diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-04-24 11:56:09 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-04-24 11:56:09 +0000 |
commit | 59e0836b7f4221fd002abab083f71f04dffe7648 (patch) | |
tree | da660ef946a99ed5fc5a74af265d014b73f2e250 /source3/auth | |
parent | 3f03ecf5627ec0eda7fdbb4314ba804574751ede (diff) | |
download | samba-59e0836b7f4221fd002abab083f71f04dffe7648.tar.gz samba-59e0836b7f4221fd002abab083f71f04dffe7648.tar.bz2 samba-59e0836b7f4221fd002abab083f71f04dffe7648.zip |
Merge auth changes from HEAD:
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors
- make auth_winbind load the ntdomain module if winbind isn't there.
- use new trusted domains cache to determine if the domain is valid.
Andrew Bartlett
(This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 91 | ||||
-rw-r--r-- | source3/auth/auth_builtin.c | 8 | ||||
-rw-r--r-- | source3/auth/auth_domain.c | 7 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 31 | ||||
-rw-r--r-- | source3/auth/auth_winbind.c | 16 |
5 files changed, 83 insertions, 70 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 71e9ab0428..09e8f5e722 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -334,6 +334,52 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) return NT_STATUS_OK; } +BOOL load_auth_module(struct auth_context *auth_context, + const char *module, auth_methods **ret) +{ + static BOOL initialised_static_modules = False; + + struct auth_init_function_entry *entry; + char *module_name = smb_xstrdup(module); + char *module_params = NULL; + char *p; + BOOL good = False; + + /* Initialise static modules if not done so yet */ + if(!initialised_static_modules) { + static_init_auth; + initialised_static_modules = True; + } + + DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n", + module)); + + p = strchr(module_name, ':'); + if (p) { + *p = 0; + module_params = p+1; + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); + + entry = auth_find_backend_entry(module_name); + + if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && + !(entry = auth_find_backend_entry(module_name))) { + DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name)); + } else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) { + DEBUG(0,("load_auth_module: auth method %s did not correctly init\n", + module)); + } else { + DEBUG(5,("load_auth_module: auth method %s has a valid init\n", + module)); + good = True; + } + SAFE_FREE(module_name); + return good; +} + /*************************************************************************** Make a auth_info struct for the auth subsystem ***************************************************************************/ @@ -344,7 +390,6 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, auth_methods *t = NULL; auth_methods *tmp; NTSTATUS nt_status; - static BOOL initialised_static_modules = False; if (!text_list) { DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); @@ -354,44 +399,10 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; - /* Initialise static modules if not done so yet */ - if(!initialised_static_modules) { - static_init_auth; - initialised_static_modules = True; - } - for (;*text_list; text_list++) { - struct auth_init_function_entry *entry; - char *module_name = smb_xstrdup(*text_list); - char *module_params = NULL; - char *p; - - DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", - *text_list)); - - p = strchr(module_name, ':'); - if (p) { - *p = 0; - module_params = p+1; - trim_string(module_params, " ", " "); - } - - trim_string(module_name, " ", " "); - - entry = auth_find_backend_entry(module_name); - - if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && - !(entry = auth_find_backend_entry(module_name))) { - DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name)); - } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) { - DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", - *text_list)); - } else { - DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", - *text_list)); - DLIST_ADD_END(list, t, tmp); - } - SAFE_FREE(module_name); + if (load_auth_module(*auth_context, *text_list, &t)) { + DLIST_ADD_END(list, t, tmp); + } } (*auth_context)->auth_method_list = list; @@ -417,7 +428,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); @@ -443,7 +454,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 509a4afba9..5d72898006 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -50,7 +50,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, /* Guest modules initialisation */ -NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) +static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -60,6 +60,7 @@ NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, return NT_STATUS_OK; } +#ifdef DEVELOPER /** * Return an error based on username * @@ -101,7 +102,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ /** Module initialisation function */ -NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -150,7 +151,7 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex /** Module initailisation function */ -NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -160,6 +161,7 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char (*auth_method)->name = "fixed_challenge"; return NT_STATUS_OK; } +#endif /* DEVELOPER */ int auth_builtin_init(void) { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e49a41763b..db5f7d82b0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -175,6 +175,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { + /* map to something more useful */ + if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { + result = NT_STATUS_NO_LOGON_SERVERS; + } + release_server_mutex(); return result; } @@ -272,7 +277,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { + if (!rpc_find_dc(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d0f1fc1e34..a3ca0b226f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -219,35 +219,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, where it doens't supply a domain for logon script 'net use' commands. - The way I do it here is by checking if the fully - qualified username exists. This is rather reliant - on winbind, but until we have a better method this - will have to do + Finally, we do this by looking up a cache of trusted domains! */ domain = client_domain; - if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ - char *user = NULL; - if (asprintf(&user, "%s%s%s", - client_domain, lp_winbind_separator(), - smb_name) < 0) { - DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return NT_STATUS_NO_MEMORY; - } - - DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); - - if (Get_Pwnam(user) == NULL) { - DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); - domain = lp_workgroup(); - DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", - client_domain, domain)); - } else { - DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); - } - SAFE_FREE(user); + if (is_trusted_domain(domain)) { + return make_user_info(user_info, smb_name, internal_username, + client_domain, domain, wksta_name, + lm_pwd, nt_pwd, plaintext, ntlmssp_flags, + encrypted); } + } else { domain = lp_workgroup(); } diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index e2a292dd01..df08b6440a 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -103,6 +103,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + if (result == NSS_STATUS_UNAVAIL) { + struct auth_methods *auth_method = my_private_data; + return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + } + nt_status = NT_STATUS(response.data.auth.nt_status); if (result == NSS_STATUS_SUCCESS && response.extra_data) { @@ -127,11 +132,18 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* module initialisation */ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { - if (!make_auth_methods(auth_context, auth_method)) - return NT_STATUS_NO_MEMORY; (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; + + if (param && *param) { + /* we load the 'fallback' module - if winbind isn't here, call this + module */ + if (!load_auth_module(auth_context, param, &(*auth_method)->private_data)) { + return NT_STATUS_UNSUCCESSFUL; + } + + } return NT_STATUS_OK; } |