diff -c -r samba-2.0.4b/source/Makefile.in samba-2.0.4b-dce-1.0/source/Makefile.in *** samba-2.0.4b/source/Makefile.in Fri May 14 23:20:03 1999 --- samba-2.0.4b-dce-1.0/source/Makefile.in Wed Jun 23 15:43:50 1999 *************** *** 138,144 **** locking/shmem.o locking/shmem_sysv.o PASSDB_OBJ = passdb/passdb.o passdb/smbpassfile.o passdb/smbpass.o \ ! passdb/pass_check.o passdb/ldap.o passdb/nispass.o passdb/smbpasschange.o SMBD_OBJ1 = smbd/server.o smbd/files.o smbd/chgpasswd.o smbd/connection.o \ smbd/dfree.o smbd/dir.o smbd/password.o smbd/conn.o smbd/fileio.o \ --- 138,144 ---- locking/shmem.o locking/shmem_sysv.o PASSDB_OBJ = passdb/passdb.o passdb/smbpassfile.o passdb/smbpass.o \ ! passdb/pass_check.o passdb/dce_pass.o passdb/ldap.o passdb/nispass.o passdb/smbpasschange.o SMBD_OBJ1 = smbd/server.o smbd/files.o smbd/chgpasswd.o smbd/connection.o \ smbd/dfree.o smbd/dir.o smbd/password.o smbd/conn.o smbd/fileio.o \ diff -c -r samba-2.0.4b/source/acconfig.h samba-2.0.4b-dce-1.0/source/acconfig.h *** samba-2.0.4b/source/acconfig.h Mon May 17 15:28:10 1999 --- samba-2.0.4b-dce-1.0/source/acconfig.h Fri Jul 9 11:31:32 1999 *************** *** 17,22 **** --- 17,24 ---- #undef HAVE_SHORT_INO_T #undef WITH_SMBWRAPPER #undef WITH_AFS + #undef WITH_DCE + #undef WITH_DCE_ENCRYPTED #undef WITH_DFS #undef SUNOS5 #undef SUNOS4 diff -c -r samba-2.0.4b/source/configure samba-2.0.4b-dce-1.0/source/configure *** samba-2.0.4b/source/configure Sun May 16 05:13:38 1999 --- samba-2.0.4b-dce-1.0/source/configure Wed Jun 23 15:12:42 1999 *************** *** 21,26 **** --- 21,32 ---- --with-afs Include AFS support --without-afs Don't include AFS support (default)" ac_help="$ac_help + --with-dce Include DCE support + --without-dce Don't include DCE support (default)" + ac_help="$ac_help + --with-dce-encrypted Include DCE support for encrypted passwords + --without-dce-encrypted Don't include DCE support for encrypted passwords (default)" + ac_help="$ac_help --with-dfs Include DFS 
support --without-dfs Don't include DFS support (default)" ac_help="$ac_help *************** *** 8890,8904 **** ################################################# ! # check for the DFS auth system ! echo $ac_n "checking whether to use DFS auth""... $ac_c" 1>&6 ! echo "configure:8896: checking whether to use DFS auth" >&5 # Check whether --with-dfs or --without-dfs was given. if test "${with_dfs+set}" = set; then withval="$with_dfs" case "$withval" in yes) echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF #define WITH_DFS 1 EOF --- 8896,8963 ---- ################################################# ! # check for the DCE auth system ! echo $ac_n "checking whether to use DCE auth""... $ac_c" 1>&6 ! echo "configure:8790: checking whether to use DCE auth" >&5 ! # Check whether --with-dce or --without-dce was given. ! if test "${with_dce+set}" = set; then ! withval="$with_dce" ! case "$withval" in ! yes) ! echo "$ac_t""yes" 1>&6 ! LIBS="-ldce -lpthread $LIBS" ! CPPFLAGS="$CPPFLAGS -D_REENTRANT" ! cat >> confdefs.h <<\EOF ! #define WITH_DCE 1 ! EOF ! ! ;; ! *) ! echo "$ac_t""no" 1>&6 ! ;; ! esac ! else ! echo "$ac_t""no" 1>&6 ! ! fi ! ! ################################################# ! # check for the DCE auth system w/encrypted passwords ! echo $ac_n "checking whether to use DCE auth encrypted""... $ac_c" 1>&6 ! echo "configure:8791: checking whether to use DCE auth encrypted" >&5 ! # Check whether --with-dce-encrypted or --without-dce-encrypted was given. ! if test "${with_dce_encrypted+set}" = set; then ! withval="$with_dce_encrypted" ! case "$withval" in ! yes) ! echo "$ac_t""yes" 1>&6 ! LIBS="-lsec_auth $LIBS" ! cat >> confdefs.h <<\EOF ! #define WITH_DCE_ENCRYPTED 1 ! EOF ! ! ;; ! *) ! echo "$ac_t""no" 1>&6 ! ;; ! esac ! else ! echo "$ac_t""no" 1>&6 ! ! fi ! ! ! ################################################# ! # check for DFS ! echo $ac_n "checking whether to use DFS""... $ac_c" 1>&6 ! 
echo "configure:8792: checking whether to use DFS" >&5 # Check whether --with-dfs or --without-dfs was given. if test "${with_dfs+set}" = set; then withval="$with_dfs" case "$withval" in yes) echo "$ac_t""yes" 1>&6 + LIBS="$LIBS -ldcedfs" cat >> confdefs.h <<\EOF #define WITH_DFS 1 EOF diff -c -r samba-2.0.4b/source/include/config.h.in samba-2.0.4b-dce-1.0/source/include/config.h.in *** samba-2.0.4b/source/include/config.h.in Sun May 16 05:14:13 1999 --- samba-2.0.4b-dce-1.0/source/include/config.h.in Wed Jun 23 15:13:45 1999 *************** *** 80,85 **** --- 80,87 ---- #undef HAVE_SHORT_INO_T #undef WITH_SMBWRAPPER #undef WITH_AFS + #undef WITH_DCE + #undef WITH_DCE_ENCRYPTED #undef WITH_DFS #undef SUNOS5 #undef SUNOS4 diff -c -r samba-2.0.4b/source/include/proto.h samba-2.0.4b-dce-1.0/source/include/proto.h *** samba-2.0.4b/source/include/proto.h Fri May 14 23:20:23 1999 --- samba-2.0.4b-dce-1.0/source/include/proto.h Wed Jun 23 15:14:58 1999 *************** *** 1194,1199 **** --- 1194,1203 ---- BOOL (*sfunc)(char *), BOOL (*pfunc)(char *, char *) ); + /*The following definitions come from passdb/dce_pass.c */ + + struct passdb_ops *dce_initialize_password_db(void); + /*The following definitions come from passdb/ldap.c */ struct passdb_ops *ldap_initialize_password_db(void); *************** *** 1204,1210 **** /*The following definitions come from passdb/pass_check.c */ - void dfs_unlogin(void); BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd, BOOL (*fn)(char *, char *)); --- 1208,1213 ---- diff -c -r samba-2.0.4b/source/include/smb.h samba-2.0.4b-dce-1.0/source/include/smb.h *** samba-2.0.4b/source/include/smb.h Fri Apr 9 17:33:38 1999 --- samba-2.0.4b-dce-1.0/source/include/smb.h Wed Jun 23 15:15:24 1999 *************** *** 1350,1360 **** int slprintf(); #endif - #ifdef WITH_DFS - void dfs_unlogin(void); - extern int dcelogin_atmost_once; - #endif - #ifdef NOSTRDUP char *strdup(char *s); #endif --- 1350,1355 ---- diff -c -r 
samba-2.0.4b/source/passdb/dce_pass.c samba-2.0.4b-dce-1.0/source/passdb/dce_pass.c *** samba-2.0.4b/source/passdb/dce_pass.c Fri Jul 9 11:28:50 1999 --- samba-2.0.4b-dce-1.0/source/passdb/dce_pass.c Wed Jun 23 15:43:11 1999 *************** *** 0 **** --- 1,138 ---- + #include "includes.h" + + #ifdef WITH_DCE_ENCRYPTED + + extern int DEBUGLEVEL; + + /*************************************************************** + Start to enumerate the smbpasswd list. Returns a void pointer + to ensure no modification outside this module. + ****************************************************************/ + + static void *startdcesmbpwent(BOOL update) + { + return NULL; + } + + /*************************************************************** + End enumeration of the smbpasswd list. + ****************************************************************/ + + static void enddcesmbpwent(void *vp) + { + } + + /************************************************************************* + Routine to return the next entry in the smbpasswd list. + *************************************************************************/ + static struct smb_passwd *getdcesmbpwent(void *vp) + { + return NULL; + } + + /************************************************************************* + Return the current position in the smbpasswd list as an SMB_BIG_UINT. + This must be treated as an opaque token. + *************************************************************************/ + + static SMB_BIG_UINT getdcesmbpwpos(void *vp) + { + return 0; + } + + /************************************************************************* + Set the current position in the smbpasswd list from an SMB_BIG_UINT. + This must be treated as an opaque token. 
+ *************************************************************************/ + + static BOOL setdcesmbpwpos(void *vp, SMB_BIG_UINT tok) + { + return 0; + } + + + struct smb_passwd *getdcesmbpwuid(uid_t smb_userid) + { + static struct smb_passwd pwd; + struct passwd *unix_pwd; + static pstring user_name; + static unsigned char smbpwd[16] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}; + static unsigned char smbntpwd[16] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}; + + if (!(unix_pwd = getpwuid(smb_userid))) { + DEBUG(0, ("getdcesmbpwuid getpwuid failed for %d", smb_userid)); + return NULL; + } + + strncpy(user_name, unix_pwd->pw_name, 1024); + pwd.smb_name = user_name; + pwd.smb_userid = smb_userid; + pwd.smb_passwd = smbpwd; + pwd.smb_nt_passwd = smbntpwd; + pwd.acct_ctrl = ACB_NORMAL; + + return &pwd; + } + + + struct smb_passwd *getdcesmbpwrid(uint32 user_rid) + { + return getdcesmbpwuid(pdb_user_rid_to_uid(user_rid)); + } + + + struct smb_passwd *getdcesmbpwnam(char *name) + { + static struct smb_passwd pwd; + struct passwd *unix_pwd; + static pstring user_name; + static unsigned char smbpwd[16] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}; + static unsigned char smbntpwd[16] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}; + + if (!(unix_pwd = getpwnam(name))) { + DEBUG(0, ("getdcesmbpwnam getpwnam failed for %s", name)); + return NULL; + } + + strncpy(user_name, name, 1024); + pwd.smb_name = user_name; + pwd.smb_userid = unix_pwd->pw_uid; + pwd.smb_passwd = smbpwd; + pwd.smb_nt_passwd = smbntpwd; + pwd.acct_ctrl = ACB_NORMAL; + + return &pwd; + } + + + static struct passdb_ops dce_ops = { + startdcesmbpwent, + enddcesmbpwent, + getdcesmbpwpos, + setdcesmbpwpos, + getdcesmbpwnam, + getdcesmbpwuid, + getdcesmbpwrid, + getdcesmbpwent, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL + }; + + struct passdb_ops *dce_initialize_password_db(void) + { + return &dce_ops; + } + + #else + /* Do *NOT* make this function static. It breaks the compile on gcc. 
JRA */ + void smbpass_dummy_function(void) { } /* stop some compilers complaining */ + #endif /* USE_SMBPASS_DB */ diff -c -r samba-2.0.4b/source/passdb/pass_check.c samba-2.0.4b-dce-1.0/source/passdb/pass_check.c *** samba-2.0.4b/source/passdb/pass_check.c Fri Mar 26 13:25:40 1999 --- samba-2.0.4b-dce-1.0/source/passdb/pass_check.c Wed Jun 23 15:21:42 1999 *************** *** 167,461 **** } #endif - #ifdef WITH_DFS - - #include #include ! /***************************************************************** ! This new version of the DFS_AUTH code was donated by Karsten Muuss ! . It fixes the following problems with the ! old code : ! ! - Server credentials may expire ! - Client credential cache files have wrong owner ! - purge_context() function is called with invalid argument ! ! This new code was modified to ensure that on exit the uid/gid is ! still root, and the original directory is restored. JRA. ! ******************************************************************/ ! ! sec_login_handle_t my_dce_sec_context; ! int dcelogin_atmost_once = 0; ! ! /******************************************************************* ! check on a DCE/DFS authentication ! ********************************************************************/ ! static BOOL dfs_auth(char *user,char *password) ! { ! error_status_t err; ! int err2; ! int prterr; ! signed32 expire_time, current_time; ! boolean32 password_reset; ! struct passwd *pw; ! sec_passwd_rec_t passwd_rec; ! sec_login_auth_src_t auth_src = sec_login_auth_src_network; ! unsigned char dce_errstr[dce_c_error_string_len]; ! gid_t egid; ! ! if (dcelogin_atmost_once) return(False); ! ! #ifdef HAVE_CRYPT ! /* ! * We only go for a DCE login context if the given password ! * matches that stored in the local password file.. ! * Assumes local passwd file is kept in sync w/ DCE RGY! ! */ ! ! if (strcmp((char *)crypt(password,this_salt),this_crypted)) { ! return(False); ! } ! #endif ! ! sec_login_get_current_context(&my_dce_sec_context, &err); ! 
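Review bot: getdcesmbpwuid and getdcesmbpwnam hand back the same fixed, non-secret 16-byte value (all 0x01) as both smb_passwd and smb_nt_passwd with ACB_NORMAL set, so any caller that still compares a client response against smb_pass->smb_nt_passwd rather than going through dce_smb_password_check would accept a response derived from that constant; the password.c hunks in this diff replace the two comparisons in smb_password_ok, but other readers of those fields are not visible here, so either set both pointers to NULL or add a file-header comment stating that the hashes are placeholders that must never be compared. The `strncpy(user_name, ..., 1024)` copies in both functions have no explicit terminator, so a name of 1024 bytes or more leaves the static buffer unterminated — add `user_name[sizeof user_name - 1] = '\0';` after each copy (pstring appears to be a fixed 1024-byte array given the literal). The closing `#endif /* USE_SMBPASS_DB */` comment does not match the `#ifdef WITH_DCE_ENCRYPTED` it closes, and both DEBUG messages lack a trailing newline.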
if (err != error_status_ok ) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get current context. %s\n", dce_errstr)); ! ! return(False); ! } ! ! sec_login_certify_identity(my_dce_sec_context, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get current context. %s\n", dce_errstr)); ! ! return(False); ! } ! ! sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); ! ! return(False); ! } ! ! time(¤t_time); ! ! if (expire_time < (current_time + 60)) { ! struct passwd *pw; ! sec_passwd_rec_t *key; ! ! sec_login_get_pwent(my_dce_sec_context, ! (sec_login_passwd_t*)&pw, &err); ! if (err != error_status_ok ) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); ! ! return(False); ! } ! ! sec_login_refresh_identity(my_dce_sec_context, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't refresh identity. %s\n", ! dce_errstr)); ! ! return(False); ! } ! ! sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, ! (unsigned char *)pw->pw_name, ! sec_c_key_version_none, ! (void**)&key, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get key for %s. %s\n", ! pw->pw_name, dce_errstr)); ! ! return(False); ! } ! ! sec_login_valid_and_cert_ident(my_dce_sec_context, key, ! &password_reset, &auth_src, ! &err); ! if (err != error_status_ok ) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't validate and certify identity for %s. %s\n", ! pw->pw_name, dce_errstr)); ! } ! sec_key_mgmt_free_key(key, &err); ! if (err != error_status_ok ) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't free key.\n", dce_errstr)); ! } ! } ! ! 
if (sec_login_setup_identity((unsigned char *)user, ! sec_login_no_flags, ! &my_dce_sec_context, ! &err) == 0) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE Setup Identity for %s failed: %s\n", ! user,dce_errstr)); ! return(False); ! } ! ! sec_login_get_pwent(my_dce_sec_context, ! (sec_login_passwd_t*)&pw, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); ! ! return(False); ! } ! ! sec_login_purge_context(&my_dce_sec_context, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't purge context. %s\n", dce_errstr)); ! ! return(False); ! } ! ! /* ! * NB. I'd like to change these to call something like become_user() ! * instead but currently we don't have a connection ! * context to become the correct user. This is already ! * fairly platform specific code however, so I think ! * this should be ok. I have added code to go ! * back to being root on error though. JRA. ! */ ! ! egid = getegid(); ! ! if (set_effective_gid(pw->pw_gid) != 0) { ! DEBUG(0,("Can't set egid to %d (%s)\n", ! pw->pw_gid, strerror(errno))); ! return False; ! } ! ! if (set_effective_uid(pw->pw_uid) != 0) { ! set_effective_gid(egid); ! DEBUG(0,("Can't set euid to %d (%s)\n", ! pw->pw_uid, strerror(errno))); ! return False; ! } ! ! if (sec_login_setup_identity((unsigned char *)user, ! sec_login_no_flags, ! &my_dce_sec_context, ! &err) == 0) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE Setup Identity for %s failed: %s\n", ! user,dce_errstr)); ! goto err; ! } ! ! sec_login_get_pwent(my_dce_sec_context, ! (sec_login_passwd_t*)&pw, &err); ! if (err != error_status_ok ) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); ! goto err; ! } ! ! passwd_rec.version_number = sec_passwd_c_version_none; ! passwd_rec.pepper = NULL; ! passwd_rec.key.key_type = sec_passwd_plain; ! 
passwd_rec.key.tagged_union.plain = (idl_char *)password; ! ! sec_login_validate_identity(my_dce_sec_context, ! &passwd_rec, &password_reset, ! &auth_src, &err); ! if (err != error_status_ok ) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n", ! user,dce_errstr)); ! goto err; ! } ! ! sec_login_certify_identity(my_dce_sec_context, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr)); ! goto err; ! } ! ! if (auth_src != sec_login_auth_src_network) { ! DEBUG(0,("DCE context has no network credentials.\n")); ! } ! ! sec_login_set_context(my_dce_sec_context, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n", ! user,dce_errstr)); ! ! sec_login_purge_context(&my_dce_sec_context, &err); ! goto err; ! } ! ! sec_login_get_pwent(my_dce_sec_context, ! (sec_login_passwd_t*)&pw, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr)); ! goto err; ! } ! ! DEBUG(0,("DCE login succeeded for principal %s on pid %d\n", ! user, getpid())); ! ! DEBUG(3,("DCE principal: %s\n" ! " uid: %d\n" ! " gid: %d\n", ! pw->pw_name, pw->pw_uid, pw->pw_gid)); ! DEBUG(3,(" info: %s\n" ! " dir: %s\n" ! " shell: %s\n", ! pw->pw_gecos, pw->pw_dir, pw->pw_shell)); ! ! sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr)); ! goto err; ! } ! ! set_effective_uid(0); ! set_effective_gid(0); ! ! DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time)))); ! ! dcelogin_atmost_once = 1; ! return (True); ! ! err: ! ! /* Go back to root, JRA. */ ! set_effective_uid(0); ! set_effective_gid(egid); ! return(False); } ! 
void dfs_unlogin(void) { ! error_status_t err; ! int err2; ! unsigned char dce_errstr[dce_c_error_string_len]; ! ! sec_login_purge_context(&my_dce_sec_context, &err); ! if (err != error_status_ok) { ! dce_error_inq_text(err, dce_errstr, &err2); ! DEBUG(0,("DCE purge login context failed for server instance %d: %s\n", ! getpid(), dce_errstr)); ! } } #endif #ifdef KRB5_AUTH --- 167,237 ---- } #endif + #ifdef WITH_DCE #include + #include ! sec_login_handle_t dce_login_context = NULL; ! int dce_auth(char *user, char *password) ! { ! error_status_t dce_st; ! dce_error_string_t dce_error; ! int dce_error_st; ! sec_login_auth_src_t auth_src; ! sec_passwd_rec_t pw_entry; ! boolean32 reset_passwd; ! sec_passwd_str_t tmp_pw; ! ! if (!sec_login_setup_identity(user, sec_login_no_flags, &dce_login_context, &dce_st)) ! { ! dce_error_inq_text(dce_st, dce_error, &dce_error_st); ! DEBUG(0, ("dce_auth: unable to setup identity for %s - %s\n", user, dce_error)); ! return 0; ! } ! ! pw_entry.version_number = sec_passwd_c_version_none; ! pw_entry.pepper = NULL; ! pw_entry.key.key_type = sec_passwd_plain; ! strncpy( (char *)tmp_pw, password, sec_passwd_str_max_len); ! tmp_pw[sec_passwd_str_max_len] = '\0'; ! pw_entry.key.tagged_union.plain = &(tmp_pw[0]); ! ! if (!sec_login_valid_and_cert_ident(dce_login_context, &pw_entry, &reset_passwd, &auth_src, &dce_st)) ! { ! dce_error_inq_text(dce_st, dce_error, &dce_error_st); ! DEBUG(0, ("dce_auth: unable to validate identity for %s - %s\n", user, dce_error)); ! return 0; ! } ! ! if (auth_src != sec_login_auth_src_network) ! { ! sec_login_purge_context(&dce_login_context, &dce_st); ! DEBUG(0, ("dce_auth: no network credentials for %s\n", user)); ! return 0; ! } ! ! sec_login_set_context(dce_login_context, &dce_st); ! ! if (dce_st) ! { ! dce_error_inq_text(dce_st, dce_error, &dce_error_st); ! DEBUG(0, ("dce_auth: unable to set context for %s - %s\n", user, dce_error)); ! sec_login_purge_context(&dce_login_context, &dce_st); ! return 0; ! } ! 
return 1; } ! void dce_logout() { ! error_status_t dce_st; ! ! if (dce_login_context) ! sec_login_purge_context(&dce_login_context, &dce_st); } + #endif #ifdef KRB5_AUTH *************** *** 693,701 **** if (afs_auth(this_user,password)) return(True); #endif /* WITH_AFS */ ! #ifdef WITH_DFS ! if (dfs_auth(this_user,password)) return(True); ! #endif /* WITH_DFS */ #ifdef KRB5_AUTH if (krb5_auth(this_user,password)) return(True); --- 469,477 ---- if (afs_auth(this_user,password)) return(True); #endif /* WITH_AFS */ ! #ifdef WITH_DCE ! if (dce_auth(this_user,password)) return(True); ! #endif /* WITH_DCE */ #ifdef KRB5_AUTH if (krb5_auth(this_user,password)) return(True); diff -c -r samba-2.0.4b/source/passdb/passdb.c samba-2.0.4b-dce-1.0/source/passdb/passdb.c *** samba-2.0.4b/source/passdb/passdb.c Wed Apr 7 13:00:34 1999 --- samba-2.0.4b-dce-1.0/source/passdb/passdb.c Wed Jun 23 15:22:13 1999 *************** *** 74,79 **** --- 74,81 ---- #ifdef WITH_NISPLUS pdb_ops = nisplus_initialize_password_db(); + #elif defined(WITH_DCE_ENCRYPTED) + pdb_ops = dce_initialize_password_db(); #elif defined(WITH_LDAP) pdb_ops = ldap_initialize_password_db(); #else diff -c -r samba-2.0.4b/source/smbd/dosmode.c samba-2.0.4b-dce-1.0/source/smbd/dosmode.c *** samba-2.0.4b/source/smbd/dosmode.c Tue Feb 16 13:55:03 1999 --- samba-2.0.4b-dce-1.0/source/smbd/dosmode.c Wed Jun 23 15:24:22 1999 *************** *** 81,88 **** DEBUG(8,("dos_mode: %s\n", path)); if ((sbuf->st_mode & S_IWUSR) == 0) ! result |= aRONLY; if (MAP_ARCHIVE(conn) && ((sbuf->st_mode & S_IXUSR) != 0)) result |= aARCH; --- 81,92 ---- DEBUG(8,("dos_mode: %s\n", path)); + #ifdef WITH_DFS + if (access(path, W_OK)) + #else if ((sbuf->st_mode & S_IWUSR) == 0) ! #endif ! 
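Review bot: In dce_auth the failure branch after sec_login_valid_and_cert_ident returns without purging the login context that sec_login_setup_identity just created, unlike the two failure branches that follow it, so each failed logon attempt leaks a context; add `sec_login_purge_context(&dce_login_context, &dce_st);` before that `return 0;`. The plaintext copy in `tmp_pw` is not cleared on any exit path; a `memset(tmp_pw, 0, sizeof tmp_pw);` (or a platform explicit-zeroing call, since a plain memset before return may be optimised away) would shorten how long the password lingers on the stack. The removed dfs_auth switched effective uid/gid to the user before setting up the identity, and its header comment lists credential-cache file ownership among the problems that sequence fixed, whereas the new code runs entirely under smbd's current identity — worth confirming that dropping that step is intentional. `void dce_logout()` should be `void dce_logout(void)`, and since it only tests dce_login_context for non-NULL, a second call is safe only if sec_login_purge_context nulls the handle, which the hunk does not show.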
result |= aRONLY; if (MAP_ARCHIVE(conn) && ((sbuf->st_mode & S_IXUSR) != 0)) result |= aARCH; diff -c -r samba-2.0.4b/source/smbd/password.c samba-2.0.4b-dce-1.0/source/smbd/password.c *** samba-2.0.4b/source/smbd/password.c Thu Apr 1 12:00:47 1999 --- samba-2.0.4b-dce-1.0/source/smbd/password.c Wed Jun 23 15:30:53 1999 *************** *** 21,26 **** --- 21,36 ---- #include "includes.h" + #ifdef WITH_DCE_ENCRYPTED + + #include + #include + #include + #include + + extern sec_login_handle_t dce_login_context; + #endif + extern int DEBUGLEVEL; extern int Protocol; *************** *** 308,313 **** --- 318,360 ---- } } } + #ifdef WITH_DCE_ENCRYPTED + static BOOL dce_update_encrypted_pw(char *user, char *password) + { + sec_rgy_login_name_t login_name; + sec_passwd_version_t new_version; + sec_passwd_rec_t key; + error_status_t dce_st; + sec_passwd_str_t pw; + sec_rgy_handle_t rgy_handle; + dce_error_string_t dce_error; + int dce_error_st; + + strncpy(login_name.pname, user, sec_rgy_name_max_len); + strncpy(login_name.gname, "", sec_rgy_name_max_len); + strncpy(login_name.oname, "", sec_rgy_name_max_len); + + key.version_number = sec_passwd_c_version_none; + key.pepper = NULL; + key.key.key_type = sec_passwd_plain; + strncpy( (char *)pw, password, sec_passwd_str_max_len); + pw[sec_passwd_str_max_len] = '\0'; + key.key.tagged_union.plain = &(pw[0]); + + sec_rgy_site_open_update(NULL, &rgy_handle, &dce_st); + + sec_rgy_acct_passwd(rgy_handle, &login_name, &key, &key, sec_passwd_des, &new_version, &dce_st); + + if (dce_st != error_status_ok) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("dce_update_encrypted_pw: sec_rgy_account_password failed for %s - %s\n", user, dce_error)); + return 0; + } + + return 1; + } + #endif /**************************************************************************** *************** *** 389,394 **** --- 436,602 ---- return (memcmp(p24, password, 24) == 0); } + #ifdef WITH_DCE_ENCRYPTED + BOOL 
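Review bot: `access(path, W_OK)` decides the read-only bit against the process's real uid/gid rather than its effective ones, so if smbd impersonates the connected user by switching only effective ids (the set_effective_uid/set_effective_gid helpers visible in the removed pass_check.c code suggest it does) the check is made as root and aRONLY is never set on a DFS share; a faccessat(AT_EACCESS)/eaccess-style check, or keeping the st_mode test, avoids that. access() also returns non-zero for any failure (ENOENT, an unreachable DFS server), which silently becomes "read-only" with no log line; a DEBUG entry when errno is not EACCES would make such cases visible. The enclosing dos_mode function starts and ends outside the hunk.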
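Review bot: dce_update_encrypted_pw never checks dce_st after `sec_rgy_site_open_update`, so on a failed bind rgy_handle is passed uninitialised to sec_rgy_acct_passwd, and on the success path the registry handle is never released, so every password sync leaks one; the status check and a sec_rgy_site_close on both exits are sketched below. Unlike `pw` a few lines later, the three strncpy calls into login_name get no explicit terminator, so a user name of sec_rgy_name_max_len bytes or more may leave pname unterminated — terminate it explicitly or reject over-long names up front. The failure log names `sec_rgy_account_password` while the call is sec_rgy_acct_passwd, and the plaintext in `pw` is not cleared before return.
```c
    /* … unchanged: login_name and key set-up … */

    sec_rgy_site_open_update(NULL, &rgy_handle, &dce_st);

    if (dce_st != error_status_ok)
    {
        dce_error_inq_text(dce_st, dce_error, &dce_error_st);
        DEBUG(0, ("dce_update_encrypted_pw: sec_rgy_site_open_update failed for %s - %s\n", user, dce_error));
        return 0;
    }

    sec_rgy_acct_passwd(rgy_handle, &login_name, &key, &key, sec_passwd_des, &new_version, &dce_st);

    if (dce_st != error_status_ok)
    {
        dce_error_inq_text(dce_st, dce_error, &dce_error_st);
        DEBUG(0, ("dce_update_encrypted_pw: sec_rgy_acct_passwd failed for %s - %s\n", user, dce_error));
        sec_rgy_site_close(rgy_handle, &dce_st);
        return 0;
    }

    sec_rgy_site_close(rgy_handle, &dce_st);
    return 1;
```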
dce_smb_password_check(char *user, unsigned char *challenge, unsigned char *response, int hash_type) + { + error_status_t dce_st; + dce_error_string_t dce_error; + int dce_error_st; + sec_login_auth_src_t auth_src; + sec_passwd_rec_t pw_entry; + boolean32 reset_passwd; + sec_passwd_str_t tmp_pw; + rpc_ns_handle_t import_context; + rpc_binding_handle_t handle; + unsigned_char_t *server_princ_name; + sec_rgy_name_t princ_name; + + rpc_ns_binding_import_begin(rpc_c_ns_syntax_default, SEC_AUTH_RPC_GROUP_NAME, + sec_auth_v1_0_c_ifspec, NULL, &import_context, + &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_ns_binding_import_begin failed - %s\n", dce_error)); + return 0; + } + + rpc_ns_binding_import_next(import_context, &handle, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_ns_binding_import_next failed - %s\n", dce_error)); + return 0; + } + + rpc_ns_binding_import_done(&import_context, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_ns_binding_import_done failed - %s\n", dce_error)); + return 0; + } + + rpc_ep_resolve_binding(handle, sec_auth_v1_0_c_ifspec, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_ep_resolve_binding failed - %s\n", dce_error)); + return 0; + } + + rpc_mgmt_inq_server_princ_name(handle, rpc_c_authn_dce_secret, + &server_princ_name, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_mgmt_inq_server_princ_name failed - %s\n", dce_error)); + return 0; + } + + sec_id_parse_name(sec_rgy_default_handle, server_princ_name, NULL, NULL, + princ_name, NULL, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("sec_id_parse_name failed - %s\n", dce_error)); + return 0; + } + + { + int is_member = sec_rgy_pgo_is_member(sec_rgy_default_handle, 
sec_rgy_domain_group, + "sec_auth", princ_name, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("sec_rgy_pgo_is_member failed - %s\n", dce_error)); + return 0; + } + + if (!is_member) + { + DEBUG(0, ("%s not valid sec_auth server\n", princ_name)); + return 0; + } + } + + rpc_binding_set_auth_info(handle, server_princ_name, + rpc_c_protect_level_pkt_privacy, rpc_c_authn_dce_secret, + NULL, rpc_c_authz_name, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_binding_set_auth_info failed - %s\n", dce_error)); + return 0; + } + + if (hash_type == 1) + { + sec_auth_ms_nthash(handle, user, challenge, response, &pw_entry, &dce_st); + } + else + { + sec_auth_ms_lmhash(handle, user, challenge, response, &pw_entry, &dce_st); + } + + if (dce_st != error_status_ok) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("dce_smb_password_check: sec_auth failed for %s - %s\n", user, dce_error)); + return 0; + } + + rpc_binding_free(&handle, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("rpc_binding_free failed - %s\n", dce_error)); + } + + + if (!sec_login_setup_identity(user, sec_login_no_flags, &dce_login_context, &dce_st)) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("dce_smb_password_check: unable to setup identity for %s - %s\n", user, dce_error)); + return 0; + } + + if (!sec_login_valid_and_cert_ident(dce_login_context, &pw_entry, &reset_passwd, &auth_src, &dce_st)) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("dce_smb_password_check: unable to validate identity for %s - %s\n", user, dce_error)); + return 0; + } + + if (auth_src != sec_login_auth_src_network) + { + sec_login_purge_context(&dce_login_context, &dce_st); + DEBUG(0, ("dce_smb_password_check: no network credentials for %s\n", user)); + return 0; + } + + 
sec_login_set_context(dce_login_context, &dce_st); + + if (dce_st) + { + dce_error_inq_text(dce_st, dce_error, &dce_error_st); + DEBUG(0, ("dce_smb_password_check: unable to set context for %s - %s\n", user, dce_error)); + sec_login_purge_context(&dce_login_context, &dce_st); + return 0; + } + return 1; + } + #endif + /**************************************************************************** Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. *************** *** 429,437 **** use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); ! if (smb_password_check((char *)nt_pass, ! (uchar *)smb_pass->smb_nt_passwd, ! challenge)) { DEBUG(4,("NT MD4 password check succeeded\n")); return(True); } --- 637,649 ---- use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); ! ! #ifdef WITH_DCE_ENCRYPTED ! if (dce_smb_password_check(smb_pass->smb_name, challenge, nt_pass, 1)) ! #else ! if (smb_password_check((char *)nt_pass, (uchar *)smb_pass->smb_nt_passwd, challenge)) ! #endif ! { DEBUG(4,("NT MD4 password check succeeded\n")); return(True); } *************** *** 450,458 **** return True; } if((smb_pass->smb_passwd != NULL) && ! smb_password_check((char *)lm_pass, ! (uchar *)smb_pass->smb_passwd, challenge)) { DEBUG(4,("LM MD4 password check succeeded\n")); return(True); } --- 662,675 ---- return True; } + #ifdef WITH_DCE_ENCRYPTED + if((smb_pass->smb_passwd != NULL) && + dce_smb_password_check(smb_pass->smb_name, challenge, lm_pass, 0)) + #else if((smb_pass->smb_passwd != NULL) && ! smb_password_check((char *)lm_pass, (uchar *)smb_pass->smb_passwd, challenge)) ! #endif ! { DEBUG(4,("LM MD4 password check succeeded\n")); return(True); } *************** *** 557,563 **** return pass_check(user, password, pwlen, pwd, lp_update_encrypted() ? ! 
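Review bot: Nearly every early return in dce_smb_password_check leaks something: the import context is not closed when rpc_ns_binding_import_next fails, `handle` is never freed on any of the failure paths from the rpc_ns_binding_import_done check through the sec_auth status check, `server_princ_name` (allocated by rpc_mgmt_inq_server_princ_name) is never passed to rpc_string_free on any path, and once sec_login_setup_identity has succeeded the validate failure returns without purging the context; a single cleanup label, sketched below, closes all of them. Because this runs once for the NT response and again for the LM response on every logon, the leaked bindings accumulate in a long-lived smbd. The membership check of the server principal in the sec_auth group before rpc_binding_set_auth_info is the right defence against a spoofed endpoint and should stay ahead of the authenticated calls as it is. `hash_type == 1` is a bare magic number shared with the two call sites later in this file; an enum such as `DCE_HASH_LM = 0, DCE_HASH_NT = 1` would document it.
```c
    BOOL ok = 0;
    server_princ_name = NULL;

    /* … unchanged: rpc_ns_binding_import_begin and its check … */

    rpc_ns_binding_import_next(import_context, &handle, &dce_st);

    if (dce_st)
    {
        dce_error_inq_text(dce_st, dce_error, &dce_error_st);
        DEBUG(0, ("rpc_ns_binding_import_next failed - %s\n", dce_error));
        rpc_ns_binding_import_done(&import_context, &dce_st);
        return 0;
    }

    rpc_ns_binding_import_done(&import_context, &dce_st);

    if (dce_st)
    {
        dce_error_inq_text(dce_st, dce_error, &dce_error_st);
        DEBUG(0, ("rpc_ns_binding_import_done failed - %s\n", dce_error));
        goto out_handle;
    }

    /* … unchanged: rpc_ep_resolve_binding through rpc_binding_set_auth_info, each failure now `goto out_handle` … */

    if (hash_type == 1)
        sec_auth_ms_nthash(handle, user, challenge, response, &pw_entry, &dce_st);
    else
        sec_auth_ms_lmhash(handle, user, challenge, response, &pw_entry, &dce_st);

    if (dce_st != error_status_ok)
    {
        dce_error_inq_text(dce_st, dce_error, &dce_error_st);
        DEBUG(0, ("dce_smb_password_check: sec_auth failed for %s - %s\n", user, dce_error));
        goto out_handle;
    }

    /* … unchanged: sec_login_setup_identity / sec_login_valid_and_cert_ident / sec_login_set_context,
       with the validate failure purging the context like the two after it, all failures `goto out_handle` … */

    ok = 1;

out_handle:
    rpc_binding_free(&handle, &dce_st);
    if (server_princ_name)
        rpc_string_free(&server_princ_name, &dce_st);
    return ok;
```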
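Review bot: The `1` and `0` passed as hash_type here and in the LM hunk that follows (new lines 662–675) are bare magic numbers; name them (`DCE_HASH_NT` / `DCE_HASH_LM`) next to dce_smb_password_check so the two call sites read correctly. Under WITH_DCE_ENCRYPTED the `smb_pass->smb_passwd != NULL` guard kept in the LM hunk no longer filters anything, because the DCE passdb added in this diff always fills that field with a placeholder (unless WITH_NISPLUS takes precedence in passdb.c), so every failed NT check is followed by a second sec_auth round-trip for the LM response — worth confirming that is intended rather than an artefact of the placeholder. The enclosing smb_password_ok starts and ends outside both hunks.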
update_smbpassword_file : NULL); } /**************************************************************************** --- 774,785 ---- return pass_check(user, password, pwlen, pwd, lp_update_encrypted() ? ! #ifdef WITH_DCE_ENCRYPTED ! dce_update_encrypted_pw ! #else ! update_smbpassword_file ! #endif ! : NULL); } /**************************************************************************** diff -c -r samba-2.0.4b/source/smbd/quotas.c samba-2.0.4b-dce-1.0/source/smbd/quotas.c *** samba-2.0.4b/source/smbd/quotas.c Fri Feb 12 13:41:05 1999 --- samba-2.0.4b-dce-1.0/source/smbd/quotas.c Wed Jun 23 15:32:47 1999 *************** *** 30,36 **** extern int DEBUGLEVEL; ! #ifdef LINUX #include #include --- 30,336 ---- extern int DEBUGLEVEL; ! #ifdef WITH_DFS ! ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! #include ! ! #define FLSERVER_H_SIZE 5 ! static rpc_binding_handle_t flserver_h[FLSERVER_H_SIZE]; ! static int flserver_h_count = 0; ! static int flserver_h_index = 0; ! ! static int path_to_fid(char *path, struct afsFid *fidp) ! { ! struct afs_ioctl ioctl_data; ! ! ioctl_data.in_size = 0; ! ioctl_data.out_size = sizeof(afsFid); ! ioctl_data.out = (caddr_t) fidp; ! ! return (!pioctl(path, VIOCGETFID, &ioctl_data, 1)); ! } ! ! static int bind_flservers() ! { ! unsigned32 import_status, group_status, rpc_status; ! rpc_ns_handle_t import_context; ! rpc_ns_handle_t group_context; ! unsigned_char_t *name, *string_binding, *protseq, *network_addr; ! uuid_t obj_uuid; ! unsigned_char_t *string_uuid; ! rpc_binding_handle_t temp_h; ! dce_error_string_t dce_error; ! int dce_error_st; ! ! ! rpc_ns_entry_object_inq_begin(rpc_c_ns_syntax_default, "/.:/fs", ! &import_context, &import_status); ! ! if (import_status) ! { ! 
dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.entry_object_inq_begin failed - %s\n", dce_error)); ! return 0; ! } ! ! rpc_ns_entry_object_inq_next(import_context, &obj_uuid, &import_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.entry_object_inq_next failed - %s\n", dce_error)); ! return 0; ! } ! ! rpc_ns_entry_object_inq_done(&import_context, &import_status); ! ! uuid_to_string(&obj_uuid, &string_uuid, &import_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.uuid_to_string failed - %s\n", dce_error)); ! return 0; ! } ! ! rpc_ns_group_mbr_inq_begin(rpc_c_ns_syntax_default, "/.:/fs", rpc_c_ns_syntax_default, ! &group_context, &group_status); ! ! if (group_status) ! { ! dce_error_inq_text(group_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.group_mbr_inq_begin failed - %s\n", dce_error)); ! return 0; ! } ! ! while ((!group_status) && (flserver_h_count < FLSERVER_H_SIZE)) ! { ! rpc_ns_group_mbr_inq_next(group_context, &name, &group_status); ! ! if (group_status) ! { ! if (group_status != rpc_s_no_more_members) ! { ! dce_error_inq_text(group_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.group_mbr_inq_next failed - %s\n", dce_error)); ! } ! continue; ! } ! ! rpc_ns_binding_import_begin(rpc_c_ns_syntax_default, name, NULL, ! NULL, &import_context, &import_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.binding_import_begin failed - %s\n", dce_error)); ! rpc_ns_binding_import_done(&import_context, &import_status); ! continue; ! } ! ! rpc_ns_binding_import_next(import_context, &temp_h, &import_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! 
DEBUG(0, ("dfsquota: bind_flservers.binding_import_next failed - %s\n", dce_error)); ! rpc_ns_binding_import_done(&import_context, &import_status); ! continue; ! } ! ! rpc_binding_to_string_binding(temp_h, &string_binding, &import_status); ! rpc_binding_free(&temp_h, &rpc_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.to_string_binding failed - %s\n", dce_error)); ! rpc_ns_binding_import_done(&import_context, &import_status); ! continue; ! } ! ! rpc_string_binding_parse(string_binding, NULL, &protseq, &network_addr, ! NULL, NULL, &import_status); ! rpc_string_free(&string_binding, &rpc_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.binding_parse failed - %s\n", dce_error)); ! rpc_ns_binding_import_done(&import_context, &import_status); ! continue; ! } ! ! rpc_string_binding_compose(string_uuid, ! protseq, network_addr, NULL, NULL, ! &string_binding, &import_status); ! rpc_string_free(&protseq, &rpc_status); ! rpc_string_free(&network_addr, &rpc_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.binding_compose failed - %s\n", dce_error)); ! rpc_ns_binding_import_done(&import_context, &import_status); ! continue; ! } ! ! rpc_binding_from_string_binding(string_binding, ! &flserver_h[flserver_h_count], ! &import_status); ! rpc_string_free(&string_binding, &rpc_status); ! ! if (import_status) ! { ! dce_error_inq_text(import_status, dce_error, &dce_error_st); ! DEBUG(0, ("dfsquota: bind_flservers.from_string_binding failed - %s\n", dce_error)); ! } ! else ! flserver_h_count++; ! ! rpc_ns_binding_import_done(&import_context, &import_status); ! } ! rpc_ns_group_mbr_inq_done(&group_context, &group_status); ! rpc_string_free(&string_uuid, &import_status); ! ! return flserver_h_count; ! } ! ! ! 
BOOL disk_quotas(char *path, SMB_BIG_UINT *bsize, SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize) ! { ! struct afsFid fidp; ! struct vldbentry fl_entry; ! unsigned32 status, status2; ! unsigned_char_t *string_binding; ! rpc_binding_handle_t ftserver_h; ! struct ftserver_status ft_status; ! struct afsHyper hyper; ! unsigned32 ft_quota, ft_used; ! int index; ! ! if (flserver_h_count == 0) ! if (!bind_flservers()) ! { ! DEBUG(0, ("dfsquota: retrying flserver bind\n")); ! if (!bind_flservers()) ! { ! DEBUG(0, ("dfsquota: unable to bind to any flservers\n")); ! return 0; ! } ! } ! ! if (!path_to_fid(path, &fidp)) ! { ! DEBUG(0, ("dfsquota: path_to_fid failed for %s\n", path)); ! return 0; ! } ! ! for(index = 0; index < flserver_h_count; index++) ! { ! int raised = 0; ! ! TRY ! status = VL_GetEntryByID(flserver_h[flserver_h_index], &fidp.Volume, -1, &fl_entry); ! CATCH_ALL ! status = THIS_CATCH->status.status; ! DEBUG(0, ("dfsquota: flserver[%d] rpc failed - %d\n", flserver_h_index, status)); ! raised = 1; ! ENDTRY ! ! if (!raised) ! { ! if (status) ! { ! DEBUG(0, ("dfsquota: flserver call failed - %d\n", status)); ! return 0; ! } ! else ! break; ! } ! else if ((status >= rpc_s_mod) && (status <= (rpc_s_mod+4096))) ! { ! error_status_t reset_status; ! ! rpc_binding_reset(flserver_h[flserver_h_index], &reset_status); ! if (reset_status) ! DEBUG(0, ("dfsquota: flserver[%d] handle reset failed - %d\n", flserver_h_index, reset_status)); ! } ! ! flserver_h_index = ((flserver_h_index + 1) % flserver_h_count); ! } ! ! if (index == flserver_h_count) ! { ! DEBUG(0, ("dfsquota - all flservers failed\n")); ! return 0; ! } ! ! flserver_h_index = ((flserver_h_index + 1) % flserver_h_count); ! ! rpc_string_binding_compose(NULL, "ncadg_ip_udp", ! inet_ntoa(((struct sockaddr_in *)(&fl_entry.siteAddr[0]))->sin_addr), ! NULL, NULL, &string_binding, &status); ! ! if (status) ! return 0; ! ! rpc_binding_from_string_binding(string_binding, &ftserver_h, &status); ! 
rpc_string_free(&string_binding, &status2); ! ! if (status) ! return 0; ! ! TRY ! status = FTSERVER_GetOneVolStatus(ftserver_h, &fidp.Volume, ! fl_entry.sitePartition[0], 0, &ft_status); ! CATCH_ALL ! status = THIS_CATCH->status.status; ! ENDTRY; ! ! rpc_binding_free(&ftserver_h, &status2); ! ! if (status) ! { ! DEBUG(0, ("dfsquota: ftserver call failed - %d\n", status)); ! return 0; ! } ! ! ft_quota = ((0xffc00000 & (AFS_hgethi(ft_status.vsd.visQuotaLimit) << 22)) | (0x003fffff & (AFS_hgetlo(ft_status.vsd.visQuotaLimit) >> 10))); ! ! ft_used = ((0xffc00000 & (AFS_hgethi(ft_status.vsd.visQuotaUsage) << 22)) | (0x003fffff & (AFS_hgetlo(ft_status.vsd.visQuotaUsage) >> 10))); ! ! *bsize = 1024; ! *dfree = (ft_quota - ft_used); ! *dsize = ft_quota; ! return 1; ! } ! ! #elif LINUX #include #include diff -c -r samba-2.0.4b/source/smbd/server.c samba-2.0.4b-dce-1.0/source/smbd/server.c *** samba-2.0.4b/source/smbd/server.c Wed Apr 28 14:44:59 1999 --- samba-2.0.4b-dce-1.0/source/smbd/server.c Wed Jun 23 15:34:07 1999 *************** *** 40,50 **** extern pstring user_socket_options; - #ifdef WITH_DFS - extern int dcelogin_atmost_once; - #endif /* WITH_DFS */ - - extern fstring remote_machine; extern pstring OriginalDir; extern pstring myhostname; --- 40,45 ---- *************** *** 409,418 **** respond_to_all_remaining_local_messages(); ! #ifdef WITH_DFS ! if (dcelogin_atmost_once) { ! dfs_unlogin(); ! } #endif if (!reason) { --- 404,411 ---- respond_to_all_remaining_local_messages(); ! #ifdef WITH_DCE ! dce_logout(); #endif if (!reason) {
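Review bot: The unsigned subtraction `*dfree = (ft_quota - ft_used);` at the end of disk_quotas wraps when the volume is over quota (`ft_used > ft_quota`), so the client would be told the share has roughly 4 GB free instead of none; clamp it with `*dfree = (ft_used < ft_quota) ? (ft_quota - ft_used) : 0;`. Both figures are also narrowed to `unsigned32` 1K-blocks before being stored in the 64-bit `SMB_BIG_UINT` outputs, so volumes of 4 TB or more would wrap as well — keeping the 64-bit value avoids that. Neither RPC handle visibly passes through `rpc_binding_set_auth_info`, and the ftserver binding is composed over `ncadg_ip_udp` from `fl_entry.siteAddr[0]` without checking that the VLDB entry lists any site, so the quota numbers are trusted from an unauthenticated datagram exchange — worth a comment if that is intended, plus a guard on the site count if `vldbentry` exposes one. In bind_flservers the `name` returned by `rpc_ns_group_mbr_inq_next` is never handed to `rpc_string_free`, and the early returns after a successful `rpc_ns_entry_object_inq_begin` skip `rpc_ns_entry_object_inq_done`, leaking the context. Finally, `#elif LINUX` should be `#elif defined(LINUX)` to match the `#ifdef LINUX` it replaces, otherwise an empty `-DLINUX=` definition breaks preprocessing.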