auth4: add a "sam_failtrusts" module

This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.

This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.

This is just a temporary solution, until we have full
async support in the gensec/auth4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 95 insertions, 1 deletions

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index f22aa3074bb..17d66db3b04 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -689,7 +689,89 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-				   
+static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx,
+					      TALLOC_CTX *mem_ctx,
+					      const struct auth_usersupplied_info *user_info)
+{
+	const char *effective_domain = user_info->mapped.domain_name;
+	struct dsdb_trust_routing_table *trt = NULL;
+	const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+	NTSTATUS status;
+
+	/* check whether or not we service this domain/workgroup name */
+	switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		/* handled later */
+		break;
+
+	default:
+		DBG_ERR("lpcfg_server_role() has an undefined value\n");
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	/*
+	 * Now we handle the AD DC case...
+	 */
+	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	if (effective_domain == NULL || strequal(effective_domain, "")) {
+		const char *p = NULL;
+
+		p = strchr_m(user_info->mapped.account_name, '@');
+		if (p != NULL) {
+			effective_domain = p + 1;
+		}
+	}
+
+	if (effective_domain == NULL || strequal(effective_domain, "")) {
+		DBG_DEBUG("%s is not a trusted domain\n",
+			  effective_domain);
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	/*
+	 * as last option we check the routing table if the
+	 * domain is within our forest.
+	 */
+	status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
+					       mem_ctx, &trt);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
+			 nt_errstr(status));
+		return status;
+	}
+
+	tdo = dsdb_trust_routing_by_name(trt, effective_domain);
+	if (tdo == NULL) {
+		DBG_DEBUG("%s is not a known TLN (DC)\n",
+			  effective_domain);
+		TALLOC_FREE(trt);
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	/*
+	 * We now about the domain...
+	 */
+	TALLOC_FREE(trt);
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx,
+						  TALLOC_CTX *mem_ctx,
+						  const struct auth_usersupplied_info *user_info,
+						  struct auth_user_info_dc **user_info_dc)
+{
+	/*
+	 * This should a good error for now,
+	 * until this module gets removed
+	 * and we have a full async path
+	 * to winbind.
+	 */
+	return NT_STATUS_NO_TRUST_LSA_SECRET;
+}
+
 /* Wrapper for the auth subsystem pointer */
 static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
 							  struct auth4_context *auth_context,
@@ -714,6 +796,12 @@ static const struct auth_operations sam_ops = {
 	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
 };
 
+static const struct auth_operations sam_failtrusts_ops = {
+	.name		           = "sam_failtrusts",
+	.want_check	           = authsam_failtrusts_want_check,
+	.check_password	           = authsam_failtrusts_check_password,
+};
+
 _PUBLIC_ NTSTATUS auth4_sam_init(void);
 _PUBLIC_ NTSTATUS auth4_sam_init(void)
 {
@@ -731,5 +819,11 @@ _PUBLIC_ NTSTATUS auth4_sam_init(void)
 		return ret;
 	}
 
+	ret = auth_register(&sam_failtrusts_ops);
+	if (!NT_STATUS_IS_OK(ret)) {
+		DEBUG(0,("Failed to register 'sam_failtrusts' auth backend!\n"));
+		return ret;
+	}
+
 	return ret;
 }