Bad fallover to next authentication module?
Tom Alsberg
alsbergt at cs.huji.ac.il
Thu Jul 8 08:48:53 GMT 2004
I've observed that the auth subsystem will just try the next
authentication module on any failure of the current one - is that
intentional?
I see it as a problem, since I cannot, for example, put a module at
the beginning of the chain that will impose additional restrictions on
authentication.
Also, you often get the wrong error status on failure. E.g. the
first module will recognize the user but inhibit it from logging on by
NT_STATUS_INVALID_WORKSTATION/NT_STATUS_ACCOUNT_DISABLED, and the next
modules will just not even authenticate it properly and return
NT_STATUS_LOGON_FAILURE (or NT_STATUS_NO_SUCH_USER), and the user will
get that, instead of the more correct NT_STATUS_INVALID_WORKSTATION...
My fix to this was the following:
diff -ur source.orig/auth/auth.c source/auth/auth.c
--- source.orig/auth/auth.c Sun Apr 4 09:37:32 2004
+++ source/auth/auth.c Thu Jul 8 11:37:34 2004
@@ -273,10 +273,13 @@
talloc_destroy(mem_ctx);
- if ( NT_STATUS_IS_OK(nt_status))
- {
- break;
- }
+ if (NT_STATUS_V(result) ==
+ NT_STATUS_V(NT_STATUS_NO_SUCH_USER) ||
+ NT_STATUS_V(result) ==
+ NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED))
+ continue;
+ else
+ break;
}
if (NT_STATUS_IS_OK(nt_status)) {
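Review bot: the added lines test `result`, while the lines they replace (`if ( NT_STATUS_IS_OK(nt_status))`) and the unchanged context line after the loop (`if (NT_STATUS_IS_OK(nt_status)) {`) test `nt_status`. Unless `result` is the variable that actually receives each module's return value, the new comparison looks at something else and the post-loop success check can see a stale status; use the same variable in both places. The `else` before `break;` is also redundant after a `continue;` and can be dropped.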
But that's probably not really correct either.
Why not use a scheme like in PAM, where there would be
NT_STATUS_IGNORE which will go to the next module, and a failure will
really be considered a failure (of course, if all modules do
NT_STATUS_IGNORE, then it'll still fail)?
Or, what should modules do in such cases?
Thanks,
-- Tom
--
Tom Alsberg - hacker (being the best description fitting this space)
Web page: http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER: The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.
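The two chain-walking policies discussed in the post, as an added example that is not Samba code and not the author's patch: a "fall through on any failure" walk beside a PAM-like walk where only an explicit IGNORE status hands over to the next module. The module names, the status enum, the users and workstations, and the chain layout are all constructed for illustration.

```c
/* Added example (constructed, not Samba code): contrasts two ways of
 * walking an authentication-module chain and shows the status-code
 * problem the post describes. Names and values here are made up. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy status codes standing in for the NT_STATUS_* values in the post. */
typedef enum {
    ST_OK,
    ST_IGNORE,              /* "not my user": pass to the next module */
    ST_ACCOUNT_DISABLED,
    ST_INVALID_WORKSTATION,
    ST_LOGON_FAILURE
} auth_status;

typedef auth_status (*auth_fn)(const char *user, const char *workstation);

/* Module 1 (hypothetical "policy" module): knows "alice" but only allows
 * logons from workstation "ws1"; knows "bob" but the account is disabled.
 * Any other user is not its business, so it says IGNORE. */
static auth_status policy_module(const char *user, const char *ws) {
    if (strcmp(user, "alice") == 0)
        return strcmp(ws, "ws1") == 0 ? ST_OK : ST_INVALID_WORKSTATION;
    if (strcmp(user, "bob") == 0)
        return ST_ACCOUNT_DISABLED;
    return ST_IGNORE;
}

/* Module 2 (hypothetical local backend): only knows "carol". */
static auth_status local_module(const char *user, const char *ws) {
    (void)ws;
    return strcmp(user, "carol") == 0 ? ST_OK : ST_IGNORE;
}

/* Module 3 (hypothetical last resort): always fails generically. */
static auth_status guest_module(const char *user, const char *ws) {
    (void)user; (void)ws;
    return ST_LOGON_FAILURE;
}

static const auth_fn chain[] = { policy_module, local_module, guest_module };
static const size_t chain_len = sizeof chain / sizeof chain[0];

/* Walk 1, the behaviour the post complains about: any non-OK result moves
 * on to the next module, so the user ends up seeing whatever the last
 * module returned (here the generic ST_LOGON_FAILURE). */
auth_status chain_fallthrough(const char *user, const char *ws) {
    auth_status st = ST_LOGON_FAILURE;
    for (size_t i = 0; i < chain_len; i++) {
        st = chain[i](user, ws);
        if (st == ST_OK) break;
    }
    return st;
}

/* Walk 2, the PAM-like scheme the post proposes: only ST_IGNORE hands over
 * to the next module; OK and every other failure stop the walk and are
 * reported as-is. If every module ignores, the result is still a failure. */
auth_status chain_pam_like(const char *user, const char *ws) {
    for (size_t i = 0; i < chain_len; i++) {
        auth_status st = chain[i](user, ws);
        if (st == ST_IGNORE) continue;
        return st;
    }
    return ST_LOGON_FAILURE;
}

static const char *status_name(auth_status st) {
    switch (st) {
    case ST_OK:                  return "OK";
    case ST_IGNORE:              return "IGNORE";
    case ST_ACCOUNT_DISABLED:    return "ACCOUNT_DISABLED";
    case ST_INVALID_WORKSTATION: return "INVALID_WORKSTATION";
    default:                     return "LOGON_FAILURE";
    }
}

int main(void) {
    const char *cases[][2] = { {"alice", "ws1"}, {"alice", "ws2"},
                               {"bob", "ws1"}, {"carol", "ws9"}, {"dave", "ws1"} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-6s@%-4s fallthrough=%-20s pam_like=%s\n",
               cases[i][0], cases[i][1],
               status_name(chain_fallthrough(cases[i][0], cases[i][1])),
               status_name(chain_pam_like(cases[i][0], cases[i][1])));
    }
    return 0;
}
```

Running it shows the difference for "bob" and for "alice" from "ws2": the fall-through walk reports the generic LOGON_FAILURE in both cases, while the PAM-like walk returns ACCOUNT_DISABLED and INVALID_WORKSTATION respectively, because the first module's verdict is final. Successful and completely unknown users behave the same under both walks.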