--------------------- PatchSet 1528 Date: 2001/02/09 14:37:07 Author: kinkie Branch: auth_rewrite Tag: (none) Log: Updated from ntlm branch. Much more resilient to authentication errors now. Members: src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c:1.1.2.10->1.1.2.11 src/auth/ntlm/helpers/NTLMSSP/smbval/session.c:1.1.2.2->1.1.2.3 Index: squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP/Attic/ntlm_auth.c,v retrieving revision 1.1.2.10 retrieving revision 1.1.2.11 diff -u -r1.1.2.10 -r1.1.2.11 --- squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c 9 Feb 2001 14:03:37 -0000 1.1.2.10 +++ squid/src/auth/ntlm/helpers/NTLMSSP/ntlm_auth.c 9 Feb 2001 14:37:07 -0000 1.1.2.11 @@ -19,12 +19,16 @@ #include "ntlmauth.h" #include "ntlm.h" #include "util.h" +#include "smbval/smblib-common.h" +#include "smbval/rfcnb-error.h" /* these are part of rfcnb-priv.h and smblib-priv.h */ extern int SMB_Get_Error_Msg (int msg, char *msgbuf, int len); extern int SMB_Get_Last_Error (); -extern int SMB_Get_Last_SMB_Err(); +extern int SMB_Get_Last_SMB_Err (); +extern int RFCNB_Get_Last_Error (); +#include #define BUFFER_SIZE 10240 @@ -101,7 +105,7 @@ creds = fetch_credentials (failedauth, authlen); if (creds) { - lc(creds); + lc (creds); SEND2 ("LD %s", creds); } else 
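Review bot: The two new `extern` lines (`SMB_Get_Last_SMB_Err ()`, `RFCNB_Get_Last_Error ()`) are empty-parenthesis declarations, which in C are non-prototypes: a call with the wrong arguments compiles silently, and since these are hand-copied from the private headers (as the comment above them says) nothing checks them against the real definitions — write them as `extern int SMB_Get_Last_SMB_Err (void);` and `extern int RFCNB_Get_Last_Error (void);`, or include the private headers instead of duplicating them. The bare `+#include` added after them has lost its target in this rendering; whatever it is, manage_request now uses `errno` and `strerror()`, so both `<errno.h>` and `<string.h>` need to be in scope.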
@@ -132,11 +136,7 @@ "%s [-b] [-f] domain\\controller [domain\\controller ...]\n" "-b, if specified, enables load-balancing among controllers\n" "-f, if specified, enables failover among controllers\n" - "-l, if specified, changes behavior on domain controller failyures to" - "\tlast-ditch\n\n" "You MUST specify at least one Domain Controller.\n" - "You can use either \\ or / as separator between the domain name \n" - "\tand the controller name\n", - my_program_name, my_program_name); + "-l, if specified, changes behavior on domain controller failyures to" "\tlast-ditch\n\n" "You MUST specify at least one Domain Controller.\n" "You can use either \\ or / as separator between the domain name \n" "\tand the controller name\n", my_program_name, my_program_name); } @@ -266,7 +266,12 @@ int plen; if (fgets (buf, BUFFER_SIZE, stdin) == NULL) - exit (0); /* BIIG buffer */ + { + fprintf (stderr, "fgets() failed! dying..... errno=%d (%s)\n", errno, strerror (errno)); + abort (); + exit (1); /* BIIG buffer */ + } + debug ("managing request\n"); ch2 = memchr (buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */ if (ch2) { 
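Review bot: `fgets()` returns NULL on plain end-of-file as well as on error, and EOF on stdin is exactly what this helper sees when the parent closes its pipe, so the new branch turns an orderly shutdown into an `abort()` with a core dump; the `exit (1)` after `abort ()` is unreachable, and the `errno` printed can be stale because EOF does not set it. Keep the old quiet exit for EOF and reserve the error report for real failures: `if (feof (stdin)) exit (0);` before the `fprintf`, then drop `abort ()` so the `exit (1)` is reached (or keep abort only under `#ifdef DEBUG`). manage_request's body continues outside this hunk.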
@@ -311,29 +316,29 @@ /* check against the DC */ plen = strlen (buf) * 3 / 4; /* we only need it here. Optimization */ cred = ntlm_check_auth ((ntlm_authenticate *) decoded, plen); +#ifdef OLDCRUFT if (cred == NULL) { - int errorclass, errorcode; + int errorclass, errorcode; #ifdef DEBUG - SMB_Get_Error_Msg(SMB_Get_Last_SMB_Err(), - error_messages_buffer,BUFFER_SIZE); - debug("Authentication failure. SMB error: %d: %s\n. Class=%d, " - "Code=%d\n", - SMB_Get_Last_SMB_Err(), error_messages_buffer, - SMB_Get_Last_SMB_Err() & 0xff, SMB_Get_Last_SMB_Err() >>16); + SMB_Get_Error_Msg (SMB_Get_Last_SMB_Err (), error_messages_buffer, BUFFER_SIZE); + debug ("Authentication failure. SMB error: %d: %s\n. Class=%d, Code=%d\n", SMB_Get_Last_SMB_Err (), error_messages_buffer, SMB_Get_Last_SMB_Err () & 0xff, SMB_Get_Last_SMB_Err () >> 16); + RFCNB_Get_Error_Msg (RFCNB_Get_Last_Error (), error_messages_buffer, BUFFER_SIZE); + debug ("RFCNB error status: code=%d (%s)\n", RFCNB_Get_Last_Error (), error_messages_buffer); #endif - /* This is kind of a special case, which happens when the - client sends credentials in a domain which is not trusted - by the domain we're using when authenticating. Unfortunately, - it can't currently be accommodated in the current framework so - I'll leave it hanging here, waiting for the general framework - to be expanded to better accommodate the generale case. */ - errorclass=SMB_Get_Last_SMB_Err() & 0xff; - errorcode=SMB_Get_Last_SMB_Err() >>16; - if (errorclass==1 && errorcode==5) { - SEND("NA Wrong password or untrusted domain"); - return; - } + /* This is kind of a special case, which happens when the + client sends credentials in a domain which is not trusted + by the domain we're using when authenticating. Unfortunately, + it can't currently be accommodated in the current framework so + I'll leave it hanging here, waiting for the general framework + to be expanded to better accommodate the generale case. 
*/ + errorclass = SMB_Get_Last_SMB_Err () & 0xff; + errorcode = SMB_Get_Last_SMB_Err () >> 16; + if (errorclass == 1 && errorcode == 5) + { + SEND ("NA Wrong password or untrusted domain"); + return; + } switch (ntlm_errno) { case NTLM_LOGON_ERROR: @@ -352,8 +357,7 @@ /* dc_disconnect(); */ SMB_Get_Error_Msg (SMB_Get_Last_Error (), smb_error_buffer, 1000); - debug ("Last error was: %s, RFC errno=%d\n", smb_error_buffer, - RFCNB_Get_Last_Errno()); + debug ("Last error was: %s, RFC errno=%d\n", smb_error_buffer, RFCNB_Get_Last_Errno ()); if (failover_enabled) current_dc = current_dc->next; return; @@ -376,8 +380,7 @@ /* SEND("BH Domain controller failure"); */ /* dc_disconnect(); *//* maybe we're overreacting? */ SMB_Get_Error_Msg (SMB_Get_Last_Error (), smb_error_buffer, 1000); - debug ("Last error was: %s. RFCNB errno=%d\n", smb_error_buffer, - RFCNB_Get_Last_Errno()); + debug ("Last error was: %s. RFCNB errno=%d\n", smb_error_buffer, RFCNB_Get_Last_Errno ()); if (failover_enabled) current_dc = current_dc->next; return; 
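Review bot: The `#ifdef OLDCRUFT` opened at the top of this hunk keeps the whole former error-classification block in the file as compiled-out code that will only drift from the live path — it already calls `RFCNB_Get_Error_Msg`, which is not among the externs this file declares, so nobody will notice when it stops building. CVS keeps the history; delete the block instead of fencing it, or at least add `/* OLDCRUFT: superseded by the SMB error-class switch below; remove once that path is proven */` so the next reader knows it is not a configuration option. The matching `#else`/`#endif` are in a later hunk, so the block's end is outside this one.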
@@ -390,6 +393,84 @@ return; } } +#else /* OLDCRUFT */ + if (cred == NULL) + { + int smblib_err, smb_errorclass, smb_errorcode, nb_error; + /* there was an error. We have two errno's to look at. + * libntlmssp's erno is insufficient, we'll have to look at + * the actual SMB library error codes, to acually figure + * out what's happening. The thing has braindamaged interfacess..*/ + smblib_err = SMB_Get_Last_Error (); + smb_errorclass = SMBlib_Error_Class (SMB_Get_Last_SMB_Err ()); + smb_errorcode = SMBlib_Error_Code (SMB_Get_Last_SMB_Err ()); + nb_error = RFCNB_Get_Last_Error (); + debug ("No creds. SMBlib error %d, SMB error class %d, " "SMB error code %d, NB error %d\n", smblib_err, smb_errorclass, smb_errorcode, nb_error); + /* Should I use smblib_err? Actually it seems I can do as well + * without it.. */ + if (nb_error != 0) + { /* netbios-level error */ + send_bh_or_ld ("NetBios error!", (ntlm_authenticate *) decoded, plen); + fprintf (stderr, "NetBios error code %d (%s)\n", nb_error, RFCNB_Error_Strings[abs (nb_error)]); + return; + } + switch (smb_errorclass) + { + case SMBC_SUCCESS: + debug ("Huh? Got a SMB success code but could check auth.."); + SEND ("NA Authentication failed"); + /* + send_bh_or_ld("SMB success, but no creds. 
Internal error?", + (ntlm_authenticate *) decoded, plen); + */ + return; + case SMBC_ERRDOS: + /*this is the most important one for errors */ + debug ("DOS error\n"); + switch (smb_errorcode) + { + /* two categories matter to us: those which could be + server errors, and those which are auth errors */ + case SMBD_noaccess: /* 5 */ + SEND ("NA Access denied"); + return; + case SMBD_badformat: + SEND ("NA bad format in authentication packet"); + return; + case SMBD_badaccess: + SEND ("NA Bad access request"); + return; + case SMBD_baddata: + SEND ("NA Bad Data"); + return; + default: + send_bh_or_ld ("DOS Error", (ntlm_authenticate *) decoded, plen); + return; + } + case SMBC_ERRSRV: /* server errors */ + debug ("Server error"); + switch (smb_errorcode) + { + /* mostly same as above */ + case SMBV_badpw: + SEND ("NA Bad password"); + return; + case SMBV_access: + SEND ("NA Server access error"); + return; + default: + send_bh_or_ld ("Server Error", (ntlm_authenticate *) decoded, plen); + return; + } + case SMBC_ERRHRD: /* hardware errors don't really matter */ + send_bh_or_ld ("Domain Controller Hardware error", (ntlm_authenticate *) decoded, plen); + return; + case SMBC_ERRCMD: + send_bh_or_ld ("Domain Controller Command Error", (ntlm_authenticate *) decoded, plen); + return; + } + } +#endif /* OLDCRUFT */ lc (cred); /* let's lowercase them for our convenience */ SEND2 ("AF %s", cred); return; @@ -429,6 +510,10 @@ { debug ("ntlm_auth build " __DATE__ ", " __TIME__ " starting up...\n"); +#ifdef DEBUG + debug ("changing dir to /tmp"); + chdir ("/tmp"); +#endif my_program_name = argv[0]; process_options (argc, argv); 
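Review bot: The outer `switch (smb_errorclass)` has no `default:`, so an error class that is none of the five listed falls out of the `if (cred == NULL)` block straight into `lc (cred); SEND2 ("AF %s", cred);` — a NULL dereference at best and, if `lc()` happens to tolerate NULL, an `AF` (authenticated) reply for a logon that failed. Add a fail-closed arm: `default: send_bh_or_ld ("Unknown SMB error class", (ntlm_authenticate *) decoded, plen); return;`. The NetBIOS branch also indexes `RFCNB_Error_Strings[abs (nb_error)]` with no bounds check against a table that lives in session.c and whose length is not visible from this file; the `RFCNB_Get_Error_Msg()` call in the OLDCRUFT block shows the library already offers a bounded lookup, so prefer that over exporting the raw array. The SMBC_SUCCESS arm's message also has a typo and no newline — `debug ("Huh? Got a SMB success code but couldn't check auth..\n");`.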
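Review bot: `chdir ("/tmp")` ignores its return value, and since it appears alongside the `abort()` added to manage_request it is presumably meant to make core dumps land in /tmp; a core of this helper contains whatever challenge/response material is sitting in its buffers, and /tmp is world-writable and usually world-readable, which is a poor place for it even in a DEBUG build. At minimum check the call, `if (chdir ("/tmp") != 0) debug ("chdir(/tmp) failed: %s\n", strerror (errno));`, and give the preceding `debug ("changing dir to /tmp")` its missing trailing newline. The enclosing main() continues outside this hunk.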
@@ -455,7 +540,6 @@
 }
 while (1)
 {
- debug ("managing request\n");
 manage_request ();
 }
 return 0;
Index: squid/src/auth/ntlm/helpers/NTLMSSP/smbval/session.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/NTLMSSP/smbval/Attic/session.c,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.3
diff -u -r1.1.2.2 -r1.1.2.3
--- squid/src/auth/ntlm/helpers/NTLMSSP/smbval/session.c 8 Jan 2001 00:14:58 -0000 1.1.2.2
+++ squid/src/auth/ntlm/helpers/NTLMSSP/smbval/session.c 9 Feb 2001 14:37:42 -0000 1.1.2.3
@@ -38,7 +38,7 @@
 /* global data structures */
-static char *RFCNB_Error_Strings[] =
+char *RFCNB_Error_Strings[] =
 {
 "RFCNBE_OK: Routine completed successfully.",