Linux Cubed Series 7: Sunsite

home *** CD-ROM | disk | FTP | other *** search

/ Linux Cubed Series 7: Sunsite / Linux Cubed Series 7 - Sunsite Vol 1.iso / system / network / samba / patches / samba-1.012 / samba-1

Wrap

Text File | 1995-07-11 | 61.2 KB | 2,106 lines

diff -u -r --new-file last-version/docs/smb.conf.5 samba-1.9.14alpha10/docs/smb.conf.5 --- last-version/docs/smb.conf.5 Thu Jul 6 16:42:42 1995 +++ samba-1.9.14alpha10/docs/smb.conf.5 Tue Jul 11 16:45:14 1995 @@ -332,6 +332,8 @@ dfree command +encrypt passwords + getwd cache hosts equiv @@ -366,6 +368,8 @@ packet size +passwd chat + passwd program password level @@ -850,6 +854,13 @@ .B Example: dont descend = /proc,/dev +.SS encrypt passwords (G) + +This boolean controls whether encrypted passwords will be negotiated +with the cient. Note that this option has no effect if you haven't +compiled in the necessary des libraries and encryption code. It +defaults to no. + .SS exec (S) This is an alias for preexec @@ -1483,12 +1494,50 @@ longer implemented as of version 1.7.00, and is kept only so old configuration files do not become invalid. +.SS passwd chat (G) +This string coontrols the "chat" conversation that takes places +between smbd and the local password changing program to change the +users password. The string describes a sequence of response-receive +pairs that smbd uses to determine what to send to the passwd program +and what to expect back. If the expected output is not received then +the password is not changed. + +This chat sequence is often quite site specific, deppending on what +local methods are used for password control (such as NIS+ etc). + +The string can contain the macros %o and %n which are substituted for +the old and new passwords respectively. It can aso contain the +standard macros \n \r \t and \s to give line-feed, carriage-return, +tab and space. + +The string can also contain a * which matches any sequence of +characters. + +Double quotes can be used to collect strings with spaces in them into +a single string. + +If the send string in any part of the chat sequence is a fullstop "." +then no string is sent. Similarly, is the expect string is a fullstop +then no string is expected. + +.B Example: + passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \ + "*Reenter NEW password*" %n\n "*Password changed*" + +.B Default: + passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed* + .SS passwd program (G) The name of a program that can be used to set user passwords. This is only necessary if you have enabled remote password changing at compile time. Any occurances of %u will be replaced with the user name. + +Also note that many passwd programs insist in "reasonable" passwords, +such as a minimum length, or the inclusion of mixed case chars and +digits. This can pose a problem as some clients (such as Windows for +Workgroups) uppercase the password before sending it. .B Default: passwd program = /bin/passwd diff -u -r --new-file last-version/source/Makefile samba-1.9.14alpha10/source/Makefile --- last-version/source/Makefile Sun Jul 9 15:29:01 1995 +++ samba-1.9.14alpha10/source/Makefile Tue Jul 11 16:28:48 1995 @@ -84,6 +84,11 @@ # DCE_LIBDIR = -L$(DCE_BASE)/lib # DCE_LIBS = +# This is for SMB encrypted (lanman) passwords. +# DES_BASE=/usr/local/libdes +# DES_FLAGS= -I$(DES_BASE) +# DES_LIB= -L$(DES_BASE) -ldes +# PASSWD_FLAGS=-DSMB_PASSWD -DSMB_PASSWD_FILE=\"$(BASEDIR)/private/smbpasswd\" ##################################### # WHICH OPERATING SYSTEM? @@ -396,10 +401,11 @@ CFLAGS2 = -DCONFIGFILE=\"$(CONFIGFILE)\" -DLMHOSTSFILE=\"$(LMHOSTSFILE)\" CFLAGS3 = -DLOCKDIR=\"$(LOCKDIR)\" -DSMBRUN=\"$(SMBRUN)\" CFLAGS4 = -DWORKGROUP=\"$(WORKGROUP)\" -DGUEST_ACCOUNT=\"$(GUESTACCOUNT)\" -CFLAGS = $(CFLAGS1) $(CFLAGS2) $(CFLAGS3) $(CFLAGS4) $(FLAGSM) $(AFS_FLAGS) $(DCE_FLAGS) -LIBS = $(LIBS1) $(LIBSM) $(DCE_LIBS) +CFLAGS5 = $(CFLAGS1) $(CFLAGS2) $(CFLAGS3) $(CFLAGS4) $(FLAGSM) $(AFS_FLAGS) +CFLAGS = $(CFLAGS5) $(DCE_FLAGS) $(DES_FLAGS) $(PASSWD_FLAGS) +LIBS = $(LIBS1) $(LIBSM) $(DCE_LIBS) $(DES_LIB) -PROGS = smbd smbclient nmbd testparm testprns smbrun smbstatus +PROGS = smbd smbclient nmbd testparm testprns smbrun smbstatus smbpasswd SCRIPTS = smbtar all : CHECK $(PROGS) @@ -409,16 +415,19 @@ @echo "Using CFLAGS = $(CFLAGS)" @echo "Using LIBS = $(LIBS)" -INCLUDES1 = version.h local.h includes.h smb.h loadparm.h params.h +INCLUDES1 = version.h local.h includes.h smb.h loadparm.h params.h smbpass.h INCLUDES2 = pcap.h trans2.h reply.h INCLUDES = $(INCLUDES1) $(INCLUDES2) UTILOBJ = util.o charset.o kanji.o fault.o -PARAMOBJ = $(UTILOBJ) loadparm.o params.o pcap.o access.o username.o ufc.o +PARAMOBJ = $(UTILOBJ) loadparm.o params.o pcap.o access.o username.o ufc.o smbpass.o SMBDOBJ1 = $(PARAMOBJ) trans2.o message.o dir.o printing.o locking.o SMBDOBJ2 = ipc.o reply.o mangle.o chgpasswd.o password.o SMBDOBJ = $(SMBDOBJ1) $(SMBDOBJ2) +.SUFFIXES: +.SUFFIXES: .c .o .h + .c.o: $*.c $(INCLUDES) @echo Compiling $*.c @$(CC) $(CFLAGS) -c $*.c @@ -450,6 +459,10 @@ testprns: testprns.o $(PARAMOBJ) @echo Linking testprns @$(CC) $(CFLAGS) -o testprns testprns.o $(PARAMOBJ) $(LIBS) + +smbpasswd: smbpasswd.o $(PARAMOBJ) + @echo Linking smbpasswd + @$(CC) $(CFLAGS) -o smbpasswd smbpasswd.o $(PARAMOBJ) $(LIBS) install: installbin installman diff -u -r --new-file last-version/source/change-log samba-1.9.14alpha10/source/change-log --- last-version/source/change-log Sun Jul 9 16:27:09 1995 +++ samba-1.9.14alpha10/source/change-log Tue Jul 11 16:47:34 1995 @@ -1513,7 +1513,12 @@ - client and AFS changes + password.c reorganisation + "more" and "pwd" commands in client from Todd j. Derr (tjd@smi.med.pitt.edu) - fixed several nmbd bugs - + - released alpha9 + - fixed another "cd" bug in smbclient + - password encryption from Jeremy Allison + - added "passwd chat" option and chat interpretation code + - added "smb passwd file" option + - released alpha10 ========== todo: diff -u -r --new-file last-version/source/chgpasswd.c samba-1.9.14alpha10/source/chgpasswd.c --- last-version/source/chgpasswd.c Wed Jul 5 17:28:40 1995 +++ samba-1.9.14alpha10/source/chgpasswd.c Tue Jul 11 16:32:38 1995 @@ -35,37 +35,10 @@ #define MINPASSWDLENGTH 5 #define BUFSIZE 512 -static char *P1[] = -{ - "*old*password*", - "" -}; - -static char *P2[] = -{ - "*new*password*", - "" -}; - -static char *P3[] = -{ - "*new*password*", - "" -}; - -static char *P4[] = -{ - "\n", - "*entry changed*", - "*passwd changed*", - "*password changed*", - "" -}; - static int findpty (char **slave); static int talktochild(int master,char *oldpass,char *newpass,char *emess); static int dochild(int master,char *slavedev,char *name,char *oldpass,char *newpass); -static int expect(int master,char **expected,char *buf); +static int expect(int master,char *expected,char *buf); static void writestring (int fd,char *s); BOOL chgpasswd(char *name,char *oldpass,char *newpass) @@ -241,61 +214,70 @@ return(True); } +static void pwd_sub(char *buf,char *oldpass,char *newpass) +{ + string_sub(buf,"%o",oldpass); + string_sub(buf,"%n",newpass); + string_sub(buf,"\\n","\n"); + string_sub(buf,"\\r","\r"); + string_sub(buf,"\\s"," "); + string_sub(buf,"\\t","\t"); +} + static int talktochild (master, oldpass, newpass, emess) int master; char *oldpass, *newpass, *emess; { char buf[BUFSIZE]; char pswd[BUFSIZE+1]; - + int count=0; + char *chatsequence = lp_passwd_chat(); + char *ptr=chatsequence; + fstring chatbuf; + + if (!*chatsequence) { + DEBUG(0,("No passwd chat sequence - aborting password change\n")); + } + *buf = 0; *pswd = 0; *emess = 0; sleep(1); - - if (!expect(master, P1, buf)) /* Compare what is on the pty with what is stored in P1 */ - { - DEBUG(3,("Response 1 not correct: %s\n",buf)); - return (False); - } - sprintf(pswd, "%s\n", oldpass); - writestring(master, pswd); + while (next_token(&ptr,chatbuf,NULL)) { + BOOL ok=True; + count++; + pwd_sub(chatbuf,oldpass,newpass); + if (!strequal(chatbuf,".")) + ok = expect(master,chatbuf,buf); - if (!expect(master, P2, buf)) - { - DEBUG(3,("Response 2 not correct: %s\n",buf)); - return(False); - } - - sprintf(pswd,"%s\n", newpass); - writestring(master, pswd); +#if DEBUG_PASSWORD + DEBUG(100,("chatbuf=[%s] responsebuf=[%s]\n",chatbuf,buf)); +#endif - if (!expect(master, P3, buf)) - { - DEBUG(3,("Response 3 not correct: %s\n",buf)); + if (!ok) { + DEBUG(3,("response %d incorrect\n",count)); return(False); } - sprintf(pswd,"%s\n", newpass); - writestring(master, pswd); + if (!next_token(&ptr,chatbuf,NULL)) break; + pwd_sub(chatbuf,oldpass,newpass); + if (!strequal(chatbuf,".")) + writestring(master,chatbuf); - if (!expect(master, P4, buf)) - { - DEBUG(3,("Response 4 not correct: %s\n",buf)); - return(False); - } +#if DEBUG_PASSWORD + DEBUG(100,("sendbuf=[%s]\n",chatbuf)); +#endif + } + if (count<1) return(False); + return (True); } -static int expect(master, expected, buf) - int master; - char **expected; - char *buf; +static int expect(int master,char *expected,char *buf) { int n, m; - char **s; n = 0; buf[0] = 0; @@ -304,21 +286,20 @@ return False; } - /* allow 2 seconds for some output to appear */ - m = read_with_timeout(master, buf+n, 1, BUFSIZE-1-n, 2000, True); - if (m < 0) return False; + /* allow 4 seconds for some output to appear */ + m = read_with_timeout(master, buf+n, 1, BUFSIZE-1-n, 4000, True); + if (m < 0) + return False; n += m; buf[n] = 0; - for (s = expected; **s != 0; s++) { - { - string s1,s2; - strcpy(s1,buf); - strcpy(s2,*s); - if (do_match(s1, s2, False)) - return(True); - } + { + pstring s1,s2; + strcpy(s1,buf); + strcpy(s2,expected); + if (do_match(s1, s2, False)) + return(True); } } } diff -u -r --new-file last-version/source/client.c samba-1.9.14alpha10/source/client.c --- last-version/source/client.c Sun Jul 9 15:26:37 1995 +++ samba-1.9.14alpha10/source/client.c Mon Jul 10 09:43:19 1995 @@ -235,8 +235,13 @@ ****************************************************************************/ static BOOL chkpath(char *path,BOOL report) { + fstring path2; pstring inbuf,outbuf; char *p; + + strcpy(path2,path); + trim_string(path2,NULL,"\\"); + if (!*path2) *path2 = '\\'; bzero(outbuf,smb_size); set_message(outbuf,0,4 + strlen(path),True); diff -u -r --new-file last-version/source/includes.h samba-1.9.14alpha10/source/includes.h --- last-version/source/includes.h Thu Jul 6 17:42:16 1995 +++ samba-1.9.14alpha10/source/includes.h Tue Jul 11 13:35:34 1995 @@ -211,6 +211,7 @@ #ifdef sun386 #define NO_STRFTIME #define NO_UTIMBUF +#define mktime timelocal typedef unsigned short mode_t; #else #include <utime.h> @@ -778,6 +779,9 @@ #include "version.h" #include "smb.h" #include "byteorder.h" +#ifdef SMB_PASSWD +#include "smbpass.h" +#endif #ifdef KANJI #ifndef _KANJI_C_ diff -u -r --new-file last-version/source/ipc.c samba-1.9.14alpha10/source/ipc.c --- last-version/source/ipc.c Thu Jul 6 22:39:07 1995 +++ samba-1.9.14alpha10/source/ipc.c Tue Jul 11 13:36:01 1995 @@ -958,7 +958,7 @@ DEBUG(3,("Set password for <%s>\n",user)); - if (!password_ok(user,pass1,NULL) || !chgpasswd(user,pass1,pass2)) + if (!password_ok(user,pass1,strlen(pass1),NULL) || !chgpasswd(user,pass1,pass2)) SSVAL(*rparam,0,NERR_badpass); bzero(pass1,sizeof(fstring)); diff -u -r --new-file last-version/source/loadparm.c samba-1.9.14alpha10/source/loadparm.c --- last-version/source/loadparm.c Wed Jul 5 15:19:28 1995 +++ samba-1.9.14alpha10/source/loadparm.c Tue Jul 11 15:52:32 1995 @@ -120,8 +120,10 @@ char *szServerString; char *szAutoServices; char *szPasswdProgram; + char *szPasswdChat; char *szLogFile; char *szConfigFile; + char *szSMBPasswdFile; char *szPasswordServer; char *szSocketOptions; char *szValidChars; @@ -139,6 +141,7 @@ int printing; int maxdisksize; int lpqcachetime; + BOOL bEncryptPasswords; BOOL bStripDot; BOOL bNullPasswords; BOOL bLoadPrinters; @@ -327,6 +330,7 @@ {"printing", P_INTEGER, P_GLOBAL, &Globals.printing,handle_printing}, {"max disk size", P_INTEGER, P_GLOBAL, &Globals.maxdisksize, NULL}, {"lpq cache time", P_INTEGER, P_GLOBAL, &Globals.lpqcachetime, NULL}, + {"encrypt passwords",P_BOOL, P_GLOBAL, &Globals.bEncryptPasswords, NULL}, {"getwd cache", P_BOOL, P_GLOBAL, &use_getwd_cache, NULL}, {"read prediction", P_BOOL, P_GLOBAL, &Globals.bReadPrediction, NULL}, {"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL}, @@ -341,6 +345,7 @@ {"smbrun", P_GSTRING, P_GLOBAL, smbrun_path, NULL}, {"log file", P_STRING, P_GLOBAL, &Globals.szLogFile, NULL}, {"config file", P_STRING, P_GLOBAL, &Globals.szConfigFile, NULL}, + {"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL}, {"hosts equiv", P_STRING, P_GLOBAL, &Globals.szHostsEquiv, NULL}, {"preload", P_STRING, P_GLOBAL, &Globals.szAutoServices, NULL}, {"auto services", P_STRING, P_GLOBAL, &Globals.szAutoServices, NULL}, @@ -357,6 +362,7 @@ {"message command", P_STRING, P_GLOBAL, &Globals.szMsgCommand, NULL}, {"dfree command", P_STRING, P_GLOBAL, &Globals.szDfree, NULL}, {"passwd program", P_STRING, P_GLOBAL, &Globals.szPasswdProgram, NULL}, + {"passwd chat", P_STRING, P_GLOBAL, &Globals.szPasswdChat, NULL}, {"valid chars", P_STRING, P_GLOBAL, &Globals.szValidChars, handle_valid_chars}, {"workgroup", P_STRING, P_GLOBAL, &Globals.szWorkGroup, NULL}, {"username map", P_STRING, P_GLOBAL, &Globals.szUsernameMap, NULL}, @@ -482,6 +488,10 @@ DEBUG(3,("Initialising global parameters\n")); +#ifdef SMB_PASSWD_FILE + string_set(&Globals.szSMBPasswdFile, SMB_PASSWD_FILE); +#endif + string_set(&Globals.szPasswdChat,"*old*password* %o\\n *new*password* %n\\n *new*password* %n\\n *changed*"); string_set(&Globals.szWorkGroup, WORKGROUP); string_set(&Globals.szPasswdProgram, "/bin/passwd"); string_set(&Globals.szPrintcapname, PRINTCAP_NAME); @@ -501,6 +511,7 @@ Globals.max_log_size = 5000; Globals.maxprotocol = PROTOCOL_NT1; Globals.security = SEC_SHARE; + Globals.bEncryptPasswords = False; Globals.printing = DEFAULT_PRINTING; Globals.bReadRaw = True; Globals.bWriteRaw = True; @@ -594,6 +605,7 @@ FN_GLOBAL_STRING(lp_logfile,&Globals.szLogFile) FN_GLOBAL_STRING(lp_configfile,&Globals.szConfigFile) +FN_GLOBAL_STRING(lp_smb_passwd_file,&Globals.szSMBPasswdFile) FN_GLOBAL_STRING(lp_serverstring,&Globals.szServerString) FN_GLOBAL_STRING(lp_printcapname,&Globals.szPrintcapname) FN_GLOBAL_STRING(lp_lockdir,&Globals.szLockDir) @@ -604,6 +616,7 @@ FN_GLOBAL_STRING(lp_hosts_equiv,&Globals.szHostsEquiv) FN_GLOBAL_STRING(lp_auto_services,&Globals.szAutoServices) FN_GLOBAL_STRING(lp_passwd_program,&Globals.szPasswdProgram) +FN_GLOBAL_STRING(lp_passwd_chat,&Globals.szPasswdChat) FN_GLOBAL_STRING(lp_passwordserver,&Globals.szPasswordServer) FN_GLOBAL_STRING(lp_workgroup,&Globals.szWorkGroup) FN_GLOBAL_STRING(lp_username_map,&Globals.szUsernameMap) @@ -617,6 +630,8 @@ FN_GLOBAL_BOOL(lp_writeraw,&Globals.bWriteRaw) FN_GLOBAL_BOOL(lp_null_passwords,&Globals.bNullPasswords) FN_GLOBAL_BOOL(lp_strip_dot,&Globals.bStripDot) +FN_GLOBAL_BOOL(lp_encrypted_passwords,&Globals.bEncryptPasswords) + FN_GLOBAL_INTEGER(lp_max_log_size,&Globals.max_log_size) FN_GLOBAL_INTEGER(lp_mangledstack,&Globals.mangled_stack) diff -u -r --new-file last-version/source/loadparm.h samba-1.9.14alpha10/source/loadparm.h --- last-version/source/loadparm.h Wed Jul 5 15:14:47 1995 +++ samba-1.9.14alpha10/source/loadparm.h Tue Jul 11 15:49:06 1995 @@ -38,11 +38,13 @@ extern BOOL lp_manglednames(int iService); extern char *lp_passwordserver(void); extern char *lp_passwd_program(void); +extern char *lp_passwd_chat(void); extern char *lp_guestaccount(int iService); extern char *lp_printcapname(void); extern char *lp_lockdir(void); extern char *lp_logfile(void); extern char *lp_configfile(void); +extern char *lp_smb_passwd_file(void); extern char *lp_rootdir(void); extern char *lp_defaultservice(void); extern char *lp_serverstring(void); @@ -66,6 +68,7 @@ extern BOOL lp_writeraw(void); extern BOOL lp_null_passwords(void); extern BOOL lp_strip_dot(void); +extern BOOL lp_encrypted_passwords(void); extern int lp_numservices(void); extern int lp_keepalive(void); extern int lp_passwordlevel(void); diff -u -r --new-file last-version/source/locking.c samba-1.9.14alpha10/source/locking.c --- last-version/source/locking.c Wed Jul 5 01:30:06 1995 +++ samba-1.9.14alpha10/source/locking.c Tue Jul 11 15:02:01 1995 @@ -27,131 +27,6 @@ pstring share_del_pending=""; -/**************************************************************************** -routine to do file locking -****************************************************************************/ -static BOOL fcntl_lock(int fd,int op,uint32 offset,uint32 count,int type) -{ -#if HAVE_FCNTL_LOCK - struct flock lock; - int ret; - -#if 1 - uint32 mask = 0xC0000000; - - /* make sure the count is reasonable, we might kill the lockd otherwise */ - count &= ~mask; - - /* the offset is often strange - remove 2 of its bits if either of - the top two bits are set. Shift the top ones by two bits. This - still allows OLE2 apps to operate, but should stop lockd from - dieing */ - if ((offset & mask) != 0) - offset = (offset & ~mask) | ((offset & mask) >> 2); -#else - unsigned long mask = ((unsigned)1<<31); - - /* interpret negative counts as large numbers */ - if (count < 0) - count &= ~mask; - - /* no negative offsets */ - offset &= ~mask; - - /* count + offset must be in range */ - while ((offset < 0 || (offset + count < 0)) && mask) - { - offset &= ~mask; - mask = mask >> 1; - } -#endif - - - DEBUG(5,("fcntl_lock %d %d %d %d %d\n",fd,op,(int)offset,(int)count,type)); - - lock.l_type = type; - lock.l_whence = SEEK_SET; - lock.l_start = (int)offset; - lock.l_len = (int)count; - lock.l_pid = 0; - - errno = 0; - - ret = fcntl(fd,op,&lock); - - if (errno != 0) - DEBUG(3,("fcntl lock gave errno %d (%s)\n",errno,strerror(errno))); - - /* a lock query */ - if (op == F_GETLK) - { - if ((ret != -1) && - (lock.l_type != F_UNLCK) && - (lock.l_pid != 0) && - (lock.l_pid != getpid())) - { - DEBUG(3,("fd %d is locked by pid %d\n",fd,lock.l_pid)); - return(True); - } - - /* it must be not locked or locked by me */ - return(False); - } - - /* a lock set or unset */ - if (ret == -1) - { - DEBUG(3,("lock failed at offset %d count %d op %d type %d (%s)\n", - offset,count,op,type,strerror(errno))); - - /* perhaps it doesn't support this sort of locking?? */ - if (errno == EINVAL) - { - DEBUG(3,("locking not supported? returning True\n")); - return(True); - } - - return(False); - } - - /* everything went OK */ - DEBUG(5,("Lock call successful\n")); - - return(True); -#else - return(False); -#endif -} - -/******************************************************************* -lock a file - returning a open file descriptor or -1 on failure -The timeout is in seconds. 0 means no timeout -********************************************************************/ -int file_lock(char *name,int timeout) -{ - int fd = open(name,O_RDWR|O_CREAT,0666); - time_t t=0; - if (fd < 0) return(-1); - - if (timeout) t = time(NULL); - while (!timeout || (time(NULL)-t < timeout)) { - if (fcntl_lock(fd,F_SETLK,0,1,F_WRLCK)) return(fd); - msleep(LOCK_RETRY_TIMEOUT); - } - - return(-1); -} - -/******************************************************************* -unlock a file locked by file_lock -********************************************************************/ -void file_unlock(int fd) -{ - if (fd<0) return; - fcntl_lock(fd,F_SETLK,0,1,F_UNLCK); - close(fd); -} - /**************************************************************************** utility function called to see if a file region is locked diff -u -r --new-file last-version/source/mksmbpasswd.sh samba-1.9.14alpha10/source/mksmbpasswd.sh --- last-version/source/mksmbpasswd.sh Thu Jan 1 10:00:00 1970 +++ samba-1.9.14alpha10/source/mksmbpasswd.sh Tue Jul 11 13:41:45 1995 @@ -0,0 +1,6 @@ +#!/bin/sh +awk 'BEGIN {FS=":" + printf("#\n# SMB password file.\n#\n") + } +{ printf( "%s:%s:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:%s:%s:%s\n", $1, $3, $5, $6, $7) } +' diff -u -r --new-file last-version/source/password.c samba-1.9.14alpha10/source/password.c --- last-version/source/password.c Sun Jul 9 15:07:48 1995 +++ samba-1.9.14alpha10/source/password.c Tue Jul 11 16:45:47 1995 @@ -28,7 +28,42 @@ /* users from session setup */ pstring session_users=""; +#ifdef SMB_PASSWD +/* Data to do lanman1/2 password challenge. */ +static unsigned char saved_challenge[8]; +static BOOL challenge_sent=False; +/******************************************************************* +Get the next challenge value - no repeats. +********************************************************************/ +void generate_next_challenge(char *challenge) +{ + extern void E1(char *,char *,char *); + static int counter = 0; + struct timeval tval; + int v1,v2; + GetTimeOfDay(&tval); + v1 = (counter++) + getpid() + tval.tv_sec; + v2 = (counter++) * getpid() + tval.tv_usec; + SIVAL(challenge,0,v1); + SIVAL(challenge,4,v2); + E1(challenge,"SAMBA",saved_challenge); + memcpy(challenge,saved_challenge,8); + challenge_sent = True; +} + +/******************************************************************* +get the last challenge sent +********************************************************************/ +BOOL last_challenge(char *challenge) +{ + if (!challenge_sent) return(False); + memcpy(challenge,saved_challenge,8); + challenge_sent = False; + return(True); +} +#endif + /* this holds info on user ids that are already validated for this VC */ user_struct *validated_users = NULL; int num_validated_users = 0; @@ -418,23 +453,83 @@ return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0); } +#ifdef SMB_PASSWD +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8) +{ + /* Finish the encryption of part_passwd. */ + unsigned char p21[21]; + unsigned char p24[24]; + + if(part_passwd == NULL) + DEBUG(10,("No password set - allowing access\n")); + /* No password set - always true ! */ + if(part_passwd == NULL) + return 1; + + memset(p21,'\0',21); + memcpy(p21,part_passwd,16); + E_P24(p21, c8, p24); +#if DEBUG_PASSWORD + { + int i; + DEBUG(100,("Part password (P16) was |")); + for(i = 0; i < 16; i++) + DEBUG(100,("%X ", (unsigned char)part_passwd[i])); + DEBUG(100,("|\n")); + DEBUG(100,("Password from client was |")); + for(i = 0; i < 24; i++) + DEBUG(100,("%X ", (unsigned char)password[i])); + DEBUG(100,("|\n")); + DEBUG(100,("Given challenge was |")); + for(i = 0; i < 8; i++) + DEBUG(100,("%X ", (unsigned char)c8[i])); + DEBUG(100,("|\n")); + DEBUG(100,("Value from encryption was |")); + for(i = 0; i < 24; i++) + DEBUG(100,("%X ", (unsigned char)p24[i])); + DEBUG(100,("|\n")); + } +#endif + return (memcmp(p24, password, 24) == 0); +} +#endif + /**************************************************************************** check if a username/password is OK ****************************************************************************/ -BOOL password_ok(char *user,char *password, struct passwd *pwd) +BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd) { pstring pass2; int level = lp_passwordlevel(); struct passwd *pass; +#ifdef SMB_PASSWD + char challenge[8]; + struct smb_passwd *smb_pass; + BOOL challenge_done = last_challenge(challenge); +#endif #if DEBUG_PASSWORD - DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password)); +#ifdef SMB_PASSWD + int i; + if((pwlen == 24) && challenge_done) + { + DEBUG(100,("checking user=[%s] pass=[",user)); + for( i = 0; i < 24; i++) + DEBUG(100,("%0x ", (unsigned char)password[i])); + DEBUG(100,("]\n")); + } + else +#endif + DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password)); #endif if (!password) return(False); - if (!*password && !lp_null_passwords()) + if (!pwlen && !lp_null_passwords()) return(False); if (pwd && !user) @@ -445,7 +540,40 @@ else pass = Get_Pwnam(user,True); - DEBUG(4,("Checking password for user %s (l=%d)\n",user,strlen(password))); +#ifdef SMB_PASSWD + if((pwlen == 24) && challenge_done) + { + DEBUG(4,("Checking password for user %s (l=24)\n",user)); + + if (!pass) + { + DEBUG(3,("Couldn't find user %s\n",user)); + return(False); + } + + smb_pass = get_smbpwnam(user); + if(!smb_pass) + { + DEBUG(3,("Couldn't find user %s in smb_passwd file.\n", user)); + return(False); + } + + /* Ensure the uid's match */ + if(smb_pass->smb_userid != pass->pw_uid) + { + DEBUG(3,("Error : UNIX and SMB uids in password files do not match !\n")); + return(False); + } + + if(smb_password_check(password, smb_pass->smb_passwd, challenge)) + { + update_protected_database(user,True); + return(True); + } + } +#endif + + DEBUG(4,("Checking password for user %s (l=%d)\n",user,pwlen)); if (!pass) { @@ -516,7 +644,6 @@ #endif } - /* try it as it came to us */ if (password_check(password)) { @@ -605,7 +732,7 @@ /**************************************************************************** validate a group username entry. Return the username or NULL ****************************************************************************/ -static char *validate_group(char *group,char *password,int snum) +static char *validate_group(char *group,char *password,int pwlen,int snum) { #if HAVE_GETGRNAM struct group *gptr = (struct group *)getgrnam(group); @@ -618,7 +745,7 @@ static fstring name; strcpy(name,*member); if (user_ok(name,snum) && - password_ok(name,password,NULL)) + password_ok(name,password,pwlen,NULL)) return(&name[0]); member++; } @@ -631,7 +758,7 @@ while (pwd = getpwent ()) { if (*(pwd->pw_passwd) && pwd->pw_gid == gptr->gr_gid) { /* This Entry have PASSWORD and same GID then check pwd */ - if (password_ok(0, password, pwd)) { + if (password_ok(0, password, pwlen, pwd)) { strcpy(tm, pwd->pw_name); endpwent (); return tm; @@ -651,7 +778,7 @@ /**************************************************************************** check for authority to login to a service with a given username/password ****************************************************************************/ -BOOL authorise_login(int snum,char *user,char *password,BOOL *guest,int vuid) +BOOL authorise_login(int snum,char *user,char *password, int pwlen, BOOL *guest,int vuid) { BOOL ok = False; @@ -678,14 +805,14 @@ /* check the given username and password */ if (!ok && (*user) && user_ok(user,snum)) { - ok = password_ok(user,password, NULL); + ok = password_ok(user,password, pwlen, NULL); if (ok) DEBUG(3,("ACCEPTED: given username password ok\n")); } /* check for a previously registered guest username */ if (!ok && (vuid >= 0) && validated_users[vuid].guest) { if (user_ok(validated_users[vuid].name,snum) && - password_ok(validated_users[vuid].name, password, NULL)) { + password_ok(validated_users[vuid].name, password, pwlen, NULL)) { strcpy(user, validated_users[vuid].name); validated_users[vuid].guest = False; DEBUG(3,("ACCEPTED: given password with registered user %s\n", user)); @@ -709,7 +836,7 @@ strcpy(user2,auser); if (!user_ok(user2,snum)) continue; - if (password_ok(user2,password, NULL)) { + if (password_ok(user2,password, pwlen, NULL)) { ok = True; strcpy(user,user2); DEBUG(3,("ACCEPTED: session list username and given password ok\n")); @@ -748,7 +875,7 @@ { if (*auser == '@') { - auser = validate_group(auser+1,password,snum); + auser = validate_group(auser+1,password,pwlen,snum); if (auser) { ok = True; @@ -760,7 +887,7 @@ { fstring user2; strcpy(user2,auser); - if (user_ok(user2,snum) && password_ok(user2,password,NULL)) + if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) { ok = True; strcpy(user,user2); diff -u -r --new-file last-version/source/reply.c samba-1.9.14alpha10/source/reply.c --- last-version/source/reply.c Fri Jul 7 15:09:51 1995 +++ samba-1.9.14alpha10/source/reply.c Tue Jul 11 14:41:21 1995 @@ -120,14 +120,15 @@ int outsize = 0; int uid = SVAL(inbuf,smb_uid); int vuid; + int pwlen; *service = *user = *password = *dev = 0; vuid = valid_uid(uid); - parse_connect(inbuf,service,user,password,dev); + parse_connect(inbuf,service,user,password,&pwlen,dev); - connection_num = make_connection(service,user,password,dev,vuid); + connection_num = make_connection(service,user,password,pwlen,dev,vuid); if (connection_num < 0) switch (connection_num) @@ -168,6 +169,7 @@ int vuid; int smb_com2 = SVAL(inbuf,smb_vwv0); int smb_off2 = SVAL(inbuf,smb_vwv1); + int passlen = SVAL(inbuf,smb_vwv3); *service = *user = *password = *devicename = 0; @@ -178,7 +180,6 @@ vuid = valid_uid(uid); { - int passlen = SVAL(inbuf,smb_vwv3); char *path; char *p; memcpy(password,smb_buf(inbuf),passlen); @@ -201,7 +202,7 @@ DEBUG(4,("Got device type %s\n",devicename)); } - connection_num = make_connection(service,user,password,devicename,vuid); + connection_num = make_connection(service,user,password,passlen,devicename,vuid); if (connection_num < 0) switch (connection_num) @@ -303,17 +304,25 @@ } else { uint16 passlen1 = SVAL(inbuf,smb_vwv7); uint16 passlen2 = SVAL(inbuf,smb_vwv8); + BOOL doencrypt = SMBENCRYPT(); char *p = smb_buf(inbuf); if (passlen1 > 256) passlen1 = 0; if (passlen2 > 256) passlen2 = 0; /* I don't know why NT gives weird lengths sometimes */ - /* for Win95 */ - if (passlen1 > passlen2) { + if(doencrypt) { + /* Use the lanman2 password for now until the NT md4 password + is worked out. */ smb_apasslen = passlen1; - StrnCpy(smb_apasswd,p,smb_apasslen); + memcpy(smb_apasswd,p,smb_apasslen); } else { - smb_apasslen = passlen2; - StrnCpy(smb_apasswd,p + passlen1,smb_apasslen); + /* for Win95 */ + if (passlen1 > passlen2) { + smb_apasslen = passlen1; + StrnCpy(smb_apasswd,p,smb_apasslen); + } else { + smb_apasslen = passlen2; + StrnCpy(smb_apasswd,p + passlen1,smb_apasslen); + } } p += passlen1 + passlen2; strcpy(user,p); p = skip_string(p,1); @@ -344,7 +353,7 @@ guest = True; /* now check if it's a valid username/password */ - if (!guest && !password_ok(user,smb_apasswd, NULL)) + if (!guest && !password_ok(user,smb_apasswd,smb_apasslen,NULL)) { #if !GUEST_SESSSETUP if (lp_security() >= SEC_USER) diff -u -r --new-file last-version/source/server.c samba-1.9.14alpha10/source/server.c --- last-version/source/server.c Fri Jul 7 15:03:30 1995 +++ samba-1.9.14alpha10/source/server.c Tue Jul 11 14:58:25 1995 @@ -98,6 +98,9 @@ static int find_free_connection(int hash); +#ifdef SMB_PASSWD +extern void generate_next_challenge(char *challenge); +#endif /* for readability... */ #define IS_DOS_READONLY(test_mode) (((test_mode) & aRONLY) != 0) @@ -1834,7 +1837,7 @@ /**************************************************************************** make a connection to a service ****************************************************************************/ -int make_connection(char *service,char *user,char *password,char *dev,int vuid) +int make_connection(char *service,char *user,char *password, int pwlen, char *dev,int vuid) { int cnum; int snum; @@ -1860,12 +1863,12 @@ if (strequal(service,HOMES_NAME)) { if (*user && Get_Pwnam(user,True)) - return(make_connection(user,user,password,dev,vuid)); + return(make_connection(user,user,password,pwlen,dev,vuid)); if (validated_username(vuid)) { strcpy(user,validated_username(vuid)); - return(make_connection(user,user,password,dev,vuid)); + return(make_connection(user,user,password,pwlen,dev,vuid)); } } @@ -1896,7 +1899,7 @@ add_session_user(service); /* shall we let them in? */ - if (!authorise_login(snum,user,password,&guest,vuid)) + if (!authorise_login(snum,user,password,pwlen,&guest,vuid)) { DEBUG(2,("%s invalid username/password for %s\n",timestring(),service)); return(-1); @@ -2234,9 +2237,7 @@ SSVAL(outbuf,smb_vwv5,raw); /* tell redirector we support readbraw and writebraw (possibly) */ CVAL(outbuf,smb_flg) = 0x81; /* Reply, SMBlockread, SMBwritelock supported */ -#ifdef TESTING SSVAL(outbuf,smb_vwv1,0x1); /* user level security, don't encrypt */ -#endif Protocol = PROTOCOL_COREPLUS; @@ -2250,9 +2251,21 @@ int reply_lanman1(char *outbuf) { int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0); - int outsize = set_message(outbuf,13,0,True); + int outsize; + int secword=0; + BOOL doencrypt = SMBENCRYPT(); + + if (lp_security()>=SEC_USER) secword |= 1; + if (doencrypt) secword |= 2; + + outsize = set_message(outbuf,13,doencrypt?8:0,True); + SSVAL(outbuf,smb_vwv1,secword); +#ifdef SMB_PASSWD + /* Create a token value and add it to the outgoing packet. */ + if (doencrypt) + generate_next_challenge(smb_buf(outbuf)); +#endif CVAL(outbuf,smb_flg) = 0x81; /* Reply, SMBlockread, SMBwritelock supported */ - SSVAL(outbuf,smb_vwv1,(lp_security()>=SEC_USER)?1:0); /* user level security? don't encrypt */ SSVAL(outbuf,smb_vwv2,maxxmit); SSVAL(outbuf,smb_vwv3,lp_maxmux()); /* maxmux */ SSVAL(outbuf,smb_vwv4,1); @@ -2275,10 +2288,21 @@ int reply_lanman2(char *outbuf) { int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0); - - set_message(outbuf,13,0,True); + int outsize; + int secword=0; + BOOL doencrypt = SMBENCRYPT(); + + if (lp_security()>=SEC_USER) secword |= 1; + if (doencrypt) secword |= 2; + + outsize = set_message(outbuf,13,doencrypt?8:0,True); + SSVAL(outbuf,smb_vwv1,secword); +#ifdef SMB_PASSWD + /* Create a token value and add it to the outgoing packet. */ + if (doencrypt) + generate_next_challenge(smb_buf(outbuf)); +#endif - SSVAL(outbuf,smb_vwv1,(lp_security()>=SEC_USER)?1:0); SIVAL(outbuf,smb_vwv6,getpid()); Protocol = PROTOCOL_LANMAN2; @@ -2295,18 +2319,32 @@ SSVAL(outbuf,smb_vwv10, TimeDiff(0)/60); put_dos_date(outbuf,smb_vwv8,time(NULL)); - return (smb_len(outbuf)+4); + return (outsize); } /**************************************************************************** -reply for the lanman 2.0 protocol +reply for the nt protocol ****************************************************************************/ int reply_nt1(char *outbuf) { int capabilities=0x300; /* has dual names + lock_and_read */ + int secword=0; + BOOL doencrypt = SMBENCRYPT(); + + if (lp_security()>=SEC_USER) secword |= 1; + if (doencrypt) secword |= 2; + + set_message(outbuf,17,doencrypt?8:0,True); + CVAL(outbuf,smb_vwv1) = secword; +#ifdef SMB_PASSWD + /* Create a token value and add it to the outgoing packet. */ + if (doencrypt) { + generate_next_challenge(smb_buf(outbuf)); + /* Tell the nt machine how long the challenge is. */ + SSVALS(outbuf,smb_vwv16+1,8); + } +#endif - set_message(outbuf,17,0,True); - CVAL(outbuf,smb_vwv1) = (lp_security()>=SEC_USER)?1:0; SIVAL(outbuf,smb_vwv7+1,getpid()); /* session key */ Protocol = PROTOCOL_NT1; @@ -2417,7 +2455,7 @@ /**************************************************************************** parse a connect packet ****************************************************************************/ -void parse_connect(char *buf,char *service,char *user,char *password,char *dev) +void parse_connect(char *buf,char *service,char *user,char *password,int *pwlen,char *dev) { char *p = smb_buf(buf) + 1; char *p2; @@ -2433,6 +2471,7 @@ p += strlen(p) + 2; strcpy(password,p); + *pwlen = strlen(password); p += strlen(p) + 2; @@ -3809,7 +3848,6 @@ exit(1); } - reopen_logs(); DEBUG(2,("%s smbd version %s started\n",timestring(),VERSION)); diff -u -r --new-file last-version/source/smb.h samba-1.9.14alpha10/source/smb.h --- last-version/source/smb.h Fri Jul 7 14:59:25 1995 +++ samba-1.9.14alpha10/source/smb.h Tue Jul 11 15:03:11 1995 @@ -355,6 +355,11 @@ #define MAP_SYSTEM(cnum) (OPEN_CNUM(cnum) && lp_map_system(SNUM(cnum))) #define MAP_ARCHIVE(cnum) (OPEN_CNUM(cnum) && lp_map_archive(SNUM(cnum))) #define CREATE_MODE(cnum) (lp_create_mode(SNUM(cnum)) | 0700) +#ifdef SMB_PASSWD +#define SMBENCRYPT() (lp_encrypted_passwords()) +#else +#define SMBENCRYPT() (False) +#endif /* the basic packet size, assuming no words or bytes */ #define smb_size 39 @@ -548,6 +553,7 @@ }; /* and a few prototypes */ +BOOL fcntl_lock(int fd,int op,uint32 offset,uint32 count,int type); void BlockSignals(BOOL block); void msleep(int t); int file_lock(char *name,int timeout); @@ -625,8 +631,8 @@ int seek_file(int fnum,int pos); BOOL do_unlock(int fnum,int cnum,uint32 count,uint32 offset,int *eclass,uint32 *ecode); int get_printqueue(int snum,int cnum,print_queue_struct **queue,print_status_struct *status); -void parse_connect(char *buf,char *service,char *user,char *password,char *dev); -int make_connection(char *service,char *user,char *password,char *dev,int vuid); +void parse_connect(char *buf,char *service,char *user,char *password,int *pwlen,char *dev); +int make_connection(char *service,char *user,char *password, int pwlen, char *dev,int vuid); char *dptr_path(int key); char *dptr_wcard(int key); BOOL dptr_set_wcard(int key, char *wcard); @@ -646,10 +652,10 @@ int reply_trans2(char *inbuf,char *outbuf,int length,int bufsize); int reply_trans(char *inbuf,char *outbuf); char *ufc_crypt(char *key,char *salt); -BOOL authorise_login(int snum,char *user,char *password,BOOL *guest,int vuid); +BOOL authorise_login(int snum,char *user,char *password, int pwlen, BOOL *guest,int vuid); void add_session_user(char *user); int valid_uid(int uid); -BOOL password_ok(char *user,char *password, struct passwd *pwd); +BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd); void register_uid(int uid,char *name,BOOL guest); BOOL fromhost(int sock,struct from_host *f); BOOL strhasupper(char *s); diff -u -r --new-file last-version/source/smbpass.c samba-1.9.14alpha10/source/smbpass.c --- last-version/source/smbpass.c Thu Jan 1 10:00:00 1970 +++ samba-1.9.14alpha10/source/smbpass.c Tue Jul 11 15:15:19 1995 @@ -0,0 +1,316 @@ +#ifdef SMB_PASSWD +/* + Unix SMB/Netbios implementation. + Version 1.9. + SMB parameters and setup + Copyright (C) Andrew Tridgell 1992-1995 + Modified by Jeremy Allison 1995. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "loadparm.h" +#include "des.h" + +extern int DEBUGLEVEL; + +#define uchar unsigned char + +void str_to_key(uchar *str,uchar *key) +{ + int i; + + key[0] = str[0]>>1; + key[1] = ((str[0]&0x01)<<6) | (str[1]>>2); + key[2] = ((str[1]&0x03)<<5) | (str[2]>>3); + key[3] = ((str[2]&0x07)<<4) | (str[3]>>4); + key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5); + key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6); + key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7); + key[7] = str[6]&0x7F; + for (i=0;i<8;i++) { + key[i] = (key[i]<<1); + } + des_set_odd_parity(key); +} + +void D1(uchar *k, uchar *d, uchar *out) +{ + des_key_schedule ks; + des_cblock deskey; + + str_to_key(k,(uchar *)deskey); + des_set_key(deskey,ks); + des_ecb_encrypt(d, out, ks, DES_DECRYPT); +} + +void E1(uchar *k, uchar *d, uchar *out) +{ + des_key_schedule ks; + des_cblock deskey; + + str_to_key(k,(uchar *)deskey); + des_set_key(deskey,ks); + des_ecb_encrypt(d, out, ks, DES_ENCRYPT); +} + +void E_P16(uchar *p14,uchar *p16) +{ + uchar sp7[7]; + uchar sp8[] = {0xAA,0xD3,0xB4,0x35,0xB5,0x14,0x4,0xEE}; + uchar x[8]; + + memset(sp7,'\0',7); + + D1(sp7, sp8, x); + E1(p14, x, p16); + E1(p14+7, x, p16+8); +} + +void E_P24(uchar *p21, uchar *c8, uchar *p24) +{ + E1(p21, c8, p24); + E1(p21+7, c8, p24+8); + E1(p21+14, c8, p24+16); +} + + +/* + This implements the X/Open SMB password encryption + It takes a password, a 8 byte "crypt key" and puts 24 bytes of + encrypted password into p24 +*/ +void SMBencrypt(uchar *passwd, uchar *c8, uchar *p24) +{ + uchar p14[14], p21[21]; + + memset(p21,'\0',21); + memset(p14,'\0',14); + strncpy((char *)p14,(char *)passwd,14); + + E_P16(p14, p21); + E_P24(p21, c8, p24); +} + +/* Try and get a lock on the first byte of the + file. If this fails wait 5 seconds then try again. + If this fails then return an error. This ensures a + consistant view is always seen as all processes updating + this file should finish within 5 seconds. +*/ + +static int gotalarm; + +void gotalarm_sig() +{ + gotalarm = 1; +} + +/* Static buffers we will return. */ +static struct smb_passwd pw_buf; +static pstring user_name; +static unsigned char smbpwd[16]; + +/* + * Routine to search the smbpasswd file for an + * entry matching the username. + */ +struct smb_passwd *get_smbpwnam(const char *name) +{ + char linebuf[256]; + unsigned char c; + unsigned char *p; + unsigned char *newp; + long uidval; + long linebuf_len; + unsigned char lonybble, hinybble; + int i; + FILE *fp; + int lockfd; + char *pfile = lp_smb_passwd_file(); + + if (!*pfile) { + DEBUG(0,("No SMB password file set\n")); + return(NULL); + } + + DEBUG(10,("get_smbpwnam: opening file %s\n", pfile)); + + fp = fopen(pfile,"r"); + + if(fp == NULL) + { + DEBUG(0,("get_smbpwnam: unable to open file %s\n", pfile)); + return NULL; + } + + if((lockfd = file_lock(pfile,5))<0) { + DEBUG(0,("get_smbpwnam: unable to lock file %s\n", pfile)); + fclose(fp); + return NULL; + } + + /* make sure it is only rw by the owner */ + fchmod(fileno(fp),0600); + + /* We have a read lock on the file. */ + /* Scan the file, a line at a time and + check if the name matches. */ + while(!feof(fp)) + { + linebuf[0] = '\0'; + + fgets(linebuf, 256, fp); + if(ferror(fp)) + { + fclose(fp); + file_unlock(lockfd); + return NULL; + } + + /* Check if the string is terminated with a newline - + if not then we must keep reading and discard until + we get one. + */ + linebuf_len = strlen(linebuf); + if(linebuf[linebuf_len-1] != '\n') + { + c = '\0'; + while(!ferror(fp) && !feof(fp)) + { + c = fgetc(fp); + if(c == '\n') + break; + } + } + else + linebuf[linebuf_len-1] = '\0'; + +#ifdef DEBUG_PASSWORD + DEBUG(100, ("get_smbpwnam: got line |%s|\n", linebuf)); +#endif + if((linebuf[0] == 0) && feof(fp)) + { + DEBUG(4,("get_smbpwnam: end of file reached\n")); + break; + } + /* The line we have should be of the form :- + + username:uid:[32hex bytes]:....other flags presently ignored.... + + */ + + if(linebuf[0] == '#' || linebuf[0] == '\0') + { + DEBUG(4,("get_smbpwnam: skipping comment or blank line\n")); + continue; + } + p = (unsigned char *)strchr(linebuf, ':'); + if( p == NULL) + { + DEBUG(0,("get_smbpwnam: malformed password entry (no :)\n")); + continue; + } + /* As 256 is shorter than a pstring we don't + need to check length here - if this ever changes.... */ + strncpy( user_name, linebuf, (char *)p - linebuf); + user_name[(char *)p - linebuf] = '\0'; + if(strcasecmp(user_name, name)) + continue; + + /* User name matches - get uid and password */ + p++; /* Go past ':' */ + if(!isdigit(*p)) + { + DEBUG(0,("get_smbpwnam: malformed password entry (uid not number)\n")); + fclose(fp); + file_unlock(lockfd); + return NULL; + } + + uidval = strtol((char *)p, (char **)&newp, 10); + if(*newp != ':') + { + DEBUG(0,("get_smbpwnam: malformed password entry (no : after uid)\n")); + fclose(fp); + file_unlock(lockfd); + return NULL; + } + + /* Now get the password value - this should be 32 hex digits which + are the ascii representations of a 16 byte string. Get two at + a time and put them into the password. + */ + p = newp + 1; + if(*p == '*' || *p == 'X') + { + /* Password deliberately invalid - end here. */ + DEBUG(10,("get_smbpwnam: entry invalidated for user %s\n",user_name)); + fclose(fp); + file_unlock(lockfd); + return NULL; + } + if(linebuf_len < ((char *)p - linebuf + 33)) + { + DEBUG(0,("get_smbpwnam: malformed password entry (passwd too short)\n")); + fclose(fp); + file_unlock(lockfd); + return(False); + } + + if(p[32] != ':') + { + DEBUG(0,("get_smbpwnam: malformed password entry (no terminating :)\n")); + fclose(fp); + file_unlock(lockfd); + return NULL; + } + + if(strncasecmp((char *)p,"NO PASSWORD",11) == 0) { + pw_buf.smb_passwd = NULL; + } else { + for(i = 0; i < 32; i += 2) + { + hinybble = toupper(p[i]); + if(isdigit(hinybble)) + hinybble -= '0'; + else + hinybble = (hinybble - 'A') + 10; + lonybble = toupper(p[i+1]); + if(isdigit(lonybble)) + lonybble -= '0'; + else + lonybble = (lonybble - 'A') + 10; + smbpwd[i/2] = (hinybble << 4) | lonybble; + } + pw_buf.smb_passwd = smbpwd; + } + pw_buf.smb_name = user_name; + pw_buf.smb_userid = uidval; + fclose(fp); + file_unlock(lockfd); + DEBUG(5, ("get_smbpwname: returning passwd entry for user %s, uid %d\n", + user_name, uidval)); + return &pw_buf; + } + + fclose(fp); + file_unlock(lockfd); + return NULL; +} +#else +char smbpass_dummy[1]; /* To avoid compiler complaints */ +#endif diff -u -r --new-file last-version/source/smbpass.h samba-1.9.14alpha10/source/smbpass.h --- last-version/source/smbpass.h Thu Jan 1 10:00:00 1970 +++ samba-1.9.14alpha10/source/smbpass.h Tue Jul 11 13:41:27 1995 @@ -0,0 +1,47 @@ +#ifndef _SMBPASS_H_ +#define _SMBPASS_H_ +/* + Unix SMB/Netbios implementation. + Version 1.9. + SMB parameters and setup + Copyright (C) Jeremy Allison 1995 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +struct smb_passwd { + int smb_userid; + char *smb_name; + unsigned char *smb_passwd; /* Null if no password */ + /* Other fields / flags may be added later */ +}; + +/* Return a smb_passwd struct given a user name, 0 if fails. */ +struct smb_passwd *get_smbpwnam(const char *user); + +/* Lock the password file */ +int do_pw_lock(int, int); + +#ifndef uchar +#define uchar unsigned char +#endif + +/* SMB Encryption functions. */ +void str_to_key(unsigned char *str,unsigned char *key); +void E_P16(uchar *p14,uchar *p16); +void E_P24(unsigned char *p21, unsigned char *c8, unsigned char *p24); +void SMBencrypt(unsigned char *passwd, unsigned char *c8, unsigned char *p24); + +#endif diff -u -r --new-file last-version/source/smbpasswd.c samba-1.9.14alpha10/source/smbpasswd.c --- last-version/source/smbpasswd.c Thu Jan 1 10:00:00 1970 +++ samba-1.9.14alpha10/source/smbpasswd.c Tue Jul 11 15:30:14 1995 @@ -0,0 +1,368 @@ +#ifdef SMB_PASSWD + +/* + Unix SMB/Netbios implementation. + Version 1.9. + smbpasswd module. + Copyright (C) Jeremy Allison 1995. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "des.h" + +/* Static buffers we will return. */ +static struct smb_passwd pw_buf; +static pstring user_name; +static unsigned char smbpwd[16]; + +struct smb_passwd *_my_get_smbpwnam(FILE *fp, const char *name, BOOL *valid_old_pwd, long *pwd_seekpos) +{ + char linebuf[256]; + unsigned char c; + unsigned char *p; + unsigned char *newp; + long uidval; + long linebuf_len; + unsigned char lonybble, hinybble; + int i; + + /* Scan the file, a line at a time and + check if the name matches. */ + while(!feof(fp)) + { + linebuf[0] = '\0'; + *pwd_seekpos = ftell(fp); + + fgets(linebuf, 256, fp); + if(ferror(fp)) + return NULL; + + /* Check if the string is terminated with a newline - + if not then we must keep reading and discard until + we get one. + */ + linebuf_len = strlen(linebuf); + if(linebuf[linebuf_len-1] != '\n') + { + c = '\0'; + while(!ferror(fp) && !feof(fp)) + { + c = fgetc(fp); + if(c == '\n') + break; + } + } + else + linebuf[linebuf_len-1] = '\0'; + + if((linebuf[0] == 0) && feof(fp)) + break; + /* The line we have should be of the form :- + + username:uid:[32hex bytes]:....other flags presently ignored.... + + */ + + if(linebuf[0] == '#' || linebuf[0] == '\0') + continue; + p = (unsigned char *)strchr(linebuf, ':'); + if( p == NULL) + continue; + /* As 256 is shorter than a pstring we don't + need to check length here - if this ever changes.... */ + strncpy( user_name, linebuf, (char *)p - linebuf); + user_name[(char *)p - linebuf] = '\0'; + if(strcasecmp(user_name, name)) + continue; + + /* User name matches - get uid and password */ + p++; /* Go past ':' */ + if(!isdigit(*p)) + return(False); + + uidval = strtol((char *)p, (char **)&newp, 10); + if(*newp != ':') + return(False); + + /* Now get the password value - this should be 32 hex digits which + are the ascii representations of a 16 byte string. Get two at + a time and put them into the password. + */ + p = newp + 1; + *pwd_seekpos += ((char *)p - linebuf); /* Save exact position of + passwd in file - this is used + by smbpasswd.c + */ + if(*p == '*' || *p == 'X') + { + /* Password deliberately invalid - end here. */ + *valid_old_pwd = False; + pw_buf.smb_name = user_name; + pw_buf.smb_userid = uidval; + return(&pw_buf); + } + if(linebuf_len < ((char *)p - linebuf + 33)) + return(False); + + if(p[32] != ':') + return(False); + + if(strncasecmp(p,"NO PASSWORD",11) == 0) { + pw_buf.smb_passwd = NULL; /* No password */ + } else { + for(i = 0; i < 32; i += 2) + { + hinybble = toupper(p[i]); + if(isdigit(hinybble)) + hinybble -= '0'; + else + hinybble = (hinybble - 'A') + 10; + lonybble = toupper(p[i+1]); + if(isdigit(lonybble)) + lonybble -= '0'; + else + lonybble = (lonybble - 'A') + 10; + smbpwd[i/2] = (hinybble << 4) | lonybble; + } + pw_buf.smb_passwd = smbpwd; + } + + pw_buf.smb_name = user_name; + pw_buf.smb_userid = uidval; + *valid_old_pwd = True; + return &pw_buf; + } + return NULL; +} + +/* + * Print command usage on stderr and die. + */ + +void usage(const char *name) +{ + fprintf(stderr, "Usage is : %s [username]\n", name); + exit(1); +} + +int main(int argc, char **argv) +{ + int real_uid; + struct passwd *pwd; + fstring old_passwd; + uchar old_p16[16]; + fstring new_passwd; + uchar new_p16[16]; + char *p; + struct smb_passwd *smb_pwent; + FILE *fp; + BOOL valid_old_pwd = False; + long seekpos; + int pwfd; + char ascii_p16[33]; + char c; + int ret, i, err; + int lockfd=-1; + char *pfile = SMB_PASSWD_FILE; + + charset_initialise(); + +#ifndef DEBUG_PASSWORD + /* Check the effective uid */ + if(geteuid() != 0) { + fprintf(stderr, "%s: Must be setuid root.\n", argv[0]); + exit(1); + } +#endif + + /* Get the real uid */ + real_uid = getuid(); + + /* Deal with usage problems */ + if( real_uid == 0) { + /* As root we can change anothers password. */ + if(argc != 1 && argc != 2) + usage(argv[0]); + } else if(argc != 1) + usage(argv[0]); + + + if(real_uid == 0 && argc == 2) { + /* If we are root we can change anothers password. */ + strncpy( user_name, argv[1], sizeof(user_name)-1); + user_name[sizeof(user_name)-1] = '\0'; + pwd = getpwnam( user_name ); + } else { + pwd = getpwuid( real_uid ); + } + + if(pwd == 0) { + fprintf(stderr, "%s: Unable to get UNIX password entry for user.\n", argv[0]); + exit(1); + } + + /* If we are root we don't ask for the old password. */ + old_passwd[0] = '\0'; + if(real_uid != 0) { + p = getpass("Old SMB password:"); + strncpy(old_passwd, p, 14); + old_passwd[14] = '\0'; + strupper(old_passwd); + } + + new_passwd[0] = '\0'; + p = getpass("New SMB password:"); + strncpy(new_passwd, p, 14); + new_passwd[14] = '\0'; + p = getpass("Retype new SMB password:"); + if(strncmp(p, new_passwd, 14)) { + fprintf(stderr, "%s: Mismatch - password unchanged.\n", argv[0]); + exit(1); + } + strupper(new_passwd); + + if(new_passwd[0] == '\0') { + printf("Password not set\n"); + exit(0); + } + + /* Calculate the SMB hash functions of + both old an new passwords. */ + + memset(old_p16,'\0',16); + E_P16((uchar *)old_passwd,old_p16); + + memset(new_p16,'\0',16); + E_P16((uchar *)new_passwd,new_p16); + + /* Open the smbpaswd file XXXX - we need to parse smb.conf to + get the filename */ + if((fp = fopen(pfile, "r+")) == NULL) { + err = errno; + fprintf(stderr, "%s: Failed to open password file %s.\n", + argv[0], pfile); + errno = err; + perror(argv[0]); + exit(err); + } + + /* make sure it is only rw by the owner */ + fchmod(fileno(fp),0600); + + /* Lock the smbpasswd file for write. */ + if((lockfd=file_lock(pfile,5))<0) { + err = errno; + fprintf(stderr, "%s: Failed to lock password file %s.\n", + argv[0], pfile); + fclose(fp); + errno = err; + perror(argv[0]); + exit(err); + } + + /* Get the smb passwd entry for this user */ + smb_pwent = _my_get_smbpwnam( fp, pwd->pw_name, &valid_old_pwd, &seekpos); + if(smb_pwent == NULL) { + fprintf(stderr, "%s: Failed to find entry for user %s in file %s.\n", + argv[0], pwd->pw_name, pfile); + fclose(fp); + file_unlock(lockfd); + exit(1); + } + + /* If we are root we don't need to check the old password. */ + if( real_uid != 0) { + if( valid_old_pwd == False) { + fprintf(stderr, "%s: User %s is disabled, plase contact your administrator to enable it.\n", argv[0], pwd->pw_name); + fclose(fp); + file_unlock(lockfd); + exit(1); + } + /* Check the old passwd (if there was one). */ + if(smb_pwent->smb_passwd != NULL) { + if( memcmp( old_p16, smb_pwent->smb_passwd, 16)) { + fprintf(stderr, "%s: Couldn't change password.\n", argv[0]); + fclose(fp); + file_unlock(lockfd); + exit(1); + } + } + } + /* If we get here either we were root or the old password + checked out ok. */ + /* Create the 32 byte representation of the new p16 */ + for(i = 0; i < 16; i++) { + sprintf(&ascii_p16[i*2], "%02X", (uchar)new_p16[i]); + } + /* Do an atomic write into the file at the position + defined by seekpos. */ + pwfd = fileno(fp); + ret = lseek(pwfd, seekpos - 1, SEEK_SET); + if(ret != seekpos -1) { + err = errno; + fprintf(stderr, "%s: seek fail on file %s.\n", + argv[0], pfile); + fclose(fp); + errno = err; + perror(argv[0]); + file_unlock(lockfd); + exit(1); + } + /* Sanity check - ensure the character is a ':' */ + if(read(pwfd,&c,1) != 1) { + err = errno; + fprintf(stderr, "%s: read fail on file %s.\n", + argv[0], pfile); + fclose(fp); + errno = err; + perror(argv[0]); + file_unlock(lockfd); + exit(1); + } + if(c != ':') { + fprintf(stderr, "%s: sanity check on passwd file %s failed.\n", + argv[0], pfile); + fclose(fp); + file_unlock(lockfd); + exit(1); + } + if(write(pwfd,ascii_p16,32)!=32) { + err = errno; + fprintf(stderr, "%s: write fail in file %s.\n", + argv[0], pfile); + fclose(fp); + errno = err; + perror(argv[0]); + file_unlock(lockfd); + exit(err); + } + fclose(fp); + file_unlock(lockfd); + printf("Password changed\n"); + return 0; +} + +#else + +#include "includes.h" + +int main(int argc, char **argv) +{ + printf("smb password encryption not selected in Makefile\n"); + return 0; +} +#endif diff -u -r --new-file last-version/source/util.c samba-1.9.14alpha10/source/util.c --- last-version/source/util.c Fri Jul 7 15:03:59 1995 +++ samba-1.9.14alpha10/source/util.c Tue Jul 11 15:02:59 1995 @@ -127,6 +127,136 @@ return(0); } +/**************************************************************************** +routine to do file locking +****************************************************************************/ +BOOL fcntl_lock(int fd,int op,uint32 offset,uint32 count,int type) +{ +#if HAVE_FCNTL_LOCK + struct flock lock; + int ret; + +#if 1 + uint32 mask = 0xC0000000; + + /* make sure the count is reasonable, we might kill the lockd otherwise */ + count &= ~mask; + + /* the offset is often strange - remove 2 of its bits if either of + the top two bits are set. Shift the top ones by two bits. This + still allows OLE2 apps to operate, but should stop lockd from + dieing */ + if ((offset & mask) != 0) + offset = (offset & ~mask) | ((offset & mask) >> 2); +#else + unsigned long mask = ((unsigned)1<<31); + + /* interpret negative counts as large numbers */ + if (count < 0) + count &= ~mask; + + /* no negative offsets */ + offset &= ~mask; + + /* count + offset must be in range */ + while ((offset < 0 || (offset + count < 0)) && mask) + { + offset &= ~mask; + mask = mask >> 1; + } +#endif + + + DEBUG(5,("fcntl_lock %d %d %d %d %d\n",fd,op,(int)offset,(int)count,type)); + + lock.l_type = type; + lock.l_whence = SEEK_SET; + lock.l_start = (int)offset; + lock.l_len = (int)count; + lock.l_pid = 0; + + errno = 0; + + ret = fcntl(fd,op,&lock); + + if (errno != 0) + DEBUG(3,("fcntl lock gave errno %d (%s)\n",errno,strerror(errno))); + + /* a lock query */ + if (op == F_GETLK) + { + if ((ret != -1) && + (lock.l_type != F_UNLCK) && + (lock.l_pid != 0) && + (lock.l_pid != getpid())) + { + DEBUG(3,("fd %d is locked by pid %d\n",fd,lock.l_pid)); + return(True); + } + + /* it must be not locked or locked by me */ + return(False); + } + + /* a lock set or unset */ + if (ret == -1) + { + DEBUG(3,("lock failed at offset %d count %d op %d type %d (%s)\n", + offset,count,op,type,strerror(errno))); + + /* perhaps it doesn't support this sort of locking?? */ + if (errno == EINVAL) + { + DEBUG(3,("locking not supported? returning True\n")); + return(True); + } + + return(False); + } + + /* everything went OK */ + DEBUG(5,("Lock call successful\n")); + + return(True); +#else + return(False); +#endif +} + +/******************************************************************* +lock a file - returning a open file descriptor or -1 on failure +The timeout is in seconds. 0 means no timeout +********************************************************************/ +int file_lock(char *name,int timeout) +{ + int fd = open(name,O_RDWR|O_CREAT,0666); + time_t t=0; + if (fd < 0) return(-1); + +#if HAVE_FCNTL_LOCK + if (timeout) t = time(NULL); + while (!timeout || (time(NULL)-t < timeout)) { + if (fcntl_lock(fd,F_SETLK,0,1,F_WRLCK)) return(fd); + msleep(LOCK_RETRY_TIMEOUT); + } + return(-1); +#else + return(fd); +#endif +} + +/******************************************************************* +unlock a file locked by file_lock +********************************************************************/ +void file_unlock(int fd) +{ + if (fd<0) return; +#if HAVE_FCNTL_LOCK + fcntl_lock(fd,F_SETLK,0,1,F_UNLCK); +#endif + close(fd); +} + /******************************************************************* a gettimeofday wrapper ********************************************************************/ diff -u -r --new-file last-version/source/version.h samba-1.9.14alpha10/source/version.h --- last-version/source/version.h Sun Jul 9 16:54:33 1995 +++ samba-1.9.14alpha10/source/version.h Tue Jul 11 16:47:52 1995 @@ -1 +1 @@ -#define VERSION "1.9.14alpha9" +#define VERSION "1.9.14alpha10"