Patch from metze to add what he feels is the correct semantics for a Domain

Controller.  As we have had a number of attempts at this over the last little
while, I need to get my test rig going, and give this whole area a poke...

Meanwhile, if you want to use this, just adjust your 'auth methods' line to use
samstrict_dc...

Andrew Bartlett
(This used to be commit 18e598ec24493026008fcfe486057555b8832108)

3 files changed, 61 insertions, 0 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 5d56603b9f..2abdec3a39 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -31,6 +31,7 @@ static const struct auth_init_function_entry builtin_auth_init_functions[] = {
 	{ "hostsequiv", auth_init_hostsequiv },
 	{ "sam", auth_init_sam },	
 	{ "samstrict", auth_init_samstrict },
+	{ "samstrict_dc", auth_init_samstrict_dc },
 	{ "unix", auth_init_unix },
 	{ "smbserver", auth_init_smbserver },
 	{ "ntdomain", auth_init_ntdomain },
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 79fded870e..9650dc0940 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
 	   unless it is one of our aliases. */
 	
 	if (!is_myname(user_info->domain.str)) {
+		DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
+			user_info->domain.str,user_info->internal_username.str));
 		return NT_STATUS_NO_SUCH_USER;
 	}
 	
@@ -498,4 +500,45 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para
 	return NT_STATUS_OK;
 }
 
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+					 void *my_private_data, 
+					 TALLOC_CTX *mem_ctx,
+					 const auth_usersupplied_info *user_info, 
+					 auth_serversupplied_info **server_info)
+{
 
+	if (!user_info || !auth_context) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	/* If we are a domain member, we must not 
+	   attempt to check the password locally,
+	   unless it is one of our aliases, empty
+	   or our domain if we are a logon server.*/
+	
+
+	if ((!is_myworkgroup(user_info->domain.str))&&
+		(!is_myname(user_info->domain.str))) {
+		DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
+			user_info->domain.str,user_info->internal_username.str));
+		return NT_STATUS_NO_SUCH_USER;
+	}		
+
+	return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
+{
+	if (!make_auth_methods(auth_context, auth_method)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	(*auth_method)->auth = check_samstrict_dc_security;
+	(*auth_method)->name = "samstrict_dc";
+	return NT_STATUS_OK;
+}
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 9ab33ce2ed..07f7328b05 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1720,6 +1720,23 @@ BOOL is_myname_or_ipaddr(const char *s)
 }
 
 /*******************************************************************
+ Is the name specified our workgroup/domain.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+	BOOL ret = False;
+
+	if (strequal(s, lp_workgroup())) {
+		ret=True;
+	}
+
+	DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+	return(ret);
+}
+
+/*******************************************************************
  Set the horrid remote_arch string based on an enum.
 ********************************************************************/