diff options
author | Stefan Metzmacher <metze@samba.org> | 2017-03-22 10:37:22 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-04-10 01:11:20 +0200 |
commit | bb6583fdf200677bd7ef17dfa9e57b6f5c14fb45 (patch) | |
tree | b215c913070037a32466b361359fcdaaa0c760ab /source4/auth | |
parent | 3caca9b7fb61196c1f7285cd6be8a257b306ff67 (diff) | |
download | samba-bb6583fdf200677bd7ef17dfa9e57b6f5c14fb45.tar.gz |
auth4: add a "sam_failtrusts" module
This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.
This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.
This is just a temporary solution, until we have full
async support in the gensec/auth4.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 96 |
1 files changed, 95 insertions, 1 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index f22aa3074bb..17d66db3b04 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -689,7 +689,89 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } - +static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + const char *effective_domain = user_info->mapped.domain_name; + struct dsdb_trust_routing_table *trt = NULL; + const struct lsa_TrustDomainInfoInfoEx *tdo = NULL; + NTSTATUS status; + + /* check whether or not we service this domain/workgroup name */ + switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) { + case ROLE_ACTIVE_DIRECTORY_DC: + /* handled later */ + break; + + default: + DBG_ERR("lpcfg_server_role() has an undefined value\n"); + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* + * Now we handle the AD DC case... + */ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (effective_domain == NULL || strequal(effective_domain, "")) { + const char *p = NULL; + + p = strchr_m(user_info->mapped.account_name, '@'); + if (p != NULL) { + effective_domain = p + 1; + } + } + + if (effective_domain == NULL || strequal(effective_domain, "")) { + DBG_DEBUG("%s is not a trusted domain\n", + effective_domain); + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* + * as last option we check the routing table if the + * domain is within our forest. + */ + status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx, + mem_ctx, &trt); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n", + nt_errstr(status)); + return status; + } + + tdo = dsdb_trust_routing_by_name(trt, effective_domain); + if (tdo == NULL) { + DBG_DEBUG("%s is not a known TLN (DC)\n", + effective_domain); + TALLOC_FREE(trt); + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* + * We now about the domain... + */ + TALLOC_FREE(trt); + return NT_STATUS_OK; +} + +static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_user_info_dc **user_info_dc) +{ + /* + * This should a good error for now, + * until this module gets removed + * and we have a full async path + * to winbind. + */ + return NT_STATUS_NO_TRUST_LSA_SECRET; +} + /* Wrapper for the auth subsystem pointer */ static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context, @@ -714,6 +796,12 @@ static const struct auth_operations sam_ops = { .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, }; +static const struct auth_operations sam_failtrusts_ops = { + .name = "sam_failtrusts", + .want_check = authsam_failtrusts_want_check, + .check_password = authsam_failtrusts_check_password, +}; + _PUBLIC_ NTSTATUS auth4_sam_init(void); _PUBLIC_ NTSTATUS auth4_sam_init(void) { @@ -731,5 +819,11 @@ _PUBLIC_ NTSTATUS auth4_sam_init(void) return ret; } + ret = auth_register(&sam_failtrusts_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register 'sam_failtrusts' auth backend!\n")); + return ret; + } + return ret; } |