
Merge auth changes from HEAD:

- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors
- make auth_winbind load the ntdomain module as a fallback when winbindd isn't available.
 - use new trusted domains cache to determine if the domain is valid.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett -
parent 748ed3552b
commit ec8d6524c6
5 changed files with 83 additions and 70 deletions


@ -334,6 +334,52 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context)
return NT_STATUS_OK;
}
BOOL load_auth_module(struct auth_context *auth_context,
const char *module, auth_methods **ret)
{
static BOOL initialised_static_modules = False;
struct auth_init_function_entry *entry;
char *module_name = smb_xstrdup(module);
char *module_params = NULL;
char *p;
BOOL good = False;
/* Initialise static modules if not done so yet */
if(!initialised_static_modules) {
static_init_auth;
initialised_static_modules = True;
}
DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
module));
p = strchr(module_name, ':');
if (p) {
*p = 0;
module_params = p+1;
trim_string(module_params, " ", " ");
}
trim_string(module_name, " ", " ");
entry = auth_find_backend_entry(module_name);
if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) &&
!(entry = auth_find_backend_entry(module_name))) {
DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
} else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
module));
} else {
DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
module));
good = True;
}
SAFE_FREE(module_name);
return good;
}
/***************************************************************************
Make a auth_info struct for the auth subsystem
***************************************************************************/
@ -344,7 +390,6 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
auth_methods *t = NULL;
auth_methods *tmp;
NTSTATUS nt_status;
static BOOL initialised_static_modules = False;
if (!text_list) {
DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
@ -354,44 +399,10 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
return nt_status;
/* Initialise static modules if not done so yet */
if(!initialised_static_modules) {
static_init_auth;
initialised_static_modules = True;
}
for (;*text_list; text_list++) {
struct auth_init_function_entry *entry;
char *module_name = smb_xstrdup(*text_list);
char *module_params = NULL;
char *p;
DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
*text_list));
p = strchr(module_name, ':');
if (p) {
*p = 0;
module_params = p+1;
trim_string(module_params, " ", " ");
}
trim_string(module_name, " ", " ");
entry = auth_find_backend_entry(module_name);
if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) &&
!(entry = auth_find_backend_entry(module_name))) {
DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name));
} else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) {
DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
*text_list));
} else {
DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
*text_list));
DLIST_ADD_END(list, t, tmp);
}
SAFE_FREE(module_name);
if (load_auth_module(*auth_context, *text_list, &t)) {
DLIST_ADD_END(list, t, tmp);
}
}
(*auth_context)->auth_method_list = list;
@ -417,7 +428,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
{
case SEC_DOMAIN:
DEBUG(5,("Making default auth method list for security=domain\n"));
auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL);
break;
case SEC_SERVER:
DEBUG(5,("Making default auth method list for security=server\n"));
@ -443,7 +454,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
break;
case SEC_ADS:
DEBUG(5,("Making default auth method list for security=ADS\n"));
auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL);
break;
default:
DEBUG(5,("Unknown auth method!\n"));
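Review bot: In load_auth_module the lookup `entry = auth_find_backend_entry(module_name);` on the line just before the `if` is dead, because the condition's first clause reassigns `entry` anyway; more importantly, the three-clause `&&` chain only leaves `entry` non-NULL on the probe path if `smb_probe_module` reports success by returning zero — if it signals success with a non-zero value, the third clause is short-circuited, `entry` stays NULL and the `else if` calls `entry->init(...)` through a NULL pointer. I cannot see smb_probe_module's return convention from here, so confirm it; either way, writing the lookup as explicit steps removes the dependency on that convention and the dead call. The same chain existed in the removed make_auth_context_text_list loop, but it is now the single entry point for every configured and fallback module, so it is worth getting right here. load_auth_module is fully inside the hunk; the `winbind:ntdomain` defaults on the later lines rely on this function's `name:param` split.
```c
	entry = auth_find_backend_entry(module_name);
	if (!entry) {
		/* Not statically linked: try to probe a shared module, then look again. */
		smb_probe_module("auth", module_name);
		entry = auth_find_backend_entry(module_name);
	}
	if (!entry) {
		DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
	} else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
	/* … unchanged: init-failure and success logging, SAFE_FREE(module_name), return good … */
```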


@ -50,7 +50,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
/* Guest modules initialisation */
NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@ -60,6 +60,7 @@ NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options,
return NT_STATUS_OK;
}
#ifdef DEVELOPER
/**
* Return an error based on username
*
@ -101,7 +102,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_
/** Module initialisation function */
NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@ -150,7 +151,7 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex
/** Module initailisation function */
NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@ -160,6 +161,7 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char
(*auth_method)->name = "fixed_challenge";
return NT_STATUS_OK;
}
#endif /* DEVELOPER */
int auth_builtin_init(void)
{
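Review bot: auth_builtin_init opens on the hunk's last line and its body lies outside the hunk; now that auth_init_name_to_ntstatus and auth_init_fixed_challenge are `static` and only compiled under `#ifdef DEVELOPER`, whatever registers them in that function must sit under the same `#ifdef DEVELOPER`, or a non-developer build fails on the now-undeclared names. The guard itself is the right call: fixed_challenge replaces the per-session challenge, which makes any captured NTLM response replayable, and name_to_ntstatus (per its own comment, "Return an error based on username") lets the client choose its authentication result. That reasoning should be stated at the `#ifdef DEVELOPER` so nobody relaxes it later: `/* Test-only modules: fixed_challenge makes NTLM responses replayable and name_to_ntstatus lets a client pick its own result. Never build outside DEVELOPER. */`.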


@ -175,6 +175,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
&dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry);
if (!NT_STATUS_IS_OK(result)) {
/* map to something more useful */
if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
release_server_mutex();
return result;
}
@ -272,7 +277,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli,
struct in_addr dc_ip;
fstring srv_name;
if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) {
if (!rpc_find_dc(domain, srv_name, &dc_ip)) {
DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup()));
return NT_STATUS_NO_LOGON_SERVERS;
}
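Review bot: The error message right after the changed rpc_find_dc() call still prints lp_workgroup() although the lookup now searches `domain`, so a failed DC search for a trusted domain is logged under the wrong name; change it to `DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", domain));`. In the first hunk, the rewrite of NT_STATUS_UNSUCCESSFUL to NT_STATUS_NO_LOGON_SERVERS gives the client a better code but discards the original failure reason, so a `DEBUG(3, ...)` of `result` before the remap would help when a trusted-domain DC is reachable by name but refuses the IPC$ connection. Both functions start before their hunks and continue past them.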


@ -219,35 +219,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
where it doens't supply a domain for logon script
'net use' commands.
The way I do it here is by checking if the fully
qualified username exists. This is rather reliant
on winbind, but until we have a better method this
will have to do
Finally, we do this by looking up a cache of trusted domains!
*/
domain = client_domain;
if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
char *user = NULL;
if (asprintf(&user, "%s%s%s",
client_domain, lp_winbind_separator(),
smb_name) < 0) {
DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
return NT_STATUS_NO_MEMORY;
}
DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
if (Get_Pwnam(user) == NULL) {
DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
domain = lp_workgroup();
DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
client_domain, domain));
} else {
DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
}
SAFE_FREE(user);
if (is_trusted_domain(domain)) {
return make_user_info(user_info, smb_name, internal_username,
client_domain, domain, wksta_name,
lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
encrypted);
}
} else {
domain = lp_workgroup();
}
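Review bot: An untrusted client_domain no longer falls back to lp_workgroup(): `domain` is set to client_domain before the `if`, and for a non-guest user whose domain fails is_trusted_domain() the new block simply falls out of the `if` with `domain` unchanged, whereas the removed Get_Pwnam path remapped it to lp_workgroup() in exactly that case. If the tail of make_user_info_map (outside the hunk) passes `domain` to make_user_info, the early return is also equivalent to falling through, which strongly suggests a missing branch; the likely intent is `} else { domain = lp_workgroup(); }` after the is_trusted_domain() check, or simply `domain = is_trusted_domain(client_domain) ? client_domain : lp_workgroup();`. Note that client_domain is client-supplied, so this decision controls which domain a forged domain name is authenticated against; whether is_trusted_domain() accepts our own workgroup name is not visible here and should be confirmed, since a plain logon to our own domain must not end up on the untrusted path. The comment above ("Finally, we do this by looking up a cache of trusted domains!") could then state the rule: `/* A non-guest logon naming a domain we trust keeps that domain; anything else is authenticated against our own workgroup. */`.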


@ -103,6 +103,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
if (result == NSS_STATUS_UNAVAIL) {
struct auth_methods *auth_method = my_private_data;
return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
}
nt_status = NT_STATUS(response.data.auth.nt_status);
if (result == NSS_STATUS_SUCCESS && response.extra_data) {
@ -127,11 +132,18 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
/* module initialisation */
NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
(*auth_method)->name = "winbind";
(*auth_method)->auth = check_winbind_security;
if (param && *param) {
/* we load the 'fallback' module - if winbind isn't here, call this
module */
if (!load_auth_module(auth_context, param, &(*auth_method)->private_data)) {
return NT_STATUS_UNSUCCESSFUL;
}
}
return NT_STATUS_OK;
}
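Review bot: The fallback on the new NSS_STATUS_UNAVAIL branch dereferences `my_private_data` unconditionally, but auth_init_winbind only fills private_data when a `winbind:module` parameter is given; with a bare `winbind` entry in the auth methods list and winbindd not running, `auth_method->auth(...)` is a call through a NULL pointer. Guard it so the no-fallback case keeps its previous handling: `if (result == NSS_STATUS_UNAVAIL && my_private_data) {`. This assumes make_auth_methods zero-fills the struct, which is not visible here — confirm it, or set `(*auth_method)->private_data = NULL;` explicitly before the `if (param && *param)`. Separately, `&(*auth_method)->private_data` is a `void **` handed to a parameter declared `auth_methods **`, which compiles only with a warning in C; loading into a local `auth_methods *fallback = NULL;` and assigning `(*auth_method)->private_data = fallback;` is cleaner. check_winbind_security starts and ends outside the hunk.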