1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

auth3: let auth_check_ntlm_password() return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2017-03-17 09:43:59 +01:00
parent 111a6bfc03
commit 65d5f845ed
6 changed files with 43 additions and 41 deletions

View File

@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
* @param server_info If successful, contains information about the authentication,
* including a struct samu struct describing the user.
* @param pserver_info If successful, contains information about the authentication,
* including a struct samu struct describing the user.
*
* @param pauthoritative Indicates if the result should be treated as final
* result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **pserver_info)
struct auth_serversupplied_info **pserver_info,
uint8_t *pauthoritative)
{
TALLOC_CTX *frame;
const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
const char *unix_username;
auth_methods *auth_method;
struct auth_serversupplied_info *server_info;
@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
frame = talloc_stackframe();
*pauthoritative = 1;
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
}
/* check if the module did anything */
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
/*
* we don't expose the NT_STATUS_NOT_IMPLEMENTED
* internals, except when the caller is only probing
* one method, as they may do the fallback
*/
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
*pauthoritative = 0;
nt_status = NT_STATUS_NO_SUCH_USER;
}
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_INFO("%s authentication for user [%s] FAILED with "
"error %s\n",
"error %s, authoritative=%u\n",
auth_method_name,
user_info->client.account_name,
nt_errstr(nt_status));
nt_errstr(nt_status),
*pauthoritative);
goto fail;
}
@ -313,9 +313,10 @@ fail:
/* failed authentication; check for guest lapping */
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
DEBUG(2, ("check_ntlm_password: Authentication for user "
"[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status)));
nt_errstr(nt_status), *pauthoritative));
ZERO_STRUCTP(pserver_info);
TALLOC_FREE(frame);

View File

@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
uint8_t authoritative = 0;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
nt_status = auth_check_ntlm_password(mem_ctx,
auth_context,
mapped_user_info,
&server_info);
&server_info,
&authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
"%s, authoritative=%u\n",
user_info->client.domain_name,
user_info->client.account_name,
nt_errstr(nt_status)));
nt_errstr(nt_status),
authoritative));
}
username_was_mapped = mapped_user_info->was_mapped;

View File

@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
* @param server_info If successful, contains information about the authentication,
* including a struct samu struct describing the user.
* @param pserver_info If successful, contains information about the authentication,
* including a struct samu struct describing the user.
*
* @param pauthoritative Indicates if the result should be treated as final
* result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info);
struct auth_serversupplied_info **pserver_info,
uint8_t *pauthoritative);
/* The following definitions come from auth/auth_builtin.c */

View File

@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
status = auth_check_ntlm_password(p->mem_ctx,
auth_context,
user_info,
&server_info);
&server_info,
r->out.authoritative);
}
TALLOC_FREE(auth_context);
@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
/* Check account and password */
if (!NT_STATUS_IS_OK(status)) {
/* If we don't know what this domain is, we need to
indicate that we are not authoritative. This
allows the client to decide if it needs to try
a local user. Fix by jpjanosi@us.ibm.com, #2976 */
if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
&& !strequal(nt_domain, get_global_sam_name())
&& !is_trusted_domain(nt_domain) )
*r->out.authoritative = false; /* We are not authoritative */
TALLOC_FREE(server_info);
return status;
}

View File

@ -269,7 +269,8 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
struct auth_serversupplied_info *server_info;
NTSTATUS status;
bool ok;
uint8_t authoritative = 0;
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response);
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
&server_info);
&server_info,
&authoritative);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
DEBUG(0, ("Failed to test authentication with auth module: "
"%s authoritative[%u].\n",
nt_errstr(status), authoritative));
return False;
}

View File

@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
&server_info);
&server_info,
pauthoritative);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
*pauthoritative = 0;
}
TALLOC_FREE(frame);
return status;
}