authorAndrew Bartlett <abartlet@samba.org>2014-06-30 12:04:03 +1200
committerAndrew Bartlett <abartlet@samba.org>2014-07-04 02:52:35 +0200
commit0b77cd969c54e4efa6faff507834c183958ec23c (patch)
tree7615b93b7e97793cdb6533f5ea311de40e989285
parent5d069a04fc843512b6a703691d81c4c1d28ef744 (diff)
s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC. Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
-rw-r--r--auth/common_auth.h2
-rw-r--r--source3/auth/auth.c7
-rw-r--r--source3/winbindd/winbindd_pam.c16
-rw-r--r--source4/auth/ntlm/auth.c10
4 files changed, 29 insertions, 6 deletions
diff --git a/auth/common_auth.h b/auth/common_auth.h
index d9bde018bf3..d1a775d431a 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -26,7 +26,7 @@
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM */
+#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
#define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
enum auth_password_state {
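Review bot: The new comment on `USER_INFO_LOCAL_SAM_ONLY` speaks of "missing passwords", but the code changed in this commit tests for NT_STATUS_NOT_IMPLEMENTED, so the header does not name the status a caller will now receive. The flag also carries two meanings after this change (restrict to the local SAM, and pass the internal "nothing to say" status through), which is easy to miss when setting it. I would spell the contract out, e.g. `/* Only authenticate against the local SAM; NT_STATUS_NOT_IMPLEMENTED is returned to the caller instead of being mapped to NT_STATUS_NO_SUCH_USER */`.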
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 6d1192ededd..00261f725fa 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -232,6 +232,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
TALLOC_FREE(tmp_ctx);
+ if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
+ /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ nt_status = result;
+ }
continue;
}
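Review bot: The added branch keys on `USER_INFO_LOCAL_SAM_ONLY` alone, while its comment justifies the behaviour by the caller "only probing one method"; nothing in the visible lines checks that a single method is configured. After `nt_status = result;` the loop continues, so whether NT_STATUS_NOT_IMPLEMENTED survives to the return depends on later iterations, which are outside this hunk. Every caller that sets the flag now has to treat NT_STATUS_NOT_IMPLEMENTED as "fall back" and map it before the status reaches a client, otherwise the difference from NT_STATUS_NO_SUCH_USER becomes observable remotely; the same applies to the source4/auth/ntlm/auth.c hunk. I would record that next to the assignment, e.g. `/* callers setting USER_INFO_LOCAL_SAM_ONLY must handle NT_STATUS_NOT_IMPLEMENTED and must not return it to clients */`. The body of auth_check_ntlm_password starts and ends outside the hunk.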
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 1112b21cbae..dd8f442d3d6 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1501,7 +1501,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
result = winbindd_dual_auth_passdb(
mem_ctx, 0, name_domain, name_user,
&chal_blob, &lm_resp, &nt_resp, info3);
- goto done;
+
+ /*
+ * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ */
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto done;
+ }
}
/* check authentication loop */
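Review bot: The fall-through to the remote NETLOGON server after `winbindd_dual_auth_passdb()` is silent, so an authentication trace cannot show that the local passdb declined and the credentials were forwarded to another DC; the same holds for the second hunk in winbind_dual_SamLogon. A debug line before the `if` would make the hand-off auditable, e.g. `DEBUG(10, ("local passdb returned NOT_IMPLEMENTED for %s\\%s, trying remote NETLOGON\n", name_domain, name_user));`. The comment says what happens but not why; from the commit message the reason appears to be that the RW DC holds the password, and the comment should say so. If `winbindd_dual_auth_passdb()` can leave `info3` partly filled on this status (not visible here), it should be reset before the retry loop runs. Both functions continue outside their hunks.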
@@ -1888,7 +1894,13 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
logon_parameters,
name_domain, name_user,
&chal_blob, &lm_response, &nt_response, info3);
- goto process_result;
+
+ /*
+ * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ */
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto process_result;
+ }
}
result = winbind_samlogon_retry_loop(domain,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 6d5747eb783..1d1bc5eb856 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -375,9 +375,13 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
- /* don't expose the NT_STATUS_NOT_IMPLEMENTED
- internals */
- status = NT_STATUS_NO_SUCH_USER;
+ if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
+ /* don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ status = NT_STATUS_NO_SUCH_USER;
+ }
}
if (tevent_req_nterror(req, status)) {