authorAndrew Bartlett <abartlet@samba.org>2003-05-26 02:04:23 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-05-26 02:04:23 +0000
commit54e2ac64b7291d9c88d1525e7498e7750adbfbe0 (patch)
treecfb52c6d24ef8f95d3eb15e2bfcad688cbb7248c
parent6ace723c44f61c1166b90666ca6f5b2546ced46b (diff)
Add samstrict_dc from metze (been sitting in HEAD for way too long waiting for
me to review it). This patch works well for a DC running with trusted domains, because it lets you check the local SAM first, but only for this domain's users. Andrew Bartlett (This used to be commit e0bd4d2844e6073a83b72925bca1aec007a8dd0b)
-rw-r--r--source3/auth/auth_sam.c46
1 files changed, 46 insertions, 0 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index d46d362a92..13612db86e 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -501,6 +501,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
unless it is one of our aliases. */
if (!is_myname(user_info->domain.str)) {
+ DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
return NT_STATUS_NO_SUCH_USER;
}
@@ -519,8 +521,52 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para
return NT_STATUS_OK;
}
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+
+ if (!user_info || !auth_context) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /* If we are a PDC we must not check the password here
+ unless it is one of our aliases, empty
+ or equal to our domain name. Other names may be
+ Trusted domains.
+ */
+
+ if ((!is_myworkgroup(user_info->domain.str))&&
+ (!is_myname(user_info->domain.str))) {
+ DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*auth_method)->auth = check_samstrict_dc_security;
+ (*auth_method)->name = "samstrict_dc";
+ return NT_STATUS_OK;
+}
+
NTSTATUS auth_sam_init(void)
{
+ smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc);
smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict);
smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
return NT_STATUS_OK;
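Review bot: The header comment in check_samstrict_dc_security promises that an empty domain is accepted along with our aliases and our workgroup name, but the condition only calls is_myworkgroup() and is_myname(); whether "" passes depends on how those helpers treat an empty string, which is not visible here, so an empty-domain logon may end in NT_STATUS_NO_SUCH_USER instead of the local SAM lookup the comment describes. If the empty case is intended, make it explicit, e.g. `if (*user_info->domain.str != '\0' && !is_myworkgroup(user_info->domain.str) && !is_myname(user_info->domain.str)) {` — assuming domain.str is never NULL at this point, which the hunk does not show — otherwise drop "empty" from the comment so the documented policy matches the enforced one. The "if we're a DC" wording is also misleading, since nothing in the function checks the server role; a comment such as `Intended for DC installations (the module is selected by name, nothing here verifies the role).` would state what the code actually guarantees. Minor style: `(!is_myworkgroup(user_info->domain.str))&&` wants spaces around `&&` and the redundant parentheses dropped to match the surrounding code.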