[PATCH] Correctly handle !authoritative in the rpc-based auth backends
Volker Lendecke
vl at samba.org
Thu Mar 9 12:36:26 UTC 2017
Hi!
This is independently correct, but is quite ineffective so far. The
core auth backend loops don't do this yet, but I want to make the
final patchset smaller.
Review appreciated!
Thanks, Volker
-------------- next part --------------
From a4c2d981c2a8214d9291b211b48f73b21f2e6c24 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 10:25:44 +0100
Subject: [PATCH 1/3] auth_winbind3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/auth/auth_winbind.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 2b5c84d..e6a6296 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -121,6 +121,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
if (wbc_status == WBC_ERR_AUTH_ERROR) {
nt_status = NT_STATUS(err->nt_status);
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+ (err->authoritative == 0)) {
+ /*
+ * Trigger a fallback to local SAM
+ */
+ nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ }
+
wbcFreeMemory(err);
return nt_status;
}
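Review bot: The new condition in the WBC_ERR_AUTH_ERROR branch only rewrites NT_STATUS_NO_SUCH_USER, so any other status that arrives with err->authoritative == 0 is still returned unchanged and reads as a final answer to the caller. If that restriction is intentional, the comment should say so and also state that NT_STATUS_NOT_IMPLEMENTED is the value the calling auth loop is expected to treat as "try the next backend", since "Trigger a fallback to local SAM" does not explain how the fallback is triggered. Reading err->authoritative before wbcFreeMemory(err) is the right order and should stay that way if this block is moved.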
--
2.1.4
From 83dcf4e7468f46904d829f187b270dac1954c3d3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 25 Feb 2017 09:55:28 +0000
Subject: [PATCH 2/3] auth_winbind4: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/auth/ntlm/auth_winbind.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 8b9a1ef..6f1976d 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -141,6 +141,11 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
status = dcerpc_winbind_SamLogon_r(irpc_handle, s, &s->req);
NT_STATUS_NOT_OK_RETURN(status);
+ if (NT_STATUS_EQUAL(s->req.out.result, NT_STATUS_NO_SUCH_USER) &&
+ !s->req.out.authoritative) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
status = make_user_info_dc_netlogon_validation(mem_ctx,
user_info->client.account_name,
s->req.in.validation_level,
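Review bot: Missing documentation on the early return NT_STATUS_NOT_IMPLEMENTED after dcerpc_winbind_SamLogon_r(): unlike patch 1/3 there is no comment saying this is meant to trigger a fallback, so the status looks like a genuine "not implemented" error to anyone reading winbind_check_password() on its own. Please add the same comment as in 1/3. As a style point, the series tests the flag as !s->req.out.authoritative here and as (authoritative == 0) in the other two patches; picking one form makes the three sites easier to grep for when the core loop change lands.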
--
2.1.4
From c303fd74c4ee701155191fa2ab04146212b8102e Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 12 Feb 2017 19:20:07 +0100
Subject: [PATCH 3/3] auth_ntdomain3: Correctly handle !authoritative
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/auth/auth_domain.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index d663923..b3ff518 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -229,6 +229,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
nt_status = NT_STATUS_NO_LOGON_SERVERS;
}
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+ (authoritative == 0)) {
+ nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ }
} else {
nt_status = make_server_info_info3(mem_ctx,
user_info->client.account_name,
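Review bot: After the added block in the failure branch of domain_client_validate(), nt_status no longer carries NT_STATUS_NO_SUCH_USER, so nothing downstream can tell that a non-authoritative answer from the domain was converted into NT_STATUS_NOT_IMPLEMENTED. A debug message at the point of the rewrite would let an operator distinguish this case from a backend that really does not implement the check when tracing a failed logon. The block also lacks the explanatory comment that 1/3 has, and since the same condition now appears in three backends, a small shared helper would keep the mapping consistent.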
--
2.1.4