From 4499007e45637f172c4afb0ec2e048cf795a3cbe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Nov 2001 06:47:04 +0000 Subject: A number of things to clean up the auth subsytem a bit... We now default encrypt passwords = yes We now check plaintext passwords (however aquired) with the 'sam' backend rather than unix, if encrypt passwords = yes. (this kills off the 'local' backed. The sam backend may be renamed in its place) The new 'samstrict' wrapper backend checks that the user's domain is one of our netbios aliases - this ensures that we don't get fallback crazies with security = domain. Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks that the user was not local before contacting the DC. The default ordering has changed, we now check the local stuff first - but becouse of the changes above, we will really only ever contact one auth source. Andrew Bartlett (This used to be commit e89b47f65e7eaf5eb288a3d6ba2d3d115c628e7e) --- source3/auth/auth_sam.c | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_sam.c') diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 421349a765..d899006cf8 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -337,7 +337,7 @@ SMB hash supplied in the user_info structure return an NT_STATUS constant. ****************************************************************************/ -NTSTATUS check_sam_security(void *my_private_dat, +static NTSTATUS check_sam_security(void *my_private_data, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -408,5 +408,40 @@ BOOL auth_init_sam(auth_methods **auth_method) return True; } +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash supplied in the user_info structure +return an NT_STATUS constant. +****************************************************************************/ + +static NTSTATUS check_samstrict_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) +{ + + if (!user_info || !auth_info) { + return NT_STATUS_LOGON_FAILURE; + } + + /* If we are a domain member, we must not + attempt to check the password locally, + unless it is one of our aliases. */ + + if (!is_netbios_alias_or_name(user_info->domain.str)) { + return NT_STATUS_NO_SUCH_USER; + } + + return check_sam_security(my_private_data, user_info, auth_info, server_info); +} + +BOOL auth_init_samstrict(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + (*auth_method)->auth = check_samstrict_security; + return True; +} -- cgit