authorStefan Metzmacher <metze@samba.org>2006-07-27 11:24:18 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:10:25 -0500
commite8623667d32f717b0b746e5041500bd0ee6b3ae8 (patch)
treed789a33d4bf6f41b6e525478fe943b387500de2b /source4/auth
parent28b8ec0156e99d7bddc2aa243f6631a66c94a078 (diff)
r17270: split the logic of saying "this auth backend wants to handle this request" from the password checking.
This will help to make the password-checking hook async later. metze (This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.c20
-rw-r--r--source4/auth/auth.h8
-rw-r--r--source4/auth/auth_anonymous.c23
-rw-r--r--source4/auth/auth_developer.c24
-rw-r--r--source4/auth/auth_sam.c68
-rw-r--r--source4/auth/auth_unix.c25
-rw-r--r--source4/auth/auth_winbind.c13
7 files changed, 140 insertions, 41 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index dfef0c8c4d..0b044af495 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -174,16 +174,20 @@ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
for (method = auth_ctx->methods; method; method = method->next) {
NTSTATUS result;
- result = method->ops->check_password(method, mem_ctx, user_info, server_info);
-
- /* check if the module did anything */
- if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- method_name = method->ops->name;
- nt_status = result;
- break;
+ /* check if the module wants to chek the password */
+ result = method->ops->want_check(method, mem_ctx, user_info);
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+ continue;
}
- DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+ method_name = method->ops->name;
+ nt_status = result;
+
+ if (!NT_STATUS_IS_OK(nt_status)) break;
+
+ nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info);
+ break;
}
if (!NT_STATUS_IS_OK(nt_status)) {
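Review bot: A check_password() result of NT_STATUS_NOT_IMPLEMENTED no longer falls through to the next backend: once want_check() has claimed the request the loop breaks unconditionally after the check_password() call, so that status becomes the final authentication result, and any want_check() failure other than NT_STATUS_NOT_IMPLEMENTED is likewise returned as the result. The in-tree backends were adjusted accordingly (fixed_challenge now returns NT_STATUS_NO_SUCH_USER), but the contract deserves a comment on the final `break;`, e.g. `/* the backend claimed the request: its result is final, NT_STATUS_NOT_IMPLEMENTED from check_password() no longer passes to the next module */`. The added comment also has a typo: `/* check if the module wants to check the password */`. auth_check_password() begins before and continues past this hunk.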
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 724ccf91ca..20a91efc10 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -35,7 +35,8 @@
/* version 2 - initial samba4 version - metze */
/* version 3 - subsequent samba4 version - abartlet */
/* version 4 - subsequent samba4 version - metze */
-#define AUTH_INTERFACE_VERSION 4
+/* version 0 - till samba4 is stable - metze */
+#define AUTH_INTERFACE_VERSION 0
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
@@ -134,6 +135,11 @@ struct auth_operations {
NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
+ /* Given the user supplied info, check if this backend want to handle the password checking */
+
+ NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info);
+
/* Given the user supplied info, check a password */
NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
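Review bot: The comment added above want_check does not state the return-value protocol that auth.c now relies on, and reads "want" where "wants" is meant. Suggest `/* Given the user supplied info, decide whether this backend wants to handle the password check: return NT_STATUS_NOT_IMPLEMENTED to pass the request to the next module, NT_STATUS_OK to claim it (check_password is then called), any other status aborts the chain with that result. */`. The blank line between the comment and the prototype also detaches the two; the neighbouring check_password comment sits directly above its declaration.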
diff --git a/source4/auth/auth_anonymous.c b/source4/auth/auth_anonymous.c
index ce960062eb..45c5f9a7f6 100644
--- a/source4/auth/auth_anonymous.c
+++ b/source4/auth/auth_anonymous.c
@@ -30,21 +30,36 @@
* anonymou logons to be dealt with in one place. Non-anonymou logons 'fail'
* and pass onto the next module.
**/
-static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **_server_info)
+static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
{
if (user_info->client.account_name && *user_info->client.account_name) {
return NT_STATUS_NOT_IMPLEMENTED;
}
+ return NT_STATUS_OK;
+}
+
+/**
+ * Return a anonymous logon for anonymous users (username = "")
+ *
+ * Typically used as the first module in the auth chain, this allows
+ * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail'
+ * and pass onto the next module.
+ **/
+static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **_server_info)
+{
return auth_anonymous_server_info(mem_ctx, _server_info);
}
static struct auth_operations anonymous_auth_ops = {
.name = "anonymous",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = anonymous_want_check,
.check_password = anonymous_check_password
};
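Review bot: The header comment that now sits above anonymous_want_check (its tail is the context at the top of the hunk) still describes the logon behaviour, and the new copy above anonymous_check_password repeats it verbatim, typo included (`anonymou` should be `anonymous`, twice). anonymous_check_password no longer verifies the account name itself, so its comment should state the precondition instead: `/* Only reached after anonymous_want_check() accepted an empty account name; the check is not repeated here. */`. authunix_check_password in auth_unix.c drops its account-name guard the same way and would benefit from the same precondition comment.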
diff --git a/source4/auth/auth_developer.c b/source4/auth/auth_developer.c
index 25c828c2a1..76044d4361 100644
--- a/source4/auth/auth_developer.c
+++ b/source4/auth/auth_developer.c
@@ -24,6 +24,13 @@
#include "auth/auth.h"
#include "libcli/security/security.h"
+static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ return NT_STATUS_OK;
+}
+
/**
* Return an error based on username
*
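Review bot: name_to_ntstatus_want_check claims every request unconditionally, including ones with an empty account name, and since auth_check_password() stops at the first backend that claims, no module listed after name_to_ntstatus is ever consulted. That is presumably intended for a developer-only backend, but it should be stated at the `return NT_STATUS_OK;`: `/* claim every request: this developer backend maps the username to a status, so nothing listed after it in the auth chain is reached */`. winbind_want_check in auth_winbind.c has the same property for every named user, which the TODO there only hints at; a similar comment on its return would make the ordering dependency explicit.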
@@ -56,10 +63,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num));
nt_status = NT_STATUS(error_num);
}
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ NT_STATUS_NOT_OK_RETURN(nt_status);
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
@@ -128,6 +132,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
static struct auth_operations name_to_ntstatus_auth_ops = {
.name = "name_to_ntstatus",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = name_to_ntstatus_want_check,
.check_password = name_to_ntstatus_check_password
};
@@ -157,18 +162,27 @@ static NTSTATUS fixed_challenge_get_challenge(struct auth_method_context *ctx, T
return NT_STATUS_OK;
}
+static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ /* don't handle any users */
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **_server_info)
{
/* don't handle any users */
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NT_STATUS_NO_SUCH_USER;
}
static struct auth_operations fixed_challenge_auth_ops = {
.name = "fixed_challenge",
.get_challenge = fixed_challenge_get_challenge,
+ .want_check = fixed_challenge_want_check,
.check_password = fixed_challenge_check_password
};
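Review bot: fixed_challenge_check_password keeps the comment `/* don't handle any users */` while now returning NT_STATUS_NO_SUCH_USER, which reads as a contradiction; the declining moved to fixed_challenge_want_check, so this path is not reachable through auth_check_password(). Suggest `/* unreachable via auth_check_password(): fixed_challenge_want_check() declines every request; fail closed if called directly */`.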
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 96d8a0d40a..7ce2cabbf9 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -334,6 +334,17 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
return NT_STATUS_OK;
}
+static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
@@ -345,31 +356,32 @@ static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *
/****************************************************************************
Check SAM security (above) but with a few extra checks.
****************************************************************************/
-static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
{
- const char *domain;
BOOL is_local_name, is_my_domain;
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
is_local_name = is_myname(user_info->mapped.domain_name);
is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
/* check whether or not we service this domain/workgroup name */
switch (lp_server_role()) {
case ROLE_STANDALONE:
- domain = lp_netbios_name();
- break;
+ return NT_STATUS_OK;
+
case ROLE_DOMAIN_MEMBER:
if (!is_local_name) {
- DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n",
- user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER
- ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+ DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
+ user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
- domain = lp_netbios_name();
- break;
+ return NT_STATUS_OK;
+
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
if (!is_local_name && !is_my_domain) {
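Review bot: The DEBUG(6) messages inside the new authsam_want_check still carry the `authsam_check_password:` prefix (the DOMAIN_MEMBER message here and the undefined-role message in the following hunk), which misattributes the log lines now that the two functions exist separately; change the prefix to `authsam_want_check:` in both. The switch in authsam_want_check also lost its `default:` label and relies on falling out of the switch to reach the trailing DEBUG; a `default:` case there matches the sibling authsam_check_password and avoids a warning if lp_server_role() returns an enum with further values. The "Check SAM security (above) but with a few extra checks" header now sits above authsam_want_check and is repeated verbatim above authsam_check_password; the first copy should describe the domain/role gating instead. authsam_want_check continues past this hunk.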
@@ -377,11 +389,37 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************************
+Check SAM security (above) but with a few extra checks.
+****************************************************************************/
+static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
+{
+ const char *domain;
+
+ /* check whether or not we service this domain/workgroup name */
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ domain = lp_netbios_name();
+ break;
+
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
domain = lp_workgroup();
break;
+
default:
- DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NT_STATUS_NO_SUCH_USER;
}
return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
@@ -390,12 +428,14 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
static const struct auth_operations sam_ignoredomain_ops = {
.name = "sam_ignoredomain",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_ignoredomain_want_check,
.check_password = authsam_ignoredomain_check_password
};
static const struct auth_operations sam_ops = {
.name = "sam",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_want_check,
.check_password = authsam_check_password
};
diff --git a/source4/auth/auth_unix.c b/source4/auth/auth_unix.c
index 959eb6703c..635c45b399 100644
--- a/source4/auth/auth_unix.c
+++ b/source4/auth/auth_unix.c
@@ -773,20 +773,26 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
*
**/
+static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_serversupplied_info **server_info)
{
TALLOC_CTX *check_ctx;
NTSTATUS nt_status;
struct passwd *pwd;
- if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) {
- /* 'not for me' */
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -797,13 +803,13 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
}
nt_status = check_unix_password(check_ctx, user_info, &pwd);
- if ( ! NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info);
- if ( ! NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
@@ -815,7 +821,8 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
static const struct auth_operations unix_ops = {
.name = "unix",
.get_challenge = auth_get_challenge_not_implemented,
- .check_password = authunix_check_password
+ .want_check = authunix_want_check,
+ .check_password = authunix_check_password
};
NTSTATUS auth_unix_init(void)
diff --git a/source4/auth/auth_winbind.c b/source4/auth/auth_winbind.c
index 4a031e6b94..3783d0f975 100644
--- a/source4/auth/auth_winbind.c
+++ b/source4/auth/auth_winbind.c
@@ -46,6 +46,18 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response
}
}
+static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ /* TODO: maybe limit the user scope to remote users only */
+ return NT_STATUS_OK;
+}
+
/* Authenticate a user with a challenge/response */
static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
@@ -129,6 +141,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
static const struct auth_operations winbind_ops = {
.name = "winbind",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = winbind_want_check,
.check_password = winbind_check_password
};