svn commit: samba r17270 - in branches/SAMBA_4_0/source/auth: .

metze at samba.org metze at samba.org
Thu Jul 27 11:24:19 GMT 2006


Author: metze
Date: 2006-07-27 11:24:18 +0000 (Thu, 27 Jul 2006)
New Revision: 17270

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17270

Log:
split the logic of saying this auth backend wants to handle this
request from the password checking. This will help to make
the password checking hook async later

metze
Modified:
   branches/SAMBA_4_0/source/auth/auth.c
   branches/SAMBA_4_0/source/auth/auth.h
   branches/SAMBA_4_0/source/auth/auth_anonymous.c
   branches/SAMBA_4_0/source/auth/auth_developer.c
   branches/SAMBA_4_0/source/auth/auth_sam.c
   branches/SAMBA_4_0/source/auth/auth_unix.c
   branches/SAMBA_4_0/source/auth/auth_winbind.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.c	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth.c	2006-07-27 11:24:18 UTC (rev 17270)
@@ -174,16 +174,20 @@
 	for (method = auth_ctx->methods; method; method = method->next) {
 		NTSTATUS result;
 
-		result = method->ops->check_password(method, mem_ctx, user_info, server_info);
-
-		/* check if the module did anything */
-		if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-			method_name = method->ops->name;
-			nt_status = result;
-			break;
+		/* check if the module wants to chek the password */
+		result = method->ops->want_check(method, mem_ctx, user_info);
+		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+			DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+			continue;
 		}
 
-		DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+		method_name = method->ops->name;
+		nt_status = result;
+
+		if (!NT_STATUS_IS_OK(nt_status)) break;
+
+		nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info);
+		break;
 	}
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
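Review bot: `method->ops->want_check` is called unconditionally inside the loop, so a backend whose `auth_operations` leaves `.want_check` unset would turn every logon attempt into a NULL function-pointer call. The registration code is not visible here; if it does not already reject ops without `want_check`, that is the better place for the check, so a stale module fails at load time instead of on the authentication path. Also worth stating in a comment above the final `break`: once `want_check` returns NT_STATUS_OK the backend's `check_password` result is final, including NT_STATUS_NOT_IMPLEMENTED, which previously fell through to the next method, e.g. `/* the first backend that claims the request is authoritative */`. The new comment has a typo (`chek`), and the enclosing function starts and ends outside this hunk.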

Modified: branches/SAMBA_4_0/source/auth/auth.h
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.h	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth.h	2006-07-27 11:24:18 UTC (rev 17270)
@@ -35,7 +35,8 @@
 /* version 2 - initial samba4 version - metze */
 /* version 3 - subsequent samba4 version - abartlet */
 /* version 4 - subsequent samba4 version - metze */
-#define AUTH_INTERFACE_VERSION 4
+/* version 0 - till samba4 is stable - metze */
+#define AUTH_INTERFACE_VERSION 0
 
 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
@@ -134,6 +135,11 @@
 
 	NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
 
+	/* Given the user supplied info, check if this backend want to handle the password checking */
+
+	NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
+			       const struct auth_usersupplied_info *user_info);
+
 	/* Given the user supplied info, check a password */
 
 	NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
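Review bot: The comment added for `want_check` does not state the return contract that the dispatch loop in auth.c depends on. Reading that loop, NT_STATUS_NOT_IMPLEMENTED means "not mine, try the next backend", NT_STATUS_OK means the backend claims the request, and any other status ends the chain with that error. I would spell those three cases out in the comment, and add to the `check_password` comment that it is only called after `want_check` returned NT_STATUS_OK and that its result is not passed on to another backend. The struct definition starts and ends outside this hunk.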

Modified: branches/SAMBA_4_0/source/auth/auth_anonymous.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_anonymous.c	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_anonymous.c	2006-07-27 11:24:18 UTC (rev 17270)
@@ -30,21 +30,36 @@
  * anonymou logons to be dealt with in one place.  Non-anonymou logons 'fail'
  * and pass onto the next module.
  **/
+static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
+			      	     TALLOC_CTX *mem_ctx,
+				     const struct auth_usersupplied_info *user_info)
+{
+	if (user_info->client.account_name && *user_info->client.account_name) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/**
+ * Return a anonymous logon for anonymous users (username = "")
+ *
+ * Typically used as the first module in the auth chain, this allows
+ * anonymou logons to be dealt with in one place.  Non-anonymou logons 'fail'
+ * and pass onto the next module.
+ **/
 static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
 			      		 TALLOC_CTX *mem_ctx,
 					 const struct auth_usersupplied_info *user_info, 
 					 struct auth_serversupplied_info **_server_info)
 {
-	if (user_info->client.account_name && *user_info->client.account_name) {
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
 	return auth_anonymous_server_info(mem_ctx, _server_info);
 }
 
 static struct auth_operations anonymous_auth_ops = {
 	.name		= "anonymous",
 	.get_challenge	= auth_get_challenge_not_implemented,
+	.want_check	= anonymous_want_check,
 	.check_password	= anonymous_check_password
 };
 
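Review bot: `anonymous_check_password` now returns anonymous server info for any `user_info`, so it is only correct if the caller has already run `anonymous_want_check`. The dispatch loop in auth.c does that, but nothing in this file enforces it; either document the precondition on the function or keep a cheap guard that fails closed, e.g. `if (user_info->client.account_name && *user_info->client.account_name) return NT_STATUS_NO_SUCH_USER;`. The doc comments also need adjusting: the original block now sits above `anonymous_want_check`, which only decides whether to claim the request, and the duplicated copy above `anonymous_check_password` still says non-anonymous logons pass on to the next module, which that function no longer does.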

Modified: branches/SAMBA_4_0/source/auth/auth_developer.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_developer.c	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_developer.c	2006-07-27 11:24:18 UTC (rev 17270)
@@ -24,6 +24,13 @@
 #include "auth/auth.h"
 #include "libcli/security/security.h"
 
+static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
+			      		    TALLOC_CTX *mem_ctx,
+					    const struct auth_usersupplied_info *user_info)
+{
+	return NT_STATUS_OK;
+}
+
 /** 
  * Return an error based on username
  *
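Review bot: `name_to_ntstatus_want_check` has no comment and claims every request, including one with an empty username, so with the new dispatch any backend listed after `name_to_ntstatus` is never consulted. A one-line comment would make that visible to whoever configures a test chain, e.g. `/* test backend: claims all users; later backends in the chain are never reached */`. The hunk ends inside the doc comment of the following function.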
@@ -56,11 +63,8 @@
 		DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num));
 		nt_status = NT_STATUS(error_num);
 	}
+	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-
 	server_info = talloc(mem_ctx, struct auth_serversupplied_info);
 	NT_STATUS_HAVE_NO_MEMORY(server_info);
 
@@ -128,6 +132,7 @@
 static struct auth_operations name_to_ntstatus_auth_ops = {
 	.name		= "name_to_ntstatus",
 	.get_challenge	= auth_get_challenge_not_implemented,
+	.want_check	= name_to_ntstatus_want_check,
 	.check_password	= name_to_ntstatus_check_password
 };
 
@@ -157,18 +162,27 @@
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
+			      		   TALLOC_CTX *mem_ctx,
+					   const struct auth_usersupplied_info *user_info)
+{
+	/* don't handle any users */
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
 static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
 			      		       TALLOC_CTX *mem_ctx,
 					       const struct auth_usersupplied_info *user_info,
 					       struct auth_serversupplied_info **_server_info)
 {
 	/* don't handle any users */
-	return NT_STATUS_NOT_IMPLEMENTED;
+	return NT_STATUS_NO_SUCH_USER;
 }
 
 static struct auth_operations fixed_challenge_auth_ops = {
 	.name		= "fixed_challenge",
 	.get_challenge	= fixed_challenge_get_challenge,
+	.want_check	= fixed_challenge_want_check,
 	.check_password	= fixed_challenge_check_password
 };
 

Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_sam.c	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c	2006-07-27 11:24:18 UTC (rev 17270)
@@ -334,6 +334,17 @@
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
+						TALLOC_CTX *mem_ctx,
+						const struct auth_usersupplied_info *user_info)
+{
+	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx,
 						    TALLOC_CTX *mem_ctx,
 						    const struct auth_usersupplied_info *user_info, 
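Review bot: The guard `if (!user_info->mapped.account_name || !*user_info->mapped.account_name)` is repeated verbatim in `authsam_ignoredomain_want_check` here and in `authsam_want_check`, `authunix_want_check` and `winbind_want_check`; a small shared helper would keep the "empty username is not mine" rule in one place. It would also make visible that `anonymous_want_check` tests `client.account_name` while these four test `mapped.account_name`. If those two fields can ever differ in emptiness, a request could be claimed by no backend or by an unintended one, so the choice of field deserves a comment either way. `authsam_ignoredomain_check_password` begins in this hunk and continues outside it.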
@@ -345,31 +356,32 @@
 /****************************************************************************
 Check SAM security (above) but with a few extra checks.
 ****************************************************************************/
-static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
-				       TALLOC_CTX *mem_ctx,
-				       const struct auth_usersupplied_info *user_info, 
-				       struct auth_serversupplied_info **server_info)
+static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
+				   TALLOC_CTX *mem_ctx,
+				   const struct auth_usersupplied_info *user_info)
 {
-	const char *domain;
 	BOOL is_local_name, is_my_domain;
 
+	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
 	is_local_name = is_myname(user_info->mapped.domain_name);
 	is_my_domain  = strequal(user_info->mapped.domain_name, lp_workgroup());
 
 	/* check whether or not we service this domain/workgroup name */
 	switch (lp_server_role()) {
 		case ROLE_STANDALONE:
-			domain = lp_netbios_name();
-			break;
+			return NT_STATUS_OK;
+
 		case ROLE_DOMAIN_MEMBER:
 			if (!is_local_name) {
-				DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n",
-					user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER 
-					? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+				DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
+					user_info->mapped.domain_name));
 				return NT_STATUS_NOT_IMPLEMENTED;
 			}
-			domain = lp_netbios_name();
-			break;
+			return NT_STATUS_OK;
+
 		case ROLE_DOMAIN_PDC:
 		case ROLE_DOMAIN_BDC:
 			if (!is_local_name && !is_my_domain) {
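Review bot: The DEBUG messages in `authsam_want_check` still carry the `authsam_check_password:` prefix (the DOMAIN_MEMBER message in this hunk and the "undefined value" message in the next one), which misattributes the decision when someone reads authentication logs. Changing the prefix to `authsam_want_check:` fixes that. The header comment "Check SAM security (above) but with a few extra checks." now sits above `authsam_want_check` and is repeated above `authsam_check_password`; the first copy should instead describe the domain/role claim decision. `authsam_want_check` continues into the next hunk.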
@@ -377,11 +389,37 @@
 					user_info->mapped.domain_name));
 				return NT_STATUS_NOT_IMPLEMENTED;
 			}
+			return NT_STATUS_OK;
+	}
+
+	DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************************
+Check SAM security (above) but with a few extra checks.
+****************************************************************************/
+static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
+				       TALLOC_CTX *mem_ctx,
+				       const struct auth_usersupplied_info *user_info, 
+				       struct auth_serversupplied_info **server_info)
+{
+	const char *domain;
+
+	/* check whether or not we service this domain/workgroup name */
+	switch (lp_server_role()) {
+		case ROLE_STANDALONE:
+		case ROLE_DOMAIN_MEMBER:
+			domain = lp_netbios_name();
+			break;
+
+		case ROLE_DOMAIN_PDC:
+		case ROLE_DOMAIN_BDC:
 			domain = lp_workgroup();
 			break;
+
 		default:
-			DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
-			return NT_STATUS_NOT_IMPLEMENTED;
+			return NT_STATUS_NO_SUCH_USER;
 	}
 
 	return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
@@ -390,12 +428,14 @@
 static const struct auth_operations sam_ignoredomain_ops = {
 	.name		= "sam_ignoredomain",
 	.get_challenge	= auth_get_challenge_not_implemented,
+	.want_check	= authsam_ignoredomain_want_check,
 	.check_password	= authsam_ignoredomain_check_password
 };
 
 static const struct auth_operations sam_ops = {
 	.name		= "sam",
 	.get_challenge	= auth_get_challenge_not_implemented,
+	.want_check	= authsam_want_check,
 	.check_password	= authsam_check_password
 };
 

Modified: branches/SAMBA_4_0/source/auth/auth_unix.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_unix.c	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_unix.c	2006-07-27 11:24:18 UTC (rev 17270)
@@ -773,20 +773,26 @@
  *
  **/
 
+static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
+				    TALLOC_CTX *mem_ctx,
+				    const struct auth_usersupplied_info *user_info)
+{
+	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
 					TALLOC_CTX *mem_ctx,
 					const struct auth_usersupplied_info *user_info,
-					struct  auth_serversupplied_info **server_info)
+					struct auth_serversupplied_info **server_info)
 {
 	TALLOC_CTX *check_ctx;
 	NTSTATUS nt_status;
 	struct passwd *pwd;
 
-	if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) {
-		/* 'not for me' */
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
 	if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
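Review bot: `authunix_want_check` claims every non-empty username, yet `authunix_check_password` immediately returns NT_STATUS_INVALID_PARAMETER when `password_state` is not AUTH_PASSWORD_PLAIN. Since a claimed request is never handed to another backend, it may be cleaner to decline in the claim hook, `if (user_info->password_state != AUTH_PASSWORD_PLAIN) return NT_STATUS_NOT_IMPLEMENTED;`, so challenge/response logons can reach a backend able to verify them. That changes the status a client sees when `unix` precedes other backends, so it needs a deliberate decision; at minimum a comment on `authunix_want_check` should state the current behaviour. `authunix_check_password` continues outside this hunk.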
@@ -797,13 +803,13 @@
 	}
 
 	nt_status = check_unix_password(check_ctx, user_info, &pwd);
-	if ( ! NT_STATUS_IS_OK(nt_status)) {
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(check_ctx);
 		return nt_status;
 	}
 
 	nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info);
-	if ( ! NT_STATUS_IS_OK(nt_status)) {
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(check_ctx);
 		return nt_status;
 	}
@@ -815,7 +821,8 @@
 static const struct auth_operations unix_ops = {
 	.name		= "unix",
 	.get_challenge	= auth_get_challenge_not_implemented,
-	.check_password = authunix_check_password
+	.want_check	= authunix_want_check,
+	.check_password	= authunix_check_password
 };
 
 NTSTATUS auth_unix_init(void)

Modified: branches/SAMBA_4_0/source/auth/auth_winbind.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_winbind.c	2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_winbind.c	2006-07-27 11:24:18 UTC (rev 17270)
@@ -46,6 +46,18 @@
 	}
 }
 
+static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
+				   TALLOC_CTX *mem_ctx,
+				   const struct auth_usersupplied_info *user_info)
+{
+	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	/* TODO: maybe limit the user scope to remote users only */
+	return NT_STATUS_OK;
+}
+
 /* Authenticate a user with a challenge/response */
 static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 				       TALLOC_CTX *mem_ctx,
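Review bot: `winbind_want_check` claims every non-empty username, and the dispatch loop in auth.c treats the first claim as final, so wherever `winbind` precedes a local backend in the configured chain, local accounts are never checked by that backend. The TODO acknowledges the scope question but not this ordering consequence; I would extend it, e.g. `/* TODO: limit to remote users; until then this backend must be ordered after the local ones */`. The configured chain order is not visible on this page. `winbind_check_password` begins in this hunk and continues outside it.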
@@ -129,6 +141,7 @@
 static const struct auth_operations winbind_ops = {
 	.name		= "winbind",
 	.get_challenge	= auth_get_challenge_not_implemented,
+	.want_check	= winbind_want_check,
 	.check_password	= winbind_check_password
 };
 


