-rw-r--r-- | source3/auth/auth.c | 35 | ||||
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 10 | ||||
-rw-r--r-- | source3/auth/proto.h | 10 | ||||
-rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 12 | ||||
-rw-r--r-- | source3/torture/pdbtest.c | 10 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 7 |
6 files changed, 43 insertions, 41 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ef8fcef1010..11a777a404f 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
 * filled in, either at creation or by calling the challenge geneation
 * function auth_get_challenge().
 *
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
 *
 * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
 *
 **/
-
 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 const struct auth_context *auth_context,
 const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **pserver_info)
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative)
 {
 TALLOC_CTX *frame;
 const char *auth_method_name = "";
 /* if all the modules say 'not for me' this is reasonable */
- NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
 const char *unix_username;
 auth_methods *auth_method;
 struct auth_serversupplied_info *server_info;
@@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 frame = talloc_stackframe();
+ *pauthoritative = 1;
+
 DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
 user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
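Review bot: `*pauthoritative = 1;` is first written after `frame = talloc_stackframe();` in the second hunk, so any early return between the declarations in the first hunk and that line (old lines 175–178 are not in view) would leave the caller's flag unwritten; auth_ntlmssp.c and pdbtest.c pre-initialise a local to 0, but the NETLOGON and winbindd paths pass a caller-owned pointer straight through. Making the assignment the first statement of the function, ahead of the stack frame, turns "always written on return" into a guarantee the callee provides instead of one each caller has to compensate for. A one-line comment there, `/* assume final until a method proves nobody claimed the user */`, would record the default. auth_check_ntlm_password continues past this hunk.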
@@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 DBG_DEBUG("%s had nothing to say\n", auth_method->name);
 }
- /* check if the module did anything */
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
- ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
- /*
- * we don't expose the NT_STATUS_NOT_IMPLEMENTED
- * internals, except when the caller is only probing
- * one method, as they may do the fallback
- */
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ *pauthoritative = 0;
 nt_status = NT_STATUS_NO_SUCH_USER;
 }
 if (!NT_STATUS_IS_OK(nt_status)) {
 DBG_INFO("%s authentication for user [%s] FAILED with "
- "error %s\n",
+ "error %s, authoritative=%u\n",
 auth_method_name,
 user_info->client.account_name,
- nt_errstr(nt_status));
+ nt_errstr(nt_status),
+ *pauthoritative);
 goto fail;
 }
@@ -313,9 +313,10 @@ fail:
 /* failed authentication; check for guest lapping */
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
+ DEBUG(2, ("check_ntlm_password: Authentication for user "
+ "[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
 user_info->client.account_name, user_info->mapped.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status), *pauthoritative));
 ZERO_STRUCTP(pserver_info);
 TALLOC_FREE(frame);
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index a0e49027af9..0ff3bdd3439 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 struct auth_serversupplied_info *server_info;
 NTSTATUS nt_status;
 bool username_was_mapped;
+ uint8_t authoritative = 0;
 /* The client has given us its machine name (which we only get over NBT transport).
 We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
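Review bot: The new `if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED))` block drops the comment that explained why the internal status is rewritten, and the rule it now implements is security-relevant: only a NOT_IMPLEMENTED outcome clears the flag, so a method that owns the domain and answers NT_STATUS_NO_SUCH_USER itself stays authoritative, while "no method claimed the user" is reported as NO_SUCH_USER with authoritative=0 and invites the caller to consult another source. The old USER_INFO_LOCAL_SAM_ONLY carve-out that let a single-method probe see the raw NOT_IMPLEMENTED is gone as well, so callers that depended on it must now read the flag instead. I would put a comment of that shape above the block — stating that NOT_IMPLEMENTED means no module claimed the user, that the status is translated for callers, and that the flag is the only fallback signal they should use — rather than leaving the translation bare. The enclosing function starts and ends outside these hunks.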
@@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 nt_status = auth_check_ntlm_password(mem_ctx,
 auth_context,
 mapped_user_info,
- &server_info);
+ &server_info,
+ &authoritative);
 if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
+ DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
+ "%s, authoritative=%u\n",
 user_info->client.domain_name,
 user_info->client.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status),
+ authoritative));
 }
 username_was_mapped = mapped_user_info->was_mapped;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 11013461f3f..ccc284cadcf 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
 * filled in, either at creation or by calling the challenge geneation
 * function auth_get_challenge().
 *
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
 *
 * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
 *
@@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 const struct auth_context *auth_context,
 const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative);
 /* The following definitions come from auth/auth_builtin.c */
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 4c438022fc0..38d7bda9822 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
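Review bot: Within this hunk `authoritative` is consumed only by the DEBUG(5) line after the failed call, so an NTLMSSP logon that no auth method claimed looks to the auth4_context caller exactly like a definite NT_STATUS_NO_SUCH_USER; auth3_check_password continues past the hunk, so it may be propagated further down, but nothing visible here does so. If logging is all that is intended for now, a remark at the declaration in the earlier hunk, `/* only logged; the NTLMSSP path does not yet report non-authoritative results upward */`, keeps the next reader from assuming the flag reaches gensec.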
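Review bot: The new `@param pauthoritative Indicates if the result should be treated as final result.` in proto.h does not tell a caller which value means what, which matters because 0 is the signal that a fallback to another account source is permitted. I would write it as `@param pauthoritative Set to 1 when an auth method answered for the user and the status is final; set to 0 when no method handled the request, in which case the status is NT_STATUS_NO_SUCH_USER and the caller may try another source.` and add that callers should still initialise it, since the implementation writes it only once its method loop is reached.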
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 status = auth_check_ntlm_password(p->mem_ctx,
 auth_context,
 user_info,
- &server_info);
+ &server_info,
+ r->out.authoritative);
 }
 TALLOC_FREE(auth_context);
@@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 /* Check account and password */
 if (!NT_STATUS_IS_OK(status)) {
- /* If we don't know what this domain is, we need to
- indicate that we are not authoritative. This
- allows the client to decide if it needs to try
- a local user. Fix by jpjanosi@us.ibm.com, #2976 */
- if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
- && !strequal(nt_domain, get_global_sam_name())
- && !is_trusted_domain(nt_domain) )
- *r->out.authoritative = false; /* We are not authoritative */
-
 TALLOC_FREE(server_info);
 return status;
 }
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 000356644c1..b4428837c9e 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -269,7 +269,8 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 struct auth_serversupplied_info *server_info;
 NTSTATUS status;
 bool ok;
-
+ uint8_t authoritative = 0;
+
 SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, local_nt_response);
 SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
@@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 status = auth_check_ntlm_password(mem_ctx,
 auth_context,
 user_info,
- &server_info);
+ &server_info,
+ &authoritative);
 if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
+ DEBUG(0, ("Failed to test authentication with auth module: "
+ "%s authoritative[%u].\n",
+ nt_errstr(status), authoritative));
 return False;
 }
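Review bot: Removing the `!strequal(nt_domain, get_global_sam_name()) && !is_trusted_domain(nt_domain)` test in the second hunk makes the non-authoritative decision rest entirely on the auth methods returning NT_STATUS_NOT_IMPLEMENTED for a domain they do not own; any method that answers NT_STATUS_NO_SUCH_USER for an unknown domain now yields an authoritative failure, and the SamLogon client loses the local-account fallback the removed #2976 comment describes. That deserves a check against every method in the auth_method_list this call uses, and one sentence of the old rationale kept at the call site in the first hunk, e.g. `/* auth_check_ntlm_password() clears *r->out.authoritative when no method claimed the domain/user (bug #2976) */`. `*r->out.authoritative` is also written only on the branch that reaches the call; _netr_LogonSamLogon_base starts and ends outside these hunks, so the other branches' initialisation could not be verified here.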
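Review bot: In test_auth the new `authoritative` is only printed in the failure message of the second hunk, so the test never checks the contract the series introduces; since the account under test comes straight from passdb, a successful call should leave the flag at 1, and that can be pinned with `if (authoritative != 1) { DEBUG(0, ("authoritative flag not set for known user\n")); return False; }` placed right after the status check. test_auth continues outside the hunk.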
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 2bac9ec0089..74941c70115 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 status = auth_check_ntlm_password(mem_ctx,
 auth_context,
 user_info,
- &server_info);
-
+ &server_info,
+ pauthoritative);
 if (!NT_STATUS_IS_OK(status)) {
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- *pauthoritative = 0;
- }
 TALLOC_FREE(frame);
 return status;
 } |
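Review bot: The removed block tested `result` rather than `status`, so it is doubtful the old non-authoritative path ever fired from this function; with the flag now owned by auth_check_ntlm_password, the only requirement left on winbindd_dual_auth_passdb is that `*pauthoritative` is also assigned on any return taken before this call, which cannot be checked here because the function's start is outside the hunk. A short comment at the call, `/* *pauthoritative is written by auth_check_ntlm_password() on every call */`, documents where the value now comes from and why no local handling remains.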