auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
111a6bfc03
commit
65d5f845ed
@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
|
|||||||
* filled in, either at creation or by calling the challenge geneation
|
* filled in, either at creation or by calling the challenge geneation
|
||||||
* function auth_get_challenge().
|
* function auth_get_challenge().
|
||||||
*
|
*
|
||||||
* @param server_info If successful, contains information about the authentication,
|
* @param pserver_info If successful, contains information about the authentication,
|
||||||
* including a struct samu struct describing the user.
|
* including a struct samu struct describing the user.
|
||||||
*
|
*
|
||||||
|
* @param pauthoritative Indicates if the result should be treated as final
|
||||||
|
* result.
|
||||||
|
*
|
||||||
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
||||||
*
|
*
|
||||||
**/
|
**/
|
||||||
|
|
||||||
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
||||||
const struct auth_context *auth_context,
|
const struct auth_context *auth_context,
|
||||||
const struct auth_usersupplied_info *user_info,
|
const struct auth_usersupplied_info *user_info,
|
||||||
struct auth_serversupplied_info **pserver_info)
|
struct auth_serversupplied_info **pserver_info,
|
||||||
|
uint8_t *pauthoritative)
|
||||||
{
|
{
|
||||||
TALLOC_CTX *frame;
|
TALLOC_CTX *frame;
|
||||||
const char *auth_method_name = "";
|
const char *auth_method_name = "";
|
||||||
/* if all the modules say 'not for me' this is reasonable */
|
/* if all the modules say 'not for me' this is reasonable */
|
||||||
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
|
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
|
||||||
const char *unix_username;
|
const char *unix_username;
|
||||||
auth_methods *auth_method;
|
auth_methods *auth_method;
|
||||||
struct auth_serversupplied_info *server_info;
|
struct auth_serversupplied_info *server_info;
|
||||||
@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
|||||||
|
|
||||||
frame = talloc_stackframe();
|
frame = talloc_stackframe();
|
||||||
|
|
||||||
|
*pauthoritative = 1;
|
||||||
|
|
||||||
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
|
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
|
||||||
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
|
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
|
||||||
|
|
||||||
@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
|||||||
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
|
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* check if the module did anything */
|
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
|
||||||
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
|
*pauthoritative = 0;
|
||||||
((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
|
|
||||||
/*
|
|
||||||
* we don't expose the NT_STATUS_NOT_IMPLEMENTED
|
|
||||||
* internals, except when the caller is only probing
|
|
||||||
* one method, as they may do the fallback
|
|
||||||
*/
|
|
||||||
nt_status = NT_STATUS_NO_SUCH_USER;
|
nt_status = NT_STATUS_NO_SUCH_USER;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||||
DBG_INFO("%s authentication for user [%s] FAILED with "
|
DBG_INFO("%s authentication for user [%s] FAILED with "
|
||||||
"error %s\n",
|
"error %s, authoritative=%u\n",
|
||||||
auth_method_name,
|
auth_method_name,
|
||||||
user_info->client.account_name,
|
user_info->client.account_name,
|
||||||
nt_errstr(nt_status));
|
nt_errstr(nt_status),
|
||||||
|
*pauthoritative);
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
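Review bot: The comment explaining why NT_STATUS_NOT_IMPLEMENTED is hidden was dropped together with the USER_INFO_LOCAL_SAM_ONLY exception, so the new `if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {` block now reads as an unexplained status rewrite. Since callers can no longer tell "no module claimed the user" from "user unknown" by status alone, only via `*pauthoritative`, that is worth saying in place: `/* No module claimed the user: hide NT_STATUS_NOT_IMPLEMENTED and report a non-authoritative NO_SUCH_USER instead. */`. It is also worth noting in that comment that this is the only place the flag is cleared, so a wrong-password failure stays authoritative, which is the property a caller relying on the flag for fallback decisions depends on. The module loop that produces nt_status starts before this hunk.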
@ -313,9 +313,10 @@ fail:
|
|||||||
|
|
||||||
/* failed authentication; check for guest lapping */
|
/* failed authentication; check for guest lapping */
|
||||||
|
|
||||||
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
|
DEBUG(2, ("check_ntlm_password: Authentication for user "
|
||||||
|
"[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
|
||||||
user_info->client.account_name, user_info->mapped.account_name,
|
user_info->client.account_name, user_info->mapped.account_name,
|
||||||
nt_errstr(nt_status)));
|
nt_errstr(nt_status), *pauthoritative));
|
||||||
ZERO_STRUCTP(pserver_info);
|
ZERO_STRUCTP(pserver_info);
|
||||||
|
|
||||||
TALLOC_FREE(frame);
|
TALLOC_FREE(frame);
|
||||||
|
@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
|
|||||||
struct auth_serversupplied_info *server_info;
|
struct auth_serversupplied_info *server_info;
|
||||||
NTSTATUS nt_status;
|
NTSTATUS nt_status;
|
||||||
bool username_was_mapped;
|
bool username_was_mapped;
|
||||||
|
uint8_t authoritative = 0;
|
||||||
|
|
||||||
/* The client has given us its machine name (which we only get over NBT transport).
|
/* The client has given us its machine name (which we only get over NBT transport).
|
||||||
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
|
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
|
||||||
@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
|
|||||||
nt_status = auth_check_ntlm_password(mem_ctx,
|
nt_status = auth_check_ntlm_password(mem_ctx,
|
||||||
auth_context,
|
auth_context,
|
||||||
mapped_user_info,
|
mapped_user_info,
|
||||||
&server_info);
|
&server_info,
|
||||||
|
&authoritative);
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||||
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
|
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
|
||||||
|
"%s, authoritative=%u\n",
|
||||||
user_info->client.domain_name,
|
user_info->client.domain_name,
|
||||||
user_info->client.account_name,
|
user_info->client.account_name,
|
||||||
nt_errstr(nt_status)));
|
nt_errstr(nt_status),
|
||||||
|
authoritative));
|
||||||
}
|
}
|
||||||
|
|
||||||
username_was_mapped = mapped_user_info->was_mapped;
|
username_was_mapped = mapped_user_info->was_mapped;
|
||||||
|
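Review bot: In auth3_check_password the new `authoritative` local is initialised, passed as `&authoritative` and then only logged in the failure branch; nothing in this hunk or the one at `@ -145,6 +145,7 @@` returns it to auth3_check_password's caller. If the auth4_context path that calls this function is expected to act on the flag, that looks like a follow-up rather than something this commit provides; if it is intentionally log-only for now, a one-line comment such as `/* authoritative is currently only reported in the log */` next to the declaration would make that explicit. The function continues outside the hunk.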
@ -78,16 +78,20 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
|
|||||||
* filled in, either at creation or by calling the challenge geneation
|
* filled in, either at creation or by calling the challenge geneation
|
||||||
* function auth_get_challenge().
|
* function auth_get_challenge().
|
||||||
*
|
*
|
||||||
* @param server_info If successful, contains information about the authentication,
|
* @param pserver_info If successful, contains information about the authentication,
|
||||||
* including a struct samu struct describing the user.
|
* including a struct samu struct describing the user.
|
||||||
*
|
*
|
||||||
|
* @param pauthoritative Indicates if the result should be treated as final
|
||||||
|
* result.
|
||||||
|
*
|
||||||
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
||||||
*
|
*
|
||||||
**/
|
**/
|
||||||
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
|
||||||
const struct auth_context *auth_context,
|
const struct auth_context *auth_context,
|
||||||
const struct auth_usersupplied_info *user_info,
|
const struct auth_usersupplied_info *user_info,
|
||||||
struct auth_serversupplied_info **server_info);
|
struct auth_serversupplied_info **pserver_info,
|
||||||
|
uint8_t *pauthoritative);
|
||||||
|
|
||||||
/* The following definitions come from auth/auth_builtin.c */
|
/* The following definitions come from auth/auth_builtin.c */
|
||||||
|
|
||||||
|
@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
|||||||
status = auth_check_ntlm_password(p->mem_ctx,
|
status = auth_check_ntlm_password(p->mem_ctx,
|
||||||
auth_context,
|
auth_context,
|
||||||
user_info,
|
user_info,
|
||||||
&server_info);
|
&server_info,
|
||||||
|
r->out.authoritative);
|
||||||
}
|
}
|
||||||
|
|
||||||
TALLOC_FREE(auth_context);
|
TALLOC_FREE(auth_context);
|
||||||
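Review bot: `r->out.authoritative` is now written directly by auth_check_ntlm_password, but the call sits inside a block closed by the `}` on the following line, so it is presumably conditional; if any branch of that block reaches the `if (!NT_STATUS_IS_OK(status))` check in the hunk at `@ -1694,15 +1695,6 @@` without calling it, `*r->out.authoritative` must already have been initialised earlier in _netr_LogonSamLogon_base, which this hunk does not show. The removed heuristic in that later hunk only ever cleared the flag to false, so the new code relies entirely on an earlier default of true; it is worth confirming that default exists and adding a short comment at the call, e.g. `/* callee sets *r->out.authoritative; it is 0 only when no module claimed the user */`. The enclosing function starts and ends outside the hunk.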
@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
|
|||||||
/* Check account and password */
|
/* Check account and password */
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
/* If we don't know what this domain is, we need to
|
|
||||||
indicate that we are not authoritative. This
|
|
||||||
allows the client to decide if it needs to try
|
|
||||||
a local user. Fix by jpjanosi@us.ibm.com, #2976 */
|
|
||||||
if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
|
|
||||||
&& !strequal(nt_domain, get_global_sam_name())
|
|
||||||
&& !is_trusted_domain(nt_domain) )
|
|
||||||
*r->out.authoritative = false; /* We are not authoritative */
|
|
||||||
|
|
||||||
TALLOC_FREE(server_info);
|
TALLOC_FREE(server_info);
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
@ -269,6 +269,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
|
|||||||
struct auth_serversupplied_info *server_info;
|
struct auth_serversupplied_info *server_info;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
bool ok;
|
bool ok;
|
||||||
|
uint8_t authoritative = 0;
|
||||||
|
|
||||||
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
|
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
|
||||||
local_nt_response);
|
local_nt_response);
|
||||||
@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
|
|||||||
status = auth_check_ntlm_password(mem_ctx,
|
status = auth_check_ntlm_password(mem_ctx,
|
||||||
auth_context,
|
auth_context,
|
||||||
user_info,
|
user_info,
|
||||||
&server_info);
|
&server_info,
|
||||||
|
&authoritative);
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
|
DEBUG(0, ("Failed to test authentication with auth module: "
|
||||||
|
"%s authoritative[%u].\n",
|
||||||
|
nt_errstr(status), authoritative));
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
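Review bot: test_auth now collects `authoritative` but only prints it on failure; nothing in this hunk checks the value on the success path, so a regression that returned NT_STATUS_OK with the flag cleared would pass unnoticed. If the passdb entry under test is expected to be claimed by the local auth module, the success path could pin the new contract with `if (authoritative != 1) { DEBUG(0, ("Expected an authoritative result\n")); return False; }` after the status check. The rest of test_auth lies outside the hunk, so confirm this before adding it.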
@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
|
|||||||
status = auth_check_ntlm_password(mem_ctx,
|
status = auth_check_ntlm_password(mem_ctx,
|
||||||
auth_context,
|
auth_context,
|
||||||
user_info,
|
user_info,
|
||||||
&server_info);
|
&server_info,
|
||||||
|
pauthoritative);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
|
|
||||||
*pauthoritative = 0;
|
|
||||||
}
|
|
||||||
TALLOC_FREE(frame);
|
TALLOC_FREE(frame);
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
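Review bot: In winbindd_dual_auth_passdb the failure branch now just frees the frame and returns, whereas every other caller touched by this commit logs the status together with the authoritative flag (`authoritative=%u`). For consistency and for later triage of fallback decisions, consider `DBG_DEBUG("auth_check_ntlm_password failed: %s, authoritative=%u\n", nt_errstr(status), *pauthoritative);` inside the `if (!NT_STATUS_IS_OK(status)) {` block. The function begins outside the hunk.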