From 8a6fc79ad8d9f1b6c4f604b173426bf821f98208 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 28 Jun 2003 08:29:42 +0000 Subject: [PATCH] add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06) --- source3/auth/auth.c | 14 ++++++++++++- source3/auth/auth_domain.c | 41 +++++++++++++++++++++++++------------- source3/auth/auth_util.c | 31 ++++++++++------------------ 3 files changed, 50 insertions(+), 36 deletions(-) diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 891f47486b8..25b856cd57b 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -244,10 +244,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { + NTSTATUS result; + mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, user_info->domain.str, user_info->smb_name.str); - nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); + + /* check if the module did anything */ + if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { + DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); + talloc_destroy(mem_ctx); + continue; + } + + nt_status = result; + if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", auth_method->name, user_info->smb_name.str)); diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index df19a274fbc..84453ac3b58 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -401,11 +401,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; const char *domain = lp_workgroup(); uint32 sec_channel_type = 0; + fstring dc_name; + struct in_addr dc_ip; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -443,17 +444,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } } - /* - * Treat each name in the 'password server =' line as a potential - * PDC/BDC. Contact each in turn and try and authenticate. - */ - - password_server = lp_passwordserver(); - + if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + user_info->domain.str)); + return NT_STATUS_NO_LOGON_SERVERS; + } + nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, - server_info, - password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time); + server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time); return nt_status; } @@ -485,6 +484,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte char *trust_password; time_t last_change_time; DOM_SID sid; + fstring dc_name; + struct in_addr dc_ip; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); @@ -509,9 +510,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte if(strequal(lp_workgroup(), (user_info->domain.str))) { DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_NOT_IMPLEMENTED; } + /* no point is bothering if this is not a trusted domain */ + /* this return makes "map to guest = bad user" work again */ + + if ( !is_trusted_domain( user_info->domain.str ) ) + return NT_STATUS_NO_SUCH_USER; + /* * Get the trusted account password for the trusted domain * No need to become_root() as secrets_init() is done at startup. @@ -537,11 +544,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } #endif + if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + user_info->domain.str)); + return NT_STATUS_NO_LOGON_SERVERS; + } + nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, (uchar *)auth_context->challenge.data, - server_info, "*" /* Do a lookup */, - lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); - + server_info, dc_name, lp_workgroup(), + SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d0f44f1d1f..fe4900f9f49 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -204,32 +204,22 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); - if (lp_allow_trusted_domains() && *client_domain) { - - /* the client could have given us a workstation name - or other crap for the workgroup - we really need a - way of telling if this domain name is one of our - trusted domain names - - Also don't allow "" as a domain, fixes a Win9X bug + /* don't allow "" as a domain, fixes a Win9X bug where it doens't supply a domain for logon script - 'net use' commands. - - Finally, we do this by looking up a cache of trusted domains! - */ + 'net use' commands.*/ + if ( *client_domain ) domain = client_domain; + else + domain = lp_workgroup(); - if (is_trusted_domain(domain)) { - return make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, - lm_pwd, nt_pwd, plaintext, ntlmssp_flags, - encrypted); - } + /* do what win2k does. Always map unknown domains to our own + and let the "passdb backend" handle unknown users */ - } else { + if ( !is_trusted_domain(domain) ) domain = lp_workgroup(); - } + + /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ return make_user_info(user_info, smb_name, internal_username, @@ -238,7 +228,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, lm_pwd, nt_pwd, plaintext, ntlmssp_flags, encrypted); - } /**************************************************************************** -- 2.34.1