#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM */
+#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
#define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
enum auth_password_state {
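Review bot: The new comment on USER_INFO_LOCAL_SAM_ONLY says "do not map missing passwords to NO_SUCH_USER", but the code changed elsewhere on this page tests for NT_STATUS_NOT_IMPLEMENTED, not for a missing password. Since the flag now also decides which status leaves the auth layer, the header should name that status, for example `/* Only authenticate against the local SAM; NT_STATUS_NOT_IMPLEMENTED is passed back to the caller instead of being mapped to NO_SUCH_USER */`. A reader who sees only the header would otherwise not expect a new status code from callers that set this flag.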
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
TALLOC_FREE(tmp_ctx);
+ if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
+ /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ nt_status = result;
+ }
continue;
}
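Review bot: With USER_INFO_LOCAL_SAM_ONLY set, NT_STATUS_NOT_IMPLEMENTED can now be the final status of check_ntlm_password, and nothing in this hunk ensures that every caller setting the flag translates it before it reaches a client response or an audit record. The contract belongs in the function's header comment, for example `/* With USER_INFO_LOCAL_SAM_ONLY the result may be NT_STATUS_NOT_IMPLEMENTED; the caller must fall back or map it to NT_STATUS_NO_SUCH_USER. */`. The assignment `nt_status = result;` also runs for every method that has nothing to say, so the "only probing one method" assumption in the comment is not checked here and a longer method list would overwrite whatever nt_status held. The later hunk that guards `status = NT_STATUS_NO_SUCH_USER` with the same flag test relies on the same contract. The loop and the rest of the function lie outside the hunk.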
result = winbindd_dual_auth_passdb(
mem_ctx, 0, name_domain, name_user,
&chal_blob, &lm_resp, &nt_resp, info3);
- goto done;
+
+ /*
+ * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ */
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto done;
+ }
}
/* check authentication loop */
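Review bot: The fall-through to the remote NETLOGON path is keyed only on `NT_STATUS_NOT_IMPLEMENTED`, so a local backend that returns that status for any other reason now has the challenge/response forwarded to a DC instead of the request ending locally. Leave a trace at the fall-through so operators can tell which path answered, e.g. `DEBUG(10, ("local passdb had nothing to say for %s\\%s, trying NETLOGON\n", name_domain, name_user));` just before the closing brace. The identical check and comment are repeated in the next hunk (the one ending in `goto process_result`), and the same logging applies there. Whether `info3` can be left partly filled by the local attempt before the remote one runs is not visible here and is worth confirming. Both enclosing functions start and end outside the hunks.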
logon_parameters,
name_domain, name_user,
&chal_blob, &lm_response, &nt_response, info3);
- goto process_result;
+
+ /*
+ * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ */
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto process_result;
+ }
}
result = winbind_samlogon_retry_loop(domain,
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
- /* don't expose the NT_STATUS_NOT_IMPLEMENTED
- internals */
- status = NT_STATUS_NO_SUCH_USER;
+ if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
+ /* don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ status = NT_STATUS_NO_SUCH_USER;
+ }
}
if (tevent_req_nterror(req, status)) {