s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
authorAndrew Bartlett <abartlet@samba.org>
Mon, 30 Jun 2014 00:04:03 +0000 (12:04 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 4 Jul 2014 00:52:35 +0000 (02:52 +0200)
This changes the auth code in winbindd to use this error as a flag, and
therefore to contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
auth/common_auth.h
source3/auth/auth.c
source3/winbindd/winbindd_pam.c
source4/auth/ntlm/auth.c

index d9bde018bf383b2ea35074cd7515ecfae623cba8..d1a775d431a7f2e965b76707b5e3ca6bde7267e8 100644 (file)
@@ -26,7 +26,7 @@
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
 #define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM */
+#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
 #define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
 
 enum auth_password_state {
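Review bot: The new comment on USER_INFO_LOCAL_SAM_ONLY says "do not map missing passwords to NO_SUCH_USER", but what the flag gates in the callers changed by this commit is the translation of NT_STATUS_NOT_IMPLEMENTED (an auth method that had nothing to say) into NT_STATUS_NO_SUCH_USER, not a missing password. Naming the status makes the contract greppable: `/* Only authenticate against the local SAM; do not map NT_STATUS_NOT_IMPLEMENTED from the auth methods to NO_SUCH_USER */`. Since a caller that sets this flag now receives NT_STATUS_NOT_IMPLEMENTED directly, the comment should also state that the caller is responsible for handling it (the remote fallback).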
index 6d1192ededddb1131e43a50a2b2b571e4e3919a6..00261f725fa6a0c5c2ac08899730d88fbcc5de32 100644 (file)
@@ -232,6 +232,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
                if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
                        DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
                        TALLOC_FREE(tmp_ctx);
+                       if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
+                               /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
+                                * internals, except when the caller is only probing
+                                * one method, as they may do the fallback 
+                                */
+                               nt_status = result;
+                       }
                        continue;
                }
 
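Review bot: The post-loop handling of nt_status is outside this hunk (auth_check_ntlm_password continues past it), so it should be confirmed that a method returning NT_STATUS_NOT_IMPLEMENTED is not remapped again after the loop when USER_INFO_LOCAL_SAM_ONLY is set, otherwise the status never reaches the winbindd caller that relies on it. The comment block has trailing whitespace on the `fallback ` line and is repeated word for word in source4/auth/ntlm/auth.c; a shorter form such as `/* USER_INFO_LOCAL_SAM_ONLY callers handle NT_STATUS_NOT_IMPLEMENTED themselves (remote fallback), so do not hide it */` reads better. A DEBUG line next to `nt_status = result;` saying the status is being passed through would make the later remote fallback traceable in the logs.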
index 1112b21cbae962c70b1b8e57f173621136104134..dd8f442d3d6c0ce6420857bf4a87fac74c6a6ee0 100644 (file)
@@ -1501,7 +1501,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
                result = winbindd_dual_auth_passdb(
                        mem_ctx, 0, name_domain, name_user,
                        &chal_blob, &lm_resp, &nt_resp, info3);
-               goto done;
+
+               /* 
+                * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED 
+                */
+               if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+                       goto done;
+               }
        }
 
        /* check authentication loop */
@@ -1888,7 +1894,13 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
                        logon_parameters,
                        name_domain, name_user,
                        &chal_blob, &lm_response, &nt_response, info3);
-               goto process_result;
+
+               /* 
+                * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED 
+                */
+               if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+                       goto process_result;
+               }
        }
 
        result = winbind_samlogon_retry_loop(domain,
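Review bot: When winbindd_dual_auth_passdb returns NT_STATUS_NOT_IMPLEMENTED, both new branches (in winbindd_dual_pam_auth_samlogon and again in winbind_dual_SamLogon) fall through to the remote NETLOGON path without a log line, so an administrator cannot tell from the logs whether a logon was decided locally or forwarded to the DC; add something like `DEBUG(10, ("winbindd_dual_pam_auth_samlogon: local passdb had nothing to say for %s, trying NETLOGON\n", name_user));` inside each new `if (!NT_STATUS_EQUAL(...))` block before the goto is skipped. The fallback also assumes winbindd_dual_auth_passdb builds its user_info with USER_INFO_LOCAL_SAM_ONLY set, since without that flag the auth stack remaps the status to NT_STATUS_NO_SUCH_USER (see the auth.c hunks); that call body is outside this hunk and should be confirmed. The two new comment blocks carry trailing whitespace on the `/* ` and `NOT_IMPLEMENTED ` lines. Both enclosing functions continue past the hunk.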
index 6d5747eb783318f1a9b53cbd3c6829d7493d0279..1d1bc5eb8565bcc8bd86b2a8c65370a4bf33fb15 100644 (file)
@@ -375,9 +375,13 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
        }
 
        if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
-               /* don't expose the NT_STATUS_NOT_IMPLEMENTED
-                  internals */
-               status = NT_STATUS_NO_SUCH_USER;
+               if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
+                       /* don't expose the NT_STATUS_NOT_IMPLEMENTED
+                        * internals, except when the caller is only probing
+                        * one method, as they may do the fallback 
+                        */
+                       status = NT_STATUS_NO_SUCH_USER;
+               }
        }
 
        if (tevent_req_nterror(req, status)) {
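Review bot: The added nesting in auth_check_password_async_trigger can be a single condition, `if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) && !(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {`, with the comment kept inside; the comment line ending `fallback ` carries trailing whitespace. With the flag set, NT_STATUS_NOT_IMPLEMENTED now reaches tevent_req_nterror() and the caller, so the comment should say so explicitly, e.g. `/* with USER_INFO_LOCAL_SAM_ONLY the caller receives NT_STATUS_NOT_IMPLEMENTED and performs the fallback itself */`. The function continues outside the hunk.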