102-srv_netlog_nt.c.diff   [plain text]


--- samba/source/rpc_server/srv_netlog_nt.c.orig	2004-12-10 16:41:32.000000000 -0800
+++ samba/source/rpc_server/srv_netlog_nt.c	2004-12-10 16:39:49.000000000 -0800
@@ -312,11 +312,55 @@
 	DOM_CHAL srv_cred;
 	UTIME srv_time;
 	fstring mach_acct;
+#ifdef WITH_OPENDIRECTORY
+	tDirStatus dirStatus = eDSNullParameter;
+#endif
 
 	srv_time.time = 0;
 
 	rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
 
+#ifdef WITH_OPENDIRECTORY
+	if (p->dc.challenge_sent) {
+
+		/* from client / server challenges and md4 password, generate sess key */
+		if (lp_opendirectory()) {
+			//check acct_ctrl flags
+			become_root();
+			dirStatus = opendirectory_cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal, mach_acct, p->dc.sess_key, NULL);
+			unbecome_root();
+			DEBUG(4, ("_net_auth opendirectory_cred_session_key [%d]\n", dirStatus));
+		} else if (get_md4pw((char *)p->dc.md4pw, mach_acct)) {
+			cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
+					 p->dc.md4pw, p->dc.sess_key);
+		} else {
+			status = NT_STATUS_ACCESS_DENIED;
+			goto exit;
+		}
+		
+		/* check that the client credentials are valid */
+		if (cred_assert(&q_u->clnt_chal, p->dc.sess_key, &p->dc.clnt_cred.challenge, srv_time)) {
+			
+			/* create server challenge for inclusion in the reply */
+			cred_create(p->dc.sess_key, &p->dc.srv_cred.challenge, srv_time, &srv_cred);
+		
+			/* copy the received client credentials for use next time */
+			memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+			memcpy(p->dc.srv_cred .challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+			
+			/* Save the machine account name. */
+			fstrcpy(p->dc.mach_acct, mach_acct);
+		
+			p->dc.authenticated = True;
+
+		} else {
+			status = NT_STATUS_ACCESS_DENIED;
+		}
+	} else {
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+exit:
+#else
 	if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
 
 		/* from client / server challenges and md4 password, generate sess key */
@@ -344,6 +388,7 @@
 	} else {
 		status = NT_STATUS_ACCESS_DENIED;
 	}
+#endif
 	
 	/* set up the LSA AUTH response */
 	init_net_r_auth(r_u, &srv_cred, status);
@@ -374,6 +419,9 @@
 	UTIME srv_time;
 	NEG_FLAGS srv_flgs;
 	fstring mach_acct;
+#ifdef WITH_OPENDIRECTORY
+	tDirStatus dirStatus = eDSNullParameter;
+#endif
 
 	srv_time.time = 0;
 
@@ -385,7 +433,49 @@
 	}
 
 	rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+#ifdef WITH_OPENDIRECTORY
+	if (p->dc.challenge_sent) {
+		
+		/* from client / server challenges and md4 password, generate sess key */
+		if (lp_opendirectory()) {
+			//check acct_ctrl flags
+			become_root();
+			dirStatus = opendirectory_cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal, mach_acct, p->dc.sess_key, NULL);
+			unbecome_root();
+			DEBUG(4, ("_net_auth_2 opendirectory_cred_session_key [%d]\n", dirStatus));
+		} else if (get_md4pw((char *)p->dc.md4pw, mach_acct)) {
+		cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
+				 p->dc.md4pw, p->dc.sess_key);
+		} else {
+			DEBUG(0, ("_net_auth_2 CAN NOT COMPUTE SESSION KEY \n"));
+			status = NT_STATUS_ACCESS_DENIED;
+			goto exit;
+		}
+		
+		/* check that the client credentials are valid */
+		if (cred_assert(&q_u->clnt_chal, p->dc.sess_key, &p->dc.clnt_cred.challenge, srv_time)) {
+			
+			/* create server challenge for inclusion in the reply */
+			cred_create(p->dc.sess_key, &p->dc.srv_cred.challenge, srv_time, &srv_cred);
 
+			/* copy the received client credentials for use next time */
+			memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+			memcpy(p->dc.srv_cred .challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+			
+			/* Save the machine account name. */
+			fstrcpy(p->dc.mach_acct, mach_acct);
+			
+			p->dc.authenticated = True;
+
+		} else {
+			status = NT_STATUS_ACCESS_DENIED;
+		}
+	} else {
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+	
+exit:
+#else
 	if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
 		
 		/* from client / server challenges and md4 password, generate sess key */
@@ -413,7 +503,7 @@
 	} else {
 		status = NT_STATUS_ACCESS_DENIED;
 	}
-	
+#endif	
 	srv_flgs.neg_flags = 0x000001ff;
 
 	if (lp_server_schannel() != False) {
@@ -446,6 +536,9 @@
 	int i;
 	uint32 acct_ctrl;
 	const uchar *old_pw;
+#ifdef WITH_OPENDIRECTORY
+	tDirStatus dirStatus = eDSNullParameter;
+#endif
 
 	/* checks and updates credentials.  creates reply credentials */
 	if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->clnt_id.cred, &srv_cred)))
@@ -490,6 +583,21 @@
 		DEBUG(100,("%02X ", pwd[i]));
 	DEBUG(100,("\n"));
 
+#ifdef WITH_OPENDIRECTORY
+	if (lp_opendirectory()) {
+		become_root();
+		dirStatus = opendirectory_set_workstation_nthash(p->dc.mach_acct, pwd, NULL);
+		unbecome_root();
+		DEBUG(2, ("_net_srv_pwset opendirectory_set_workstation_nthash [%d]\n", dirStatus));
+		if (dirStatus != eDSNoErr) {
+			pdb_free_sam(&sampass);
+			return NT_STATUS_UNSUCCESSFUL;
+		} else {
+			status = NT_STATUS_OK;
+		}
+	} else {
+#endif
+
 	old_pw = pdb_get_nt_passwd(sampass);
 
 	if (old_pw && memcmp(pwd, old_pw, 16) == 0) {
@@ -522,7 +630,9 @@
 	}
 	if (ret)
 		status = NT_STATUS_OK;
-
+#ifdef WITH_OPENDIRECTORY
+ 	}
+#endif
 	/* set up the LSA Server Password Set response */
 	init_net_r_srv_pwset(r_u, &srv_cred, status);