sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-20 22:50:26 +03:00
Code

s4:ldap_server: match windows in the error messages of failing LDAP Bind requests

Browse Source 
This is important for some applications to detect the
NT_STATUS_PASSWORD_MUST_CHANGE condition correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 81ccdad9d045a7a6d6a569d1685bb0bf4e64d12a)
This commit is contained in:
Stefan Metzmacher 2017-02-24 18:30:56 +01:00
parent 00e45e92d7
commit 53b73f18a1
1 changed files with 35 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
source4/ldap_server/ldap_bind.c
View File

@ -29,6 +29,37 @@
#include "param/param.h"
#include "../lib/util/tevent_ntstatus.h"
static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx,
HRESULT hresult,
uint32_t DSID,
NTSTATUS status)
{
WERROR werr;
char *msg = NULL;
status = nt_status_squash(status);
werr = ntstatus_to_werror(status);
/*
* There are 4 lower case hex digits following 'v' at the end,
* but different Windows Versions return different values:
*
* Windows 2008R2 uses 'v1db1'
* Windows 2012R2 uses 'v2580'
*
* We just match Windows 2008R2 as that's what was referenced
* in https://bugzilla.samba.org/show_bug.cgi?id=9048
*/
msg = talloc_asprintf(mem_ctx, "%08X: LdapErr: DSID-%08X, comment: "
"AcceptSecurityContext error, data %x, v1db1",
(unsigned)HRES_ERROR_V(hresult),
(unsigned)DSID,
(unsigned)W_ERROR_V(werr));
return msg;
}
static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
{
struct ldap_BindRequest *req = &call->request->r.BindRequest;
@ -95,7 +126,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
status = nt_status_squash(status);
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_INVALID_TOKEN,
0x0C0903A9, status);
}
do_reply:
@ -344,7 +376,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
status = nt_status_squash(status);
if (result == 0) {
result = LDAP_INVALID_CREDENTIALS;
errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
0x0C0904DC, status);
}
talloc_unlink(conn, conn->gensec);
conn->gensec = NULL;