A number of things to clean up the auth subsytem a bit...

We now default encrypt passwords = yes

We now check plaintext passwords (however aquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.

(this kills off the 'local' backed.  The sam backend may be renamed in its
place)

The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.

Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.

The default ordering has changed, we now check the local stuff first - but
becouse of the changes above, we will really only ever contact one
auth source.

Andrew Bartlett
(This used to be commit e89b47f65e7eaf5eb288a3d6ba2d3d115c628e7e)

7 files changed, 110 insertions, 53 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index e68f4a1aac..e22c52702c 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -36,7 +36,7 @@ static BOOL check_domain_match(char *user, char *domain)
    */
 
   if (!lp_allow_trusted_domains() &&
-      (!strequal(lp_workgroup(), domain) || strequal("", domain))) {
+      (strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) {
       DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
       return False;
   } else {
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 482ae6dee1..2bba36f754 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -56,36 +56,6 @@ BOOL auth_init_guest(auth_methods **auth_method)
 }
 
 /****************************************************************************
- Check against either sam or unix, depending on encryption.
-****************************************************************************/
-
-static NTSTATUS check_local_security(void *my_private_data,
-			      const auth_usersupplied_info *user_info, 
-			      const auth_authsupplied_info *auth_info,
-			      auth_serversupplied_info **server_info)
-{
-	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
-
-	if (user_info->encrypted) {
-		nt_status = check_sam_security(my_private_data, user_info, auth_info, server_info);
-	} else {
-		nt_status = check_unix_security(my_private_data, user_info, auth_info, server_info);
-	}
-	
-	return nt_status;
-}
-
-BOOL auth_init_local(auth_methods **auth_method) 
-{
-	if (!make_auth_methods(auth_method)) {
-		return False;
-	}
-
-	(*auth_method)->auth = check_local_security;
-	return True;
-}
-
-/****************************************************************************
  Return an error based on username
 ****************************************************************************/
 
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index c605356af8..a41e43bd82 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -285,17 +285,6 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 	NTSTATUS status;
 	struct passwd *pass;
 
-	/* 
-	 * Check that the requested domain is not our own machine name.
-	 * If it is, we should never check the PDC here, we use our own local
-	 * password file.
-	 */
-
-	if(strequal(user_info->domain.str, global_myname)) {
-		DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
-		return NT_STATUS_LOGON_FAILURE;
-	}
-
 	/*
 	 * At this point, smb_apasswd points to the lanman response to
 	 * the challenge in local_challenge, and smb_ntpasswd points to
@@ -445,6 +434,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data,
 	unsigned char trust_passwd[16];
 	time_t last_change_time;
 
+	if (!user_info || !server_info || !auth_info) {
+		DEBUG(1,("check_ntdomain_security: Critical variables not present.  Failing.\n"));
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	/* 
+	 * Check that the requested domain is not our own machine name.
+	 * If it is, we should never check the PDC here, we use our own local
+	 * password file.
+	 */
+
+	if(is_netbios_alias_or_name(user_info->domain.str)) {
+		DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
 	become_root();
 
 	/*
diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c
index 8087be48f2..99648aba8d 100644
--- a/source3/auth/auth_info.c
+++ b/source3/auth/auth_info.c
@@ -25,9 +25,9 @@ const struct auth_init_function builtin_auth_init_functions[] = {
 	{ "guest", auth_init_guest },
 	{ "rhosts", auth_init_rhosts },
 	{ "hostsequiv", auth_init_hostsequiv },
-	{ "sam", auth_init_sam },
+	{ "sam", auth_init_sam },	
+	{ "samstrict", auth_init_samstrict },
 	{ "unix", auth_init_unix },
-	{ "local", auth_init_local },
 	{ "smbserver", auth_init_smbserver },
 	{ "ntdomain", auth_init_ntdomain },
 	{ "winbind", auth_init_winbind },
@@ -139,23 +139,33 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info)
 		{
 		case SEC_DOMAIN:
 			DEBUG(5,("Making default auth method list for security=domain\n"));
-			auth_method_list = lp_list_make("guest ntdomain local");
+			auth_method_list = lp_list_make("guest samstrict ntdomain");
 			break;
 		case SEC_SERVER:
 			DEBUG(5,("Making default auth method list for security=server\n"));
-			auth_method_list = lp_list_make("guest smbserver local");
+			auth_method_list = lp_list_make("guest samstrict smbserver");
 			break;
 		case SEC_USER:
-			DEBUG(5,("Making default auth method list for security=user\n"));
-			auth_method_list = lp_list_make("guest local");
+			if (lp_encrypted_passwords()) {	
+				DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
+				auth_method_list = lp_list_make("guest sam");
+			} else {
+				DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
+				auth_method_list = lp_list_make("guest unix");
+			}
 			break;
 		case SEC_SHARE:
-			DEBUG(5,("Making default auth method list for security=share\n"));
-			auth_method_list = lp_list_make("guest local");
+			if (lp_encrypted_passwords()) {
+				DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
+				auth_method_list = lp_list_make("guest sam");
+			} else {
+				DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
+				auth_method_list = lp_list_make("guest unix");
+			}
 			break;
 		case SEC_ADS:
 			DEBUG(5,("Making default auth method list for security=ADS\n"));
-			auth_method_list = lp_list_make("guest ads ntdomain local");
+			auth_method_list = lp_list_make("guest samstrict ads ntdomain");
 			break;
 		default:
 			DEBUG(5,("Unknown auth method!\n"));
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 421349a765..d899006cf8 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -337,7 +337,7 @@ SMB hash supplied in the user_info structure
 return an NT_STATUS constant.
 ****************************************************************************/
 
-NTSTATUS check_sam_security(void *my_private_dat,
+static NTSTATUS check_sam_security(void *my_private_data,
 			    const auth_usersupplied_info *user_info, 
 			    const auth_authsupplied_info *auth_info,
 			    auth_serversupplied_info **server_info)
@@ -408,5 +408,40 @@ BOOL auth_init_sam(auth_methods **auth_method)
 	return True;
 }
 
+/****************************************************************************
+check if a username/password is OK assuming the password is a 24 byte
+SMB hash supplied in the user_info structure
+return an NT_STATUS constant.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_security(void *my_private_data,
+				  const auth_usersupplied_info *user_info, 
+				  const auth_authsupplied_info *auth_info,
+				  auth_serversupplied_info **server_info)
+{
+
+	if (!user_info || !auth_info) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	/* If we are a domain member, we must not 
+	   attempt to check the password locally,
+	   unless it is one of our aliases. */
+	
+	if (!is_netbios_alias_or_name(user_info->domain.str)) {
+		return NT_STATUS_NO_SUCH_USER;
+	}
+	
+	return check_sam_security(my_private_data, user_info, auth_info, server_info);
+}
+
+BOOL auth_init_samstrict(auth_methods **auth_method) 
+{
+	if (!make_auth_methods(auth_method)) {
+		return False;
+	}
 
+	(*auth_method)->auth = check_samstrict_security;
+	return True;
+}
 
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index a3cfc3a0e6..d061a5a84f 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -186,6 +186,17 @@ static NTSTATUS check_smbserver_security(void *my_private_data,
 	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 	BOOL locally_made_cli = False;
 
+	/* 
+	 * Check that the requested domain is not our own machine name.
+	 * If it is, we should never check the PDC here, we use our own local
+	 * password file.
+	 */
+
+	if(is_netbios_alias_or_name(user_info->domain.str)) {
+		DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
 	cli = my_private_data;
 	
 	if (cli) {
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 393c4a74a2..9d8a4abc5e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1238,7 +1238,7 @@ static void init_globals(void)
 	Globals.minprotocol = PROTOCOL_CORE;
 	Globals.security = SEC_USER;
 	Globals.paranoid_server_security = True;
-	Globals.bEncryptPasswords = False;
+	Globals.bEncryptPasswords = True;
 	Globals.bUpdateEncrypt = False;
 	Globals.bReadRaw = True;
 	Globals.bWriteRaw = True;
@@ -3850,3 +3850,29 @@ void get_private_directory(pstring privdir)
 {
 	pstrcpy (privdir, lp_private_dir());
 }
+
+
+/****************************************************************
+ Is netbios alias or name
+*****************************************************************/
+
+BOOL is_netbios_alias_or_name(char *name)
+{
+	char **netbios_aliases = lp_netbios_aliases();
+	
+	if (StrCaseCmp(name, global_myname) == 0) {
+		return True;
+	}
+
+	for (netbios_aliases = lp_netbios_aliases();
+	     netbios_aliases && *netbios_aliases;
+	     netbios_aliases++) {
+		if (StrCaseCmp(name, *netbios_aliases) == 0) {
+			return True;
+		}
+	}
+	
+	return False;
+}
+
+