authorGerald Carter <jerry@samba.org>2003-06-28 08:29:42 +0000
committerGerald Carter <jerry@samba.org>2003-06-28 08:29:42 +0000
commit8a6fc79ad8d9f1b6c4f604b173426bf821f98208 (patch)
tree6cfda8b5d1f1b94c9471c98b91277cd1e4b10500
parentb2fbc05c6bfd92354c8970c66581a32daaf6e6a3 (diff)
add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that
map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)
-rw-r--r--source3/auth/auth.c14
-rw-r--r--source3/auth/auth_domain.c41
-rw-r--r--source3/auth/auth_util.c31
3 files changed, 50 insertions, 36 deletions
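diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 891f47486b..25b856cd57 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -244,10 +244,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 return NT_STATUS_LOGON_FAILURE;
 for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
+ NTSTATUS result;
+
 mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
 user_info->domain.str, user_info->smb_name.str);
- nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+ result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+
+ /* check if the module did anything */
+ if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
+ DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
+ talloc_destroy(mem_ctx);
+ continue;
+ }
+
+ nt_status = result;
+
 if (NT_STATUS_IS_OK(nt_status)) {
 DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
 auth_method->name, user_info->smb_name.str));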
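Review bot: If every configured method returns NT_STATUS_NOT_IMPLEMENTED, the loop now leaves nt_status untouched and the function returns whatever it held before the loop; that initialisation is outside the hunk, so confirm it is a failure status and cannot be left at a success value by an earlier assignment. The new sentinel also means a genuine NT_STATUS_NOT_IMPLEMENTED coming back from a backend is skipped with only a level-10 log line, so the contract deserves a comment on the `continue`, e.g. `/* NT_STATUS_NOT_IMPLEMENTED is reserved for "this method does not handle this request"; try the next method and keep the previous nt_status */`. `NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)` would read better than comparing NT_STATUS_V values, if that macro is available in this tree. check_ntlm_password starts and ends outside the hunk.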
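diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index df19a274fb..84453ac3b5 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -401,11 +401,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 auth_serversupplied_info **server_info)
 {
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- char *password_server;
 unsigned char trust_passwd[16];
 time_t last_change_time;
 const char *domain = lp_workgroup();
 uint32 sec_channel_type = 0;
+ fstring dc_name;
+ struct in_addr dc_ip;
 if (!user_info || !server_info || !auth_context) {
 DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n"));
@@ -443,17 +444,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 }
 }
- /*
- * Treat each name in the 'password server =' line as a potential
- * PDC/BDC. Contact each in turn and try and authenticate.
- */
-
- password_server = lp_passwordserver();
-
+ if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) {
+ DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
+ user_info->domain.str));
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
 nt_status = domain_client_validate(mem_ctx, user_info, domain,
 (uchar *)auth_context->challenge.data,
- server_info,
- password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time);
+ server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time);
 return nt_status;
 }
@@ -485,6 +484,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 char *trust_password;
 time_t last_change_time;
 DOM_SID sid;
+ fstring dc_name;
+ struct in_addr dc_ip;
 if (!user_info || !server_info || !auth_context) {
 DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n"));
@@ -509,9 +510,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 if(strequal(lp_workgroup(), (user_info->domain.str))) {
 DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
- return NT_STATUS_LOGON_FAILURE;
+ return NT_STATUS_NOT_IMPLEMENTED;
 }
+ /* no point is bothering if this is not a trusted domain */
+ /* this return makes "map to guest = bad user" work again */
+
+ if ( !is_trusted_domain( user_info->domain.str ) )
+ return NT_STATUS_NO_SUCH_USER;
+
 /*
 * Get the trusted account password for the trusted domain
 * No need to become_root() as secrets_init() is done at startup.
@@ -537,11 +544,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 }
 #endif
+ if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) {
+ DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
+ user_info->domain.str));
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
 nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str,
 (uchar *)auth_context->challenge.data,
- server_info, "*" /* Do a lookup */,
- lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
-
+ server_info, dc_name, lp_workgroup(),
+ SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
+
 return nt_status;
 }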
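Review bot: In the check_ntdomain_security hunk the DC is located for the client-supplied `user_info->domain.str`, while everything handed to domain_client_validate on the next lines (`domain`, i.e. lp_workgroup(), plus our machine trust password and sec_channel_type) belongs to our own domain; unless this method is only ever reached for our own domain, the lookup key should presumably be `domain`, e.g. `if ( !rpc_dc_name(domain, dc_name, &dc_ip) ) {`, so that our trust credentials are never presented to a DC chosen by an untrusted domain name. The DEBUG message in that same block names check_trustdomain_security, copied from the block further down, and should read `check_ntdomain_security`. Both new blocks declare `dc_ip` but never use it after the call, and dropping the 'password server =' comment means that option is no longer consulted on this path, which is worth stating in a comment if intended. Both functions begin and end outside the hunks.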
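diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 7d0f44f1d1..fe4900f9f4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -204,32 +204,22 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
 client_domain, smb_name, wksta_name));
- if (lp_allow_trusted_domains() && *client_domain) {
-
- /* the client could have given us a workstation name
- or other crap for the workgroup - we really need a
- way of telling if this domain name is one of our
- trusted domain names
-
- Also don't allow "" as a domain, fixes a Win9X bug
+ /* don't allow "" as a domain, fixes a Win9X bug
 where it doens't supply a domain for logon script
- 'net use' commands.
-
- Finally, we do this by looking up a cache of trusted domains!
- */
+ 'net use' commands.*/
+ if ( *client_domain )
 domain = client_domain;
+ else
+ domain = lp_workgroup();
- if (is_trusted_domain(domain)) {
- return make_user_info(user_info, smb_name, internal_username,
- client_domain, domain, wksta_name,
- lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
- encrypted);
- }
+ /* do what win2k does. Always map unknown domains to our own
+ and let the "passdb backend" handle unknown users */
- } else {
+ if ( !is_trusted_domain(domain) )
 domain = lp_workgroup();
- }
+
+ /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
 return make_user_info(user_info,
 smb_name, internal_username,
@@ -238,7 +228,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 lm_pwd, nt_pwd,
 plaintext,
 ntlmssp_flags, encrypted);
-
 }
 /****************************************************************************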
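Review bot: The lp_allow_trusted_domains() gate on the client-supplied domain is gone from the first hunk: a non-empty client_domain is now kept whenever is_trusted_domain() accepts it, so 'allow trusted domains = no' is only still honoured if is_trusted_domain() consults that option itself, which is not visible here. The new comment `we know that it is a trusted domain (and we are allowing them)` asserts exactly that; either restore the gate, e.g. `if ( !lp_allow_trusted_domains() || !is_trusted_domain(domain) )`, or reword the comment to say the check lives in is_trusted_domain(). The reflowed comment also ends `'net use' commands.*/`, losing the space before the closing delimiter. make_user_info_map continues outside the hunk.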