irpc_handle, &req);
}
-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
- struct samba_kdc_db_context *kdc_db_ctx,
- struct auth_usersupplied_info *user_info)
-{
- struct dcerpc_binding_handle *irpc_handle;
- struct winbind_SamLogon req;
- struct netr_IdentityInfo *identity_info;
- struct netr_NetworkInfo *network_info;
-
- irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
- "winbind_server",
- &ndr_table_winbind);
- if (irpc_handle == NULL) {
- DEBUG(0, ("Winbind forwarding for [%s]\\[%s] failed, "
- "no winbind_server running!\n",
- user_info->mapped.domain_name, user_info->mapped.account_name));
- return;
- }
-
- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
- if (network_info == NULL) {
- DEBUG(0, ("Winbind forwarding failed: No memory\n"));
- return;
- }
-
- identity_info = &network_info->identity_info;
- req.in.logon_level = 2;
- req.in.logon.network = network_info;
-
- identity_info->domain_name.string = user_info->mapped.domain_name;
- identity_info->parameter_control = user_info->logon_parameters; /* TODO */
- identity_info->logon_id = user_info->logon_id;
- identity_info->account_name.string = user_info->mapped.account_name;
- identity_info->workstation.string
- = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s",
- tsocket_address_string(user_info->remote_host,
- identity_info));
- if (identity_info->workstation.string == NULL) {
- DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n"));
- return;
- }
-
- req.in.validation_level = 3;
-
- /*
- * The memory in identity_info and user_info only needs to be
- * valid until the end of this function call, as it will be
- * pushed to NDR during this call
- */
-
- dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
- irpc_handle, &req);
-}
-
static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
hdb_entry_ex *entry,
struct sockaddr *from_addr,
.password_type = auth_type,
.logon_id = logon_id
};
-
size_t sa_socklen = 0;
+ int final_ret = 0;
switch (from_addr->sa_family) {
case AF_INET:
struct tsocket_address *remote_host;
NTSTATUS status;
int ret;
+ bool rwdc_fallback = false;
ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
sa_socklen,
if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
status = NT_STATUS_WRONG_PASSWORD;
- /*
- * TODO We currently send a bad password via NETLOGON,
- * however, it should probably forward the ticket to
- * another KDC to allow login after password changes.
- */
- if (kdc_db_ctx->rodc) {
- send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
- }
+ rwdc_fallback = kdc_db_ctx->rodc;
} else {
status = NT_STATUS_OK;
}
+ if (rwdc_fallback) {
+ /*
+ * Forward the request to an RWDC in order
+ * to give an authoritative answer to the client.
+ */
+ ui.password_type = "Forwarding to RWDC";
+ final_ret = HDB_ERR_NOT_FOUND_HERE;
+ }
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
start_time,
ui.remote_host = remote_host;
}
+ /* Note this is not forwarded to an RWDC */
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
start_time,
break;
}
}
- return 0;
+ return final_ret;
}
/* This interface is to be called by the KDC and libnet_keytab_dump,