summaryrefslogtreecommitdiff
path: root/source3/auth
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-06-30 17:24:59 +0000
committerGerald Carter <jerry@samba.org>2003-06-30 17:24:59 +0000
commitf2659351017a8b2ec12548a3967cdf2767738e08 (patch)
treef552a2a0cea5192d7aa01af3daac2beb43eb9b50 /source3/auth
parent1d8cd8faf620cb068d740d8fad7968525d45e83a (diff)
downloadsamba-f2659351017a8b2ec12548a3967cdf2767738e08.tar.gz
samba-f2659351017a8b2ec12548a3967cdf2767738e08.tar.bz2
samba-f2659351017a8b2ec12548a3967cdf2767738e08.zip
* rename samstrict auth method to sam
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_sam.c85
-rw-r--r--source3/auth/auth_util.c4
2 files changed, 31 insertions, 58 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 161376616b..1690e4d5e1 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -4,6 +4,7 @@
Copyright (C) Andrew Tridgell 1992-2000
Copyright (C) Luke Kenneth Casson Leighton 1996-2000
Copyright (C) Andrew Bartlett 2001
+ Copyright (C) Gerald Carter 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -470,14 +471,14 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
}
/* module initialisation */
-static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_sam_security;
- (*auth_method)->name = "sam";
+ (*auth_method)->name = "sam_ignoredomain";
return NT_STATUS_OK;
}
@@ -492,83 +493,55 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
+ BOOL is_local_name, is_my_domain;
if (!user_info || !auth_context) {
return NT_STATUS_LOGON_FAILURE;
}
- /* If we are a domain member, we must not
- attempt to check the password locally,
- unless it is one of our aliases. */
+ is_local_name = is_myname(user_info->domain.str);
+ is_my_domain = strequal(user_info->domain.str, lp_workgroup());
+
+ /* check whether or not we service this domain/workgroup name */
- if (!is_myname(user_info->domain.str)) {
- DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
+ switch ( lp_server_role() ) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ if ( !is_local_name ) {
+ DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
+ user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER
+ ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ if ( !is_local_name && !is_my_domain ) {
+ DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
+ user_info->domain.str));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ default: /* name is ok */
+ break;
}
return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
}
/* module initialisation */
-static NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_samstrict_security;
- (*auth_method)->name = "samstrict";
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
-Check SAM security (above) but with a few extra checks if we're a DC.
-****************************************************************************/
-
-static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
-{
-
- if (!user_info || !auth_context) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- /* If we are a PDC we must not check the password here
- unless it is one of our aliases, empty
- or equal to our domain name. Other names may be
- Trusted domains.
- */
-
- if ((!is_myworkgroup(user_info->domain.str))&&
- (!is_myname(user_info->domain.str))) {
- DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
-}
-
-/* module initialisation */
-static NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- (*auth_method)->auth = check_samstrict_dc_security;
- (*auth_method)->name = "samstrict_dc";
+ (*auth_method)->name = "sam";
return NT_STATUS_OK;
}
NTSTATUS auth_sam_init(void)
{
- smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc);
- smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict);
smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
+ smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
return NT_STATUS_OK;
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 71fdb0050b..1538fc50a1 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
/* do what win2k does. Always map unknown domains to our own
and let the "passdb backend" handle unknown users */
- if ( !is_trusted_domain(domain) )
- domain = lp_workgroup();
+ if ( !is_trusted_domain(domain) )
+ domain = get_global_sam_name();
/* we know that it is a trusted domain (and we are allowing them) or it is our domain */