diff options
author | Gerald Carter <jerry@samba.org> | 2003-06-30 17:24:59 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-06-30 17:24:59 +0000 |
commit | f2659351017a8b2ec12548a3967cdf2767738e08 (patch) | |
tree | f552a2a0cea5192d7aa01af3daac2beb43eb9b50 /source3/auth | |
parent | 1d8cd8faf620cb068d740d8fad7968525d45e83a (diff) | |
download | samba-f2659351017a8b2ec12548a3967cdf2767738e08.tar.gz samba-f2659351017a8b2ec12548a3967cdf2767738e08.tar.bz2 samba-f2659351017a8b2ec12548a3967cdf2767738e08.zip |
* rename samstrict auth method to sam
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth_sam.c | 85 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 4 |
2 files changed, 31 insertions, 58 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 161376616b..1690e4d5e1 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -4,6 +4,7 @@ Copyright (C) Andrew Tridgell 1992-2000 Copyright (C) Luke Kenneth Casson Leighton 1996-2000 Copyright (C) Andrew Bartlett 2001 + Copyright (C) Gerald Carter 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -470,14 +471,14 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, } /* module initialisation */ -static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_sam_security; - (*auth_method)->name = "sam"; + (*auth_method)->name = "sam_ignoredomain"; return NT_STATUS_OK; } @@ -492,83 +493,55 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { + BOOL is_local_name, is_my_domain; if (!user_info || !auth_context) { return NT_STATUS_LOGON_FAILURE; } - /* If we are a domain member, we must not - attempt to check the password locally, - unless it is one of our aliases. */ + is_local_name = is_myname(user_info->domain.str); + is_my_domain = strequal(user_info->domain.str, lp_workgroup()); + + /* check whether or not we service this domain/workgroup name */ - if (!is_myname(user_info->domain.str)) { - DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); - return NT_STATUS_NO_SUCH_USER; + switch ( lp_server_role() ) { + case ROLE_STANDALONE: + case ROLE_DOMAIN_MEMBER: + if ( !is_local_name ) { + DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n", + user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER + ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") )); + return NT_STATUS_NOT_IMPLEMENTED; + } + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: + if ( !is_local_name && !is_my_domain ) { + DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n", + user_info->domain.str)); + return NT_STATUS_NOT_IMPLEMENTED; + } + default: /* name is ok */ + break; } return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); } /* module initialisation */ -static NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; } (*auth_method)->auth = check_samstrict_security; - (*auth_method)->name = "samstrict"; - return NT_STATUS_OK; -} - -/**************************************************************************** -Check SAM security (above) but with a few extra checks if we're a DC. -****************************************************************************/ - -static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - - if (!user_info || !auth_context) { - return NT_STATUS_LOGON_FAILURE; - } - - /* If we are a PDC we must not check the password here - unless it is one of our aliases, empty - or equal to our domain name. Other names may be - Trusted domains. - */ - - if ((!is_myworkgroup(user_info->domain.str))&& - (!is_myname(user_info->domain.str))) { - DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); - return NT_STATUS_NO_SUCH_USER; - } - - return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); -} - -/* module initialisation */ -static NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_samstrict_dc_security; - (*auth_method)->name = "samstrict_dc"; + (*auth_method)->name = "sam"; return NT_STATUS_OK; } NTSTATUS auth_sam_init(void) { - smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc); - smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict); smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam); + smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain); return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 71fdb0050b..1538fc50a1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ - if ( !is_trusted_domain(domain) ) - domain = lp_workgroup(); + if ( !is_trusted_domain(domain) ) + domain = get_global_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ |