--- samba/source/rpc_server/srv_netlog_nt.c.orig 2004-12-10 16:41:32.000000000 -0800
+++ samba/source/rpc_server/srv_netlog_nt.c 2004-12-10 16:39:49.000000000 -0800
@@ -312,11 +312,55 @@
DOM_CHAL srv_cred;
UTIME srv_time;
fstring mach_acct;
+#ifdef WITH_OPENDIRECTORY
+ tDirStatus dirStatus = eDSNullParameter;
+#endif
srv_time.time = 0;
rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+#ifdef WITH_OPENDIRECTORY
+ if (p->dc.challenge_sent) {
+
+ /* from client / server challenges and md4 password, generate sess key */
+ if (lp_opendirectory()) {
+ //check acct_ctrl flags
+ become_root();
+ dirStatus = opendirectory_cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal, mach_acct, p->dc.sess_key, NULL);
+ unbecome_root();
+ DEBUG(4, ("_net_auth opendirectory_cred_session_key [%d]\n", dirStatus));
+ } else if (get_md4pw((char *)p->dc.md4pw, mach_acct)) {
+ cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
+ p->dc.md4pw, p->dc.sess_key);
+ } else {
+ status = NT_STATUS_ACCESS_DENIED;
+ goto exit;
+ }
+
+ /* check that the client credentials are valid */
+ if (cred_assert(&q_u->clnt_chal, p->dc.sess_key, &p->dc.clnt_cred.challenge, srv_time)) {
+
+ /* create server challenge for inclusion in the reply */
+ cred_create(p->dc.sess_key, &p->dc.srv_cred.challenge, srv_time, &srv_cred);
+
+ /* copy the received client credentials for use next time */
+ memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+ memcpy(p->dc.srv_cred .challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+
+ /* Save the machine account name. */
+ fstrcpy(p->dc.mach_acct, mach_acct);
+
+ p->dc.authenticated = True;
+
+ } else {
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+ } else {
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+exit:
+#else
if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
/* from client / server challenges and md4 password, generate sess key */
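Review bot: In the `lp_opendirectory()` branch the result of `opendirectory_cred_session_key` is only logged, so when it returns an error `p->dc.sess_key` is still handed to `cred_assert` and `cred_create` with whatever bytes it held (stale or never written — not visible in this hunk), and a bad key is caught only indirectly by the credential check. Treat a non-success status the way the `get_md4pw` failure beside it is treated: `if (dirStatus != eDSNoErr) { status = NT_STATUS_ACCESS_DENIED; goto exit; }` right after `unbecome_root()`. The same gap exists in the `_net_auth_2` hunk (`@@ -385,7 +433,49 @@`). The `//check acct_ctrl flags` comment also reads as unfinished work: the md4 path presumably applies account-control checks inside `get_md4pw` (outside this hunk), whereas the directory path performs none, so either add the check or make the comment an explicit TODO stating what is skipped. `_net_auth` begins before and ends after this hunk.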
@@ -344,6 +388,7 @@
} else {
status = NT_STATUS_ACCESS_DENIED;
}
+#endif
/* set up the LSA AUTH response */
init_net_r_auth(r_u, &srv_cred, status);
@@ -374,6 +419,9 @@
UTIME srv_time;
NEG_FLAGS srv_flgs;
fstring mach_acct;
+#ifdef WITH_OPENDIRECTORY
+ tDirStatus dirStatus = eDSNullParameter;
+#endif
srv_time.time = 0;
@@ -385,7 +433,49 @@
}
rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+#ifdef WITH_OPENDIRECTORY
+ if (p->dc.challenge_sent) {
+
+ /* from client / server challenges and md4 password, generate sess key */
+ if (lp_opendirectory()) {
+ //check acct_ctrl flags
+ become_root();
+ dirStatus = opendirectory_cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal, mach_acct, p->dc.sess_key, NULL);
+ unbecome_root();
+ DEBUG(4, ("_net_auth_2 opendirectory_cred_session_key [%d]\n", dirStatus));
+ } else if (get_md4pw((char *)p->dc.md4pw, mach_acct)) {
+ cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
+ p->dc.md4pw, p->dc.sess_key);
+ } else {
+ DEBUG(0, ("_net_auth_2 CAN NOT COMPUTE SESSION KEY \n"));
+ status = NT_STATUS_ACCESS_DENIED;
+ goto exit;
+ }
+
+ /* check that the client credentials are valid */
+ if (cred_assert(&q_u->clnt_chal, p->dc.sess_key, &p->dc.clnt_cred.challenge, srv_time)) {
+
+ /* create server challenge for inclusion in the reply */
+ cred_create(p->dc.sess_key, &p->dc.srv_cred.challenge, srv_time, &srv_cred);
+ /* copy the received client credentials for use next time */
+ memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+ memcpy(p->dc.srv_cred .challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+
+ /* Save the machine account name. */
+ fstrcpy(p->dc.mach_acct, mach_acct);
+
+ p->dc.authenticated = True;
+
+ } else {
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+ } else {
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+
+exit:
+#else
if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
/* from client / server challenges and md4 password, generate sess key */
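Review bot: A failed directory call in the `lp_opendirectory()` branch is reported only through `DEBUG(4, ...)` carrying `dirStatus`, while the neighbouring `get_md4pw` failure logs `CAN NOT COMPUTE SESSION KEY` at level 0 and the `_net_auth` hunk logs nothing at all on that path; a machine authentication denied because the directory lookup failed should be visible at the default log level in both functions, e.g. `if (dirStatus != eDSNoErr) DEBUG(0, ("_net_auth_2 opendirectory_cred_session_key failed [%d]\n", dirStatus));`. The missing status check itself is raised on the `_net_auth` hunk. `_net_auth_2` starts before and ends after this hunk.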
@@ -413,7 +503,7 @@
} else {
status = NT_STATUS_ACCESS_DENIED;
}
-
+#endif
srv_flgs.neg_flags = 0x000001ff;
if (lp_server_schannel() != False) {
@@ -446,6 +536,9 @@
int i;
uint32 acct_ctrl;
const uchar *old_pw;
+#ifdef WITH_OPENDIRECTORY
+ tDirStatus dirStatus = eDSNullParameter;
+#endif
/* checks and updates credentials. creates reply credentials */
if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->clnt_id.cred, &srv_cred)))
@@ -490,6 +583,21 @@
DEBUG(100,("%02X ", pwd[i]));
DEBUG(100,("\n"));
+#ifdef WITH_OPENDIRECTORY
+ if (lp_opendirectory()) {
+ become_root();
+ dirStatus = opendirectory_set_workstation_nthash(p->dc.mach_acct, pwd, NULL);
+ unbecome_root();
+ DEBUG(2, ("_net_srv_pwset opendirectory_set_workstation_nthash [%d]\n", dirStatus));
+ if (dirStatus != eDSNoErr) {
+ pdb_free_sam(&sampass);
+ return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ status = NT_STATUS_OK;
+ }
+ } else {
+#endif
+
old_pw = pdb_get_nt_passwd(sampass);
if (old_pw && memcmp(pwd, old_pw, 16) == 0) {
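Review bot: The `} else {` opened under `#ifdef WITH_OPENDIRECTORY` at the end of this hunk is closed by a separate `#ifdef` block in the `@@ -522,7 +630,9 @@` hunk, so the brace structure of `_net_srv_pwset` now depends on the preprocessor and the sam-based update between the two hunks reads as unconditional in one build and as an else arm in the other. The patch already uses an `exit:` label in `_net_auth`; doing the same here — end the directory branch with `status = NT_STATUS_OK; goto pwset_reply;`, drop the dangling `} else {` and its closing brace, and put `pwset_reply:` before the `init_net_r_srv_pwset` call — keeps the nesting the same in both builds. The `dirStatus != eDSNoErr` path also returns `NT_STATUS_UNSUCCESSFUL` without passing through `init_net_r_srv_pwset`, unlike the `ret` failure path which reports through the response, so presumably `r_u` is left unfilled — confirm against the caller, or set `status` and fall through to the response like the existing failure path. `_net_srv_pwset` starts before and ends after this hunk.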
@@ -522,7 +630,9 @@
}
if (ret)
status = NT_STATUS_OK;
-
+#ifdef WITH_OPENDIRECTORY
+ }
+#endif
/* set up the LSA Server Password Set response */
init_net_r_srv_pwset(r_u, &srv_cred, status);