2 Unix SMB/CIFS implementation.
3 Main SMB reply routines
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #define DBGC_CLASS DBGC_AUTH
26 /****************************************************************************
27 Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
29 ****************************************************************************/
31 static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
35 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) {
40 pdb_ret = pdb_getsampwnam(*account, user);
45 struct passwd *pass = Get_Pwnam(user);
47 return NT_STATUS_NO_SUCH_USER;
49 if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) {
56 /****************************************************************************
57 Read the a hosts.equiv or .rhosts file and check if it
58 allows this user from this machine.
59 ****************************************************************************/
61 static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file)
66 char **lines = file_lines_load(equiv_file, NULL);
69 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
70 if (! lines) return False;
71 for (i=0; lines[i]; i++) {
73 trim_char(buf,' ',' ');
75 if (buf[0] != '#' && buf[0] != '\n')
77 BOOL is_group = False;
80 if (strcmp(buf, "NO_PLUS\n") == 0)
82 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
89 if (*bp == '\n' && plus_allowed)
91 /* a bare plus means everbody allowed */
92 DEBUG(6, ("check_user_equiv everybody allowed\n"));
93 file_lines_free(lines);
97 else if (buf[0] == '-')
107 file_host = strtok(bp, " \t\n");
108 file_user = strtok(NULL, " \t\n");
109 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
110 file_user ? file_user : "(null)" ));
111 if (file_host && *file_host)
113 BOOL host_ok = False;
115 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
118 static char *mydomain = NULL;
120 yp_get_default_domain(&mydomain);
121 if (mydomain && innetgr(file_host,remote,user,mydomain))
127 DEBUG(1,("Netgroups not configured\n"));
132 /* is it this host */
133 /* the fact that remote has come from a call of gethostbyaddr
134 * means that it may have the fully qualified domain name
135 * so we could look up the file version to get it into
136 * a canonical form, but I would rather just type it
137 * in full in the equiv file
139 if (!host_ok && !is_group && strequal(remote, file_host))
145 /* is it this user */
146 if (file_user == 0 || strequal(user, file_user))
148 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
149 (plus ? "+" : "-"), file_host,
150 (file_user ? file_user : "")));
151 file_lines_free(lines);
152 return (plus ? True : False);
158 file_lines_free(lines);
162 /****************************************************************************
163 check for a possible hosts equiv or rhosts entry for the user
164 ****************************************************************************/
166 static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
171 fname = lp_hosts_equiv();
172 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid)))
175 /* note: don't allow hosts.equiv on root */
176 if (fname && *fname && uid != 0) {
177 if (check_user_equiv(pdb_get_username(account),client_name(),fname))
185 /****************************************************************************
186 Check for a valid .rhosts/hosts.equiv entry for this user
187 ****************************************************************************/
189 static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context,
190 void *my_private_data,
192 const auth_usersupplied_info *user_info,
193 auth_serversupplied_info **server_info)
196 SAM_ACCOUNT *account = NULL;
197 if (!NT_STATUS_IS_OK(nt_status =
198 auth_get_sam_account(user_info->internal_username.str,
200 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
201 nt_status = NT_STATUS_NOT_IMPLEMENTED;
205 if (check_hosts_equiv(account)) {
206 nt_status = make_server_info_sam(server_info, account);
208 pdb_free_sam(&account);
209 nt_status = NT_STATUS_NOT_IMPLEMENTED;
215 /* module initialisation */
216 static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
218 if (!make_auth_methods(auth_context, auth_method)) {
219 return NT_STATUS_NO_MEMORY;
222 (*auth_method)->auth = check_hostsequiv_security;
223 (*auth_method)->name = "hostsequiv";
228 /****************************************************************************
229 Check for a valid .rhosts/hosts.equiv entry for this user
230 ****************************************************************************/
232 static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
233 void *my_private_data,
235 const auth_usersupplied_info *user_info,
236 auth_serversupplied_info **server_info)
239 SAM_ACCOUNT *account = NULL;
243 if (!NT_STATUS_IS_OK(nt_status =
244 auth_get_sam_account(user_info->internal_username.str,
246 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
247 nt_status = NT_STATUS_NOT_IMPLEMENTED;
251 home = pdb_get_unix_homedir(account);
254 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
256 if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
257 nt_status = make_server_info_sam(server_info, account);
259 pdb_free_sam(&account);
263 pdb_free_sam(&account);
264 nt_status = NT_STATUS_NOT_IMPLEMENTED;
270 /* module initialisation */
271 static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
273 if (!make_auth_methods(auth_context, auth_method)) {
274 return NT_STATUS_NO_MEMORY;
277 (*auth_method)->auth = check_rhosts_security;
278 (*auth_method)->name = "rhosts";
282 NTSTATUS auth_rhosts_init(void)
284 smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts);
285 smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv);