From 98d2d5a40358e26d34c81047d80b79876a8ddab9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 Dec 2019 14:53:20 +0100 Subject: auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to LOGON_FAILURE later. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- auth/gensec/gensec.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) (limited to 'auth/gensec') diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index 91d8cce3f4c..becf4ce8685 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c @@ -502,8 +502,43 @@ static void gensec_update_done(struct tevent_req *subreq) TALLOC_FREE(subreq); state->status = status; if (GENSEC_UPDATE_IS_NTERROR(status)) { - DBG_INFO("%s[%p]: %s%s%s\n", state->ops->name, - state->gensec_security, nt_errstr(status), + NTSTATUS orig_status = status; + bool force_no_such_user = false; + + /* + * callers only expect NT_STATUS_NO_SUCH_USER. + */ + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) { + force_no_such_user = true; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) { + force_no_such_user = true; + } + + if (state->gensec_security->subcontext) { + /* + * We should only map on the outer + * gensec_update exchange, spnego + * needs the raw status. + */ + force_no_such_user = false; + } + + if (force_no_such_user) { + /* + * nt_status_squash() may map + * to NT_STATUS_LOGON_FAILURE later + */ + status = NT_STATUS_NO_SUCH_USER; + } + + DBG_INFO("%s[%p]: %s%s%s%s%s\n", + state->ops->name, + state->gensec_security, + NT_STATUS_EQUAL(status, orig_status) ? + "" : nt_errstr(orig_status), + NT_STATUS_EQUAL(status, orig_status) ? + "" : " ", + nt_errstr(status), debug_subreq ? " " : "", debug_subreq ? debug_subreq : ""); tevent_req_nterror(req, status); -- cgit v1.2.1