svn commit: samba r17270 - in branches/SAMBA_4_0/source/auth: .
metze at samba.org
metze at samba.org
Thu Jul 27 11:24:19 GMT 2006
Author: metze
Date: 2006-07-27 11:24:18 +0000 (Thu, 27 Jul 2006)
New Revision: 17270
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17270
Log:
split the logic of saying this auth backend wants to handle this
request from the password checking. This will help to make
the password checking hook async later
metze
Modified:
branches/SAMBA_4_0/source/auth/auth.c
branches/SAMBA_4_0/source/auth/auth.h
branches/SAMBA_4_0/source/auth/auth_anonymous.c
branches/SAMBA_4_0/source/auth/auth_developer.c
branches/SAMBA_4_0/source/auth/auth_sam.c
branches/SAMBA_4_0/source/auth/auth_unix.c
branches/SAMBA_4_0/source/auth/auth_winbind.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.c 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth.c 2006-07-27 11:24:18 UTC (rev 17270)
@@ -174,16 +174,20 @@
for (method = auth_ctx->methods; method; method = method->next) {
NTSTATUS result;
- result = method->ops->check_password(method, mem_ctx, user_info, server_info);
-
- /* check if the module did anything */
- if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- method_name = method->ops->name;
- nt_status = result;
- break;
+ /* check if the module wants to chek the password */
+ result = method->ops->want_check(method, mem_ctx, user_info);
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+ continue;
}
- DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+ method_name = method->ops->name;
+ nt_status = result;
+
+ if (!NT_STATUS_IS_OK(nt_status)) break;
+
+ nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info);
+ break;
}
if (!NT_STATUS_IS_OK(nt_status)) {
Modified: branches/SAMBA_4_0/source/auth/auth.h
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.h 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth.h 2006-07-27 11:24:18 UTC (rev 17270)
@@ -35,7 +35,8 @@
/* version 2 - initial samba4 version - metze */
/* version 3 - subsequent samba4 version - abartlet */
/* version 4 - subsequent samba4 version - metze */
-#define AUTH_INTERFACE_VERSION 4
+/* version 0 - till samba4 is stable - metze */
+#define AUTH_INTERFACE_VERSION 0
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
@@ -134,6 +135,11 @@
NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
+ /* Given the user supplied info, check if this backend want to handle the password checking */
+
+ NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info);
+
/* Given the user supplied info, check a password */
NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
Modified: branches/SAMBA_4_0/source/auth/auth_anonymous.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_anonymous.c 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_anonymous.c 2006-07-27 11:24:18 UTC (rev 17270)
@@ -30,21 +30,36 @@
* anonymou logons to be dealt with in one place. Non-anonymou logons 'fail'
* and pass onto the next module.
**/
+static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (user_info->client.account_name && *user_info->client.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**
+ * Return a anonymous logon for anonymous users (username = "")
+ *
+ * Typically used as the first module in the auth chain, this allows
+ * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail'
+ * and pass onto the next module.
+ **/
static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **_server_info)
{
- if (user_info->client.account_name && *user_info->client.account_name) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
return auth_anonymous_server_info(mem_ctx, _server_info);
}
static struct auth_operations anonymous_auth_ops = {
.name = "anonymous",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = anonymous_want_check,
.check_password = anonymous_check_password
};
Modified: branches/SAMBA_4_0/source/auth/auth_developer.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_developer.c 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_developer.c 2006-07-27 11:24:18 UTC (rev 17270)
@@ -24,6 +24,13 @@
#include "auth/auth.h"
#include "libcli/security/security.h"
+static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ return NT_STATUS_OK;
+}
+
/**
* Return an error based on username
*
@@ -56,11 +63,8 @@
DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num));
nt_status = NT_STATUS(error_num);
}
+ NT_STATUS_NOT_OK_RETURN(nt_status);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
@@ -128,6 +132,7 @@
static struct auth_operations name_to_ntstatus_auth_ops = {
.name = "name_to_ntstatus",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = name_to_ntstatus_want_check,
.check_password = name_to_ntstatus_check_password
};
@@ -157,18 +162,27 @@
return NT_STATUS_OK;
}
+static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ /* don't handle any users */
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **_server_info)
{
/* don't handle any users */
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NT_STATUS_NO_SUCH_USER;
}
static struct auth_operations fixed_challenge_auth_ops = {
.name = "fixed_challenge",
.get_challenge = fixed_challenge_get_challenge,
+ .want_check = fixed_challenge_want_check,
.check_password = fixed_challenge_check_password
};
Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_sam.c 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c 2006-07-27 11:24:18 UTC (rev 17270)
@@ -334,6 +334,17 @@
return NT_STATUS_OK;
}
+static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
@@ -345,31 +356,32 @@
/****************************************************************************
Check SAM security (above) but with a few extra checks.
****************************************************************************/
-static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
{
- const char *domain;
BOOL is_local_name, is_my_domain;
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
is_local_name = is_myname(user_info->mapped.domain_name);
is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
/* check whether or not we service this domain/workgroup name */
switch (lp_server_role()) {
case ROLE_STANDALONE:
- domain = lp_netbios_name();
- break;
+ return NT_STATUS_OK;
+
case ROLE_DOMAIN_MEMBER:
if (!is_local_name) {
- DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n",
- user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER
- ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+ DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
+ user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
- domain = lp_netbios_name();
- break;
+ return NT_STATUS_OK;
+
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
if (!is_local_name && !is_my_domain) {
@@ -377,11 +389,37 @@
user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************************
+Check SAM security (above) but with a few extra checks.
+****************************************************************************/
+static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
+{
+ const char *domain;
+
+ /* check whether or not we service this domain/workgroup name */
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ domain = lp_netbios_name();
+ break;
+
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
domain = lp_workgroup();
break;
+
default:
- DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
- return NT_STATUS_NOT_IMPLEMENTED;
+ return NT_STATUS_NO_SUCH_USER;
}
return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
@@ -390,12 +428,14 @@
static const struct auth_operations sam_ignoredomain_ops = {
.name = "sam_ignoredomain",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_ignoredomain_want_check,
.check_password = authsam_ignoredomain_check_password
};
static const struct auth_operations sam_ops = {
.name = "sam",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_want_check,
.check_password = authsam_check_password
};
Modified: branches/SAMBA_4_0/source/auth/auth_unix.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_unix.c 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_unix.c 2006-07-27 11:24:18 UTC (rev 17270)
@@ -773,20 +773,26 @@
*
**/
+static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_serversupplied_info **server_info)
{
TALLOC_CTX *check_ctx;
NTSTATUS nt_status;
struct passwd *pwd;
- if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) {
- /* 'not for me' */
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -797,13 +803,13 @@
}
nt_status = check_unix_password(check_ctx, user_info, &pwd);
- if ( ! NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info);
- if ( ! NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
@@ -815,7 +821,8 @@
static const struct auth_operations unix_ops = {
.name = "unix",
.get_challenge = auth_get_challenge_not_implemented,
- .check_password = authunix_check_password
+ .want_check = authunix_want_check,
+ .check_password = authunix_check_password
};
NTSTATUS auth_unix_init(void)
Modified: branches/SAMBA_4_0/source/auth/auth_winbind.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_winbind.c 2006-07-27 10:32:12 UTC (rev 17269)
+++ branches/SAMBA_4_0/source/auth/auth_winbind.c 2006-07-27 11:24:18 UTC (rev 17270)
@@ -46,6 +46,18 @@
}
}
+static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ /* TODO: maybe limit the user scope to remote users only */
+ return NT_STATUS_OK;
+}
+
/* Authenticate a user with a challenge/response */
static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
@@ -129,6 +141,7 @@
static const struct auth_operations winbind_ops = {
.name = "winbind",
.get_challenge = auth_get_challenge_not_implemented,
+ .want_check = winbind_want_check,
.check_password = winbind_check_password
};
More information about the samba-cvs
mailing list