[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Volker Lendecke vl at samba.org
Thu Mar 9 12:36:26 UTC 2017


Hi!

This is correct on its own, but has little effect so far: the
core auth backend loops don't do this yet. I am sending it now to
make the final patchset smaller.

Review appreciated!

Thanks, Volker
>From a4c2d981c2a8214d9291b211b48f73b21f2e6c24 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 10:25:44 +0100
Subject: [PATCH 1/3] auth_winbind3: Correctly handle !authoritative

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/auth/auth_winbind.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 2b5c84d..e6a6296 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -121,6 +121,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
 		nt_status = NT_STATUS(err->nt_status);
+
+		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+		    (err->authoritative == 0)) {
+			/*
+			 * Trigger a fallback to local SAM
+			 */
+			nt_status = NT_STATUS_NOT_IMPLEMENTED;
+		}
+
 		wbcFreeMemory(err);
 		return nt_status;
 	}
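Review bot: The remap from NT_STATUS_NO_SUCH_USER to NT_STATUS_NOT_IMPLEMENTED inside the `WBC_ERR_AUTH_ERROR` branch happens silently, so someone reading the logs cannot tell that a non-authoritative answer caused the request to be handed to another backend. A debug line before the assignment, for example `DEBUG(5, ("winbind: non-authoritative NO_SUCH_USER, deferring to next auth backend\n"));`, would make that authentication decision traceable. The existing comment could also say that NT_STATUS_NOT_IMPLEMENTED is used here as the "not handled by this module" return value, since which backend runs next presumably depends on the configured auth method list rather than always being local SAM. The same silent remap appears in the auth_winbind4 and auth_ntdomain3 hunks. check_winbind_security starts and ends outside this hunk.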
-- 
2.1.4


>From 83dcf4e7468f46904d829f187b270dac1954c3d3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 25 Feb 2017 09:55:28 +0000
Subject: [PATCH 2/3] auth_winbind4: Correctly handle !authoritative

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/auth/ntlm/auth_winbind.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 8b9a1ef..6f1976d 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -141,6 +141,11 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 	status = dcerpc_winbind_SamLogon_r(irpc_handle, s, &s->req);
 	NT_STATUS_NOT_OK_RETURN(status);
 
+	if (NT_STATUS_EQUAL(s->req.out.result, NT_STATUS_NO_SUCH_USER) &&
+	    !s->req.out.authoritative) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
 	status = make_user_info_dc_netlogon_validation(mem_ctx,
 						      user_info->client.account_name,
 						      s->req.in.validation_level,
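Review bot: In the lines visible here `s->req.out.result` is inspected only for the non-authoritative NO_SUCH_USER case, while `NT_STATUS_NOT_OK_RETURN(status)` covers just the status returned by `dcerpc_winbind_SamLogon_r()`. If that returned status does not already carry the logon result, any other failure in `s->req.out.result` would continue to `make_user_info_dc_netlogon_validation()`; that should be confirmed, and if needed followed by `NT_STATUS_NOT_OK_RETURN(s->req.out.result);` after the new block. Conversely, if the returned status does carry the result, the new check may never be reached for NO_SUCH_USER. Unlike the auth_winbind3 hunk, this return has no comment; `/* Trigger a fallback to local SAM */` would state the intent. winbind_check_password starts and ends outside the hunk.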
-- 
2.1.4


>From c303fd74c4ee701155191fa2ab04146212b8102e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 12 Feb 2017 19:20:07 +0100
Subject: [PATCH 3/3] auth_ntdomain3: Correctly handle !authoritative

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/auth/auth_domain.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index d663923..b3ff518 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -229,6 +229,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
 			nt_status = NT_STATUS_NO_LOGON_SERVERS;
 		}
+		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+		    (authoritative == 0)) {
+			nt_status = NT_STATUS_NOT_IMPLEMENTED;
+		}
 	} else {
 		nt_status = make_server_info_info3(mem_ctx,
 						   user_info->client.account_name,
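Review bot: The new test `(authoritative == 0)` depends on a variable that is declared and assigned outside this hunk, and it sits in what appears to be the failure branch of the logon call. If `authoritative` is not initialised to a non-zero (authoritative) value before the call, a failure that leaves it unset could be treated as non-authoritative and handed on to another backend; the declaration should make that default explicit, to be confirmed against the full function. A short comment matching the auth_winbind3 hunk, `/* Trigger a fallback to local SAM */`, would also document why NO_SUCH_USER is replaced here. domain_client_validate starts and ends outside the hunk.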
-- 
2.1.4


