diff options
-rw-r--r-- | source4/auth/auth.c | 20 | ||||
-rw-r--r-- | source4/auth/auth.h | 8 | ||||
-rw-r--r-- | source4/auth/auth_anonymous.c | 23 | ||||
-rw-r--r-- | source4/auth/auth_developer.c | 24 | ||||
-rw-r--r-- | source4/auth/auth_sam.c | 68 | ||||
-rw-r--r-- | source4/auth/auth_unix.c | 25 | ||||
-rw-r--r-- | source4/auth/auth_winbind.c | 13 |
7 files changed, 140 insertions, 41 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c index dfef0c8c4d..0b044af495 100644 --- a/source4/auth/auth.c +++ b/source4/auth/auth.c @@ -174,16 +174,20 @@ NTSTATUS auth_check_password(struct auth_context *auth_ctx, for (method = auth_ctx->methods; method; method = method->next) { NTSTATUS result; - result = method->ops->check_password(method, mem_ctx, user_info, server_info); - - /* check if the module did anything */ - if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) { - method_name = method->ops->name; - nt_status = result; - break; + /* check if the module wants to chek the password */ + result = method->ops->want_check(method, mem_ctx, user_info); + if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) { + DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name)); + continue; } - DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name)); + method_name = method->ops->name; + nt_status = result; + + if (!NT_STATUS_IS_OK(nt_status)) break; + + nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info); + break; } if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 724ccf91ca..20a91efc10 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -35,7 +35,8 @@ /* version 2 - initial samba4 version - metze */ /* version 3 - subsequent samba4 version - abartlet */ /* version 4 - subsequent samba4 version - metze */ -#define AUTH_INTERFACE_VERSION 4 +/* version 0 - till samba4 is stable - metze */ +#define AUTH_INTERFACE_VERSION 0 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ @@ -134,6 +135,11 @@ struct auth_operations { NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge); + /* Given the user supplied info, check if this backend want to handle the password checking */ + + NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info); + /* Given the user supplied info, check a password */ NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, diff --git a/source4/auth/auth_anonymous.c b/source4/auth/auth_anonymous.c index ce960062eb..45c5f9a7f6 100644 --- a/source4/auth/auth_anonymous.c +++ b/source4/auth/auth_anonymous.c @@ -30,21 +30,36 @@ * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail' * and pass onto the next module. **/ -static NTSTATUS anonymous_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **_server_info) +static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) { if (user_info->client.account_name && *user_info->client.account_name) { return NT_STATUS_NOT_IMPLEMENTED; } + return NT_STATUS_OK; +} + +/** + * Return a anonymous logon for anonymous users (username = "") + * + * Typically used as the first module in the auth chain, this allows + * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail' + * and pass onto the next module. + **/ +static NTSTATUS anonymous_check_password(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **_server_info) +{ return auth_anonymous_server_info(mem_ctx, _server_info); } static struct auth_operations anonymous_auth_ops = { .name = "anonymous", .get_challenge = auth_get_challenge_not_implemented, + .want_check = anonymous_want_check, .check_password = anonymous_check_password }; diff --git a/source4/auth/auth_developer.c b/source4/auth/auth_developer.c index 25c828c2a1..76044d4361 100644 --- a/source4/auth/auth_developer.c +++ b/source4/auth/auth_developer.c @@ -24,6 +24,13 @@ #include "auth/auth.h" #include "libcli/security/security.h" +static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + return NT_STATUS_OK; +} + /** * Return an error based on username * @@ -56,10 +63,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num)); nt_status = NT_STATUS(error_num); } - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + NT_STATUS_NOT_OK_RETURN(nt_status); server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); @@ -128,6 +132,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, static struct auth_operations name_to_ntstatus_auth_ops = { .name = "name_to_ntstatus", .get_challenge = auth_get_challenge_not_implemented, + .want_check = name_to_ntstatus_want_check, .check_password = name_to_ntstatus_check_password }; @@ -157,18 +162,27 @@ static NTSTATUS fixed_challenge_get_challenge(struct auth_method_context *ctx, T return NT_STATUS_OK; } +static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + /* don't handle any users */ + return NT_STATUS_NOT_IMPLEMENTED; +} + static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **_server_info) { /* don't handle any users */ - return NT_STATUS_NOT_IMPLEMENTED; + return NT_STATUS_NO_SUCH_USER; } static struct auth_operations fixed_challenge_auth_ops = { .name = "fixed_challenge", .get_challenge = fixed_challenge_get_challenge, + .want_check = fixed_challenge_want_check, .check_password = fixed_challenge_check_password }; diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 96d8a0d40a..7ce2cabbf9 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -334,6 +334,17 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_OK; } +static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + return NT_STATUS_OK; +} + static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, @@ -345,31 +356,32 @@ static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context * /**************************************************************************** Check SAM security (above) but with a few extra checks. ****************************************************************************/ -static NTSTATUS authsam_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) +static NTSTATUS authsam_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) { - const char *domain; BOOL is_local_name, is_my_domain; + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + is_local_name = is_myname(user_info->mapped.domain_name); is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup()); /* check whether or not we service this domain/workgroup name */ switch (lp_server_role()) { case ROLE_STANDALONE: - domain = lp_netbios_name(); - break; + return NT_STATUS_OK; + case ROLE_DOMAIN_MEMBER: if (!is_local_name) { - DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n", - user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER - ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") )); + DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n", + user_info->mapped.domain_name)); return NT_STATUS_NOT_IMPLEMENTED; } - domain = lp_netbios_name(); - break; + return NT_STATUS_OK; + case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: if (!is_local_name && !is_my_domain) { @@ -377,11 +389,37 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx, user_info->mapped.domain_name)); return NT_STATUS_NOT_IMPLEMENTED; } + return NT_STATUS_OK; + } + + DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n")); + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************************** +Check SAM security (above) but with a few extra checks. +****************************************************************************/ +static NTSTATUS authsam_check_password(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info) +{ + const char *domain; + + /* check whether or not we service this domain/workgroup name */ + switch (lp_server_role()) { + case ROLE_STANDALONE: + case ROLE_DOMAIN_MEMBER: + domain = lp_netbios_name(); + break; + + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: domain = lp_workgroup(); break; + default: - DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n")); - return NT_STATUS_NOT_IMPLEMENTED; + return NT_STATUS_NO_SUCH_USER; } return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info); @@ -390,12 +428,14 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx, static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, + .want_check = authsam_ignoredomain_want_check, .check_password = authsam_ignoredomain_check_password }; static const struct auth_operations sam_ops = { .name = "sam", .get_challenge = auth_get_challenge_not_implemented, + .want_check = authsam_want_check, .check_password = authsam_check_password }; diff --git a/source4/auth/auth_unix.c b/source4/auth/auth_unix.c index 959eb6703c..635c45b399 100644 --- a/source4/auth/auth_unix.c +++ b/source4/auth/auth_unix.c @@ -773,20 +773,26 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl * **/ +static NTSTATUS authunix_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + return NT_STATUS_OK; +} + static NTSTATUS authunix_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_serversupplied_info **server_info) { TALLOC_CTX *check_ctx; NTSTATUS nt_status; struct passwd *pwd; - if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) { - /* 'not for me' */ - return NT_STATUS_NOT_IMPLEMENTED; - } - if (user_info->password_state != AUTH_PASSWORD_PLAIN) { return NT_STATUS_INVALID_PARAMETER; } @@ -797,13 +803,13 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx, } nt_status = check_unix_password(check_ctx, user_info, &pwd); - if ( ! NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; } nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info); - if ( ! NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; } @@ -815,7 +821,8 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx, static const struct auth_operations unix_ops = { .name = "unix", .get_challenge = auth_get_challenge_not_implemented, - .check_password = authunix_check_password + .want_check = authunix_want_check, + .check_password = authunix_check_password }; NTSTATUS auth_unix_init(void) diff --git a/source4/auth/auth_winbind.c b/source4/auth/auth_winbind.c index 4a031e6b94..3783d0f975 100644 --- a/source4/auth/auth_winbind.c +++ b/source4/auth/auth_winbind.c @@ -46,6 +46,18 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response } } +static NTSTATUS winbind_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* TODO: maybe limit the user scope to remote users only */ + return NT_STATUS_OK; +} + /* Authenticate a user with a challenge/response */ static NTSTATUS winbind_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, @@ -129,6 +141,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx, static const struct auth_operations winbind_ops = { .name = "winbind", .get_challenge = auth_get_challenge_not_implemented, + .want_check = winbind_want_check, .check_password = winbind_check_password }; |