[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Wed Mar 22 16:00:47 UTC 2017


Am 22.03.2017 um 14:56 schrieb Andrew Bartlett via samba-technical:
> On Wed, 2017-03-22 at 10:56 +0100, Stefan Metzmacher via samba-technical wrote:
>> Am 22.03.2017 um 09:19 schrieb Stefan Metzmacher via samba-technical:
>>> Hi Andrew,
>>>
>>>>>>>> On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan
>>>>>>>> Metzmacher
>>>>>>>> wrote:
>>>>>>>>> I'm currently looking into this and I might have
>>>>>>>>> something
>>>>>>>>> that should
>>>>>>>>> do the job without changing too much within the next
>>>>>>>>> days.
>>>>>>>>
>>>>>>>> Can you share your ideas?
>>>>>>>
>>>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth
>>>>>>
>>>>>> Ok,
>>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
>>>>>> contains the first preparation step that should not really
>>>>>> change
>>>>>> the logic.
>>>>>
>>>>> The following patchset also passed autobuild and should not
>>>>> change
>>>>> the
>>>>> logic.
>>>>
>>>> Can you help me understand how this patch doesn't change the
>>>> logic?
>>>>
>>>> auth3: Don't try other auth modules on any error
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=987e5ab63106f2d427fe11ad780962f2f1e317bf
>>>
>>> If you look at the current make_auth_context_subsystem(), then
>>> the behavior change is more theoretical. The most complex
>>> combination of modules is "guest sam winbind:*".
>>> And check_guest_security(), auth_samstrict_auth() and
>>> check_winbind_security()
>>> seem to verify user_info->mapped.*, so we'll never process the
>>> same authentication in more than one module. Except maybe
>>> a problem from make_server_info_guest(), but at that point we've
>>> already verified that the username was empty and no password was
>>> provided and in that case any further module will always generate
>>> result != NT_STATUS_OK.
>>>
>>>> Otherwise it looks OK.
>>>
>>> Is it ok to push it with your review, now?
>>> So that we have it out of our way?
>>
>> I guess we should add "BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976"
>> to at least some of the commits.
> 
> Thanks.  I'm going to add what tests I can tomorrow, and then review
> and push it, thanks to your clarification above.

I rearranged the patches a bit.

The patches for bugs
https://bugzilla.samba.org/show_bug.cgi?id=8630
(support for 'map untrusted to domain = auto')
and
https://bugzilla.samba.org/show_bug.cgi?id=2976
are attached (required in the given order).

The unrelated idl patches can be pushed before...

I'm currently running autobuilds for the patches related to
each bug, 1st just 8630, then 8630+2976 and so on...

I'll post the patches for
https://bugzilla.samba.org/show_bug.cgi?id=12709
(The auth4 stack maps any client provided domain to the local domain
before calling the backends)
and
https://bugzilla.samba.org/show_bug.cgi?id=12710
(The netlogon server should not allow LogonSamLogon for anonymous)
in the next mail.

The patches attached here are also in
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok

Please just review, I'll push then.

Thanks!
metze
-------------- next part --------------
From 1a4b6ff21dc41c7105f7c00452ff2fb99460c285 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 19:28:16 +0100
Subject: [PATCH 1/4] netlogon.idl: make netr_LogonInfoClass public

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 librpc/idl/netlogon.idl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index 621d537..e4b499f 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -168,7 +168,7 @@ interface netlogon
 		[size_is(length)] uint8 *data;
 	} netr_GenericInfo;
 
-	typedef enum {
+	typedef [public] enum {
 		NetlogonInteractiveInformation = 1,
 		NetlogonNetworkInformation = 2,
 		NetlogonServiceInformation = 3,
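Review bot: the commit message gives no reason for exporting netr_LogonInfoClass; since [public] turns the generated ndr push/pull functions for this enum into part of the public header, a one-line note on which consumer in the later 2976 series needs it would help anyone bisecting. This patch is also the one without the "BUG:" line discussed in the thread; if it is meant to go in ahead of the series as "unrelated", saying so in the message avoids the question.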
-- 
1.9.1


From 3cbb6b0a4465c1335e065979e78c23563daea931 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 20 Mar 2017 13:50:36 +0100
Subject: [PATCH 2/4] lsa.idl: add SID_NAME_LABEL

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 librpc/idl/lsa.idl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 66a07e5..68569db 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -505,7 +505,8 @@ import "misc.idl", "security.idl";
 		SID_NAME_DELETED  = 6, /* deleted account: needed for c2 rating */
 		SID_NAME_INVALID  = 7, /* invalid account */
 		SID_NAME_UNKNOWN  = 8, /* oops. */
-		SID_NAME_COMPUTER = 9  /* machine */
+		SID_NAME_COMPUTER = 9, /* machine */
+		SID_NAME_LABEL    = 10 /* Mandatory Label */
 	} lsa_SidType;
 
 	typedef struct {
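Review bot: the value 10 matches SidTypeLabel in the Windows SID_NAME_USE enumeration, so the wire value stays aligned; a comment saying so (in the lowercase style of the neighbouring entries, e.g. "/* mandatory label */") would make that explicit. Any switch over lsa_SidType without a default now has an unhandled value; patch 3/4 covers sid_type_lookup(), please check for other exhaustive switches.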
-- 
1.9.1


From 4dc21689a0dcc905d981e7cb7fd36209144e6a42 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 20 Mar 2017 13:50:59 +0100
Subject: [PATCH 3/4] libcli/security: add SID_NAME_LABEL to sid_type_lookup()

---
 libcli/security/util_sid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index ac44876..0709a7a 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -189,7 +189,8 @@ static const struct {
 	{SID_NAME_DELETED, "Deleted Account"},
 	{SID_NAME_INVALID, "Invalid Account"},
 	{SID_NAME_UNKNOWN, "UNKNOWN"},
-	{SID_NAME_COMPUTER, "Computer"}
+	{SID_NAME_COMPUTER, "Computer"},
+	{SID_NAME_LABEL, "Mandatory Label"}
 };
 
 const char *sid_type_lookup(uint32_t sid_type)
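Review bot: this commit has no Signed-off-by line, unlike the other three in the set; please add it before pushing. The table change itself is consistent with SID_NAME_LABEL = 10 from lsa.idl.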
-- 
1.9.1


From 4e27637988596767a464f873283936d3d0ac7f15 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 20 Mar 2017 13:56:03 +0100
Subject: [PATCH 4/4] libwbclient: add WBC_SID_NAME_LABEL

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 nsswitch/libwbclient/tests/wbclient.c | 2 ++
 nsswitch/libwbclient/wbc_sid.c        | 1 +
 nsswitch/libwbclient/wbclient.h       | 3 ++-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c
index 0412bed..b3c93a1 100644
--- a/nsswitch/libwbclient/tests/wbclient.c
+++ b/nsswitch/libwbclient/tests/wbclient.c
@@ -216,6 +216,8 @@ static bool test_wbc_sidtypestring(struct torture_context *tctx)
 				 "SID_UNKNOWN", "SID_UNKNOWN failed");
 	torture_assert_str_equal(tctx, wbcSidTypeString(WBC_SID_NAME_COMPUTER),
 				 "SID_COMPUTER",  "SID_COMPUTER failed");
+	torture_assert_str_equal(tctx, wbcSidTypeString(WBC_SID_NAME_LABEL),
+				 "SID_LABEL",  "SID_LABEL failed");
 	return true;
 }
 
diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c
index cc71b9e..baaeb60 100644
--- a/nsswitch/libwbclient/wbc_sid.c
+++ b/nsswitch/libwbclient/wbc_sid.c
@@ -1081,6 +1081,7 @@ const char* wbcSidTypeString(enum wbcSidType type)
 	case WBC_SID_NAME_INVALID:  return "SID_INVALID";
 	case WBC_SID_NAME_UNKNOWN:  return "SID_UNKNOWN";
 	case WBC_SID_NAME_COMPUTER: return "SID_COMPUTER";
+	case WBC_SID_NAME_LABEL:    return "SID_LABEL";
 	default:                    return "Unknown type";
 	}
 }
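Review bot: "SID_LABEL" follows the existing naming and matches the torture assertion added in tests/wbclient.c. Note that this mapping only works if the caller converting lsa_SidType to wbcSidType passes the value through unchanged, which relies on SID_NAME_LABEL and WBC_SID_NAME_LABEL both being 10 (they are, per lsa.idl and wbclient.h in this set).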
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 77915b9..d22bc03 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -139,7 +139,8 @@ enum wbcSidType {
 	WBC_SID_NAME_DELETED=6,
 	WBC_SID_NAME_INVALID=7,
 	WBC_SID_NAME_UNKNOWN=8,
-	WBC_SID_NAME_COMPUTER=9
+	WBC_SID_NAME_COMPUTER=9,
+	WBC_SID_NAME_LABEL=10
 };
 
 /**
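Review bot: adding a value to a public enum is source- and ABI-compatible, but programs built against the previous header will map the new value to "Unknown type"; consider bumping WBCLIENT_MINOR_VERSION so callers can detect support, and mention the new value in the enum's doc comment.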
-- 
1.9.1

-------------- next part --------------
From cf1371d43c1f8004b482544818a8928746892d28 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 15:09:26 +0100
Subject: [PATCH 1/8] auth3: call is_trusted_domain() as the last condition
 make_user_info_map()

We should avoid contacting winbind if we already know the domain is our
local sam or our primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 5d9f0e0..43e073b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -132,9 +132,11 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	 * non-domain member box will also map to WORKSTATION\user.
 	 * This also deals with the client passing in a "" domain */
 
-	if (!upn_form && !is_trusted_domain(domain) &&
+	if (!upn_form &&
 	    !strequal(domain, my_sam_name()) &&
-	    !strequal(domain, get_global_sam_name())) {
+	    !strequal(domain, get_global_sam_name()) &&
+	    !is_trusted_domain(domain))
+	{
 		if (lp_map_untrusted_to_domain())
 			domain = my_sam_name();
 		else
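Review bot: the reordering is logic-preserving only because strequal() has no side effects, so evaluating is_trusted_domain() last just moves the winbind round trip behind the two cheap string checks; fine. The comment above the condition could mention that winbind is now only consulted for domains that are neither the local SAM nor the primary domain.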
-- 
1.9.1


From 874bf54d28b38f9b24bd8b1084306b78b48f0505 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:43:06 +0100
Subject: [PATCH 2/8] auth3: Slightly simplify make_auth_context_subsystem()
 step1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 1cbe46e..034701d 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -471,10 +471,12 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	char **auth_method_list = NULL; 
 	NTSTATUS nt_status;
 
-	if (lp_auth_methods()
-	    && !(auth_method_list = str_list_copy(talloc_tos(), 
-			      lp_auth_methods()))) {
-		return NT_STATUS_NO_MEMORY;
+	if (lp_auth_methods()) {
+		DEBUG(5,("Using specified auth order\n"));
+		nt_status = make_auth_context_text_list(
+			mem_ctx, auth_context,
+			discard_const_p(char *, lp_auth_methods()));
+		return nt_status;
 	}
 
 	if (auth_method_list == NULL) {
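Review bot: discard_const_p() on lp_auth_methods() is only safe if make_auth_context_text_list() and the module init functions never write into the strings; the old code worked on a str_list_copy(), so please double-check that nothing modifies entries such as "winbind:ntdomain" in place. The intermediate nt_status is not needed (return the call directly), and after this step the `if (auth_method_list == NULL)` below is always true, which step2 removes.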
-- 
1.9.1


From 07af71f043de9e2e8b7b127ccb95f4550bde8b27 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:43:06 +0100
Subject: [PATCH 3/8] auth3: Slightly simplify make_auth_context_subsystem()
 step2

Use "git show -b" to see the simple diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 73 +++++++++++++++++++++++++----------------------------
 1 file changed, 34 insertions(+), 39 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 034701d..5f3cdb6 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -479,48 +479,43 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 		return nt_status;
 	}
 
-	if (auth_method_list == NULL) {
-		switch (lp_server_role()) 
-		{
-		case ROLE_DOMAIN_MEMBER:
-			DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
+	switch (lp_server_role()) {
+	case ROLE_DOMAIN_MEMBER:
+		DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
+		auth_method_list = str_list_make_v3(
+			talloc_tos(), "guest sam winbind:ntdomain",
+			NULL);
+		break;
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+		DEBUG(5,("Making default auth method list for DC\n"));
+		auth_method_list = str_list_make_v3(
+			talloc_tos(),
+			"guest sam winbind:trustdomain",
+			NULL);
+		break;
+	case ROLE_STANDALONE:
+		DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
+		if (lp_encrypt_passwords()) {
 			auth_method_list = str_list_make_v3(
-				talloc_tos(), "guest sam winbind:ntdomain",
-				NULL);
-			break;
-		case ROLE_DOMAIN_BDC:
-		case ROLE_DOMAIN_PDC:
-			DEBUG(5,("Making default auth method list for DC\n"));
-			auth_method_list = str_list_make_v3(
-				talloc_tos(),
-				"guest sam winbind:trustdomain",
-				NULL);
-			break;
-		case ROLE_STANDALONE:
-			DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
-			if (lp_encrypt_passwords()) {
-				auth_method_list = str_list_make_v3(
-						talloc_tos(), "guest sam",
-						NULL);
-			} else {
-				DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
-				auth_method_list = str_list_make_v3(
-					talloc_tos(), "guest unix", NULL);
-			}
-			break;
-		case ROLE_ACTIVE_DIRECTORY_DC:
-			DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
+					talloc_tos(), "guest sam",
+					NULL);
+		} else {
+			DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
 			auth_method_list = str_list_make_v3(
-				talloc_tos(),
-				"samba4",
-				NULL);
-			break;
-		default:
-			DEBUG(5,("Unknown auth method!\n"));
-			return NT_STATUS_UNSUCCESSFUL;
+				talloc_tos(), "guest unix", NULL);
 		}
-	} else {
-		DEBUG(5,("Using specified auth order\n"));
+		break;
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
+		auth_method_list = str_list_make_v3(
+			talloc_tos(),
+			"samba4",
+			NULL);
+		break;
+	default:
+		DEBUG(5,("Unknown auth method!\n"));
+		return NT_STATUS_UNSUCCESSFUL;
 	}
 
 	nt_status = make_auth_context_text_list(mem_ctx, auth_context,
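Review bot: in the ROLE_STANDALONE case the "encrypt passwords = yes" DEBUG is emitted before lp_encrypt_passwords() is checked, so with encrypt passwords = no both the "= yes" and the "= no" messages are logged. Pre-existing, but since this hunk reindents the block anyway, moving the first DEBUG inside the if branch would fix it at no cost.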
-- 
1.9.1


From 96d7edbddf3d8362178b42fbfc398154010e975d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:58:43 +0100
Subject: [PATCH 4/8] auth3: Introduce make_auth_context_specific

Take a string instead of a string list. Simplifies
make_auth_context_subsystem and later similar callers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 49 +++++++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 22 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 5f3cdb6..2b0eb50 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -461,6 +461,26 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS make_auth_context_specific(TALLOC_CTX *mem_ctx,
+					   struct auth_context **auth_context,
+					   const char *methods)
+{
+	char **method_list;
+	NTSTATUS status;
+
+	method_list = str_list_make_v3(talloc_tos(), methods, NULL);
+	if (method_list == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = make_auth_context_text_list(
+		mem_ctx, auth_context, method_list);
+
+	TALLOC_FREE(method_list);
+
+	return status;
+}
+
 /***************************************************************************
  Make a auth_context struct for the auth subsystem
 ***************************************************************************/
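Review bot: make_auth_context_specific() should document that `methods` is a whitespace-separated list, since it relies on str_list_make_v3() with a NULL separator for that. The list is built on talloc_tos() and freed explicitly, so allocation on mem_ctx is not needed; fine. While here, the context comment "Make a auth_context struct" should read "an auth_context".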
@@ -468,7 +488,7 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
 NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 				     struct auth_context **auth_context)
 {
-	char **auth_method_list = NULL; 
+	const char *methods = NULL;
 	NTSTATUS nt_status;
 
 	if (lp_auth_methods()) {
@@ -482,47 +502,32 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	switch (lp_server_role()) {
 	case ROLE_DOMAIN_MEMBER:
 		DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
-		auth_method_list = str_list_make_v3(
-			talloc_tos(), "guest sam winbind:ntdomain",
-			NULL);
+		methods = "guest sam winbind:ntdomain";
 		break;
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
 		DEBUG(5,("Making default auth method list for DC\n"));
-		auth_method_list = str_list_make_v3(
-			talloc_tos(),
-			"guest sam winbind:trustdomain",
-			NULL);
+		methods = "guest sam winbind:trustdomain";
 		break;
 	case ROLE_STANDALONE:
 		DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
 		if (lp_encrypt_passwords()) {
-			auth_method_list = str_list_make_v3(
-					talloc_tos(), "guest sam",
-					NULL);
+			methods = "guest sam";
 		} else {
 			DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
-			auth_method_list = str_list_make_v3(
-				talloc_tos(), "guest unix", NULL);
+			methods = "guest unix";
 		}
 		break;
 	case ROLE_ACTIVE_DIRECTORY_DC:
 		DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
-		auth_method_list = str_list_make_v3(
-			talloc_tos(),
-			"samba4",
-			NULL);
+		methods = "samba4";
 		break;
 	default:
 		DEBUG(5,("Unknown auth method!\n"));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	nt_status = make_auth_context_text_list(mem_ctx, auth_context,
-						auth_method_list);
-
-	TALLOC_FREE(auth_method_list);
-	return nt_status;
+	return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
 /***************************************************************************
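Review bot: `methods` is initialised to NULL and every non-returning case assigns it, so no NULL reaches str_list_make_v3(); good. After this hunk nt_status is only used in the lp_auth_methods() branch at the top, where the call could be returned directly and the variable dropped.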
-- 
1.9.1


From 04722489ff47860e6c4d76cfacf2791cf748331d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 15:05:52 +0100
Subject: [PATCH 5/8] auth3: Don't try other auth modules on any error

So far if any kind of error has happened, we just tried further auth
modules. An auth module should have the chance to definitely say "no,
this is a valid error, no further attempts anywhere else". The protocol
so far was for an auth module to return NT_STATUS_NOT_IMPLEMENTED if it
wanted to pass on to other modules, but any error led to the next auth
modules also being given a try.

This patch makes any auth module return code except NOT_IMPLEMENTED to
terminate the loop, such that every module has to explicitly request to
pass on to the next module via NOT_IMPLEMENTED.

All modules we reference in make_auth_context_subsystem() have code to
explicitly say "not for me please" with NOT_IMPLEMENTED.

This *might* break existing setups which fail in for example "guest" or
"winbind" due to other reasons. I prefer it this way though, because
adding another parameter like "This is a real authoritative failure,
don't go looking somewhere else" will only add to the mess.
But it's more a theoretical than a practical change with the
default auth backends.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 2b0eb50..ff41404 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -250,9 +250,7 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 				  auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
 		}
 
-		if (NT_STATUS_IS_OK(nt_status)) {
-			break;
-		}
+		break;
 	}
 
 	/* successful authentication */
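Review bot: with the unconditional break, the "/* successful authentication */" comment below the loop is now stale, since nt_status can be any status except NOT_IMPLEMENTED (which is handled by the continue above the removed lines). Please reword it, e.g. "first module that did not return NOT_IMPLEMENTED decided". The behaviour change is acknowledged in the message; the guest module returning an unexpected error is the case most likely to surprise people.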
-- 
1.9.1


From 72dc964d3981625e784485d9c924ea91d0ca24c2 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 19 Feb 2017 15:37:51 +0100
Subject: [PATCH 6/8] SIGN-OFF auth3: fallback to "sam_ignoredomain" as
 DOMAIN_MEMBER or STANDALONE server

This is in the spirit of the "map untrusted to domain" parameter: We
fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
from our domain controller. With this change we can implement
"map untrusted to domain = auto".

We should not strictly need 'sam' before 'winbind', but it makes
it clearer to read and has the same effect.

We'll do this for the PDC/BDC case in a later commit,
because we need to change the auth methods used by the netlogon server first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

TODO Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ff41404..dcbc317 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -500,7 +500,7 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	switch (lp_server_role()) {
 	case ROLE_DOMAIN_MEMBER:
 		DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
-		methods = "guest sam winbind:ntdomain";
+		methods = "guest sam winbind:ntdomain sam_ignoredomain";
 		break;
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
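Review bot: the fallback to sam_ignoredomain after winbind:ntdomain only works together with patch 5/8 if winbind maps a non-authoritative NO_SUCH_USER to NT_STATUS_NOT_IMPLEMENTED; any other status now ends the loop before sam_ignoredomain runs, so that mapping should be stated in the commit message. The subject still carries the "SIGN-OFF" prefix and the trailer reads "TODO Signed-off-by:", both need cleaning up before pushing.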
@@ -510,7 +510,7 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	case ROLE_STANDALONE:
 		DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
 		if (lp_encrypt_passwords()) {
-			methods = "guest sam";
+			methods = "guest sam_ignoredomain";
 		} else {
 			DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
 			methods = "guest unix";
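Review bot: replacing "sam" with "sam_ignoredomain" for the standalone role is behaviour-neutral while map untrusted to domain is yes or no, because make_user_info_map() has already rewritten the domain by then; it only matters for "auto", where no mapping happens and the client-supplied domain must be ignored here. A sentence saying so in the commit message would help, as the current text only explains the domain member case.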
-- 
1.9.1


From b720427d68c6408a264215864974163ecd2a87cb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:08:20 +0100
Subject: [PATCH 7/8] auth3: prepare the logic for "map untrusted to domain =
 auto"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 43e073b..1655f22 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -109,6 +109,7 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	bool was_mapped;
 	char *internal_username = NULL;
 	bool upn_form = false;
+	int map_untrusted = lp_map_untrusted_to_domain();
 
 	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
 		upn_form = true;
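Review bot: `Auto` is the lib/param enum value, and lp_map_untrusted_to_domain() returns an int, so this compiles on its own, but until patch 8/8 switches the parameter to enum_bool_auto (the parameter table is generated from docs-xml) the loader never produces Auto; the two commits should go in together.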
@@ -132,15 +133,16 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	 * non-domain member box will also map to WORKSTATION\user.
 	 * This also deals with the client passing in a "" domain */
 
-	if (!upn_form &&
+	if (map_untrusted != Auto && !upn_form &&
 	    !strequal(domain, my_sam_name()) &&
 	    !strequal(domain, get_global_sam_name()) &&
 	    !is_trusted_domain(domain))
 	{
-		if (lp_map_untrusted_to_domain())
+		if (map_untrusted) {
 			domain = my_sam_name();
-		else
+		} else {
 			domain = get_global_sam_name();
+		}
 		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
 			  "workstation [%s]\n",
 			  client_domain, domain, smb_name, workstation_name));
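Review bot: the comment above the condition still documents only the yes/no mapping; it should say that with "auto" no mapping is done here and the decision is left to the auth method list (sam_ignoredomain at the end). The brace style change is fine.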
-- 
1.9.1


From fa3c00bf92a7efae6d76a4595fd64b5398d3f8d2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:11:26 +0100
Subject: [PATCH 8/8] docs-xml: document "map untrusted to domain = auto"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../smbdotconf/security/mapuntrustedtodomain.xml   | 23 ++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index 496e7c2..f745e9a 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -1,6 +1,7 @@
 <samba:parameter name="map untrusted to domain"
                  context="G"
-                 type="boolean"
+                 type="enum"
+                 enumlist="enum_bool_auto"
                  deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
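Review bot: deprecated="1" is kept while a new "auto" value is added, which reads contradictory; either drop the deprecation or state in the description which values are deprecated and that "auto" is the supported mode going forward.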
@@ -20,13 +21,31 @@
     </para>
 
     <para>
-    When this parameter is set to <constant>yes</constant> smbd provides the
+    The above describes the situation with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    witch was the default up to Samba 4.6.
+    </para>
+
+    <para>
+    When this parameter is set to <smbconfoption name="map untrusted to domain">yes</smbconfoption> smbd provides the
     legacy behavior of mapping untrusted domain names to the primary domain.
     When smbd is not acting as a domain member server, this parameter has no
     effect.
     </para>
 
+    <para>
+    When this parameter is set to <smbconfoption name="map untrusted to domain">auto</smbconfoption> smbd will
+    deferr the mapping decision to the stack of auth method backends.
+    Each auth method is able to say I'm not authoritative and the
+    next backend will be used. This is basically the behavior
+    implemented in Windows.
+    </para>
+
+    <para>
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
+    for Samba 4.7, and might be backport to some 4.6 release.
+    </para>
 </description>
 
 <value type="default">no</value>
+<value type="example">auto</value>
 </samba:parameter>
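Review bot: typos in the new paragraphs: "witch" should be "which", "deferr" should be "defer", and "might be backport to" should be "might be backported to". The sentence "Each auth method is able to say I'm not authoritative" would read better quoted or rephrased, e.g. "Each auth method can report that it is not authoritative, in which case the next backend is tried."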
-- 
1.9.1

-------------- next part --------------
From 7d70848655e91aeb1f2c04ad6a17a8d61271aa55 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:41:04 +0100
Subject: [PATCH 01/30] auth4: make auth_check_password_wrapper() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/auth.h      |  6 ------
 source4/auth/ntlm/auth.c | 10 +++++-----
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 7c62318..feddb46 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -145,12 +145,6 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 			     struct loadparm_context *lp_ctx,
 			     struct auth4_context **auth_ctx);
 
-NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
-			     TALLOC_CTX *mem_ctx,
-			     const struct auth_usersupplied_info *user_info, 
-			     void **server_returned_info,
-			     DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key);
-
 NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
 			     const struct auth_usersupplied_info *user_info, 
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 05d6c3c..2260244 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -184,11 +184,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 	return status;
 }
 
-_PUBLIC_ NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
-					      TALLOC_CTX *mem_ctx,
-					      const struct auth_usersupplied_info *user_info, 
-					      void **server_returned_info,
-					      DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
+static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
+					    TALLOC_CTX *mem_ctx,
+					    const struct auth_usersupplied_info *user_info,
+					    void **server_returned_info,
+					    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 	struct auth_user_info_dc *user_info_dc;
 	NTSTATUS status;
-- 
1.9.1


From c8ebd51ae65875fba2f47a242b2a66cb36813e8d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 6 Mar 2017 14:32:18 +0100
Subject: [PATCH 02/30] wbinfo: Add "authoritative" to wbinfo -a output

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 nsswitch/wbinfo.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 80b245a..57f2b3b 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1823,13 +1823,15 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
 		d_fprintf(stderr,
-			 "wbcAuthenticateUserEx(%s%c%s): error code was %s (0x%x)\n"
+			 "wbcAuthenticateUserEx(%s%c%s): error code was "
+			  "%s (0x%x, authoritative=%"PRIu8")\n"
 			 "error message was: %s\n",
 			 name_domain,
 			 winbind_separator(),
 			 name_user,
 			 err->nt_string,
 			 err->nt_status,
+			 err->authoritative,
 			 err->display_string);
 		wbcFreeMemory(err);
 	} else if (WBC_ERROR_IS_OK(wbc_status)) {
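Review bot: the continuation line "%s (0x%x, authoritative=%"PRIu8")\n" is indented one space deeper than the other format lines; please align it. PRIu8 needs inttypes.h, which wbinfo.c presumably gets via the usual includes, and err->authoritative must exist as a uint8_t in wbcAuthErrorInfo, which is not part of the patches shown here; please make sure the libwbclient change ordering before this commit.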
-- 
1.9.1


From b05a3fa0a077ec5430778d560019244a7ef11186 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 15:44:01 +0100
Subject: [PATCH 03/30] auth3: Simplify the logic in auth_check_ntlm_password

Move everything but the strict loop logic outside. This makes the
loop exit condition clearer to me: Anything but NOT_IMPLEMENTED breaks
the loop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 58 ++++++++++++++++++++++++++---------------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index dcbc317..e1a80cf 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -166,6 +166,7 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 				  struct auth_serversupplied_info **pserver_info)
 {
 	TALLOC_CTX *frame;
+	const char *auth_method_name = "";
 	/* if all the modules say 'not for me' this is reasonable */
 	NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
 	const char *unix_username;
@@ -214,51 +215,50 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 	}
 
 	for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
-		NTSTATUS result;
+
+		auth_method_name = auth_method->name;
 
 		if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
 		    && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) {
 			continue;
 		}
 
-		result = auth_method->auth(auth_context,
-					   auth_method->private_data,
-					   talloc_tos(),
-					   user_info,
-					   &server_info);
-
-		/* check if the module did anything */
-		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-			DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
-			if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
-				/* we don't expose the NT_STATUS_NOT_IMPLEMENTED
-				 * internals, except when the caller is only probing
-				 * one method, as they may do the fallback 
-				 */
-				nt_status = result;
-			}
-			continue;
-		}
-
-		nt_status = result;
+		nt_status = auth_method->auth(auth_context,
+					      auth_method->private_data,
+					      talloc_tos(),
+					      user_info,
+					      &server_info);
 
-		if (NT_STATUS_IS_OK(nt_status)) {
-			DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", 
-				  auth_method->name, user_info->client.account_name));
-		} else {
-			DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n", 
-				  auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
+		if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+			break;
 		}
 
-		break;
+		DBG_DEBUG("%s had nothing to say\n", auth_method->name);
 	}
 
-	/* successful authentication */
+	/* check if the module did anything */
+	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
+	    ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
+		/*
+		 * we don't expose the NT_STATUS_NOT_IMPLEMENTED
+		 * internals, except when the caller is only probing
+		 * one method, as they may do the fallback
+		 */
+		nt_status = NT_STATUS_NO_SUCH_USER;
+	}
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_INFO("%s authentication for user [%s] FAILED with "
+			 "error %s\n",
+			 auth_method_name,
+			 user_info->client.account_name,
+			 nt_errstr(nt_status));
 		goto fail;
 	}
 
+	DBG_NOTICE("%s authentication for user [%s] succeeded\n",
+		   auth_method_name, user_info->client.account_name);
+
 	unix_username = server_info->unix_name;
 
 	/* We skip doing this step if the caller asked us not to */
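Review bot: the new post-loop DBG_INFO failure line can misattribute the result. When every module answers NT_STATUS_NOT_IMPLEMENTED the loop falls through, nt_status is rewritten to NT_STATUS_NO_SUCH_USER in the `if` block above, and the message still prints whatever is left in auth_method_name as the module that "FAILED" the user, so an operator cannot tell "module X rejected the user" from "no module claimed the user". Consider logging the NOT_IMPLEMENTED to NO_SUCH_USER mapping inside that block, e.g. `DBG_INFO("no auth module claimed user [%s]\n", user_info->client.account_name);`. The level changes (DEBUG(3) to DBG_NOTICE, DEBUG(5) to DBG_INFO, DEBUG(10) to DBG_DEBUG) keep the previous verbosity.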
-- 
1.9.1


From b626945a0b3597152d82e332b3dfcf18af73afdc Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:08:44 +0100
Subject: [PATCH 04/30] auth3: Introduce auth3_context_set_challenge

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c  | 14 +++++++++++++-
 source3/auth/proto.h |  2 ++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index e1a80cf..59f653c 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -547,4 +547,16 @@ NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
 	return nt_status;
 }
 
-
+bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
+				 const char *challenge_set_by)
+{
+	ctx->challenge = data_blob_talloc(ctx, chal, 8);
+	if (ctx->challenge.data == NULL) {
+		return false;
+	}
+	ctx->challenge_set_by = talloc_strdup(ctx, challenge_set_by);
+	if (ctx->challenge_set_by == NULL) {
+		return false;
+	}
+	return true;
+}
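Review bot: auth3_context_set_challenge() overwrites ctx->challenge and ctx->challenge_set_by without releasing anything previously set, so a second call on the same context leaks the first blob and string until ctx is freed, and on the talloc_strdup() failure path it leaves ctx->challenge populated while challenge_set_by is NULL. Consider `data_blob_free(&ctx->challenge);` and `TALLOC_FREE(ctx->challenge_set_by);` at the top (or an explicit check that no challenge has been set yet), and note in a comment that the `uint8_t chal[8]` parameter only documents the expected length; the 8 is not enforced by the compiler.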
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 5fd3158..83ea2a5 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -43,6 +43,8 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
 				 struct auth_context **auth_context,
 				 uchar chal[8]) ;
+bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
+				 const char *challenge_set_by);
 
 /****************************************************************************
  Try to get a challenge out of the various authentication modules.
-- 
1.9.1


From bb130813ab72fa50dc34d65072c8c8a8f030b92a Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:14:00 +0100
Subject: [PATCH 05/30] winbindd: Call make_auth_context_subsystem directly

Soon we'll call specific methods here

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_pam.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 782b28a..4ff6eaa 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1235,6 +1235,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 	struct tsocket_address *local;
 	struct netr_SamInfo3 *info3;
 	NTSTATUS status;
+	bool ok;
 	int rc;
 	TALLOC_CTX *frame = talloc_stackframe();
 
@@ -1268,15 +1269,22 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 		user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
 	}
 
-	status = make_auth_context_fixed(frame, &auth_context, challenge->data);
+	status = make_auth_context_subsystem(frame, &auth_context);
 
 	if (!NT_STATUS_IS_OK(status)) {
-		DBG_ERR("make_auth_context_fixed failed: %s\n",
+		DBG_ERR("make_auth_context_subsystem failed: %s\n",
 			nt_errstr(status));
 		TALLOC_FREE(frame);
 		return status;
 	}
 
+	ok = auth3_context_set_challenge(auth_context,
+					 challenge->data, "fixed");
+	if (!ok) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	status = auth_check_ntlm_password(mem_ctx,
 					  auth_context,
 					  user_info,
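Review bot: the new `!ok` branch returns NT_STATUS_NO_MEMORY silently, while the make_auth_context_subsystem() failure right above it logs with DBG_ERR. For consistency (and easier diagnosis of a failed local passdb attempt) add a `DBG_ERR("auth3_context_set_challenge failed\n");` before `TALLOC_FREE(frame);`, as the pdbtest hunk later in this series does.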
-- 
1.9.1


From 466f5f9b3b1895d65015121e73538af460ee1f82 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 9 Mar 2017 15:19:06 +0100
Subject: [PATCH 06/30] netlogond3: "authoritative" is a uint8

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index ef2c827..005bd03 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1510,7 +1510,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 			return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	*r->out.authoritative = true; /* authoritative response */
+	*r->out.authoritative = 1; /* authoritative response */
 
 	switch (r->in.validation_level) {
 	case 2:
-- 
1.9.1


From 9b33dfcbc175f049ef697bde6919ef96ca16f3e4 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:14:00 +0100
Subject: [PATCH 07/30] netlogond3: Call make_auth_context_subsystem directly

Soon we'll call specific methods here

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 005bd03..09feb13 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1586,13 +1586,20 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 	{
 		const char *wksname = nt_workstation;
 		const char *workgroup = lp_workgroup();
+		bool ok;
 
-		status = make_auth_context_fixed(talloc_tos(), &auth_context,
-						 logon->network->challenge);
+		status = make_auth_context_subsystem(talloc_tos(),
+						     &auth_context);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
 
+		ok = auth3_context_set_challenge(
+			auth_context, logon->network->challenge, "fixed");
+		if (!ok) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
 		/* For a network logon, the workstation name comes in with two
 		 * backslashes in the front. Strip them if they are there. */
 
-- 
1.9.1


From 5cbe382fd9c73eadfb6dada8660c4c241a026bfa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 15:54:18 +0100
Subject: [PATCH 08/30] netlogond3: only call make_auth_context_subsystem() in
 one place

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 09feb13..088ffe1 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1580,6 +1580,12 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 					      r->in.logon_level,
 					      logon);
 
+	status = make_auth_context_subsystem(talloc_tos(),
+					     &auth_context);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
 	switch (r->in.logon_level) {
 	case NetlogonNetworkInformation:
 	case NetlogonNetworkTransitiveInformation:
@@ -1588,12 +1594,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 		const char *workgroup = lp_workgroup();
 		bool ok;
 
-		status = make_auth_context_subsystem(talloc_tos(),
-						     &auth_context);
-		if (!NT_STATUS_IS_OK(status)) {
-			return status;
-		}
-
 		ok = auth3_context_set_challenge(
 			auth_context, logon->network->challenge, "fixed");
 		if (!ok) {
@@ -1658,11 +1658,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 		DEBUG(100,("decrypt of nt owf password:"));
 		dump_data(100, logon->password->ntpassword.hash, 16);
 #endif
-		status = make_auth_context_subsystem(talloc_tos(),
-						     &auth_context);
-		if (!NT_STATUS_IS_OK(status)) {
-			return status;
-		}
 
 		auth_get_ntlm_challenge(auth_context, chal);
 
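Review bot: in this third hunk the unchanged context line `auth_get_ntlm_challenge(auth_context, chal);` still discards an NTSTATUS return value (see its prototype in proto.h), so a failure to obtain a challenge would proceed into password checking with an uninitialised chal buffer. While the surrounding code is being reworked, assign and check the status and return it on failure. In the first hunk, creating the auth context before the `switch` means an unsupported logon_level now allocates a context it never uses; harmless on talloc_tos(), but worth a comment that the context is intentionally shared by both branches.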
-- 
1.9.1


From 0134e9abab3d3645e0650175d32730232bee60fd Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:19:41 +0100
Subject: [PATCH 09/30] pdbtest: Call make_auth_context_subsystem directly

Last caller of make_auth_context_fixed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/torture/pdbtest.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index fe51a76..a9f49bb 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -268,6 +268,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 	struct netr_SamInfo3 *info3_sam, *info3_auth;
 	struct auth_serversupplied_info *server_info;
 	NTSTATUS status;
+	bool ok;
 	
 	SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
 		      local_nt_response);
@@ -298,13 +299,20 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 		return False;
 	}
 
-	status = make_auth_context_fixed(NULL, &auth_context, challenge.data);
+	status = make_auth_context_subsystem(NULL, &auth_context);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
 		return False;
 	}
-	
+
+	ok = auth3_context_set_challenge(
+		auth_context, challenge.data, "fixed");
+	if (!ok) {
+		DBG_ERR("auth3_context_set_challenge failed\n");
+		return false;
+	}
+
 	status = auth_check_ntlm_password(mem_ctx,
 					  auth_context,
 					  user_info,
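Review bot: the new `return false;` path leaks auth_context. It was allocated with a NULL talloc parent two lines above (`make_auth_context_subsystem(NULL, &auth_context)`), and unlike the pre-existing failure branch, where creation itself failed, there is now a live context to release; add `TALLOC_FREE(auth_context);` before returning. Style: this function returns `False` on the existing paths and `false` on the new one; pick one (the lowercase `false` is preferred for new code).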
-- 
1.9.1


From 91715c98ec41d7a1abf19b0c6181a46dc3d4df1b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:22:27 +0100
Subject: [PATCH 10/30] auth3: Remove unused make_auth_context_fixed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c  | 19 -------------------
 source3/auth/proto.h |  3 ---
 2 files changed, 22 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 59f653c..32a1958 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -528,25 +528,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
-/***************************************************************************
- Make a auth_info struct with a fixed challenge
-***************************************************************************/
-
-NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
-				 struct auth_context **auth_context,
-				 uchar chal[8])
-{
-	NTSTATUS nt_status;
-	nt_status = make_auth_context_subsystem(mem_ctx, auth_context);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-
-	(*auth_context)->challenge = data_blob_talloc(*auth_context, chal, 8);
-	(*auth_context)->challenge_set_by = "fixed";
-	return nt_status;
-}
-
 bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
 				 const char *challenge_set_by)
 {
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 83ea2a5..5ffe757 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -40,9 +40,6 @@ bool load_auth_module(struct auth_context *auth_context,
 		      const char *module, auth_methods **ret) ;
 NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 				     struct auth_context **auth_context);
-NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
-				 struct auth_context **auth_context,
-				 uchar chal[8]) ;
 bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
 				 const char *challenge_set_by);
 
-- 
1.9.1


From 95d2025c678e1aac1153bc2e6e4a9cd2f656e4e7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:13:02 +0100
Subject: [PATCH 11/30] auth3: add
 make_auth3_context_for_{ntlm,netlogon,winbind}

For now they'll all do the same, but that will change in the following commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c  | 18 ++++++++++++++++++
 source3/auth/proto.h |  6 ++++++
 2 files changed, 24 insertions(+)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 32a1958..bafb90f5 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -528,6 +528,24 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
+NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
+				     struct auth_context **auth_context)
+{
+	return make_auth_context_subsystem(mem_ctx, auth_context);
+}
+
+NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
+					 struct auth_context **auth_context)
+{
+	return make_auth_context_subsystem(mem_ctx, auth_context);
+}
+
+NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
+				        struct auth_context **auth_context)
+{
+	return make_auth_context_subsystem(mem_ctx, auth_context);
+}
+
 bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
 				 const char *challenge_set_by)
 {
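Review bot: the continuation line of make_auth3_context_for_winbind() is indented with a tab followed by spaces, unlike the other two wrappers and the proto.h declarations, which use tabs only; please align it. Since the three bodies are intentionally identical for now (per the commit message) a one-line comment above them saying they are expected to diverge would stop a later cleanup from collapsing them back into a single function.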
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 5ffe757..92b2a85 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -40,6 +40,12 @@ bool load_auth_module(struct auth_context *auth_context,
 		      const char *module, auth_methods **ret) ;
 NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 				     struct auth_context **auth_context);
+NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
+				     struct auth_context **auth_context);
+NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
+					 struct auth_context **auth_context);
+NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
+					struct auth_context **auth_context);
 bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
 				 const char *challenge_set_by);
 
-- 
1.9.1


From e75918d6ca2aa2b0c629898d360e094bea6587a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:17:45 +0100
Subject: [PATCH 12/30] auth3: make use of make_auth3_context_for_ntlm()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_generic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index f9b9184..95c70e8 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -208,7 +208,7 @@ NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_co
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
 
-	nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context);
+	nt_status = make_auth3_context_for_ntlm(tmp_ctx, &auth_context);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		TALLOC_FREE(tmp_ctx);
 		return nt_status;
@@ -242,7 +242,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
 
-	nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context);
+	nt_status = make_auth3_context_for_ntlm(tmp_ctx, &auth_context);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		TALLOC_FREE(tmp_ctx);
 		return nt_status;
-- 
1.9.1


From b9879c119fcc8ea90caa85c5ba416e72a7b7dfff Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:29:26 +0100
Subject: [PATCH 13/30] pdbtest: make use of make_auth3_context_for_ntlm()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/torture/pdbtest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index a9f49bb..0003566 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -299,7 +299,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 		return False;
 	}
 
-	status = make_auth_context_subsystem(NULL, &auth_context);
+	status = make_auth3_context_for_ntlm(NULL, &auth_context);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
-- 
1.9.1


From e17046bf1c6d828f55fb17fcaa6533a79f994b17 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:18:25 +0100
Subject: [PATCH 14/30] netlogond3: make use of
 make_auth3_context_for_netlogon()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 088ffe1..4c43802 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1580,8 +1580,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 					      r->in.logon_level,
 					      logon);
 
-	status = make_auth_context_subsystem(talloc_tos(),
-					     &auth_context);
+	status = make_auth3_context_for_netlogon(talloc_tos(), &auth_context);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
-- 
1.9.1


From 6c5ad7ec2f69d5a552de336ea8212da845c7ccf9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:18:41 +0100
Subject: [PATCH 15/30] winbindd: make use of make_auth3_context_for_winbind()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_pam.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 4ff6eaa..fb6b8af 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1269,10 +1269,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 		user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
 	}
 
-	status = make_auth_context_subsystem(frame, &auth_context);
-
+	status = make_auth3_context_for_winbind(frame, &auth_context);
 	if (!NT_STATUS_IS_OK(status)) {
-		DBG_ERR("make_auth_context_subsystem failed: %s\n",
+		DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
 			nt_errstr(status));
 		TALLOC_FREE(frame);
 		return status;
-- 
1.9.1


From 94f4ad2bfd218605c2eaa72045ed68ac2d416740 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:31:01 +0100
Subject: [PATCH 16/30] auth3: make make_auth_context_subsystem() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c  | 4 ++--
 source3/auth/proto.h | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index bafb90f5..31701dc 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -483,8 +483,8 @@ static NTSTATUS make_auth_context_specific(TALLOC_CTX *mem_ctx,
  Make a auth_context struct for the auth subsystem
 ***************************************************************************/
 
-NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
-				     struct auth_context **auth_context)
+static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
+					    struct auth_context **auth_context)
 {
 	const char *methods = NULL;
 	NTSTATUS nt_status;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 92b2a85..1101346 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -38,8 +38,6 @@
 NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init);
 bool load_auth_module(struct auth_context *auth_context,
 		      const char *module, auth_methods **ret) ;
-NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
-				     struct auth_context **auth_context);
 NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
 				     struct auth_context **auth_context);
 NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
-- 
1.9.1


From db84e8290440e67f6eb4867231e8fd9f118681c6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:08:59 +0100
Subject: [PATCH 17/30] auth4: add auth_context_create_for_netlogon()

For now it's the same as auth_context_create(), but this will
change in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/auth.h      | 5 +++++
 source4/auth/ntlm/auth.c | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index feddb46..95aacfe 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -144,6 +144,11 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 			     struct imessaging_context *msg,
 			     struct loadparm_context *lp_ctx,
 			     struct auth4_context **auth_ctx);
+NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
+					  struct tevent_context *ev,
+					  struct imessaging_context *msg,
+					  struct loadparm_context *lp_ctx,
+					  struct auth4_context **auth_ctx);
 
 NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 2260244..926bf48 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -645,6 +645,15 @@ _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 	return status;
 }
 
+_PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
+						   struct tevent_context *ev,
+						   struct imessaging_context *msg,
+						   struct loadparm_context *lp_ctx,
+						   struct auth4_context **auth_ctx)
+{
+	return auth_context_create(mem_ctx, ev, msg, lp_ctx, auth_ctx);
+}
+
 /* the list of currently registered AUTH backends */
 static struct auth_backend {
 	const struct auth_operations *ops;
-- 
1.9.1


From 2cb96788684afeabfb2f93c6a0572ab9f9836969 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:15:13 +0100
Subject: [PATCH 18/30] netlogon4: make use of
 auth_context_create_for_netlogon()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index afa9b1c..332afd3 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -868,11 +868,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 	case NetlogonInteractiveTransitiveInformation:
 	case NetlogonServiceTransitiveInformation:
 
-		/* TODO: we need to deny anonymous access here */
-		nt_status = auth_context_create(mem_ctx,
-						dce_call->event_ctx, dce_call->msg_ctx,
-						dce_call->conn->dce_ctx->lp_ctx,
-						&auth_context);
+		nt_status = auth_context_create_for_netlogon(mem_ctx,
+					dce_call->event_ctx, dce_call->msg_ctx,
+					dce_call->conn->dce_ctx->lp_ctx,
+					&auth_context);
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
 		user_info->logon_parameters = r->in.logon->password->identity_info.parameter_control;
@@ -895,11 +894,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 	case NetlogonNetworkInformation:
 	case NetlogonNetworkTransitiveInformation:
 
-		/* TODO: we need to deny anonymous access here */
-		nt_status = auth_context_create(mem_ctx,
-						dce_call->event_ctx, dce_call->msg_ctx,
-						dce_call->conn->dce_ctx->lp_ctx,
-						&auth_context);
+		nt_status = auth_context_create_for_netlogon(mem_ctx,
+					dce_call->event_ctx, dce_call->msg_ctx,
+					dce_call->conn->dce_ctx->lp_ctx,
+					&auth_context);
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
 		nt_status = auth_context_set_challenge(auth_context, r->in.logon->network->challenge, "netr_LogonSamLogonWithFlags");
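Review bot: both hunks drop the `/* TODO: we need to deny anonymous access here */` comment, but nothing in the series up to this point implements that denial: auth_context_create_for_netlogon() introduced in the previous patch is a plain wrapper around auth_context_create(). Unless a later patch in the series adds the anonymous check inside auth_context_create_for_netlogon(), keep the TODO, or move it into the new function so the requirement is not lost along with the call site.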
-- 
1.9.1


From 32c8d1b033f03105ac298b193ebc40e60ed99645 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 2 Mar 2017 11:28:18 +0100
Subject: [PATCH 19/30] winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means
 "Dunno"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_pam.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index fb6b8af..77f2bf7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1344,6 +1344,16 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
 		result = cm_connect_netlogon(domain, &netlogon_pipe);
 
+		if (NT_STATUS_EQUAL(result,
+				    NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+			/*
+			 * This means we don't have a trust account.
+			 */
+			*authoritative = 0;
+			result = NT_STATUS_NO_SUCH_USER;
+			break;
+		}
+
 		if (!NT_STATUS_IS_OK(result)) {
 			DEBUG(3,("Could not open handle to NETLOGON pipe "
 				 "(error: %s, attempts: %d)\n",
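Review bot: the new NT_STATUS_CANT_ACCESS_DOMAIN_INFO branch breaks out of the retry loop and replaces the original status with NT_STATUS_NO_SUCH_USER without logging anything, whereas every other failure of cm_connect_netlogon() is logged at DEBUG(3) just below. Add a DBG_INFO/DEBUG(3) line before the `break` stating that no trust account is available for the domain and that the result is being returned as non-authoritative, so an operator can explain why a logon was passed on to other backends instead of being answered by this domain.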
-- 
1.9.1


From 53200f8a9f2650807e7a25dfcc715af96e10d6b0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:42:38 +0100
Subject: [PATCH 20/30] winbindd: let winbindd_dual_auth_passdb() return
 pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 77f2bf7..2bac9ec 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1227,6 +1227,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 					  const DATA_BLOB *lm_resp,
 					  const DATA_BLOB *nt_resp,
 					  bool interactive,
+					  uint8_t *pauthoritative,
 					  struct netr_SamInfo3 **pinfo3)
 {
 	struct auth_context *auth_context;
@@ -1239,6 +1240,11 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 	int rc;
 	TALLOC_CTX *frame = talloc_stackframe();
 
+	/*
+	 * We are authoritative by default
+	 */
+	*pauthoritative = 1;
+
 	rc = tsocket_address_inet_from_strings(frame,
 					       "ip",
 					       "127.0.0.1",
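Review bot: `*pauthoritative = 1;` is set before the tsocket_address_inet_from_strings() and make_auth3_context_for_winbind() failure paths, so an internal error in the local passdb attempt (address setup, out of memory) is reported as an authoritative rejection and, per the callers changed later in this patch, suppresses the fallback to the remote NETLOGON server. If that is intended, a comment saying that only "no module claimed the user" is non-authoritative would make it explicit; otherwise consider leaving *pauthoritative at 0 until auth_check_ntlm_password() has actually been consulted.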
@@ -1290,6 +1296,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 					  &server_info);
 
 	if (!NT_STATUS_IS_OK(status)) {
+		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+			*pauthoritative = 0;
+		}
 		TALLOC_FREE(frame);
 		return status;
 	}
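Review bot: `NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)` tests a variable named `result`, but the status returned by auth_check_ntlm_password() in winbindd_dual_auth_passdb() is `status` (declared as `NTSTATUS status;` in the first hunk and checked on the line above). Unless a `result` is in scope elsewhere in this function, this will not compile, and if one is, it is the wrong value; change it to `status`. The condition is replaced again in the next patch, but each commit in the series should build on its own for bisectability.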
@@ -1563,12 +1572,14 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 			mem_ctx, 0, name_domain, name_user,
 			&chal_blob, &lm_resp, &nt_resp,
 			true, /* interactive */
+			&authoritative,
 			info3);
 
 		/* 
-		 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED 
+		 * We need to try the remote NETLOGON server if this is
+		 * not authoritative.
 		 */
-		if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+		if (authoritative != 0) {
 			goto done;
 		}
 	}
@@ -1983,13 +1994,14 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			name_domain, name_user,
 			&chal_blob, &lm_response, &nt_response,
 			false, /* interactive */
+			authoritative,
 			info3);
 
 		/* 
-		 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED 
+		 * We need to try the remote NETLOGON server if this is
+		 * not authoritative.
 		 */
-		if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-			*authoritative = 1;
+		if (*authoritative != 0) {
 			*flags = 0;
 			goto process_result;
 		}
-- 
1.9.1


From 08f2c1cb1f0e75b55e3d62c02f4fa047492647b0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:43:59 +0100
Subject: [PATCH 21/30] auth3: let auth_check_ntlm_password() return
 pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c                         | 35 +++++++++++++++--------------
 source3/auth/auth_ntlmssp.c                 | 10 ++++++---
 source3/auth/proto.h                        | 10 ++++++---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 12 ++--------
 source3/torture/pdbtest.c                   | 10 ++++++---
 source3/winbindd/winbindd_pam.c             |  7 ++----
 6 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 31701dc..cd490fb 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
  *                  filled in, either at creation or by calling the challenge geneation 
  *                  function auth_get_challenge().  
  *
- * @param server_info If successful, contains information about the authentication, 
- *                    including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ *                     including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ *                       result.
  *
  * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
  *
  **/
-
 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 				  const struct auth_context *auth_context,
 				  const struct auth_usersupplied_info *user_info,
-				  struct auth_serversupplied_info **pserver_info)
+				  struct auth_serversupplied_info **pserver_info,
+				  uint8_t *pauthoritative)
 {
 	TALLOC_CTX *frame;
 	const char *auth_method_name = "";
 	/* if all the modules say 'not for me' this is reasonable */
-	NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
 	const char *unix_username;
 	auth_methods *auth_method;
 	struct auth_serversupplied_info *server_info;
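Review bot: the doc comment being edited still carries the typo "geneation" (challenge generation) on the context line above the @param changes, and the same text appears in the proto.h copy of this comment later in the patch; since both blocks are being touched, fix it in both. Also, with nt_status now initialised to NT_STATUS_NOT_IMPLEMENTED, the comment "if all the modules say 'not for me' this is reasonable" reads oddly; something like "no module has claimed the request yet; mapped to NO_SUCH_USER/non-authoritative below" would describe the new flow.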
@@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 
 	frame = talloc_stackframe();
 
+	*pauthoritative = 1;
+
 	DEBUG(3, ("check_ntlm_password:  Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", 
 		  user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
 
@@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 		DBG_DEBUG("%s had nothing to say\n", auth_method->name);
 	}
 
-	/* check if the module did anything */
-	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
-	    ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
-		/*
-		 * we don't expose the NT_STATUS_NOT_IMPLEMENTED
-		 * internals, except when the caller is only probing
-		 * one method, as they may do the fallback
-		 */
+	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+		*pauthoritative = 0;
 		nt_status = NT_STATUS_NO_SUCH_USER;
 	}
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DBG_INFO("%s authentication for user [%s] FAILED with "
-			 "error %s\n",
+			 "error %s, authoritative=%u\n",
 			 auth_method_name,
 			 user_info->client.account_name,
-			 nt_errstr(nt_status));
+			 nt_errstr(nt_status),
+			 *pauthoritative);
 		goto fail;
 	}
 
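Review bot: this hunk removes the USER_INFO_LOCAL_SAM_ONLY special case, so a caller that sets that flag now receives NT_STATUS_NO_SUCH_USER with *pauthoritative == 0 instead of the raw NT_STATUS_NOT_IMPLEMENTED it used to get. The two winbindd callers were converted to check the authoritative flag in the previous patch; please confirm in the commit message that no other caller still tests for NT_STATUS_NOT_IMPLEMENTED after auth_check_ntlm_password(), since such a caller would now treat a "nobody claimed the user" result as a definitive rejection and skip its fallback.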
@@ -313,9 +313,10 @@ fail:
 
 	/* failed authentication; check for guest lapping */
 
-	DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n",
+	DEBUG(2, ("check_ntlm_password:  Authentication for user "
+		  "[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
 		  user_info->client.account_name, user_info->mapped.account_name,
-		  nt_errstr(nt_status)));
+		  nt_errstr(nt_status), *pauthoritative));
 	ZERO_STRUCTP(pserver_info);
 
 	TALLOC_FREE(frame);
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index a0e4902..0ff3bdd 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 	struct auth_serversupplied_info *server_info;
 	NTSTATUS nt_status;
 	bool username_was_mapped;
+	uint8_t authoritative = 0;
 
 	/* The client has given us its machine name (which we only get over NBT transport).
 	   We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 	nt_status = auth_check_ntlm_password(mem_ctx,
 					     auth_context,
 					     mapped_user_info,
-					     &server_info);
+					     &server_info,
+					     &authoritative);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
+		DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
+			 "%s, authoritative=%u\n",
 			 user_info->client.domain_name,
 			 user_info->client.account_name,
-			 nt_errstr(nt_status)));
+			 nt_errstr(nt_status),
+			 authoritative));
 	}
 
 	username_was_mapped = mapped_user_info->was_mapped;
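Review bot: `authoritative` is computed and logged here but then discarded, so auth3_check_password() (the auth4_context->check_ntlm_password callback behind the NTLMSSP path) still reports every NO_SUCH_USER as final to its callers. That is acceptable as an intermediate step, since 24/30 widens the callback, but the commit message should say the value is deliberately not propagated yet; a bisect landing on this commit otherwise looks like a lost return value.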
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 1101346..ccc284c 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
  *                  filled in, either at creation or by calling the challenge geneation 
  *                  function auth_get_challenge().  
  *
- * @param server_info If successful, contains information about the authentication, 
- *                    including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ *                     including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ *                       result.
  *
  * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
  *
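Review bot: "Indicates if the result should be treated as final result" is too thin for a parameter callers will branch on. Spell out the contract: it is always written; 1 means the backends gave a definitive answer (success, wrong password, account locked, ...); 0 is only ever combined with NT_STATUS_NO_SUCH_USER and means no backend recognised the account or domain, so the caller (for example the NETLOGON server filling in Authoritative) may let the client try elsewhere. While touching this block, "challenge geneation" on the context line above could be fixed to "generation".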
@@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 				  const struct auth_context *auth_context,
 				  const struct auth_usersupplied_info *user_info,
-				  struct auth_serversupplied_info **server_info);
+				  struct auth_serversupplied_info **pserver_info,
+				  uint8_t *pauthoritative);
 
 /* The following definitions come from auth/auth_builtin.c  */
 
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 4c43802..38d7bda 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 		status = auth_check_ntlm_password(p->mem_ctx,
 						  auth_context,
 						  user_info,
-						  &server_info);
+						  &server_info,
+						  r->out.authoritative);
 	}
 
 	TALLOC_FREE(auth_context);
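Review bot: the call is inside a conditional block, so *r->out.authoritative is only written on this branch. With the explicit `*r->out.authoritative = false` in the failure path removed in the next hunk, please confirm that the other branch(es) of this conditional still leave it set to 1 (or set it explicitly); otherwise a client could see an uninitialised Authoritative byte.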
@@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 	/* Check account and password */
 
 	if (!NT_STATUS_IS_OK(status)) {
-		/* If we don't know what this domain is, we need to
-		   indicate that we are not authoritative.  This
-		   allows the client to decide if it needs to try
-		   a local user.  Fix by jpjanosi at us.ibm.com, #2976 */
-                if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
-		     && !strequal(nt_domain, get_global_sam_name())
-		     && !is_trusted_domain(nt_domain) )
-			*r->out.authoritative = false; /* We are not authoritative */
-
 		TALLOC_FREE(server_info);
 		return status;
 	}
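Review bot: this block was the fix for bug #2976 and decided non-authoritativeness purely from the domain name (not our SAM name, not a trusted domain). The replacement only preserves that behaviour if every module in the netlogon auth chain answers NT_STATUS_NOT_IMPLEMENTED, not NT_STATUS_NO_SUCH_USER, for a domain it does not serve; a module that returns NO_SUCH_USER for a foreign domain now makes this server authoritative for domains it knows nothing about, and the client stops trying its local accounts. Worth a test that logs on with an unknown domain name against a member server and checks authoritative == 0. Also check whether `nt_domain` still has a use in this function after the removal; if not, it will trigger an unused-variable warning.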
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 0003566..b442883 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -269,7 +269,8 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 	struct auth_serversupplied_info *server_info;
 	NTSTATUS status;
 	bool ok;
-	
+	uint8_t authoritative = 0;
+
 	SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
 		      local_nt_response);
 	SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
@@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 	status = auth_check_ntlm_password(mem_ctx,
 					  auth_context,
 					  user_info,
-					  &server_info);
+					  &server_info,
+					  &authoritative);
 
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
+		DEBUG(0, ("Failed to test authentication with auth module: "
+			  "%s authoritative[%u].\n",
+			  nt_errstr(status), authoritative));
 		return False;
 	}
 	
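Review bot: the test only prints `authoritative` on failure; on the success path it should assert authoritative == 1, since "a successful result is always authoritative" is exactly the contract this series introduces and pdbtest is the cheapest place to pin it down.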
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 2bac9ec..74941c7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 	status = auth_check_ntlm_password(mem_ctx,
 					  auth_context,
 					  user_info,
-					  &server_info);
-
+					  &server_info,
+					  pauthoritative);
 	if (!NT_STATUS_IS_OK(status)) {
-		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-			*pauthoritative = 0;
-		}
 		TALLOC_FREE(frame);
 		return status;
 	}
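Review bot: the removed check compared `result`, not `status`, against NT_STATUS_NOT_IMPLEMENTED, so it could never have reacted to the return value of auth_check_ntlm_password() and *pauthoritative was in practice never cleared here. Passing pauthoritative through fixes that silently; please say so in the commit message, because winbindd's PAM and ntlm_auth callers will now start seeing authoritative == 0 where they previously always got 1. Note also that auth_check_ntlm_password() sets *pauthoritative = 1 on entry, so any default the caller stored beforehand is overwritten.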
-- 
1.9.1


From 7fbaf17a3c4fe15e0d7aef7766524e627e78fe00 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:16:36 +0100
Subject: [PATCH 22/30] auth4: let auth_check_password* return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_samba4.c                    | 11 +++++++--
 source4/auth/auth.h                           |  6 +++--
 source4/auth/ntlm/auth.c                      | 32 ++++++++++++++++-----------
 source4/auth/ntlm/auth_simple.c               |  4 +++-
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  4 ++--
 source4/smb_server/smb/sesssetup.c            |  9 +++++---
 6 files changed, 43 insertions(+), 23 deletions(-)

diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index a0d6afd3..138c6cd 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -118,6 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
 	NTSTATUS nt_status;
 	struct auth_user_info_dc *user_info_dc;
 	struct auth4_context *auth4_context;
+	uint8_t authoritative = 0;
 
 	nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -132,13 +133,19 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
 		return nt_status;
 	}
 
-	nt_status = auth_check_password(auth4_context, auth4_context, user_info, &user_info_dc);
+	nt_status = auth_check_password(auth4_context, auth4_context, user_info,
+					&user_info_dc, &authoritative);
 	if (!NT_STATUS_IS_OK(nt_status)) {
+		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+				    authoritative == 0)
+		{
+			nt_status = NT_STATUS_NOT_IMPLEMENTED;
+		}
 		TALLOC_FREE(auth4_context);
 		TALLOC_FREE(frame);
 		return nt_status;
 	}
-	
+
 	nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
 						       user_info_dc,
 						       &info3);
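Review bot: the translation back to NT_STATUS_NOT_IMPLEMENTED deserves a comment: auth4 has just converted NOT_IMPLEMENTED into NO_SUCH_USER + authoritative == 0, and this module turns it back so that the auth3 module loop treats "samba4" as "not for me" and carries on, after which auth_check_ntlm_password() converts it a second time. Without that explanation the round trip reads like a bug. Style: the opening brace after the two-line condition sits on its own line; README.Coding wants `if (...) {` with the brace on the condition's line (wrapping the condition if needed), as the surrounding code does.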
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 95aacfe..7358f40 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -153,7 +153,8 @@ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
 NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
 			     const struct auth_usersupplied_info *user_info, 
-			     struct auth_user_info_dc **user_info_dc);
+			     struct auth_user_info_dc **user_info_dc,
+			     uint8_t *pauthoritative);
 NTSTATUS auth4_init(void);
 NTSTATUS auth_register(const struct auth_operations *ops);
 NTSTATUS server_service_auth_init(void);
@@ -173,7 +174,8 @@ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 					    const struct auth_usersupplied_info *user_info);
 NTSTATUS auth_check_password_recv(struct tevent_req *req,
 				  TALLOC_CTX *mem_ctx,
-				  struct auth_user_info_dc **user_info_dc);
+				  struct auth_user_info_dc **user_info_dc,
+				  uint8_t *pauthoritative);
 
 bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx);
 NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 926bf48..12e26f4 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -155,7 +155,8 @@ static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_
 _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
 			     const struct auth_usersupplied_info *user_info, 
-			     struct auth_user_info_dc **user_info_dc)
+			     struct auth_user_info_dc **user_info_dc,
+			     uint8_t *pauthoritative)
 {
 	struct tevent_req *subreq;
 	struct tevent_context *ev;
@@ -178,7 +179,8 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	status = auth_check_password_recv(subreq, mem_ctx, user_info_dc);
+	status = auth_check_password_recv(subreq, mem_ctx,
+					  user_info_dc, pauthoritative);
 	TALLOC_FREE(subreq);
 
 	return status;
@@ -192,9 +194,10 @@ static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
 {
 	struct auth_user_info_dc *user_info_dc;
 	NTSTATUS status;
+	uint8_t authoritative = 0;
 
 	status = auth_check_password(auth_ctx, mem_ctx, user_info,
-				     &user_info_dc);
+				     &user_info_dc, &authoritative);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -225,6 +228,7 @@ struct auth_check_password_state {
 	const struct auth_usersupplied_info *user_info;
 	struct auth_user_info_dc *user_info_dc;
 	struct auth_method_context *method;
+	uint8_t authoritative;
 };
 
 static void auth_check_password_async_trigger(struct tevent_context *ev,
@@ -279,6 +283,10 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+	/*
+	 * We are authoritative by default.
+	 */
+	state->authoritative	= 1;
 	state->auth_ctx		= auth_ctx;
 	state->user_info	= user_info;
 
@@ -386,13 +394,8 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 	}
 
 	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
-		if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
-			/* don't expose the NT_STATUS_NOT_IMPLEMENTED
-			 * internals, except when the caller is only probing
-			 * one method, as they may do the fallback 
-			 */
-			status = NT_STATUS_NO_SUCH_USER;
-		}
+		state->authoritative = 0;
+		status = NT_STATUS_NO_SUCH_USER;
 	}
 
 	if (tevent_req_nterror(req, status)) {
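Review bot: same caller-visible change as on the auth3 side: anyone calling auth_check_password()/auth_check_password_recv() with USER_INFO_LOCAL_SAM_ONLY set used to receive NT_STATUS_NOT_IMPLEMENTED and now gets NT_STATUS_NO_SUCH_USER with *pauthoritative == 0. check_samba4_security() is adapted in this patch; please grep for any other caller that tests for NT_STATUS_NOT_IMPLEMENTED, since it would keep compiling and simply stop matching. A comment replacing the removed one ("NOT_IMPLEMENTED never leaves the auth stack, see state->authoritative") would help here as well.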
@@ -424,20 +427,23 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 
 _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 				  TALLOC_CTX *mem_ctx,
-				  struct auth_user_info_dc **user_info_dc)
+				  struct auth_user_info_dc **user_info_dc,
+				  uint8_t *pauthoritative)
 {
 	struct auth_check_password_state *state =
 		tevent_req_data(req, struct auth_check_password_state);
 	NTSTATUS status;
 
+	*pauthoritative = state->authoritative;
+
 	if (tevent_req_is_nterror(req, &status)) {
 		DEBUG(2,("auth_check_password_recv: "
 			 "%s authentication for user [%s\\%s] "
-			 "FAILED with error %s\n",
+			 "FAILED with error %s, authoritative=%u\n",
 			 (state->method ? state->method->ops->name : "NO_METHOD"),
 			 state->user_info->mapped.domain_name,
 			 state->user_info->mapped.account_name,
-			 nt_errstr(status)));
+			 nt_errstr(status), state->authoritative));
 		tevent_req_received(req);
 		return status;
 	}
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index f6dd9d0..be2ff5e 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -42,6 +42,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 	struct auth_usersupplied_info *user_info;
 	struct auth_user_info_dc *user_info_dc;
 	NTSTATUS nt_status;
+	uint8_t authoritative = 0;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 
 	if (!tmp_ctx) {
@@ -83,7 +84,8 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 		MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
 		MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
 
-	nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &user_info_dc);
+	nt_status = auth_check_password(auth_context, tmp_ctx, user_info,
+					&user_info_dc, &authoritative);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		return nt_status;
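Review bot: `authoritative` is received and then ignored. For authenticate_username_pw() that is probably right (plaintext check, every failure is final for the caller), but a short comment saying so avoids the obvious "lost return value" question; alternatively let auth_check_password() accept a NULL pauthoritative and pass NULL here.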
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 332afd3..0f59a96 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -982,8 +982,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc);
-	/* TODO: set *r->out.authoritative = 0 on specific errors */
+	nt_status = auth_check_password(auth_context, mem_ctx, user_info,
+					&user_info_dc, r->out.authoritative);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
 	switch (r->in.validation_level) {
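Review bot: good to see the TODO closed. auth_check_password() now writes through r->out.authoritative unconditionally, so this relies on the out pointer having been allocated before this point (the old code never wrote it here). Please confirm that, and also that it is still initialised on the NT_STATUS_INVALID_PARAMETER return just above, which bails out before the value is written.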
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index e06853a..e3bfcb3 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -72,9 +72,11 @@ static void sesssetup_old_send(struct tevent_req *subreq)
 	struct auth_session_info *session_info;
 	struct smbsrv_session *smb_sess;
 	NTSTATUS status;
+	uint8_t authoritative = 0;
 	uint32_t flags;
 
-	status = auth_check_password_recv(subreq, req, &user_info_dc);
+	status = auth_check_password_recv(subreq, req, &user_info_dc,
+					  &authoritative);
 	TALLOC_FREE(subreq);
 	if (!NT_STATUS_IS_OK(status)) goto failed;
 
@@ -202,11 +204,12 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
 	struct auth_user_info_dc *user_info_dc = NULL;
 	struct auth_session_info *session_info;
 	struct smbsrv_session *smb_sess;
-
+	uint8_t authoritative = 0;
 	uint32_t flags;
 	NTSTATUS status;
 
-	status = auth_check_password_recv(subreq, req, &user_info_dc);
+	status = auth_check_password_recv(subreq, req, &user_info_dc,
+					  &authoritative);
 	TALLOC_FREE(subreq);
 	if (!NT_STATUS_IS_OK(status)) goto failed;
 
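Review bot: both sesssetup_old_send() and sesssetup_nt1_send() now carry a local `authoritative` that is never read, only because auth_check_password_recv() dereferences the pointer unconditionally. SMB1 session setup has no channel to report the value, so either add a one-line comment saying so or let _recv() accept NULL for callers that do not care.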
-- 
1.9.1


From d2cc7d9f583186c26adefddbbdd267bdcd79b5ff Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:49:40 +0100
Subject: [PATCH 23/30] ntlm_auth3: let contact_winbind_auth_crap() return
 pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/utils/ntlm_auth.c             | 11 +++++++++++
 source3/utils/ntlm_auth_diagnostics.c | 15 ++++++++++-----
 source3/utils/ntlm_auth_proto.h       |  1 +
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 829eb8f..4bfab5b 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -528,6 +528,7 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 				   uint32_t extra_logon_parameters,
 				   uint8_t lm_key[8],
 				   uint8_t user_session_key[16],
+				   uint8_t *pauthoritative,
 				   char **error_string,
 				   char **unix_name)
 {
@@ -536,6 +537,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 	struct winbindd_request request;
 	struct winbindd_response response;
 
+	*pauthoritative = 1;
+
 	if (!get_require_membership_sid()) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
@@ -605,6 +608,7 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		if (error_string) 
 			*error_string = smb_xstrdup(response.data.auth.error_string);
+		*pauthoritative = response.data.auth.authoritative;
 		winbindd_free_response(&response);
 		return nt_status;
 	}
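Review bot: the winbindd-reported value is copied only on the failure path, while the `*pauthoritative = 1` at function entry covers success. Any early error return between the two hunks (lines not shown here, e.g. the request could not be delivered to winbindd) therefore reports authoritative == 1, presenting a transport failure as a final verdict. Consider whether those paths should clear it, or document that only a real winbindd reply can be non-authoritative.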
@@ -951,6 +955,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
 	uint8_t lm_key[8]; 
 	uint8_t user_sess_key[16]; 
 	char *unix_name = NULL;
+	uint8_t authoritative = 0;
 
 	nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name, 
 					      user_info->workstation_name, 
@@ -960,6 +965,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
 					      WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
 					      0,
 					      lm_key, user_sess_key, 
+					      &authoritative,
 					      &error_string, &unix_name);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
@@ -1719,6 +1725,8 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
 				TALLOC_FREE(mem_ctx);
 
 			} else {
+				uint8_t authoritative = 0;
+
 				if (!domain) {
 					domain = smb_xstrdup(get_winbind_domain());
 				}
@@ -1738,6 +1746,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
 								      flags, 0,
 								      lm_key,
 								      user_session_key,
+								      &authoritative,
 								      &error_string,
 								      NULL);
 			}
@@ -2185,6 +2194,7 @@ static bool check_auth_crap(void)
 	char *hex_lm_key;
 	char *hex_user_session_key;
 	char *error_string;
+	uint8_t authoritative = 0;
 
 	setbuf(stdout, NULL);
 
@@ -2204,6 +2214,7 @@ static bool check_auth_crap(void)
 					      flags, 0,
 					      (unsigned char *)lm_key, 
 					      (unsigned char *)user_session_key, 
+					      &authoritative,
 					      &error_string, NULL);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c
index 5533fd2..41591a8 100644
--- a/source3/utils/ntlm_auth_diagnostics.c
+++ b/source3/utils/ntlm_auth_diagnostics.c
@@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
 	DATA_BLOB lm_response = data_blob(NULL, 24);
 	DATA_BLOB nt_response = data_blob(NULL, 24);
 	DATA_BLOB session_key = data_blob(NULL, 16);
-
+	uint8_t authoritative = 0;
 	uchar lm_key[8];
 	uchar user_session_key[16];
 	uchar lm_hash[16];
@@ -101,6 +101,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
 					      flags, 0,
 					      lm_key, 
 					      user_session_key,
+					      &authoritative,
 					      &error_string, NULL);
 	
 	data_blob_free(&lm_response);
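Review bot: all the diagnostics helpers now receive `authoritative` and ignore it. Since each test knows whether it expects success, checking authoritative == 1 on the expected-success paths (and printing the value next to error_string on failure) would turn the new plumbing into something `ntlm_auth --diagnostics` actually exercises.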
@@ -176,7 +177,7 @@ static bool test_ntlm_in_lm(void)
 	NTSTATUS nt_status;
 	uint32_t flags = 0;
 	DATA_BLOB nt_response = data_blob(NULL, 24);
-
+	uint8_t authoritative = 0;
 	uchar lm_key[8];
 	uchar lm_hash[16];
 	uchar user_session_key[16];
@@ -200,6 +201,7 @@ static bool test_ntlm_in_lm(void)
 					      flags, 0,
 					      lm_key,
 					      user_session_key,
+					      &authoritative,
 					      &error_string, NULL);
 	
 	data_blob_free(&nt_response);
@@ -243,7 +245,7 @@ static bool test_ntlm_in_both(void)
 	uint32_t flags = 0;
 	DATA_BLOB nt_response = data_blob(NULL, 24);
 	DATA_BLOB session_key = data_blob(NULL, 16);
-
+	uint8_t authoritative = 0;
 	uint8_t lm_key[8];
 	uint8_t lm_hash[16];
 	uint8_t user_session_key[16];
@@ -271,6 +273,7 @@ static bool test_ntlm_in_both(void)
 					      flags, 0,
 					      lm_key,
 					      user_session_key,
+					      &authoritative,
 					      &error_string, NULL);
 	
 	data_blob_free(&nt_response);
@@ -319,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
 	DATA_BLOB lmv2_response = data_blob_null;
 	DATA_BLOB ntlmv2_session_key = data_blob_null;
 	DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain());
-
+	uint8_t authoritative = 0;
 	uchar user_session_key[16];
 	DATA_BLOB chall = get_challenge();
 	char *error_string;
@@ -362,6 +365,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
 					      flags, 0,
 					      NULL, 
 					      user_session_key,
+					      &authoritative,
 					      &error_string, NULL);
 	
 	data_blob_free(&lmv2_response);
@@ -448,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which)
 	char *password;
 	smb_ucs2_t *nt_response_ucs2;
 	size_t converted_size;
-
+	uint8_t authoritative = 0;
 	uchar user_session_key[16];
 	uchar lm_key[16];
 	static const uchar zeros[8] = { 0, };
@@ -513,6 +517,7 @@ static bool test_plaintext(enum ntlm_break break_which)
 					      flags, MSV1_0_CLEARTEXT_PASSWORD_ALLOWED,
 					      lm_key,
 					      user_session_key,
+					      &authoritative,
 					      &error_string, NULL);
 	
 	TALLOC_FREE(nt_response.data);
diff --git a/source3/utils/ntlm_auth_proto.h b/source3/utils/ntlm_auth_proto.h
index 367fd79..63c4763 100644
--- a/source3/utils/ntlm_auth_proto.h
+++ b/source3/utils/ntlm_auth_proto.h
@@ -39,6 +39,7 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 				   uint32_t extra_logon_parameters,
 				   uint8_t lm_key[8],
 				   uint8_t user_session_key[16],
+				   uint8_t *pauthoritative,
 				   char **error_string,
 				   char **unix_name);
 
-- 
1.9.1


From fb59e342db1e5dfd1634165a3716a134e50dd0b4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:52:51 +0100
Subject: [PATCH 24/30] auth: let auth4_context->check_ntlm_password() return
 pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/common_auth.h            |  1 +
 auth/ntlmssp/ntlmssp_server.c |  3 +++
 source3/auth/auth_generic.c   |  2 ++
 source3/auth/auth_ntlmssp.c   | 12 +++++++++---
 source3/auth/proto.h          |  1 +
 source3/utils/ntlm_auth.c     |  9 ++++++---
 source4/auth/ntlm/auth.c      |  4 ++--
 7 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/auth/common_auth.h b/auth/common_auth.h
index d1a775d..5d232f4 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -110,6 +110,7 @@ struct auth4_context {
 	NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
 					TALLOC_CTX *mem_ctx,
 					const struct auth_usersupplied_info *user_info,
+					uint8_t *pauthoritative,
 					void **server_returned_info,
 					DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 
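Review bot: the callback gains a new parameter in the middle of its argument list, which is fine (every out-of-tree implementer fails to compile rather than silently misbehaving), but the parameter should be documented next to the field with the same contract as in source3/auth/proto.h: always written by the callee, 1 by default, 0 only together with NT_STATUS_NO_SUCH_USER.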
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index ddee875..eab8121 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -726,9 +726,12 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 	user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
 
 	if (auth_context->check_ntlm_password) {
+		uint8_t authoritative = 0;
+
 		nt_status = auth_context->check_ntlm_password(auth_context,
 							      gensec_ntlmssp,
 							      user_info,
+							      &authoritative,
 							      &gensec_ntlmssp->server_returned_info,
 							      user_session_key, lm_session_key);
 	}
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 95c70e8..875b7ff 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -389,10 +389,12 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 {
 	NTSTATUS nt_status;
 	void *server_info;
+	uint8_t authoritative = 0;
 
 	nt_status = auth_context->check_ntlm_password(auth_context,
 						      talloc_tos(),
 						      user_info,
+						      &authoritative,
 						      &server_info, NULL, NULL);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 0ff3bdd..a48c444 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -136,6 +136,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 			      TALLOC_CTX *mem_ctx,
 			      const struct auth_usersupplied_info *user_info,
+			      uint8_t *pauthoritative,
 			      void **server_returned_info,
 			      DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
@@ -145,7 +146,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 	struct auth_serversupplied_info *server_info;
 	NTSTATUS nt_status;
 	bool username_was_mapped;
-	uint8_t authoritative = 0;
+
+	/*
+	 * Be authoritative by default.
+	 */
+	*pauthoritative = 1;
 
 	/* The client has given us its machine name (which we only get over NBT transport).
 	   We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@@ -181,7 +186,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 					     auth_context,
 					     mapped_user_info,
 					     &server_info,
-					     &authoritative);
+					     pauthoritative);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
@@ -189,7 +194,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 			 user_info->client.domain_name,
 			 user_info->client.account_name,
 			 nt_errstr(nt_status),
-			 authoritative));
+			 *pauthoritative));
 	}
 
 	username_was_mapped = mapped_user_info->was_mapped;
@@ -203,6 +208,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 							user_info->client.domain_name,
 							&server_info);
 		if (NT_STATUS_IS_OK(nt_status)) {
+			*pauthoritative = 1;
 			*server_returned_info = talloc_steal(mem_ctx, server_info);
 		}
 		return nt_status;
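Review bot: forcing *pauthoritative = 1 when the fallback turns a failure into success is right (a successful result must be authoritative, whatever the backends said about the original account), but it deserves a comment, since the preceding auth_check_ntlm_password() may have just set it to 0 and a reader will wonder which value wins. The case where this fallback itself fails keeps the backend's value, which is the intended behaviour but should be stated too.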
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index ccc284c..c5f6ade 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -132,6 +132,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 			      TALLOC_CTX *mem_ctx,
 			      const struct auth_usersupplied_info *user_info,
+			      uint8_t *pauthoritative,
 			      void **server_returned_info,
 			      DATA_BLOB *session_key, DATA_BLOB *lm_session_key);
 
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 4bfab5b..3bd945f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -947,6 +947,7 @@ static NTSTATUS ntlm_auth_set_challenge(struct auth4_context *auth_ctx, const ui
 static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context, 
 				 TALLOC_CTX *mem_ctx,
 				 const struct auth_usersupplied_info *user_info, 
+				 uint8_t *pauthoritative,
 				 void **server_returned_info,
 				 DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
@@ -955,7 +956,6 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
 	uint8_t lm_key[8]; 
 	uint8_t user_sess_key[16]; 
 	char *unix_name = NULL;
-	uint8_t authoritative = 0;
 
 	nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name, 
 					      user_info->workstation_name, 
@@ -965,7 +965,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
 					      WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
 					      0,
 					      lm_key, user_sess_key, 
-					      &authoritative,
+					      pauthoritative,
 					      &error_string, &unix_name);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
@@ -995,7 +995,8 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
 
 static NTSTATUS local_pw_check(struct auth4_context *auth4_context, 
 				TALLOC_CTX *mem_ctx,
-				const struct auth_usersupplied_info *user_info, 
+				const struct auth_usersupplied_info *user_info,
+				uint8_t *pauthoritative,
 				void **server_returned_info,
 				DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
@@ -1004,6 +1005,8 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
 
 	nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
 
+	*pauthoritative = 1;
+
 	nt_status = ntlm_password_check(mem_ctx,
 					true, true, 0,
 					&auth4_context->challenge.data,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 12e26f4..0eb2260 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -189,15 +189,15 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
 					    TALLOC_CTX *mem_ctx,
 					    const struct auth_usersupplied_info *user_info,
+					    uint8_t *pauthoritative,
 					    void **server_returned_info,
 					    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 	struct auth_user_info_dc *user_info_dc;
 	NTSTATUS status;
-	uint8_t authoritative = 0;
 
 	status = auth_check_password(auth_ctx, mem_ctx, user_info,
-				     &user_info_dc, &authoritative);
+				     &user_info_dc, pauthoritative);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
-- 
1.9.1


From ee731cd48e087e20b0ce56443b5555cb578ebd07 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 16:47:15 +0100
Subject: [PATCH 25/30] auth4: debug if method->ops->check_password() gives
 NOT_IMPLEMENTED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 0eb2260..5d3fbef 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -374,7 +374,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 		status = method->ops->want_check(method, req, state->user_info);
 		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
 			DEBUG(11,("auth_check_password_send: "
-				  "%s had nothing to say\n",
+				  "%s doesn't want to check\n",
 				  method->ops->name));
 			continue;
 		}
@@ -387,10 +387,15 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 						     state,
 						     state->user_info,
 						     &state->user_info_dc);
-		if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
-			/* the backend has handled the request */
-			break;
+		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+			DEBUG(11,("auth_check_password_send: "
+				  "%s passes to the next method\n",
+				  method->ops->name));
+			continue;
 		}
+
+		/* the backend has handled the request */
+		break;
 	}
 
 	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
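Review bot: DEBUG(11, ...) is used for both new messages while the equivalent source3 loop uses DBG_DEBUG(); pick one style for the series. Wording nit: "doesn't want to check" / "passes to the next method" are clear, but both messages still announce auth_check_password_send although they are emitted from auth_check_password_async_trigger(); using __func__ avoids that drift.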
-- 
1.9.1


From 2951bf0d744785d11ca65e62d1f89585534774bb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 16:46:38 +0100
Subject: [PATCH 26/30] auth3: only use "[samba4:]sam" in
 make_auth3_context_for_winbind()

This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
interaction obsolete.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index cd490fb..b57dfe6 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -544,7 +544,24 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
 NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
 				        struct auth_context **auth_context)
 {
-	return make_auth_context_subsystem(mem_ctx, auth_context);
+	const char *methods = NULL;
+
+	switch (lp_server_role()) {
+	case ROLE_STANDALONE:
+	case ROLE_DOMAIN_MEMBER:
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+		methods = "sam";
+		break;
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		methods = "samba4:sam";
+		break;
+	default:
+		DEBUG(5,("Unknown auth method!\n"));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
 bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
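Review bot: the `default:` branch logs "Unknown auth method!" at level 5, but what is unknown there is the value of lp_server_role(), not an auth method; something like `DEBUG(5,("Unknown server role %d!\n", lp_server_role()));` points the admin at the smb.conf setting that needs fixing. The mapping itself matches the subject: every classic role gets "sam" and the AD DC gets "samba4:sam", so the guest and winbind backends are no longer reachable from winbindd's auth context, which is exactly the property the USER_INFO_LOCAL_SAM_ONLY filter used to provide.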
-- 
1.9.1


From a693141a0c75889f8e36da18ec2a6257bca30b39 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:31:29 +0100
Subject: [PATCH 27/30] winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY

make_auth3_context_for_winbind() restricts the used auth backends now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_pam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 74941c7..c04367e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1269,7 +1269,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 	user_info->mapped_state = True;
 
 	/* We don't want to come back to winbindd or to do PAM account checks */
-	user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
+	user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
 
 	if (interactive) {
 		user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
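Review bot: the comment above the changed line still reads "We don't want to come back to winbindd or to do PAM account checks", and the first half of that sentence was what USER_INFO_LOCAL_SAM_ONLY enforced; with the flag gone the guarantee now comes solely from make_auth3_context_for_winbind() listing only the sam backends, so the comment should say so (e.g. "the auth context from make_auth3_context_for_winbind() only contains the local SAM backends, so we never come back to winbindd; we also don't want PAM account checks"). The commit message already names the dependency on the previous patch; keep the two adjacent so a bisect never lands between them.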
-- 
1.9.1


From 3eef34a7456cdaac840560260f62fea539e65890 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:32:27 +0100
Subject: [PATCH 28/30] auth3: remove unused
 USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c        | 5 -----
 source3/auth/auth_sam.c    | 3 +--
 source3/auth/auth_samba4.c | 1 -
 3 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index b57dfe6..6efb54f 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -223,11 +223,6 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 
 		auth_method_name = auth_method->name;
 
-		if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
-		    && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) {
-			continue;
-		}
-
 		nt_status = auth_method->auth(auth_context,
 					      auth_method->private_data,
 					      talloc_tos(),
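Review bot: dropping this filter is a pure dead-code removal only because patch 27 removed the last setter of USER_INFO_LOCAL_SAM_ONLY; after this hunk every method in the context's list gets `auth_method->auth()` called in order, with no remaining way for a caller to opt out of a backend. A sentence in the commit message that no other in-tree setter of the flag exists (and that out-of-tree callers setting bit 0x10 now get the full method list) would make that explicit.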
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index c4100d5..5b53bca 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -121,8 +121,7 @@ static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *par
 	}
 	result->auth = auth_samstrict_auth;
 	result->name = "sam";
-	result->flags = AUTH_METHOD_LOCAL_SAM;
-        *auth_method = result;
+	*auth_method = result;
 	return NT_STATUS_OK;
 }
 
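Review bot: the `*auth_method = result;` line changes only its indentation (spaces to a tab) alongside the removal of the flags assignment; fine to bundle, but since `result->flags` is no longer written here while the member still exists, please confirm `result` is zero-initialised so the field reads as 0 rather than whatever the allocator left behind.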
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index 138c6cd..4c83c2a 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -379,7 +379,6 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
 	result->auth = check_samba4_security;
 	result->prepare_gensec = prepare_gensec;
 	result->make_auth4_context = make_auth4_context_s4;
-	result->flags = AUTH_METHOD_LOCAL_SAM;
 
 	if (param && *param) {
 		auth_context->forced_samba4_methods = talloc_strdup(result, param);
-- 
1.9.1


From 1352a6c688b85a6cba81f1acf5e21c981a64aad1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:32:27 +0100
Subject: [PATCH 29/30] auth4: remove unused
 USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth.c     | 5 -----
 source4/auth/ntlm/auth_sam.c | 2 --
 2 files changed, 7 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 5d3fbef..1b7faee 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -361,11 +361,6 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 
 	for (method=state->auth_ctx->methods; method; method = method->next) {
 
-		if (state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY
-		    && !(method->ops->flags & AUTH_METHOD_LOCAL_SAM)) {
-			continue;
-		}
-
 		/* we fill in state->method here so debug messages in
 		   the callers know which method failed */
 		state->method = method;
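Review bot: same dependency as on the source3 side: this loop no longer filters on caller flags, so method selection is now entirely want_check plus the method list built for the context. For the AD DC, winbindd's list comes from "samba4:sam" in patch 26, which reaches this code via `forced_samba4_methods`; please confirm that parameter yields a methods list containing only the sam backend here, otherwise winbindd's requests could now be handled by a method the old flag would have skipped.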
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 90eabca..086f9af 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -700,7 +700,6 @@ static const struct auth_operations sam_ignoredomain_ops = {
 	.want_check	           = authsam_ignoredomain_want_check,
 	.check_password	           = authsam_check_password_internals,
 	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
-	.flags                     = AUTH_METHOD_LOCAL_SAM
 };
 
 static const struct auth_operations sam_ops = {
@@ -708,7 +707,6 @@ static const struct auth_operations sam_ops = {
 	.want_check	           = authsam_want_check,
 	.check_password	           = authsam_check_password_internals,
 	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
-	.flags                     = AUTH_METHOD_LOCAL_SAM
 };
 
 _PUBLIC_ NTSTATUS auth4_sam_init(void);
-- 
1.9.1


From 2a7674e7bd42ec8b634f12e8fba1ee6936666cd8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:32:27 +0100
Subject: [PATCH 30/30] auth: remove unused
 USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/common_auth.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 5d232f4..8cbfc54 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -26,7 +26,7 @@
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
 #define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
+/*unused #define USER_INFO_LOCAL_SAM_ONLY   0x10    Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
 #define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
 
 enum auth_password_state {
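Review bot: the comment on the retired define claims a second purpose, "do not map missing passwords to NO_SUCH_USER", but no hunk in this series touches such a mapping; either the comment was stale (the flag only ever filtered methods) or the mapping still exists and now always applies to winbindd callers. Please confirm which and say so in the commit message. Separately, a commented-out `/*unused #define ... */` is an unusual way to retire a bit: either drop the line, or replace it with a one-line comment that 0x10 was USER_INFO_LOCAL_SAM_ONLY and should not be recycled for a new flag.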
@@ -79,8 +79,6 @@ struct loadparm_context;
 struct ldb_context;
 struct smb_krb5_context;
 
-#define AUTH_METHOD_LOCAL_SAM 0x01
-
 struct auth4_context {
 	struct {
 		/* Who set this up in the first place? */
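Review bot: with AUTH_METHOD_LOCAL_SAM gone and the `.flags` initialisers removed in patches 28 and 29, nothing left in this series sets or reads the `flags` member of the auth method structures; either remove that member in a follow-up or note in the commit message that it is intentionally kept for future values.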
-- 
1.9.1
