* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **pserver_info)
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative)
{
TALLOC_CTX *frame;
const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */
- NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
const char *unix_username;
auth_methods *auth_method;
struct auth_serversupplied_info *server_info;
frame = talloc_stackframe();
+ *pauthoritative = 1;
+
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
}
- /* check if the module did anything */
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
- ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
- /*
- * we don't expose the NT_STATUS_NOT_IMPLEMENTED
- * internals, except when the caller is only probing
- * one method, as they may do the fallback
- */
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ *pauthoritative = 0;
nt_status = NT_STATUS_NO_SUCH_USER;
}
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_INFO("%s authentication for user [%s] FAILED with "
- "error %s\n",
+ "error %s, authoritative=%u\n",
auth_method_name,
user_info->client.account_name,
- nt_errstr(nt_status));
+ nt_errstr(nt_status),
+ *pauthoritative);
goto fail;
}
/* failed authentication; check for guest lapping */
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
+ DEBUG(2, ("check_ntlm_password: Authentication for user "
+ "[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
user_info->client.account_name, user_info->mapped.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status), *pauthoritative));
ZERO_STRUCTP(pserver_info);
TALLOC_FREE(frame);
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
+ uint8_t authoritative = 0;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
nt_status = auth_check_ntlm_password(mem_ctx,
auth_context,
mapped_user_info,
- &server_info);
+ &server_info,
+ &authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
+ DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
+ "%s, authoritative=%u\n",
user_info->client.domain_name,
user_info->client.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status),
+ authoritative));
}
username_was_mapped = mapped_user_info->was_mapped;
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative);
/* The following definitions come from auth/auth_builtin.c */
status = auth_check_ntlm_password(p->mem_ctx,
auth_context,
user_info,
- &server_info);
+ &server_info,
+ r->out.authoritative);
}
TALLOC_FREE(auth_context);
/* Check account and password */
if (!NT_STATUS_IS_OK(status)) {
- /* If we don't know what this domain is, we need to
- indicate that we are not authoritative. This
- allows the client to decide if it needs to try
- a local user. Fix by jpjanosi@us.ibm.com, #2976 */
- if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
- && !strequal(nt_domain, get_global_sam_name())
- && !is_trusted_domain(nt_domain) )
- *r->out.authoritative = false; /* We are not authoritative */
-
TALLOC_FREE(server_info);
return status;
}
struct auth_serversupplied_info *server_info;
NTSTATUS status;
bool ok;
-
+ uint8_t authoritative = 0;
+
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response);
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
- &server_info);
+ &server_info,
+ &authoritative);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
+ DEBUG(0, ("Failed to test authentication with auth module: "
+ "%s authoritative[%u].\n",
+ nt_errstr(status), authoritative));
return False;
}
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
- &server_info);
-
+ &server_info,
+ pauthoritative);
if (!NT_STATUS_IS_OK(status)) {
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- *pauthoritative = 0;
- }
TALLOC_FREE(frame);
return status;
}