_auth_crap.chal, 8);
        
	if (use_lm_hash) {
		SMBencrypt((uchar *)password, 
			   request.data.smbd_auth_crap.chal, 
			   (uchar *)request.data.smbd_auth_crap.lm_resp);
		request.data.smbd_auth_crap.lm_resp_len = 24;
	}

	if (use_nt_hash) {
		SMBNTencrypt((uchar *)password, 
			     request.data.smbd_auth_crap.chal,
			     (uchar *)request.data.smbd_auth_crap.nt_resp);
		request.data.smbd_auth_crap.nt_resp_len = 24;
	}

	if (!secrets_fetch_trust_account_password(
		    lp_workgroup(), request.data.smbd_auth_crap.proof, NULL)) {
		PyErr_SetString(
			winbind_error, "unable to fetch domain secret");
		return NULL;
	}



	if (winbindd_request(WINBINDD_SMBD_AUTH_CRAP, &request, &response) 
	    != NSS_STATUS_SUCCESS) {
		PyErr_SetString(winbind_error, "lookup failed");
		return NULL;		
	}
	
	return PyInt_FromLong(response.data.auth.nt_status);
}
Пример #18
0
/****************************************************************************
  display tree of smb workgroups, servers and shares
 ****************************************************************************/
static BOOL get_workgroups(struct user_auth_info *user_info)
{
	struct cli_state *cli, *cli2;
	struct in_addr server_ip;
	pstring master_workgroup;

	/* Try to connect to a #1d name of our current workgroup.  If that
	   doesn't work broadcast for a master browser and then jump off
	   that workgroup. */

	pstrcpy(master_workgroup, lp_workgroup());

	if (!use_bcast && !find_master_ip(lp_workgroup(), &server_ip)) {
		DEBUG(4, ("Unable to find master browser for workgroup %s, falling back to broadcast\n", 
					master_workgroup));
		use_bcast = True;
	} else if(!use_bcast) {
		if (!(cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info)))
			return False;
	}

	if (!(cli2 = get_ipc_connect_master_ip_bcast(master_workgroup, user_info))) {
		DEBUG(4, ("Unable to find master browser by "
					"broadcast\n"));
		if(cli) cli_shutdown(cli);
		return False;
	}

	if(cli2) {
		if(cli) cli_shutdown(cli);
		cli = cli2;
	}

	if (!cli_NetServerEnum(cli, master_workgroup, 
				SV_TYPE_DOMAIN_ENUM, add_name, &workgroups)) {
		if(cli) cli_shutdown(cli);
		return False;
	}

	if(cli) cli_shutdown(cli);
	return True;
}
Пример #19
0
static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli, 
                                       TALLOC_CTX *mem_ctx, int argc,
                                       char **argv)
{
        unsigned char trust_passwd[16];
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
        int logon_type = NET_LOGON_TYPE;
        char *username, *password;

        /* Check arguments */

        if (argc < 3 || argc > 4) {
                fprintf(stderr, "Usage: samlogon <username> <password> "
                        "[logon_type]\n");
                return NT_STATUS_OK;
        }

        username = argv[1];
        password = argv[2];

        if (argc == 4)
                sscanf(argv[3], "%i", &logon_type);

        /* Authenticate ourselves with the domain controller */

        if (!secrets_init()) {
                fprintf(stderr, "Unable to initialise secrets database\n");
                return result;
        }

	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
                                                  NULL)) {
		fprintf(stderr, "could not fetch trust account password\n");
		goto done;
	}        

        result = cli_nt_setup_creds(cli, trust_passwd);

        if (!NT_STATUS_IS_OK(result)) {
                fprintf(stderr, "Error initialising session creds\n");
                goto done;
        }

        /* Perform the sam logon */

        result = cli_netlogon_sam_logon(cli, mem_ctx, username, password,
                                        logon_type);

	if (!NT_STATUS_IS_OK(result))
		goto done;

 done:
        return result;
}
Пример #20
0
static BOOL is_our_primary_domain(const char *domain)
{
	int role = lp_server_role();

	if ((role == ROLE_DOMAIN_MEMBER) && strequal(lp_workgroup(), domain)) {
		return True;
	} else if (strequal(get_global_sam_name(), domain)) {
		return True;
	}
	return False;
}
Пример #21
0
/****************************************************************************
  display tree of smb workgroups, servers and shares
****************************************************************************/
static bool get_workgroups(struct user_auth_info *user_info)
{
        struct cli_state *cli;
        struct sockaddr_storage server_ss;
	TALLOC_CTX *ctx = talloc_tos();
	char *master_workgroup = NULL;

        /* Try to connect to a #1d name of our current workgroup.  If that
           doesn't work broadcast for a master browser and then jump off
           that workgroup. */

	master_workgroup = talloc_strdup(ctx, lp_workgroup());
	if (!master_workgroup) {
		return false;
	}

        if (!use_bcast && !find_master_ip(lp_workgroup(), &server_ss)) {
                DEBUG(4, ("Unable to find master browser for workgroup %s, falling back to broadcast\n", 
			  master_workgroup));
				use_bcast = True;
		} else if(!use_bcast) {
			char addr[INET6_ADDRSTRLEN];
			print_sockaddr(addr, sizeof(addr), &server_ss);
			if (!(cli = get_ipc_connect(addr, &server_ss, user_info)))
				return False;
		}

		if (!(cli = get_ipc_connect_master_ip_bcast(talloc_tos(),
							user_info,
							&master_workgroup))) {
			DEBUG(4, ("Unable to find master browser by "
				  "broadcast\n"));
			return False;
        }

        if (!cli_NetServerEnum(cli, master_workgroup,
                               SV_TYPE_DOMAIN_ENUM, add_name, &workgroups))
                return False;

        return True;
}
static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
					void *my_private_data, 
					TALLOC_CTX *mem_ctx,
					const struct auth_usersupplied_info *user_info,
					struct auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
	const char *domain = lp_workgroup();
	fstring dc_name;
	struct sockaddr_storage dc_ss;

	if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) {
		DEBUG(0,("check_ntdomain_security: Configuration error!  Cannot use "
			"ntdomain auth method when not a member of a domain.\n"));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	if (!user_info || !server_info || !auth_context) {
		DEBUG(1,("check_ntdomain_security: Critical variables not present.  Failing.\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));

	/* 
	 * Check that the requested domain is not our own machine name.
	 * If it is, we should never check the PDC here, we use our own local
	 * password file.
	 */

	if(strequal(get_global_sam_name(), user_info->mapped.domain_name)) {
		DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* we need our DC to send the net_sam_logon() request to */

	if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
		DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n",
			user_info->mapped.domain_name));
		return NT_STATUS_NO_LOGON_SERVERS;
	}

	nt_status = domain_client_validate(mem_ctx,
					user_info,
					domain,
					(uchar *)auth_context->challenge.data,
					server_info,
					dc_name,
					&dc_ss);

	return nt_status;
}
void update_trustdom_cache( void )
{
	char **domain_names;
	struct dom_sid *dom_sids;
	uint32 num_domains;
	uint32 last_check;
	int time_diff;
	TALLOC_CTX *mem_ctx = NULL;
	time_t now = time(NULL);
	int i;

	/* get the timestamp.  We have to initialise it if the last timestamp == 0 */	
	if ( (last_check = trustdom_cache_fetch_timestamp()) == 0 ) 
		trustdom_cache_store_timestamp(0, now+TRUSTDOM_UPDATE_INTERVAL);

	time_diff = (int) (now - last_check);

	if ( (time_diff > 0) && (time_diff < TRUSTDOM_UPDATE_INTERVAL) ) {
		DEBUG(10,("update_trustdom_cache: not time to update trustdom_cache yet\n"));
		return;
	}

	/* note that we don't lock the timestamp. This prevents this
	   smbd from blocking all other smbd daemons while we
	   enumerate the trusted domains */
	trustdom_cache_store_timestamp(now, now+TRUSTDOM_UPDATE_INTERVAL);

	if ( !(mem_ctx = talloc_init("update_trustdom_cache")) ) {
		DEBUG(0,("update_trustdom_cache: talloc_init() failed!\n"));
		goto done;
	}

	/* get the domains and store them */

	if ( enumerate_domain_trusts(mem_ctx, lp_workgroup(), &domain_names, 
		&num_domains, &dom_sids)) {
		for ( i=0; i<num_domains; i++ ) {
			trustdom_cache_store( domain_names[i], NULL, &dom_sids[i], 
				now+TRUSTDOM_UPDATE_INTERVAL);
		}		
	} else {
		/* we failed to fetch the list of trusted domains - restore the old
		   timestamp */
		trustdom_cache_store_timestamp(last_check, 
					       last_check+TRUSTDOM_UPDATE_INTERVAL);
	}

done:	
	talloc_destroy( mem_ctx );

	return;
}
Пример #24
0
void register_my_workgroup_one_subnet(struct subnet_record *subrec)
{
	int i;

	struct work_record *work;

	/* Create the workgroup on the subnet. */
	if((work = create_workgroup_on_subnet(subrec, lp_workgroup(), 
					      PERMANENT_TTL)) == NULL) {
		DEBUG(0,("register_my_workgroup_and_names: Failed to create my workgroup %s on subnet %s. \
Exiting.\n", lp_workgroup(), subrec->subnet_name));
		return;
	}
Пример #25
0
static int add_signature(char *outbuf, char *p)
{
	char *start = p;
	fstring lanman;

	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);

	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
	p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);

	return PTR_DIFF(p, start);
}
Пример #26
0
NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
		       const struct auth_usersupplied_info *user_info,
		       struct auth_usersupplied_info **user_info_mapped)
{
	const char *domain;
	char *account_name;
	char *d;
	DEBUG(5,("map_user_info: Mapping user [%s]\\[%s] from workstation [%s]\n",
		user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));

	account_name = talloc_strdup(mem_ctx, user_info->client.account_name);
	if (!account_name) {
		return NT_STATUS_NO_MEMORY;
	}
	
	/* don't allow "" as a domain, fixes a Win9X bug 
	   where it doens't supply a domain for logon script
	   'net use' commands.                                 */

	/* Split [email protected] names into user and realm components.  This is TODO to fix with proper userprincipalname support */
	if (user_info->client.domain_name && *user_info->client.domain_name) {
		domain = user_info->client.domain_name;
	} else if (strchr_m(user_info->client.account_name, '@')) {
		d = strchr_m(account_name, '@');
		if (!d) {
			return NT_STATUS_INTERNAL_ERROR;
		}
		d[0] = '\0';
		d++;
		domain = d;
	} else {
		domain = lp_workgroup();
	}

	*user_info_mapped = talloc(mem_ctx, struct auth_usersupplied_info);
	if (!*user_info_mapped) {
		return NT_STATUS_NO_MEMORY;
	}
	talloc_reference(*user_info_mapped, user_info);
	**user_info_mapped = *user_info;
	(*user_info_mapped)->mapped_state = True;
	(*user_info_mapped)->mapped.domain_name = talloc_strdup(*user_info_mapped, domain);
	(*user_info_mapped)->mapped.account_name = talloc_strdup(*user_info_mapped, account_name);
	talloc_free(account_name);
	if (!(*user_info_mapped)->mapped.domain_name 
	    || !(*user_info_mapped)->mapped.account_name) {
		return NT_STATUS_NO_MEMORY;
	}

	return NT_STATUS_OK;
}
Пример #27
0
void browse_sync_remote(time_t t)
{
	char *s;
	const char *ptr;
	static time_t last_time = 0;
	char *s2;
	struct in_addr addr;
	struct work_record *work;
	char outbuf[1024];
	char *p;
	unstring myname;
	TALLOC_CTX *frame = NULL;

	if (last_time && (t < (last_time + REMOTE_ANNOUNCE_INTERVAL)))
		return;

	last_time = t;

	s = lp_remote_browse_sync(talloc_tos());
	if (!*s)
		return;

	/*
	 * We only do this if we are the local master browser
	 * for our workgroup on the firsst subnet.
	 */

	if((work = find_workgroup_on_subnet(FIRST_SUBNET, lp_workgroup())) == NULL) {   
		DEBUG(0,("browse_sync_remote: Cannot find workgroup %s on subnet %s\n",
			lp_workgroup(), FIRST_SUBNET->subnet_name ));
		return;
	}

	if(!AM_LOCAL_MASTER_BROWSER(work)) {
		DEBUG(5,("browse_sync_remote: We can only do this if we are a local master browser \
for workgroup %s on subnet %s.\n", lp_workgroup(), FIRST_SUBNET->subnet_name ));
		return;
	}
Пример #28
0
static int ejs_tree_connect(MprVarHandle eid, int argc, char **argv)
{
	struct cli_credentials *creds;
	struct smb_composite_connect io;
	struct smbcli_tree *tree;
	char *hostname, *sharename;
	NTSTATUS result;
	TALLOC_CTX *mem_ctx;

	if (argc != 2) {
		ejsSetErrorMsg(eid, "tree_connect(): invalid number of args");
		return -1;
	}

	/* Set up host, share destination */

	mem_ctx = talloc_new(mprMemCtx());
	smbcli_parse_unc(argv[0], mem_ctx, &hostname, &sharename);

	/* Set up credentials */

	creds = cli_credentials_init(NULL);
	cli_credentials_set_conf(creds);
	cli_credentials_parse_string(creds, argv[1], CRED_SPECIFIED);

	/* Do connect */

	io.in.dest_host              = hostname;
	io.in.port                   = 0;
	io.in.called_name            = strupper_talloc(mem_ctx, hostname);
	io.in.service                = sharename;
	io.in.service_type           = "?????";
	io.in.credentials            = creds;
	io.in.fallback_to_anonymous  = False;
	io.in.workgroup              = lp_workgroup();

	result = smb_composite_connect(&io, mem_ctx, NULL);
	tree = io.out.tree;

	talloc_free(mem_ctx);

	if (!NT_STATUS_IS_OK(result)) {
		mpr_Return(eid, mprNTSTATUS(result));
		return 0;
	}

	mpr_Return(eid, mprCreatePtrVar(tree));

	return 0;
}
Пример #29
0
/*
  setup for schannel on any pipes opened on this connection
*/
static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
{
	NTSTATUS ret;
	uchar trust_password[16];
	uint32 sec_channel_type;
	DOM_SID sid;
	time_t lct;

	/* use the domain trust password if we're on a DC 
	   and this is not our domain */
	
	if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
		char *pass = NULL;
		
		if ( !secrets_fetch_trusted_domain_password( domain, 
			&pass, &sid, &lct) )
		{
			return NT_STATUS_UNSUCCESSFUL;
		}	

		sec_channel_type = SEC_CHAN_DOMAIN;
		E_md4hash(pass, trust_password);
		SAFE_FREE( pass );
		
	} else {
		if (!secrets_fetch_trust_account_password(lp_workgroup(),
			trust_password, NULL, &sec_channel_type)) 
		{
			return NT_STATUS_UNSUCCESSFUL;
		}
	}

	ret = cli_nt_setup_netsec(cli, sec_channel_type, 
		AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);

	return ret;
}
Пример #30
0
BOOL torture_domain_open_lsa(struct torture_context *torture)
{
	NTSTATUS status;
	BOOL ret = True;
	struct libnet_context *ctx;
	struct libnet_DomainOpen r;
	struct lsa_Close lsa_close;
	struct policy_handle h;
	const char *domain_name;

	/* we're accessing domain controller so the domain name should be
	   passed (it's going to be resolved to dc name and address) instead
	   of specific server name. */
	domain_name = lp_workgroup();

	ctx = libnet_context_init(NULL);
	if (ctx == NULL) {
		d_printf("failed to create libnet context\n");
		return False;
	}

	ctx->cred = cmdline_credentials;

	ZERO_STRUCT(r);
	r.in.type = DOMAIN_LSA;
	r.in.domain_name = domain_name;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;

	status = libnet_DomainOpen(ctx, torture, &r);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to open domain on lsa service: %s\n", nt_errstr(status));
		ret = False;
		goto done;
	}

	ZERO_STRUCT(lsa_close);
	lsa_close.in.handle  = &ctx->lsa.handle;
	lsa_close.out.handle = &h;
	
	status = dcerpc_lsa_Close(ctx->lsa.pipe, ctx, &lsa_close);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to close domain on lsa service: %s\n", nt_errstr(status));
		ret = False;
	}

done:
	talloc_free(ctx);
	return ret;
}