author | Stefan Metzmacher <metze@samba.org> | 2019-12-11 14:53:20 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2020-02-10 16:32:37 +0000 |
commit | 98d2d5a40358e26d34c81047d80b79876a8ddab9 (patch) | |
tree | bbdeedbac82c534cb6b951cc6a5fc631c23758f1 /auth | |
parent | 28d9493d232020a65b1b4634408c9341ef1dc39c (diff) | |
auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER
This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to
LOGON_FAILURE later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/gensec/gensec.c | 39 |
1 files changed, 37 insertions, 2 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 91d8cce3f4c..becf4ce8685 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -502,8 +502,43 @@ static void gensec_update_done(struct tevent_req *subreq)
 TALLOC_FREE(subreq);
 state->status = status;
 if (GENSEC_UPDATE_IS_NTERROR(status)) {
- DBG_INFO("%s[%p]: %s%s%s\n", state->ops->name,
- state->gensec_security, nt_errstr(status),
+ NTSTATUS orig_status = status;
+ bool force_no_such_user = false;
+
+ /*
+ * callers only expect NT_STATUS_NO_SUCH_USER.
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
+ force_no_such_user = true;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
+ force_no_such_user = true;
+ }
+
+ if (state->gensec_security->subcontext) {
+ /*
+ * We should only map on the outer
+ * gensec_update exchange, spnego
+ * needs the raw status.
+ */
+ force_no_such_user = false;
+ }
+
+ if (force_no_such_user) {
+ /*
+ * nt_status_squash() may map
+ * to NT_STATUS_LOGON_FAILURE later
+ */
+ status = NT_STATUS_NO_SUCH_USER;
+ }
+
+ DBG_INFO("%s[%p]: %s%s%s%s%s\n",
+ state->ops->name,
+ state->gensec_security,
+ NT_STATUS_EQUAL(status, orig_status) ?
+ "" : nt_errstr(orig_status),
+ NT_STATUS_EQUAL(status, orig_status) ?
+ "" : " ",
+ nt_errstr(status),
 debug_subreq ? " " : "",
 debug_subreq ? debug_subreq : "");
 tevent_req_nterror(req, status); |
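Review bot: The context line `state->status = status;` just above the new block runs before the mapping, so `state->status` keeps the raw NT_STATUS_INVALID_ACCOUNT_NAME / NT_STATUS_NO_SUCH_DOMAIN while `tevent_req_nterror()` is given NT_STATUS_NO_SUCH_USER. If any code outside this hunk reads `state->status` on the error path, it would still see the distinction the mapping is meant to remove; adding `state->status = status;` right after `status = NT_STATUS_NO_SUCH_USER;` keeps the two in step, or a comment such as `/* state->status intentionally keeps the raw code; only the request error is mapped */` records the intent. The comment `callers only expect NT_STATUS_NO_SUCH_USER.` could also say why, presumably so that the three codes end up indistinguishable to the peer once nt_status_squash() has run. gensec_update_done() starts and ends outside the hunk, so how the receive side uses state->status cannot be confirmed from here.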