diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-01-13 13:11:36 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-01-13 13:11:36 +0000 |
commit | 8a78a0a27ae5fdf43f137ea3c9fcd6dc4862a70f (patch) | |
tree | 7747416f53956e486c7cb3f41cbdf3c9a06a4eb5 /source3/auth/auth_sam.c | |
parent | 5bd2d3f2ee18284b755b2690de06a03de9391b06 (diff) | |
download | samba-8a78a0a27ae5fdf43f137ea3c9fcd6dc4862a70f.tar.gz samba-8a78a0a27ae5fdf43f137ea3c9fcd6dc4862a70f.tar.bz2 samba-8a78a0a27ae5fdf43f137ea3c9fcd6dc4862a70f.zip |
Patch from metze to add what he feels is the correct semantics for a Domain
Controller. As we have had a number of attempts at this over the last little
while, I need to get my test rig going, and give this whole area a poke...
Meanwhile, if you want to use this, just adjust your 'auth methods' line to use
samstrict_dc...
Andrew Bartlett
(This used to be commit 18e598ec24493026008fcfe486057555b8832108)
Diffstat (limited to 'source3/auth/auth_sam.c')
-rw-r--r-- | source3/auth/auth_sam.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 79fded870e..9650dc0940 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context unless it is one of our aliases. */ if (!is_myname(user_info->domain.str)) { + DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); return NT_STATUS_NO_SUCH_USER; } @@ -498,4 +500,45 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } +/**************************************************************************** +Check SAM security (above) but with a few extra checks if we're a DC. +****************************************************************************/ + +static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + if (!user_info || !auth_context) { + return NT_STATUS_LOGON_FAILURE; + } + + /* If we are a domain member, we must not + attempt to check the password locally, + unless it is one of our aliases, empty + or our domain if we are a logon server.*/ + + + if ((!is_myworkgroup(user_info->domain.str))&& + (!is_myname(user_info->domain.str))) { + DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", + user_info->domain.str,user_info->internal_username.str)); + return NT_STATUS_NO_SUCH_USER; + } + + return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); +} + +/* module initialisation */ +NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->auth = check_samstrict_dc_security; + (*auth_method)->name = "samstrict_dc"; + return NT_STATUS_OK; +} |