Author: abartlet Date: 2005-10-31 06:01:55 +0000 (Mon, 31 Oct 2005) New Revision: 11413
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11413 Log: More comments, plus always check (and update) the credentials chain, regardless the authentication result on a particular user. Andrew Bartlett Modified: branches/SAMBA_4_0/source/winbind/wb_pam_auth.c Changeset: Modified: branches/SAMBA_4_0/source/winbind/wb_pam_auth.c =================================================================== --- branches/SAMBA_4_0/source/winbind/wb_pam_auth.c 2005-10-31 05:45:19 UTC (rev 11412) +++ branches/SAMBA_4_0/source/winbind/wb_pam_auth.c 2005-10-31 06:01:55 UTC (rev 11413) @@ -28,6 +28,7 @@ #include "smbd/service_stream.h" #include "libcli/auth/credentials.h" +/* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; @@ -51,6 +52,14 @@ void *p); static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p); +/* NTLM authentication. + + Fill parameters into a control block to pass to the next function. + No application logic, this is done by the helper function paramters + to wb_domain_request_send() + +*/ + struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call, uint32_t logon_parameters, const char *domain, @@ -104,6 +113,11 @@ return NULL; } +/* + NTLM Authentication + + Send of a SamLogon request to authenticate a user. +*/ static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain *domain, void *p) { @@ -149,6 +163,11 @@ state, &state->r); } +/* + NTLM Authentication + + Check the SamLogon reply, decrypt and parse out the session keys and the info3 structure +*/ static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p) { @@ -161,9 +180,6 @@ status = composite_netr_LogonSamLogon_recv(ctx); if (!NT_STATUS_IS_OK(status)) return status; - status = state->r.out.result; - if (!NT_STATUS_IS_OK(status)) return status; - if ((state->r.out.return_authenticator == NULL) || (!creds_client_check(state->creds_state, &state->r.out.return_authenticator->cred))) { @@ -171,6 +187,12 @@ return NT_STATUS_ACCESS_DENIED; } + status = state->r.out.result; + if (!NT_STATUS_IS_OK(status)) return status; + + /* Decrypt the session keys before we reform the info3, so the + * person on the other end of winbindd pipe doesn't have to. + * They won't have the encryption key anyway */ creds_decrypt_samlogon(state->creds_state, state->r.in.validation_level, &state->r.out.validation); @@ -180,13 +202,17 @@ state->r.out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); NT_STATUS_NOT_OK_RETURN(status); - + + /* The Samba3 protocol is a bit broken (due to non-IDL + * heritage, so for compatability we must add a non-zero 4 + * bytes to the info3 */ state->info3 = data_blob_talloc(state, NULL, tmp_blob.length+4); NT_STATUS_HAVE_NO_MEMORY(state->info3.data); SIVAL(state->info3.data, 0, 1); memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length); + /* We actually only ask for level 3, and assume it above, but anyway... */ base = NULL; switch(state->r.in.validation_level) { case 2: @@ -206,7 +232,9 @@ state->user_session_key = base->key; state->lm_key = base->LMSessKey; - /* Give the caller the most accurate username possible */ + /* Give the caller the most accurate username possible. + * Assists where case sensitive comparisons may be done by our + * ntlm_auth callers */ if (base->account_name.string) { state->user_name = base->account_name.string; talloc_steal(state, base->account_name.string);