summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/auth.c20
-rw-r--r--source4/auth/auth.h8
-rw-r--r--source4/auth/auth_anonymous.c23
-rw-r--r--source4/auth/auth_developer.c24
-rw-r--r--source4/auth/auth_sam.c68
-rw-r--r--source4/auth/auth_unix.c25
-rw-r--r--source4/auth/auth_winbind.c13
7 files changed, 140 insertions, 41 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index dfef0c8c4d..0b044af495 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -174,16 +174,20 @@ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
for (method = auth_ctx->methods; method; method = method->next) {
NTSTATUS result;
- result = method->ops->check_password(method, mem_ctx, user_info, server_info);
-
- /* check if the module did anything */
- if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- method_name = method->ops->name;
- nt_status = result;
- break;
+ /* check if the module wants to chek the password */
+ result = method->ops->want_check(method, mem_ctx, user_info);
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+ continue;
}
- DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+ method_name = method->ops->name;
+ nt_status = result;
+
+ if (!NT_STATUS_IS_OK(nt_status)) break;
+
+ nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info);
+ break;
}
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 724ccf91ca..20a91efc10 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -35,7 +35,8 @@
/* version 2 - initial samba4 version - metze */
/* version 3 - subsequent samba4 version - abartlet */
/* version 4 - subsequent samba4 version - metze */
-#define AUTH_INTERFACE_VERSION 4
+/* version 0 - till samba4 is stable - metze */
+#define AUTH_INTERFACE_VERSION 0
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
@@ -134,6 +135,11 @@ struct auth_operations {
NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
+ /* Given the user supplied info, check if this backend want to handle the password checking */
+
+ NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info);
+
/* Given the user supplied info, check a password */
NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/auth_anonymous.c b/source4/auth/auth_anonymous.c
index ce960062eb..45c5f9a7f6 100644
--- a/source4/auth/auth_anonymous.c
+++ b/source4/auth/auth_anonymous.c
@@ -30,21 +30,36 @@
* anonymou logons to be dealt with in one place. Non-anonymou logons 'fail'
* and pass onto the next module.
**/
-static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **_server_info)
+static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
{
if (user_info->client.account_name && *user_info->client.account_name) {
return NT_STATUS_NOT_IMPLEMENTED;
}
+ return NT_STATUS_OK;
+}
+
+/**
+ * Return a anonymous logon for anonymous users (username = "")
+ *
+ * Typically used as the first module in the auth chain, this allows
+ * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail'
+ * and pass onto the next module.
+ **/
+static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **_server_info)
+{
return auth_anonymous_server_info(mem_ctx, _server_info);
}
static struct auth_operations anonymous_auth_ops = {
.name = "anonymous",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = anonymous_want_check,
.check_password = anonymous_check_password
};
diff --git a/source4/auth/auth_developer.c b/source4/auth/auth_developer.c
index 25c828c2a1..76044d4361 100644
--- a/source4/auth/auth_developer.c
+++ b/source4/auth/auth_developer.c
@@ -24,6 +24,13 @@
#include "auth/auth.h"
#include "libcli/security/security.h"
+static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ return NT_STATUS_OK;
+}
+
/**
* Return an error based on username
*
@@ -56,10 +63,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num));
nt_status = NT_STATUS(error_num);
}
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ NT_STATUS_NOT_OK_RETURN(nt_status);
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
@@ -128,6 +132,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
static struct auth_operations name_to_ntstatus_auth_ops = {
.name = "name_to_ntstatus",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = name_to_ntstatus_want_check,
.check_password = name_to_ntstatus_check_password
};
@@ -157,18 +162,27 @@ static NTSTATUS fixed_challenge_get_challenge(struct auth_method_context *ctx, T
return NT_STATUS_OK;
}
+static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ /* don't handle any users */
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **_server_info)
{
/* don't handle any users */
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NT_STATUS_NO_SUCH_USER;
}
static struct auth_operations fixed_challenge_auth_ops = {
.name = "fixed_challenge",
.get_challenge = fixed_challenge_get_challenge,
+ .want_check = fixed_challenge_want_check,
.check_password = fixed_challenge_check_password
};
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 96d8a0d40a..7ce2cabbf9 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -334,6 +334,17 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
return NT_STATUS_OK;
}
+static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
@@ -345,31 +356,32 @@ static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *
/****************************************************************************
Check SAM security (above) but with a few extra checks.
****************************************************************************/
-static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
{
- const char *domain;
BOOL is_local_name, is_my_domain;
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
is_local_name = is_myname(user_info->mapped.domain_name);
is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
/* check whether or not we service this domain/workgroup name */
switch (lp_server_role()) {
case ROLE_STANDALONE:
- domain = lp_netbios_name();
- break;
+ return NT_STATUS_OK;
+
case ROLE_DOMAIN_MEMBER:
if (!is_local_name) {
- DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n",
- user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER
- ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+ DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
+ user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
- domain = lp_netbios_name();
- break;
+ return NT_STATUS_OK;
+
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
if (!is_local_name && !is_my_domain) {
@@ -377,11 +389,37 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************************
+Check SAM security (above) but with a few extra checks.
+****************************************************************************/
+static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
+{
+ const char *domain;
+
+ /* check whether or not we service this domain/workgroup name */
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ domain = lp_netbios_name();
+ break;
+
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
domain = lp_workgroup();
break;
+
default:
- DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NT_STATUS_NO_SUCH_USER;
}
return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
@@ -390,12 +428,14 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
static const struct auth_operations sam_ignoredomain_ops = {
.name = "sam_ignoredomain",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_ignoredomain_want_check,
.check_password = authsam_ignoredomain_check_password
};
static const struct auth_operations sam_ops = {
.name = "sam",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_want_check,
.check_password = authsam_check_password
};
diff --git a/source4/auth/auth_unix.c b/source4/auth/auth_unix.c
index 959eb6703c..635c45b399 100644
--- a/source4/auth/auth_unix.c
+++ b/source4/auth/auth_unix.c
@@ -773,20 +773,26 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
*
**/
+static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_serversupplied_info **server_info)
{
TALLOC_CTX *check_ctx;
NTSTATUS nt_status;
struct passwd *pwd;
- if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) {
- /* 'not for me' */
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -797,13 +803,13 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
}
nt_status = check_unix_password(check_ctx, user_info, &pwd);
- if ( ! NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info);
- if ( ! NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
@@ -815,7 +821,8 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
static const struct auth_operations unix_ops = {
.name = "unix",
.get_challenge = auth_get_challenge_not_implemented,
- .check_password = authunix_check_password
+ .want_check = authunix_want_check,
+ .check_password = authunix_check_password
};
NTSTATUS auth_unix_init(void)
diff --git a/source4/auth/auth_winbind.c b/source4/auth/auth_winbind.c
index 4a031e6b94..3783d0f975 100644
--- a/source4/auth/auth_winbind.c
+++ b/source4/auth/auth_winbind.c
@@ -46,6 +46,18 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response
}
}
+static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ /* TODO: maybe limit the user scope to remote users only */
+ return NT_STATUS_OK;
+}
+
/* Authenticate a user with a challenge/response */
static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
@@ -129,6 +141,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
static const struct auth_operations winbind_ops = {
.name = "winbind",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = winbind_want_check,
.check_password = winbind_check_password
};