authorStefan Metzmacher <metze@samba.org>2017-03-17 09:43:59 +0100
committerStefan Metzmacher <metze@samba.org>2017-03-24 11:57:09 +0100
commit65d5f845ed61641f42be614bb78391cba87e762a (patch)
treeba59eacd32e9dfa568c622f7f2acc306bb333f46 /source3
parent111a6bfc035f133474d2cb764c5a489140eb5295 (diff)
auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth.c35
-rw-r--r--source3/auth/auth_ntlmssp.c10
-rw-r--r--source3/auth/proto.h10
-rw-r--r--source3/rpc_server/netlogon/srv_netlog_nt.c12
-rw-r--r--source3/torture/pdbtest.c10
-rw-r--r--source3/winbindd/winbindd_pam.c7
6 files changed, 43 insertions, 41 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ef8fcef1010..11a777a404f 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **pserver_info)
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative)
{
TALLOC_CTX *frame;
const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */
- NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
const char *unix_username;
auth_methods *auth_method;
struct auth_serversupplied_info *server_info;
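Review bot: The retained comment `/* if all the modules say 'not for me' this is reasonable */` above the changed initialiser no longer explains the value, since NT_STATUS_NOT_IMPLEMENTED is never returned as-is: a later hunk of this function translates it into a non-authoritative NT_STATUS_NO_SUCH_USER. I would rewrite it as `/* "not implemented" until a module claims the request; translated below into a non-authoritative NT_STATUS_NO_SUCH_USER */`. The new `@param pauthoritative` text should also say the pointer must be non-NULL, because the function writes through it unconditionally on entry, and that a non-authoritative result means the caller may consult another authentication source. The body of auth_check_ntlm_password continues outside this hunk.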
@@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
frame = talloc_stackframe();
+ *pauthoritative = 1;
+
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
@@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
}
- /* check if the module did anything */
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
- ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
- /*
- * we don't expose the NT_STATUS_NOT_IMPLEMENTED
- * internals, except when the caller is only probing
- * one method, as they may do the fallback
- */
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ *pauthoritative = 0;
nt_status = NT_STATUS_NO_SUCH_USER;
}
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_INFO("%s authentication for user [%s] FAILED with "
- "error %s\n",
+ "error %s, authoritative=%u\n",
auth_method_name,
user_info->client.account_name,
- nt_errstr(nt_status));
+ nt_errstr(nt_status),
+ *pauthoritative);
goto fail;
}
@@ -313,9 +313,10 @@ fail:
/* failed authentication; check for guest lapping */
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
+ DEBUG(2, ("check_ntlm_password: Authentication for user "
+ "[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
user_info->client.account_name, user_info->mapped.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status), *pauthoritative));
ZERO_STRUCTP(pserver_info);
TALLOC_FREE(frame);
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index a0e49027af9..0ff3bdd3439 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
+ uint8_t authoritative = 0;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
nt_status = auth_check_ntlm_password(mem_ctx,
auth_context,
mapped_user_info,
- &server_info);
+ &server_info,
+ &authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
+ DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
+ "%s, authoritative=%u\n",
user_info->client.domain_name,
user_info->client.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status),
+ authoritative));
}
username_was_mapped = mapped_user_info->was_mapped;
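Review bot: The new `authoritative` flag in auth3_check_password is only written into the DEBUG line and, as far as this hunk shows, is not propagated to the auth4_context caller, so a non-authoritative NO_SUCH_USER and an authoritative one are treated alike on the NTLMSSP path. If that is intended because an SMB/NTLMSSP server has no other authentication source to fall back to, a comment next to the declaration would save the next reader the question, e.g. `/* informational only: the NTLMSSP server has no other source to fall back to */`. If a guest-mapping step follows later in this function, it presumably should not depend on the flag either; confirm, since the rest of the function is outside the hunk.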
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 11013461f3f..ccc284cadcf 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
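Review bot: The public header's `@param pauthoritative` wording, "Indicates if the result should be treated as final result", does not tell callers which values to expect or what they may do with them. From the auth.c change in this commit the contract is concrete: it is set to 1 unless every configured auth module returned NT_STATUS_NOT_IMPLEMENTED, in which case the function returns NT_STATUS_NO_SUCH_USER with the flag cleared, meaning the caller may consult another authentication source. I would state exactly that, add that the pointer must not be NULL because it is written unconditionally, and extend `@return` with a sentence noting that NT_STATUS_NO_SUCH_USER is only final when *pauthoritative is non-zero.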
@@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative);
/* The following definitions come from auth/auth_builtin.c */
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 4c438022fc0..38d7bda9822 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
status = auth_check_ntlm_password(p->mem_ctx,
auth_context,
user_info,
- &server_info);
+ &server_info,
+ r->out.authoritative);
}
TALLOC_FREE(auth_context);
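Review bot: Passing `r->out.authoritative` straight into auth_check_ntlm_password means the callee's unconditional `*pauthoritative = 1` on entry overwrites whatever this function or its caller initialised, while branches that do not reach this call (the `}` closing the hunk shows the call is conditional) keep the caller's value; the start of _netr_LogonSamLogon_base is outside the hunk, so I cannot see whether both paths agree. More importantly, the flag is now decided solely by whether some auth module claimed the request, whereas the previous netlogon-specific logic also cleared it for any NT_STATUS_NO_SUCH_USER on a domain that was neither the local SAM nor trusted; an auth module that answers NO_SUCH_USER rather than NOT_IMPLEMENTED for a foreign domain would now yield an authoritative failure and stop the client from trying a local account. I would confirm that against the module list this auth_context is built with and record the rule in a comment, e.g. `/* authoritative is decided by the auth modules: only a request no module claimed is reported as non-authoritative */`.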
@@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
/* Check account and password */
if (!NT_STATUS_IS_OK(status)) {
- /* If we don't know what this domain is, we need to
- indicate that we are not authoritative. This
- allows the client to decide if it needs to try
- a local user. Fix by jpjanosi@us.ibm.com, #2976 */
- if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
- && !strequal(nt_domain, get_global_sam_name())
- && !is_trusted_domain(nt_domain) )
- *r->out.authoritative = false; /* We are not authoritative */
-
TALLOC_FREE(server_info);
return status;
}
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 000356644c1..b4428837c9e 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -269,7 +269,8 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
struct auth_serversupplied_info *server_info;
NTSTATUS status;
bool ok;
-
+ uint8_t authoritative = 0;
+
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response);
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
@@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
- &server_info);
+ &server_info,
+ &authoritative);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
+ DEBUG(0, ("Failed to test authentication with auth module: "
+ "%s authoritative[%u].\n",
+ nt_errstr(status), authoritative));
return False;
}
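Review bot: test_auth only reports `authoritative` on the failure path and never checks it on success, so the new contract that a passdb-answered logon is authoritative is not exercised. After the status check I would add `if (!authoritative) { DEBUG(0, ("auth module did not claim the user\n")); return False; }` so a regression that clears the flag on a successful passdb lookup fails the test instead of merely changing a log line. The rest of test_auth lies outside this hunk.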
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 2bac9ec0089..74941c70115 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
- &server_info);
-
+ &server_info,
+ pauthoritative);
if (!NT_STATUS_IS_OK(status)) {
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- *pauthoritative = 0;
- }
TALLOC_FREE(frame);
return status;
}
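Review bot: winbindd_dual_auth_passdb now delegates ownership of `*pauthoritative` to auth_check_ntlm_password, which sets it to 1 on entry and to 0 only when no module claimed the request; any initialisation of the flag done earlier in this function (its start is outside the hunk) is overwritten on this path, and any early return before the call must still set it so the caller never reads an unset flag. A one-line comment at the call site would make the hand-off explicit, e.g. `/* *pauthoritative is set by auth_check_ntlm_password() from here on */`. The dropped blank line between the call and the `if` is an unrelated whitespace change that makes the hunk slightly larger than the fix needs.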