authorAndrew Bartlett <abartlet@samba.org>2003-05-26 02:04:23 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-05-26 02:04:23 +0000
commit54e2ac64b7291d9c88d1525e7498e7750adbfbe0 (patch)
treecfb52c6d24ef8f95d3eb15e2bfcad688cbb7248c /source3/auth
parent6ace723c44f61c1166b90666ca6f5b2546ced46b (diff)
Add samstrict_dc from metze (been sitting in HEAD for way too long waiting for
me to review it). This patch works well for a DC running with trusted domains, because it lets you check the local SAM first, but only for this domain's users. Andrew Bartlett (This used to be commit e0bd4d2844e6073a83b72925bca1aec007a8dd0b)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_sam.c46
1 files changed, 46 insertions, 0 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index d46d362a92..13612db86e 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -501,6 +501,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
unless it is one of our aliases. */
if (!is_myname(user_info->domain.str)) {
+ DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
return NT_STATUS_NO_SUCH_USER;
}
@@ -519,8 +521,52 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para
return NT_STATUS_OK;
}
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+
+ if (!user_info || !auth_context) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /* If we are a PDC we must not check the password here
+ unless it is one of our aliases, empty
+ or equal to our domain name. Other names may be
+ Trusted domains.
+ */
+
+ if ((!is_myworkgroup(user_info->domain.str))&&
+ (!is_myname(user_info->domain.str))) {
+ DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*auth_method)->auth = check_samstrict_dc_security;
+ (*auth_method)->name = "samstrict_dc";
+ return NT_STATUS_OK;
+}
+
NTSTATUS auth_sam_init(void)
{
+ smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc);
smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict);
smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
return NT_STATUS_OK;
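Review bot: The comment above the new check in check_samstrict_dc_security says an empty domain is accepted ("one of our aliases, empty or equal to our domain name"), but the condition only consults is_myworkgroup() and is_myname(); unless one of those helpers treats "" as a match (not visible in this hunk), an empty domain name is rejected with NT_STATUS_NO_SUCH_USER and the comment misdescribes the policy. Either make the test explicit, e.g. `if (*user_info->domain.str != '\0' && !is_myworkgroup(user_info->domain.str) && !is_myname(user_info->domain.str)) {`, or drop "empty" from the comment so the accept/reject rule readers rely on matches the code; please confirm against the helper definitions first. Note also that `user_info->domain.str` is dereferenced without a NULL guard here, as in the existing samstrict check, so presumably the caller guarantees it is never NULL. Minor style: `(!is_myworkgroup(...))&&` is missing the spaces around `&&` used elsewhere in the file.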