From 61116049cabc292c2f2d570af4d68ddc537b91f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 3 Jul 2003 14:36:42 +0000 Subject: This patch takes the work the jerry did for beta2, and generalises it: - The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
---
 source3/auth/auth.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth.c')
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index d99b00d4a7..9f109dc66e 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -203,8 +203,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 const struct auth_usersupplied_info *user_info,
 struct auth_serversupplied_info **server_info)
 {
-
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ /* if all the modules say 'not for me' this is reasonable */
+ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
 const char *pdb_username;
 auth_methods *auth_method;
 TALLOC_CTX *mem_ctx;
@@ -269,12 +269,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 }
 talloc_destroy(mem_ctx);
-
- /* this sucks. Somehow we have to know if an authentication module is
- authoritative for a user. Fixme!!! --jerry */
-
- if ( NT_STATUS_IS_OK(nt_status) ||
- NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_WRONG_PASSWORD) )
+
+ if ( NT_STATUS_IS_OK(nt_status))
 {
 break;
 }
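Review bot: The new default `NT_STATUS_NO_SUCH_USER` in check_ntlm_password separates "unknown account" from a bad password, so if this status reaches the client unchanged it reveals which usernames exist; the previous default `NT_STATUS_LOGON_FAILURE` did not. Whether callers collapse the two before replying is not visible here, because the function body continues outside the hunk. I would extend the added comment to state that contract, e.g. `/* no module claimed this user; callers must map this to a generic logon failure before it goes on the wire */`.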
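Review bot: With the `NT_STATUS_WRONG_PASSWORD` test removed, the `break` fires only on success, so a module that has positively rejected the credentials no longer ends the loop and the remaining modules are still consulted. That is safe only if every later module declines users it is not authoritative for and a later result cannot replace the earlier denial in `nt_status`; both depend on code outside this hunk, since the loop begins above it. I would keep a definite answer terminal so that only "not for me" falls through, e.g. `if (NT_STATUS_V(nt_status) != NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED)) { break; }`. A one-line comment in place of the deleted "Fixme" should record which statuses are meant to continue to the next module.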
@@ -463,8 +459,13 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
 break;
 case SEC_USER:
 if (lp_encrypted_passwords()) {
- DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make("guest sam", NULL);
+ if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
+ DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL);
+ } else {
+ DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam", NULL);
+ }
 } else {
 DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
 auth_method_list = str_list_make("guest unix", NULL);
-- cgit
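Review bot: The DC branch appends `winbind:trustdomain` to the default method list without saying which names it is meant to serve, and its position after `sam` matters if the methods are tried in list order. A comment above that `str_list_make` call would help, e.g. `/* DC: names 'sam' does not own are passed to trusted domains via winbind */`, with the wording confirmed against the trustdomain module, which is not shown. As a style point, `lp_server_role()` is evaluated twice in the condition; reading it once into a local before the `if` keeps both comparisons on the same value. The enclosing `switch` starts and ends outside the hunk.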