mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
111a6bfc03
commit
65d5f845ed
@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
|
||||
* filled in, either at creation or by calling the challenge geneation
|
||||
* function auth_get_challenge().
|
||||
*
|
||||
* @param server_info If successful, contains information about the authentication,
|
||||
* including a struct samu struct describing the user.
|
||||
* @param pserver_info If successful, contains information about the authentication,
|
||||
* including a struct samu struct describing the user.
|
||||
*
|
||||
* @param pauthoritative Indicates if the result should be treated as final
|
||||
* result.
|
||||
*
|
||||
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
||||
*
|
||||
**/
|
||||
|
||||
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
||||
const struct auth_context *auth_context,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **pserver_info)
|
||||
struct auth_serversupplied_info **pserver_info,
|
||||
uint8_t *pauthoritative)
|
||||
{
|
||||
TALLOC_CTX *frame;
|
||||
const char *auth_method_name = "";
|
||||
/* if all the modules say 'not for me' this is reasonable */
|
||||
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
|
||||
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
|
||||
const char *unix_username;
|
||||
auth_methods *auth_method;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
||||
|
||||
frame = talloc_stackframe();
|
||||
|
||||
*pauthoritative = 1;
|
||||
|
||||
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
|
||||
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
|
||||
|
||||
@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
||||
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
|
||||
}
|
||||
|
||||
/* check if the module did anything */
|
||||
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
|
||||
((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
|
||||
/*
|
||||
* we don't expose the NT_STATUS_NOT_IMPLEMENTED
|
||||
* internals, except when the caller is only probing
|
||||
* one method, as they may do the fallback
|
||||
*/
|
||||
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
|
||||
*pauthoritative = 0;
|
||||
nt_status = NT_STATUS_NO_SUCH_USER;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DBG_INFO("%s authentication for user [%s] FAILED with "
|
||||
"error %s\n",
|
||||
"error %s, authoritative=%u\n",
|
||||
auth_method_name,
|
||||
user_info->client.account_name,
|
||||
nt_errstr(nt_status));
|
||||
nt_errstr(nt_status),
|
||||
*pauthoritative);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
@ -313,9 +313,10 @@ fail:
|
||||
|
||||
/* failed authentication; check for guest lapping */
|
||||
|
||||
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
|
||||
DEBUG(2, ("check_ntlm_password: Authentication for user "
|
||||
"[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
|
||||
user_info->client.account_name, user_info->mapped.account_name,
|
||||
nt_errstr(nt_status)));
|
||||
nt_errstr(nt_status), *pauthoritative));
|
||||
ZERO_STRUCTP(pserver_info);
|
||||
|
||||
TALLOC_FREE(frame);
|
||||
|
@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
|
||||
struct auth_serversupplied_info *server_info;
|
||||
NTSTATUS nt_status;
|
||||
bool username_was_mapped;
|
||||
uint8_t authoritative = 0;
|
||||
|
||||
/* The client has given us its machine name (which we only get over NBT transport).
|
||||
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
|
||||
@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
|
||||
nt_status = auth_check_ntlm_password(mem_ctx,
|
||||
auth_context,
|
||||
mapped_user_info,
|
||||
&server_info);
|
||||
&server_info,
|
||||
&authoritative);
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
|
||||
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
|
||||
"%s, authoritative=%u\n",
|
||||
user_info->client.domain_name,
|
||||
user_info->client.account_name,
|
||||
nt_errstr(nt_status)));
|
||||
nt_errstr(nt_status),
|
||||
authoritative));
|
||||
}
|
||||
|
||||
username_was_mapped = mapped_user_info->was_mapped;
|
||||
|
@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
|
||||
* filled in, either at creation or by calling the challenge geneation
|
||||
* function auth_get_challenge().
|
||||
*
|
||||
* @param server_info If successful, contains information about the authentication,
|
||||
* including a struct samu struct describing the user.
|
||||
* @param pserver_info If successful, contains information about the authentication,
|
||||
* including a struct samu struct describing the user.
|
||||
*
|
||||
* @param pauthoritative Indicates if the result should be treated as final
|
||||
* result.
|
||||
*
|
||||
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
||||
*
|
||||
@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
|
||||
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
||||
const struct auth_context *auth_context,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
struct auth_serversupplied_info **pserver_info,
|
||||
uint8_t *pauthoritative);
|
||||
|
||||
/* The following definitions come from auth/auth_builtin.c */
|
||||
|
||||
|
@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
||||
status = auth_check_ntlm_password(p->mem_ctx,
|
||||
auth_context,
|
||||
user_info,
|
||||
&server_info);
|
||||
&server_info,
|
||||
r->out.authoritative);
|
||||
}
|
||||
|
||||
TALLOC_FREE(auth_context);
|
||||
@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
||||
/* Check account and password */
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
/* If we don't know what this domain is, we need to
|
||||
indicate that we are not authoritative. This
|
||||
allows the client to decide if it needs to try
|
||||
a local user. Fix by jpjanosi@us.ibm.com, #2976 */
|
||||
if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
|
||||
&& !strequal(nt_domain, get_global_sam_name())
|
||||
&& !is_trusted_domain(nt_domain) )
|
||||
*r->out.authoritative = false; /* We are not authoritative */
|
||||
|
||||
TALLOC_FREE(server_info);
|
||||
return status;
|
||||
}
|
||||
|
@ -269,7 +269,8 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
|
||||
struct auth_serversupplied_info *server_info;
|
||||
NTSTATUS status;
|
||||
bool ok;
|
||||
|
||||
uint8_t authoritative = 0;
|
||||
|
||||
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
|
||||
local_nt_response);
|
||||
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
|
||||
@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
|
||||
status = auth_check_ntlm_password(mem_ctx,
|
||||
auth_context,
|
||||
user_info,
|
||||
&server_info);
|
||||
&server_info,
|
||||
&authoritative);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
|
||||
DEBUG(0, ("Failed to test authentication with auth module: "
|
||||
"%s authoritative[%u].\n",
|
||||
nt_errstr(status), authoritative));
|
||||
return False;
|
||||
}
|
||||
|
||||
|
@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
|
||||
status = auth_check_ntlm_password(mem_ctx,
|
||||
auth_context,
|
||||
user_info,
|
||||
&server_info);
|
||||
|
||||
&server_info,
|
||||
pauthoritative);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
|
||||
*pauthoritative = 0;
|
||||
}
|
||||
TALLOC_FREE(frame);
|
||||
return status;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user