author | Garming Sam <garming@catalyst.net.nz> | 2017-04-03 15:21:29 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-05-30 08:06:06 +0200 |
commit | a6a19e4308d4e81418eb5810cf492407dc91344b (patch) | |
tree | 6d1fa2d58e14d99901572c3e087b1ab441076995 /source4/auth | |
parent | deec2af7d2d0beb612bc9f35cca66cc825b9816d (diff) | |
download | samba-a6a19e4308d4e81418eb5810cf492407dc91344b.tar.gz |
auth4: Add authoritative flag to check_password
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth.h | 4 | ||||
-rw-r--r-- | source4/auth/ntlm/auth.c | 11 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_anonymous.c | 3 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_developer.c | 3 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 17 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_unix.c | 3 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_winbind.c | 6 |
7 files changed, 32 insertions, 15 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index e1b642eb92d..c12e233219f 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -63,7 +63,9 @@ struct auth_operations { NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **interim_info); + struct auth_user_info_dc **interim_info, + bool *authoritative); + /* Lookup a 'session info interim' return based only on the principal or DN */ NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index c8c3e11e5b3..51d1ed399bf 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -371,10 +371,12 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, tevent_req_data(req, struct auth_check_password_state); NTSTATUS status; struct auth_method_context *method; + bool authoritative = true; status = NT_STATUS_OK; for (method=state->auth_ctx->methods; method; method = method->next) { + authoritative = true; /* we fill in state->method here so debug messages in the callers know which method failed */ @@ -396,8 +398,10 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, status = method->ops->check_password(method, state, state->user_info, - &state->user_info_dc); - if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { + &state->user_info_dc, + &authoritative); + if (!authoritative || + NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { DEBUG(11,("auth_check_password_send: " "%s passes to the next method\n", method->ops->name)); @@ -408,7 +412,8 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, break; } - if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { + if (!authoritative || + NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { state->authoritative = 0; status = NT_STATUS_NO_SUCH_USER; } 
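Review bot: The new `bool *authoritative` out-parameter on `check_password` in `struct auth_operations` has no stated contract, so a backend author cannot tell whether it must be written on every return path. Going by the auth.c hunks in this commit, the caller presets it to `true` before each method and treats `false` as "try the next method". A comment on the member would pin that down, for example `/* *authoritative is preset to true by the caller; set it to false only when this method cannot give a final answer for this user */`. If the pointer is guaranteed non-NULL, the comment should say so as well.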
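Review bot: The fall-through test `if (!authoritative || NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED))` in `auth_check_password_async_trigger` now discards whatever status the method returned, yet the level-11 message still prints only the method name. Logging the dropped status keeps the chain's decisions traceable when a logon failure is investigated: `"%s passes to the next method (%s)\n", method->ops->name, nt_errstr(status)));`. The rest of this branch lies outside the hunk, so I am assuming it continues the loop as before. It is also worth confirming that `state->user_info_dc` cannot stay populated by a method whose answer is then ignored.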
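Review bot: After the loop, `!authoritative` rewrites whatever the last method returned to `NT_STATUS_NO_SUCH_USER`, and nothing in the code says this is deliberate. A one-line comment above the test would make the fail-closed intent explicit, for example `/* no method gave an authoritative answer: report NO_SUCH_USER and mark the result non-authoritative */`. `state->authoritative = 0;` sits next to a `bool` local, so `false` would read more consistently if the field is a bool; its declaration is not in this hunk.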
diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c index 6d3d0ace82c..e8a9ed3b225 100644 --- a/source4/auth/ntlm/auth_anonymous.c +++ b/source4/auth/ntlm/auth_anonymous.c @@ -84,7 +84,8 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, static NTSTATUS anonymous_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **_user_info_dc) + struct auth_user_info_dc **_user_info_dc, + bool *authoritative) { return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc); } diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c index e7e4be96ae8..870357795f6 100644 --- a/source4/auth/ntlm/auth_developer.c +++ b/source4/auth/ntlm/auth_developer.c @@ -49,7 +49,8 @@ static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx, static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **_user_info_dc) + struct auth_user_info_dc **_user_info_dc, + bool *authoritative) { NTSTATUS nt_status; struct auth_user_info_dc *user_info_dc; diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index f7da04e6573..54cc6437595 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -190,7 +190,8 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con uint16_t acct_flags, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, - DATA_BLOB *lm_sess_key) + DATA_BLOB *lm_sess_key, + bool *authoritative) { NTSTATUS nt_status; NTSTATUS auth_status; 
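Review bot: `anonymous_check_password` takes the new `authoritative` pointer and never touches it, so its answer counts as authoritative only because the caller in auth.c presets the flag to `true`. A short comment in the body keeps that dependency visible: `/* *authoritative is left as preset by the caller */`. The same applies to the signature-only hunks in auth_developer.c, auth_unix.c and auth_winbind.c, and to `authsam_failtrusts_check_password` in auth_sam.c. Their bodies continue outside the hunks, so I cannot see whether they write the flag.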
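Review bot: `authsam_password_check_and_record` now receives `authoritative`, and going by its name it also records the outcome of the attempt; its body is outside the hunk, so this is inferred. If it can clear the flag after recording a failure, the loop in auth.c will move on to the next method with that side effect already applied. The function's header comment should therefore state on which return paths `*authoritative` may be set to false and whether that happens before or after any accounting. In the auth_sam.c hunks shown, the pointer is only handed down through `authsam_check_password_internals` and `authsam_authenticate`; no visible line writes it.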
@@ -495,7 +496,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, struct ldb_dn *domain_dn, struct ldb_message *msg, const struct auth_usersupplied_info *user_info, - DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) + DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key, + bool *authoritative) { NTSTATUS nt_status; bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH); @@ -530,7 +532,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, nt_status = authsam_password_check_and_record(auth_context, tmp_ctx, domain_dn, msg, acct_flags, user_info, - user_sess_key, lm_sess_key); + user_sess_key, lm_sess_key, + authoritative); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(tmp_ctx); return nt_status; @@ -572,7 +575,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **user_info_dc) + struct auth_user_info_dc **user_info_dc, + bool *authoritative) { NTSTATUS nt_status; const char *account_name = user_info->mapped.account_name; @@ -647,7 +651,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx } nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info, - &user_sess_key, &lm_sess_key); + &user_sess_key, &lm_sess_key, authoritative); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; @@ -882,7 +886,8 @@ static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx, static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **user_info_dc) + struct auth_user_info_dc **user_info_dc, + bool *authoritative) { /* * This should a good error for now, 
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c index ad780bafc82..c01ec35e14c 100644 --- a/source4/auth/ntlm/auth_unix.c +++ b/source4/auth/ntlm/auth_unix.c @@ -713,7 +713,8 @@ static NTSTATUS authunix_want_check(struct auth_method_context *ctx, static NTSTATUS authunix_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **user_info_dc) + struct auth_user_info_dc **user_info_dc, + bool *authoritative) { TALLOC_CTX *check_ctx; NTSTATUS nt_status; diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c index f5bd22acef6..7c815fc020e 100644 --- a/source4/auth/ntlm/auth_winbind.c +++ b/source4/auth/ntlm/auth_winbind.c @@ -99,7 +99,8 @@ struct winbind_check_password_state { static NTSTATUS winbind_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **user_info_dc) + struct auth_user_info_dc **user_info_dc, + bool *authoritative) { NTSTATUS status; struct dcerpc_binding_handle *irpc_handle; @@ -207,7 +208,8 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx, static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_user_info_dc **user_info_dc) + struct auth_user_info_dc **user_info_dc, + bool *authoritative) { struct wbcAuthUserParams params; struct wbcAuthUserInfo *info = NULL; |