authorGarming Sam <garming@catalyst.net.nz>2017-04-03 15:21:29 +1200
committerAndrew Bartlett <abartlet@samba.org>2017-05-30 08:06:06 +0200
commita6a19e4308d4e81418eb5810cf492407dc91344b (patch)
tree6d1fa2d58e14d99901572c3e087b1ab441076995 /source4/auth
parentdeec2af7d2d0beb612bc9f35cca66cc825b9816d (diff)
auth4: Add authoritative flag to check_password
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.h4
-rw-r--r--source4/auth/ntlm/auth.c11
-rw-r--r--source4/auth/ntlm/auth_anonymous.c3
-rw-r--r--source4/auth/ntlm/auth_developer.c3
-rw-r--r--source4/auth/ntlm/auth_sam.c17
-rw-r--r--source4/auth/ntlm/auth_unix.c3
-rw-r--r--source4/auth/ntlm/auth_winbind.c6
7 files changed, 32 insertions, 15 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index e1b642eb92d..c12e233219f 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -63,7 +63,9 @@ struct auth_operations {
NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **interim_info);
+ struct auth_user_info_dc **interim_info,
+ bool *authoritative);
+
/* Lookup a 'session info interim' return based only on the principal or DN */
NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
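Review bot: The new `authoritative` out-parameter on `check_password` has no comment stating its contract, yet the caller and the backends changed in this commit depend on an unwritten one. The loop in auth.c sets the flag to true before every call, and `anonymous_check_password` (shown in full in its hunk) never writes it, so "the caller pre-sets true, the backend may leave it untouched" is already part of the interface. I would document that above the member, along with whether the flag may be cleared together with a success status, e.g. `/* *authoritative is set to true by the caller; a backend clears it only when its answer is not final for this user */`. The struct continues outside the hunk.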
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index c8c3e11e5b3..51d1ed399bf 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -371,10 +371,12 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
tevent_req_data(req, struct auth_check_password_state);
NTSTATUS status;
struct auth_method_context *method;
+ bool authoritative = true;
status = NT_STATUS_OK;
for (method=state->auth_ctx->methods; method; method = method->next) {
+ authoritative = true;
/* we fill in state->method here so debug messages in
the callers know which method failed */
@@ -396,8 +398,10 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
status = method->ops->check_password(method,
state,
state->user_info,
- &state->user_info_dc);
- if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ &state->user_info_dc,
+ &authoritative);
+ if (!authoritative ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
DEBUG(11,("auth_check_password_send: "
"%s passes to the next method\n",
method->ops->name));
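Review bot: The `!authoritative ||` test at the call site is evaluated without looking at `status`, so a backend that returns NT_STATUS_OK but clears the flag is treated as a pass-through, and any `state->user_info_dc` it filled in stays set while the next method runs. If no later method claims the user, the post-loop block in the next hunk rewrites that success to NT_STATUS_NO_SUCH_USER, which fails closed, but the leftover `user_info_dc` and the silent downgrade are easy to misread. Unless success with a cleared flag is meant to be valid, I would consult the flag only on failure, `if ((!authoritative && !NT_STATUS_IS_OK(status)) ||`, and use the same condition in the post-loop check. The function starts and ends outside this hunk, so what follows the DEBUG call is inferred.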
@@ -408,7 +412,8 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
break;
}
- if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ if (!authoritative ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
state->authoritative = 0;
status = NT_STATUS_NO_SUCH_USER;
}
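Review bot: When the loop ends with `authoritative` false, the status the last backend returned is overwritten with NT_STATUS_NO_SUCH_USER here, and no log of the original value is visible in this hunk. The real failure reason is then unavailable to anyone investigating authentication failures. A debug line before the overwrite would keep it, e.g. `DEBUG(5, ("auth_check_password_send: non-authoritative %s mapped to NO_SUCH_USER\n", nt_errstr(status)));`. Separately, `state->authoritative = 0` assigns an integer where the new local is a `bool`; the field's declaration is not on this page, so that is only a consistency remark.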
diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
index 6d3d0ace82c..e8a9ed3b225 100644
--- a/source4/auth/ntlm/auth_anonymous.c
+++ b/source4/auth/ntlm/auth_anonymous.c
@@ -84,7 +84,8 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **_user_info_dc)
+ struct auth_user_info_dc **_user_info_dc,
+ bool *authoritative)
{
return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc);
}
diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index e7e4be96ae8..870357795f6 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -49,7 +49,8 @@ static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **_user_info_dc)
+ struct auth_user_info_dc **_user_info_dc,
+ bool *authoritative)
{
NTSTATUS nt_status;
struct auth_user_info_dc *user_info_dc;
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index f7da04e6573..54cc6437595 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -190,7 +190,8 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
uint16_t acct_flags,
const struct auth_usersupplied_info *user_info,
DATA_BLOB *user_sess_key,
- DATA_BLOB *lm_sess_key)
+ DATA_BLOB *lm_sess_key,
+ bool *authoritative)
{
NTSTATUS nt_status;
NTSTATUS auth_status;
@@ -495,7 +496,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
struct ldb_dn *domain_dn,
struct ldb_message *msg,
const struct auth_usersupplied_info *user_info,
- DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key)
+ DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key,
+ bool *authoritative)
{
NTSTATUS nt_status;
bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
@@ -530,7 +532,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
domain_dn, msg, acct_flags,
user_info,
- user_sess_key, lm_sess_key);
+ user_sess_key, lm_sess_key,
+ authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(tmp_ctx);
return nt_status;
@@ -572,7 +575,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ bool *authoritative)
{
NTSTATUS nt_status;
const char *account_name = user_info->mapped.account_name;
@@ -647,7 +651,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
}
nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info,
- &user_sess_key, &lm_sess_key);
+ &user_sess_key, &lm_sess_key, authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
@@ -882,7 +886,8 @@ static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx,
static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ bool *authoritative)
{
/*
* This should a good error for now,
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index ad780bafc82..c01ec35e14c 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -713,7 +713,8 @@ static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ bool *authoritative)
{
TALLOC_CTX *check_ctx;
NTSTATUS nt_status;
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index f5bd22acef6..7c815fc020e 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -99,7 +99,8 @@ struct winbind_check_password_state {
static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ bool *authoritative)
{
NTSTATUS status;
struct dcerpc_binding_handle *irpc_handle;
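Review bot: Neither `winbind_check_password` nor `winbind_check_password_wbclient` (next hunk) appears to write `*authoritative`, because the diffstat counts 6 changed lines for this file, which is exactly the two signature changes. These backends presumably relay a decision made by another service, so every winbind failure is reported as authoritative by default. If the winbind reply carries its own authoritative indication, it should be copied into the out-parameter. Until then I would mark the gap in both functions, e.g. `/* TODO: *authoritative keeps the caller's default (true); propagate the value from the winbind reply */`. Both function bodies continue outside their hunks.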
@@ -207,7 +208,8 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ bool *authoritative)
{
struct wbcAuthUserParams params;
struct wbcAuthUserInfo *info = NULL;