authorStefan Metzmacher <metze@samba.org>2019-12-11 14:53:20 +0100
committerStefan Metzmacher <metze@samba.org>2020-02-10 16:32:37 +0000
commit98d2d5a40358e26d34c81047d80b79876a8ddab9 (patch)
treebbdeedbac82c534cb6b951cc6a5fc631c23758f1 /auth
parent28d9493d232020a65b1b4634408c9341ef1dc39c (diff)
downloadsamba-98d2d5a40358e26d34c81047d80b79876a8ddab9.tar.gz
auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER
This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to LOGON_FAILURE later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/gensec/gensec.c39
1 files changed, 37 insertions, 2 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 91d8cce3f4c..becf4ce8685 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -502,8 +502,43 @@ static void gensec_update_done(struct tevent_req *subreq)
TALLOC_FREE(subreq);
state->status = status;
if (GENSEC_UPDATE_IS_NTERROR(status)) {
- DBG_INFO("%s[%p]: %s%s%s\n", state->ops->name,
- state->gensec_security, nt_errstr(status),
+ NTSTATUS orig_status = status;
+ bool force_no_such_user = false;
+
+ /*
+ * callers only expect NT_STATUS_NO_SUCH_USER.
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
+ force_no_such_user = true;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
+ force_no_such_user = true;
+ }
+
+ if (state->gensec_security->subcontext) {
+ /*
+ * We should only map on the outer
+ * gensec_update exchange, spnego
+ * needs the raw status.
+ */
+ force_no_such_user = false;
+ }
+
+ if (force_no_such_user) {
+ /*
+ * nt_status_squash() may map
+ * to NT_STATUS_LOGON_FAILURE later
+ */
+ status = NT_STATUS_NO_SUCH_USER;
+ }
+
+ DBG_INFO("%s[%p]: %s%s%s%s%s\n",
+ state->ops->name,
+ state->gensec_security,
+ NT_STATUS_EQUAL(status, orig_status) ?
+ "" : nt_errstr(orig_status),
+ NT_STATUS_EQUAL(status, orig_status) ?
+ "" : " ",
+ nt_errstr(status),
debug_subreq ? " " : "",
debug_subreq ? debug_subreq : "");
tevent_req_nterror(req, status);
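Review bot: `state->status = status;` runs before the new mapping, so on the mapped path `state->status` still holds the raw NT_STATUS_INVALID_ACCOUNT_NAME or NT_STATUS_NO_SUCH_DOMAIN while `tevent_req_nterror()` reports NT_STATUS_NO_SUCH_USER. Whether anything reads `state->status` after an error is not visible in this hunk (gensec_update_done starts and ends outside it), but any such reader would see the unmapped code and could pass on the account-versus-domain distinction this change is meant to hide. Either move the assignment below the mapping or add `state->status = status;` inside the `if (force_no_such_user)` block. The DBG_INFO line also prints the original and mapped codes with only a space between them; using `" -> "` instead of `" "` as the separator would make the mapping unambiguous to someone reading the log during an investigation.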