summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-09-12 10:06:39 +1000
committerAndrew Tridgell <tridge@samba.org>2010-09-15 15:39:34 +1000
commit13a8745cae2b38c8071b182a4c020305c76e62b8 (patch)
treed0ab513cd0367dbc9c4f7bd65663883791a9d6f0 /source4/auth
parentf6d85be52830d17dbf6e7b01bf854a49dccbc7f8 (diff)
downloadsamba-13a8745cae2b38c8071b182a4c020305c76e62b8.tar.gz
samba-13a8745cae2b38c8071b182a4c020305c76e62b8.tar.bz2
samba-13a8745cae2b38c8071b182a4c020305c76e62b8.zip
s4-rodc: add a trigger message for REPL_SECRET to auth_sam
when an RODC tries to authenticate against an account and the account has no password information it needs to send a message to the drepl server to tell it to try and replicate the secret information from a writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/ntlm/auth_sam.c52
1 files changed, 52 insertions, 0 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index fdcc5bd90e..8de33ffa78 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -32,6 +32,8 @@
#include "dsdb/samdb/samdb.h"
#include "dsdb/common/util.h"
#include "param/param.h"
+#include "librpc/gen_ndr/ndr_irpc_c.h"
+#include "lib/messaging/irpc.h"
extern const char *user_attrs[];
extern const char *domain_ref_attrs[];
@@ -135,6 +137,37 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
}
+/*
+ send a message to the drepl server telling it to initiate a
+ REPL_SECRET getncchanges extended op to fetch the users secrets
+ */
+static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
+ struct ldb_dn *user_dn)
+{
+ struct dcerpc_binding_handle *irpc_handle;
+ struct drepl_trigger_repl_secret r;
+ struct tevent_req *req;
+
+ irpc_handle = irpc_binding_handle_by_name(mem_ctx, auth_context->msg_ctx,
+ "dreplsrv",
+ &ndr_table_irpc);
+ if (irpc_handle == NULL) {
+ DEBUG(1,(__location__ ": Unable to get binding handle for dreplsrv\n"));
+ return;
+ }
+
+ r.in.user_dn = ldb_dn_get_linearized(user_dn);
+
+ req = dcerpc_drepl_trigger_repl_secret_r_send(mem_ctx,
+ auth_context->event_ctx,
+ irpc_handle,
+ &r);
+
+ /* we aren't interested in a reply */
+ talloc_free(req);
+ talloc_free(irpc_handle);
+}
+
static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
@@ -165,6 +198,25 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
nt_status = samdb_result_passwords(mem_ctx, auth_context->lp_ctx, msg, &lm_pwd, &nt_pwd);
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lm_pwd == NULL && nt_pwd == NULL) {
+ bool am_rodc;
+ if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
+ /* we don't have passwords for this
+ * account. We are an RODC, and this account
+ * may be one for which we either are denied
+ * REPL_SECRET replication or we haven't yet
+ * done the replication. We return
+ * NT_STATUS_NOT_IMPLEMENTED which tells the
+ * auth code to try the next authentication
+ * mechanism. We also send a message to our
+ * drepl server to tell it to try and
+ * replicate the secrets for this account.
+ */
+ auth_sam_trigger_repl_secret(mem_ctx, auth_context, msg->dn);
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ }
+
nt_status = authsam_password_ok(auth_context, mem_ctx,
acct_flags, lm_pwd, nt_pwd,
user_info, user_sess_key, lm_sess_key);