authorStefan Metzmacher <metze@samba.org>2017-03-17 11:52:51 +0100
committerStefan Metzmacher <metze@samba.org>2017-03-24 11:57:10 +0100
commit541d6873479b2e7843c6ebc31e8fa238403f0416 (patch)
tree7a7af4a31717495d36b480981f2d66fdd7eb1cdb
parentd568ebbcf9500dc59a9938d8a0d62a7044102e65 (diff)
auth: let auth4_context->check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--auth/common_auth.h1
-rw-r--r--auth/ntlmssp/ntlmssp_server.c3
-rw-r--r--source3/auth/auth_generic.c2
-rw-r--r--source3/auth/auth_ntlmssp.c12
-rw-r--r--source3/auth/proto.h1
-rw-r--r--source3/utils/ntlm_auth.c9
-rw-r--r--source4/auth/ntlm/auth.c4
7 files changed, 24 insertions, 8 deletions
diff --git a/auth/common_auth.h b/auth/common_auth.h
index d1a775d431a..5d232f4d09b 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -110,6 +110,7 @@ struct auth4_context {
NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
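Review bot: The new `pauthoritative` out-parameter of `check_ntlm_password` has no documented contract, and the implementations touched by this commit already differ: auth3_check_password and local_pw_check write `*pauthoritative = 1` before doing any work, while winbind_pw_check leaves the write to contact_winbind_auth_crap. A comment above the member would pin this down, for example `/* pauthoritative: must not be NULL; the callee sets it on every return path */`, together with one line stating what 0 and 1 mean. From the "Be authoritative by default" comment in source3/auth/auth_ntlmssp.c, 1 appears to mean the backend's answer is final, but that is inferred and should be confirmed. struct auth4_context continues outside this hunk.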
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index ddee8756bfe..eab8121448e 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -726,9 +726,12 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
if (auth_context->check_ntlm_password) {
+ uint8_t authoritative = 0;
+
nt_status = auth_context->check_ntlm_password(auth_context,
gensec_ntlmssp,
user_info,
+ &authoritative,
&gensec_ntlmssp->server_returned_info,
user_session_key, lm_session_key);
}
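Review bot: `authoritative` is declared inside the `if (auth_context->check_ntlm_password)` block, so the value the callback reports goes out of scope at the closing brace and cannot influence the status handling that follows the call. The same applies to auth_check_password_session_info in source3/auth/auth_generic.c, where the variable is written but not read in the visible lines. If this commit is a preparatory step, a short comment such as `/* TODO: propagate authoritative to the caller */` would make that explicit; otherwise declare the variable at function scope so that later code can use it. Both function bodies continue outside their hunks.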
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 95c70e8f5f5..875b7ff5949 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -389,10 +389,12 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
{
NTSTATUS nt_status;
void *server_info;
+ uint8_t authoritative = 0;
nt_status = auth_context->check_ntlm_password(auth_context,
talloc_tos(),
user_info,
+ &authoritative,
&server_info, NULL, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 0ff3bdd3439..a48c44457f3 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -136,6 +136,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
@@ -145,7 +146,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
- uint8_t authoritative = 0;
+
+ /*
+ * Be authoritative by default.
+ */
+ *pauthoritative = 1;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@@ -181,7 +186,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
auth_context,
mapped_user_info,
&server_info,
- &authoritative);
+ pauthoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
@@ -189,7 +194,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
user_info->client.domain_name,
user_info->client.account_name,
nt_errstr(nt_status),
- authoritative));
+ *pauthoritative));
}
username_was_mapped = mapped_user_info->was_mapped;
@@ -203,6 +208,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
user_info->client.domain_name,
&server_info);
if (NT_STATUS_IS_OK(nt_status)) {
+ *pauthoritative = 1;
*server_returned_info = talloc_steal(mem_ctx, server_info);
}
return nt_status;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index ccc284cadcf..c5f6ade1ea4 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -132,6 +132,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 4bfab5ba45b..3bd945f53ce 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -947,6 +947,7 @@ static NTSTATUS ntlm_auth_set_challenge(struct auth4_context *auth_ctx, const ui
static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
@@ -955,7 +956,6 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
uint8_t lm_key[8];
uint8_t user_sess_key[16];
char *unix_name = NULL;
- uint8_t authoritative = 0;
nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name,
user_info->workstation_name,
@@ -965,7 +965,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
0,
lm_key, user_sess_key,
- &authoritative,
+ pauthoritative,
&error_string, &unix_name);
if (NT_STATUS_IS_OK(nt_status)) {
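Review bot: winbind_pw_check forwards `pauthoritative` straight to contact_winbind_auth_crap without setting a default first, unlike auth3_check_password and local_pw_check, which both assign `*pauthoritative = 1;` before the password check. Whether contact_winbind_auth_crap writes the value on every return path is not visible here; if it can return early without doing so, the caller sees only its own initial value (0 at the call sites in this commit). Because this flag presumably decides whether a failed logon is treated as final, it is safer to set it explicitly before the call, e.g. `*pauthoritative = 1;`, or to state in a comment that the helper always sets it. The function body starts and ends outside this hunk.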
@@ -995,7 +995,8 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
+ const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
@@ -1004,6 +1005,8 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
+ *pauthoritative = 1;
+
nt_status = ntlm_password_check(mem_ctx,
true, true, 0,
&auth4_context->challenge.data,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 12e26f4c1fa..0eb22602c7f 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -189,15 +189,15 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct auth_user_info_dc *user_info_dc;
NTSTATUS status;
- uint8_t authoritative = 0;
status = auth_check_password(auth_ctx, mem_ctx, user_info,
- &user_info_dc, &authoritative);
+ &user_info_dc, pauthoritative);
if (!NT_STATUS_IS_OK(status)) {
return status;
}