1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

auth3: let auth_check_ntlm_password() return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2017-03-17 09:43:59 +01:00
parent 111a6bfc03
commit 65d5f845ed
6 changed files with 43 additions and 41 deletions

View File

@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
* filled in, either at creation or by calling the challenge geneation * filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge(). * function auth_get_challenge().
* *
* @param server_info If successful, contains information about the authentication, * @param pserver_info If successful, contains information about the authentication,
* including a struct samu struct describing the user. * including a struct samu struct describing the user.
*
* @param pauthoritative Indicates if the result should be treated as final
* result.
* *
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error. * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
* *
**/ **/
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context, const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info, const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **pserver_info) struct auth_serversupplied_info **pserver_info,
uint8_t *pauthoritative)
{ {
TALLOC_CTX *frame; TALLOC_CTX *frame;
const char *auth_method_name = ""; const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */ /* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
const char *unix_username; const char *unix_username;
auth_methods *auth_method; auth_methods *auth_method;
struct auth_serversupplied_info *server_info; struct auth_serversupplied_info *server_info;
@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
frame = talloc_stackframe(); frame = talloc_stackframe();
*pauthoritative = 1;
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name)); user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
DBG_DEBUG("%s had nothing to say\n", auth_method->name); DBG_DEBUG("%s had nothing to say\n", auth_method->name);
} }
/* check if the module did anything */ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) && *pauthoritative = 0;
((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
/*
* we don't expose the NT_STATUS_NOT_IMPLEMENTED
* internals, except when the caller is only probing
* one method, as they may do the fallback
*/
nt_status = NT_STATUS_NO_SUCH_USER; nt_status = NT_STATUS_NO_SUCH_USER;
} }
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
DBG_INFO("%s authentication for user [%s] FAILED with " DBG_INFO("%s authentication for user [%s] FAILED with "
"error %s\n", "error %s, authoritative=%u\n",
auth_method_name, auth_method_name,
user_info->client.account_name, user_info->client.account_name,
nt_errstr(nt_status)); nt_errstr(nt_status),
*pauthoritative);
goto fail; goto fail;
} }
@ -313,9 +313,10 @@ fail:
/* failed authentication; check for guest lapping */ /* failed authentication; check for guest lapping */
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", DEBUG(2, ("check_ntlm_password: Authentication for user "
"[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
user_info->client.account_name, user_info->mapped.account_name, user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status))); nt_errstr(nt_status), *pauthoritative));
ZERO_STRUCTP(pserver_info); ZERO_STRUCTP(pserver_info);
TALLOC_FREE(frame); TALLOC_FREE(frame);

View File

@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
struct auth_serversupplied_info *server_info; struct auth_serversupplied_info *server_info;
NTSTATUS nt_status; NTSTATUS nt_status;
bool username_was_mapped; bool username_was_mapped;
uint8_t authoritative = 0;
/* The client has given us its machine name (which we only get over NBT transport). /* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */ We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
nt_status = auth_check_ntlm_password(mem_ctx, nt_status = auth_check_ntlm_password(mem_ctx,
auth_context, auth_context,
mapped_user_info, mapped_user_info,
&server_info); &server_info,
&authoritative);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n", DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
"%s, authoritative=%u\n",
user_info->client.domain_name, user_info->client.domain_name,
user_info->client.account_name, user_info->client.account_name,
nt_errstr(nt_status))); nt_errstr(nt_status),
authoritative));
} }
username_was_mapped = mapped_user_info->was_mapped; username_was_mapped = mapped_user_info->was_mapped;

View File

@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
* filled in, either at creation or by calling the challenge geneation * filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge(). * function auth_get_challenge().
* *
* @param server_info If successful, contains information about the authentication, * @param pserver_info If successful, contains information about the authentication,
* including a struct samu struct describing the user. * including a struct samu struct describing the user.
*
* @param pauthoritative Indicates if the result should be treated as final
* result.
* *
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error. * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
* *
@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context, const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info, const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info); struct auth_serversupplied_info **pserver_info,
uint8_t *pauthoritative);
/* The following definitions come from auth/auth_builtin.c */ /* The following definitions come from auth/auth_builtin.c */

View File

@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
status = auth_check_ntlm_password(p->mem_ctx, status = auth_check_ntlm_password(p->mem_ctx,
auth_context, auth_context,
user_info, user_info,
&server_info); &server_info,
r->out.authoritative);
} }
TALLOC_FREE(auth_context); TALLOC_FREE(auth_context);
@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
/* Check account and password */ /* Check account and password */
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
/* If we don't know what this domain is, we need to
indicate that we are not authoritative. This
allows the client to decide if it needs to try
a local user. Fix by jpjanosi@us.ibm.com, #2976 */
if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
&& !strequal(nt_domain, get_global_sam_name())
&& !is_trusted_domain(nt_domain) )
*r->out.authoritative = false; /* We are not authoritative */
TALLOC_FREE(server_info); TALLOC_FREE(server_info);
return status; return status;
} }

View File

@ -269,6 +269,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
struct auth_serversupplied_info *server_info; struct auth_serversupplied_info *server_info;
NTSTATUS status; NTSTATUS status;
bool ok; bool ok;
uint8_t authoritative = 0;
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response); local_nt_response);
@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
status = auth_check_ntlm_password(mem_ctx, status = auth_check_ntlm_password(mem_ctx,
auth_context, auth_context,
user_info, user_info,
&server_info); &server_info,
&authoritative);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status))); DEBUG(0, ("Failed to test authentication with auth module: "
"%s authoritative[%u].\n",
nt_errstr(status), authoritative));
return False; return False;
} }

View File

@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
status = auth_check_ntlm_password(mem_ctx, status = auth_check_ntlm_password(mem_ctx,
auth_context, auth_context,
user_info, user_info,
&server_info); &server_info,
pauthoritative);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
*pauthoritative = 0;
}
TALLOC_FREE(frame); TALLOC_FREE(frame);
return status; return status;
} }