mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd

This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
Andrew Bartlett 2014-06-30 12:04:03 +12:00
parent 5d069a04fc
commit 0b77cd969c
4 changed files with 29 additions and 6 deletions


@ -26,7 +26,7 @@
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */
#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM */
#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
#define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
enum auth_password_state {


@ -232,6 +232,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
TALLOC_FREE(tmp_ctx);
if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
/* we don't expose the NT_STATUS_NOT_IMPLEMENTED
* internals, except when the caller is only probing
* one method, as they may do the fallback
*/
nt_status = result;
}
continue;
}
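Review bot: The new comment inside the `USER_INFO_LOCAL_SAM_ONLY` branch reads as if the code hides NT_STATUS_NOT_IMPLEMENTED, but this branch is the one case where it is let through. I would reword it to `/* Caller probes the local SAM only and does its own fallback: let NT_STATUS_NOT_IMPLEMENTED propagate instead of masking it. */`. Since `nt_status = result;` is followed by `continue`, the value reaches the caller only if nothing later in the loop or after it overwrites `nt_status`; that code is outside the hunk, so this is worth confirming. The function's header comment should also state that callers setting this flag can now receive NT_STATUS_NOT_IMPLEMENTED and must treat it as "not authenticated, try elsewhere", never as success.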


@ -1501,7 +1501,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
result = winbindd_dual_auth_passdb(
mem_ctx, 0, name_domain, name_user,
&chal_blob, &lm_resp, &nt_resp, info3);
goto done;
/*
* We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
*/
if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
goto done;
}
}
/* check authentication loop */
@ -1888,7 +1894,13 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
logon_parameters,
name_domain, name_user,
&chal_blob, &lm_response, &nt_response, info3);
goto process_result;
/*
* We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
*/
if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
goto process_result;
}
}
result = winbind_samlogon_retry_loop(domain,
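Review bot: Both hunks now fall through silently from the local passdb check to the remote NETLOGON path when `result` is NT_STATUS_NOT_IMPLEMENTED, so the logs give no indication of which path validated a logon. A line such as `DEBUG(5, ("local SAM returned NT_STATUS_NOT_IMPLEMENTED for %s\\%s, trying remote NETLOGON server\n", name_domain, name_user));` before leaving the block would make the fallback auditable in winbindd_dual_pam_auth_samlogon and in winbind_dual_SamLogon. It is also worth confirming that `info3` is left untouched by the local attempt in this case, since the same pointer is presumably reused by the remote call. The enclosing `if` conditions and the rest of both functions are outside the hunks.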


@ -375,9 +375,13 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
/* don't expose the NT_STATUS_NOT_IMPLEMENTED
internals */
status = NT_STATUS_NO_SUCH_USER;
if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
/* don't expose the NT_STATUS_NOT_IMPLEMENTED
* internals, except when the caller is only probing
* one method, as they may do the fallback
*/
status = NT_STATUS_NO_SUCH_USER;
}
}
if (tevent_req_nterror(req, status)) {