501b5ca080898b42de717b202e7a8037c05ce6b6
[samba.git] / source4 / auth / auth_sam.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5    Copyright (C) Gerald Carter                             2003
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 2 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program; if not, write to the Free Software
19    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23 #include "librpc/gen_ndr/ndr_samr.h"
24 #include "system/time.h"
25 #include "auth/auth.h"
26 #include "lib/ldb/include/ldb.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_AUTH
30
31 /****************************************************************************
32  Do a specific test for an smb password being correct, given a smb_password and
33  the lanman and NT responses.
34 ****************************************************************************/
35
36 static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
37                                 TALLOC_CTX *mem_ctx,
38                                 const char *username,
39                                 uint16_t acct_flags,
40                                 const struct samr_Password *lm_pwd, 
41                                 const struct samr_Password *nt_pwd,
42                                 const struct auth_usersupplied_info *user_info, 
43                                 DATA_BLOB *user_sess_key, 
44                                 DATA_BLOB *lm_sess_key)
45 {
46         NTSTATUS status;
47
48         if (acct_flags & ACB_PWNOTREQ) {
49                 if (lp_null_passwords()) {
50                         DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", 
51                                  username));
52                         return NT_STATUS_OK;
53                 } else {
54                         DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", 
55                                  username));
56                         return NT_STATUS_LOGON_FAILURE;
57                 }               
58         }
59
60         status = ntlm_password_check(mem_ctx, &auth_context->challenge, 
61                                    &user_info->lm_resp, &user_info->nt_resp, 
62                                    &user_info->lm_interactive_password, 
63                                    &user_info->nt_interactive_password,
64                                    username, 
65                                    user_info->smb_name.str, 
66                                    user_info->client_domain.str, 
67                                    lm_pwd->hash, nt_pwd->hash, user_sess_key, lm_sess_key);
68
69         if (NT_STATUS_IS_OK(status)) {
70                 if (user_sess_key && user_sess_key->data) {
71                         talloc_steal(auth_context, user_sess_key->data);
72                 }
73                 if (lm_sess_key && lm_sess_key->data) {
74                         talloc_steal(auth_context, lm_sess_key->data);
75                 }
76         }
77
78         return status;
79 }
80
81
82 /****************************************************************************
83  Do a specific test for a SAM_ACCOUNT being vaild for this connection 
84  (ie not disabled, expired and the like).
85 ****************************************************************************/
86
87 static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
88                                const char *username,
89                                uint16_t acct_flags,
90                                NTTIME *acct_expiry,
91                                NTTIME *must_change_time,
92                                NTTIME *last_set_time,
93                                const char *workstation_list,
94                                const struct auth_usersupplied_info *user_info)
95 {
96         DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n", username));
97
98         /* Quit if the account was disabled. */
99         if (acct_flags & ACB_DISABLED) {
100                 DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", username));
101                 return NT_STATUS_ACCOUNT_DISABLED;
102         }
103
104         /* Quit if the account was locked out. */
105         if (acct_flags & ACB_AUTOLOCK) {
106                 DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", username));
107                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
108         }
109
110         /* Test account expire time */
111         if ((*acct_expiry) != -1 && time(NULL) > nt_time_to_unix(*acct_expiry)) {
112                 DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", username));
113                 DEBUG(3,("sam_account_ok: Account expired at '%s'.\n", 
114                          nt_time_string(mem_ctx, *acct_expiry)));
115                 return NT_STATUS_ACCOUNT_EXPIRED;
116         }
117
118         if (!(acct_flags & ACB_PWNOEXP)) {
119
120                 /* check for immediate expiry "must change at next logon" */
121                 if (*must_change_time == 0 && *last_set_time != 0) {
122                         DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", 
123                                  username));
124                         return NT_STATUS_PASSWORD_MUST_CHANGE;
125                 }
126
127                 /* check for expired password */
128                 if ((*must_change_time) != 0 && nt_time_to_unix(*must_change_time) < time(NULL)) {
129                         DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", 
130                                  username));
131                         DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", 
132                                  nt_time_string(mem_ctx, *must_change_time)));
133                         return NT_STATUS_PASSWORD_EXPIRED;
134                 }
135         }
136
137         /* Test workstation. Workstation list is comma separated. */
138
139         if (workstation_list && *workstation_list) {
140                 BOOL invalid_ws = True;
141                 const char *s = workstation_list;
142                         
143                 fstring tok;
144                         
145                 while (next_token(&s, tok, ",", sizeof(tok))) {
146                         DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n",
147                                   tok, user_info->wksta_name.str, user_info->wksta_name.len));
148                         
149                         if(strequal(tok, user_info->wksta_name.str)) {
150                                 invalid_ws = False;
151
152                                 break;
153                         }
154                 }
155                 
156                 if (invalid_ws) 
157                         return NT_STATUS_INVALID_WORKSTATION;
158         }
159
160         if (acct_flags & ACB_DOMTRUST) {
161                 DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", username));
162                 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
163         }
164         
165         if (acct_flags & ACB_SVRTRUST) {
166                 DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", username));
167                 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
168         }
169         
170         if (acct_flags & ACB_WSTRUST) {
171                 DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", username));
172                 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
173         }
174         
175         return NT_STATUS_OK;
176 }
177
178 /****************************************************************************
179  Look for the specified user in the sam, return ldb result structures
180 ****************************************************************************/
181
182 static NTSTATUS sam_search_user(const char *username, const char *domain, 
183                                 TALLOC_CTX *mem_ctx, void *sam_ctx, 
184                                 struct ldb_message ***ret_msgs, 
185                                 struct ldb_message ***ret_msgs_domain)
186 {
187         struct ldb_message **msgs;
188         struct ldb_message **msgs_domain;
189
190         uint_t ret;
191         uint_t ret_domain;
192
193         const char *domain_dn = NULL;
194         const char *domain_sid;
195
196         const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", 
197                                "userAccountControl",
198                                "pwdLastSet",
199                                "accountExpires",
200                                "objectSid",
201                                "userWorkstations",
202                                
203                                /* required for server_info, not access control: */
204                                "sAMAccountName",
205                                "displayName",
206                                "scriptPath",
207                                "profilePath",
208                                "homeDirectory",
209                                "homeDrive",
210                                "lastLogon",
211                                "lastLogoff",
212                                "accountExpires",
213                                "badPwdCount",
214                                "logonCount",
215                                "primaryGroupID",
216                                NULL,
217         };
218
219         const char *domain_attrs[] =  {"name", "objectSid"};
220
221         if (domain) {
222                 /* find the domain's DN */
223                 ret_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs,
224                                           "(&(|(realm=%s)(name=%s))(objectclass=domain))", 
225                                           domain, domain);
226                 
227                 if (ret_domain == 0) {
228                         DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", 
229                                  domain));
230                         return NT_STATUS_NO_SUCH_USER;
231                 }
232                 
233                 if (ret_domain > 1) {
234                         DEBUG(0,("Found %d records matching domain [%s]\n", 
235                                  ret_domain, domain));
236                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
237                 }
238
239                 domain_dn = msgs_domain[0]->dn;
240
241         }
242         /* pull the user attributes */
243         ret = samdb_search(sam_ctx, mem_ctx, domain_dn, &msgs, attrs,
244                            "(&(sAMAccountName=%s)(objectclass=user))", 
245                            username);
246
247         if (ret == 0) {
248                 DEBUG(3,("check_sam_security: Couldn't find user [%s] in passdb file.\n", 
249                          username));
250                 return NT_STATUS_NO_SUCH_USER;
251         }
252
253         if (ret > 1) {
254                 DEBUG(0,("Found %d records matching user [%s]\n", ret, username));
255                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
256         }
257         
258         if (!domain) {
259                 domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
260                 if (!domain_sid) {
261                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
262                 }
263
264                 /* find the domain's DN */
265                 ret_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs,
266                                           "(&(objectSid=%s)(objectclass=domain))", 
267                                           domain_sid);
268                 
269                 if (ret_domain == 0) {
270                         DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", 
271                                  domain_sid));
272                         return NT_STATUS_NO_SUCH_USER;
273                 }
274                 
275                 if (ret_domain > 1) {
276                         DEBUG(0,("Found %d records matching domain [%s]\n", 
277                                  ret_domain, domain_sid));
278                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
279                 }
280
281                 domain_dn = msgs_domain[0]->dn;
282         }
283         *ret_msgs = msgs;
284         *ret_msgs_domain = msgs_domain;
285         
286         return NT_STATUS_OK;
287 }
288
289 NTSTATUS sam_check_password(const struct auth_context *auth_context, 
290                             const char *username,
291                             TALLOC_CTX *mem_ctx, void *sam_ctx, 
292                             struct ldb_message **msgs,
293                             const char *domain_dn,
294                             const struct auth_usersupplied_info *user_info, 
295                             DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) 
296 {
297
298         uint16_t acct_flags;
299         const char *workstation_list;
300         NTTIME acct_expiry;
301         NTTIME must_change_time;
302         NTTIME last_set_time;
303         struct samr_Password *lm_pwd, *nt_pwd;
304
305         NTSTATUS nt_status;
306
307
308         acct_flags = samdb_result_acct_flags(msgs[0], "sAMAcctFlags");
309         
310         /* Quit if the account was locked out. */
311         if (acct_flags & ACB_AUTOLOCK) {
312                 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", 
313                          username));
314                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
315         }
316
317         if (!NT_STATUS_IS_OK(nt_status = samdb_result_passwords(mem_ctx, msgs[0], 
318                                                                 &lm_pwd, &nt_pwd))) {
319                 return nt_status;
320         }
321
322         nt_status = sam_password_ok(auth_context, mem_ctx, 
323                                     username, acct_flags, 
324                                     lm_pwd, nt_pwd,
325                                     user_info, user_sess_key, lm_sess_key);
326         
327         if (!NT_STATUS_IS_OK(nt_status)) {
328                 return nt_status;
329         }
330
331         acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0);
332         must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
333                                                               domain_dn, msgs[0], 
334                                                               "pwdLastSet");
335         last_set_time = samdb_result_nttime(msgs[0], "pwdLastSet", 0);
336
337         workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
338
339         nt_status = sam_account_ok(mem_ctx, username, acct_flags, 
340                                    &acct_expiry, 
341                                    &must_change_time, 
342                                    &last_set_time, 
343                                    workstation_list,
344                                    user_info);
345
346         return nt_status;
347 }
348
349 NTSTATUS sam_make_server_info(TALLOC_CTX *mem_ctx, void *sam_ctx, 
350                               struct ldb_message **msgs, struct ldb_message **msgs_domain, 
351                               struct auth_serversupplied_info **server_info) 
352 {
353
354         struct ldb_message **group_msgs;
355         int group_ret;
356         const char *group_attrs[3] = { "sAMAccountType", "objectSid", NULL }; 
357         /* find list of sids */
358         struct dom_sid **groupSIDs = NULL;
359         struct dom_sid *user_sid;
360         struct dom_sid *primary_group_sid;
361         const char *sidstr;
362         int i;
363         uint_t rid;
364         
365         NTSTATUS nt_status;
366
367         if (!NT_STATUS_IS_OK(nt_status = make_server_info(mem_ctx, server_info, 
368                                                           samdb_result_string(msgs[0], "sAMAccountName", "")))) {               
369                 DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
370                 return nt_status;
371         }
372         
373         group_ret = samdb_search(sam_ctx,
374                                  mem_ctx, NULL, &group_msgs, group_attrs,
375                                  "(&(member=%s)(sAMAccountType=*))", 
376                                  msgs[0]->dn);
377         if (group_ret == -1) {
378                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
379         }
380         
381         if (group_ret > 0 && 
382             !(groupSIDs = talloc_array_p(*server_info, struct dom_sid *, group_ret))) {
383                 talloc_free(*server_info);
384                 return NT_STATUS_NO_MEMORY;
385         }
386         
387         /* Need to unroll some nested groups, but not aliases */
388         for (i = 0; i < group_ret; i++) {
389                 sidstr = ldb_msg_find_string(group_msgs[i], "objectSid", NULL);
390                 groupSIDs[i] = dom_sid_parse_talloc(*server_info, sidstr);
391         }
392         
393         sidstr = ldb_msg_find_string(msgs[0], "objectSid", NULL);
394         user_sid = dom_sid_parse_talloc(*server_info, sidstr);
395         primary_group_sid = dom_sid_parse_talloc(*server_info, sidstr);
396         rid = samdb_result_uint(msgs[0], "primaryGroupID", ~0);
397         if (rid == ~0) {
398                 if (group_ret > 0) {
399                         primary_group_sid = groupSIDs[0];
400                 } else {
401                         primary_group_sid = NULL;
402                 }
403         } else {
404                 primary_group_sid->sub_auths[primary_group_sid->num_auths-1] = rid;
405         }
406         
407         (*server_info)->user_sid = user_sid;
408         (*server_info)->primary_group_sid = primary_group_sid;
409         
410         (*server_info)->n_domain_groups = group_ret;
411         (*server_info)->domain_groups = groupSIDs;
412
413         (*server_info)->account_name 
414                 = talloc_strdup(*server_info, 
415                                 samdb_result_string(msgs[0], "sAMAccountName", ""));
416
417         (*server_info)->domain
418                 = talloc_strdup(*server_info, 
419                                 samdb_result_string(msgs_domain[0], "name", ""));
420
421         (*server_info)->full_name 
422                 = talloc_strdup(*server_info, 
423                                 samdb_result_string(msgs[0], "displayName", ""));
424
425         (*server_info)->logon_script 
426                 = talloc_strdup(*server_info, 
427                                 samdb_result_string(msgs[0], "scriptPath", ""));
428         (*server_info)->profile_path 
429                 = talloc_strdup(*server_info, 
430                                 samdb_result_string(msgs[0], "profilePath", ""));
431         (*server_info)->home_directory 
432                 = talloc_strdup(*server_info, 
433                                 samdb_result_string(msgs[0], "homeDirectory", ""));
434
435         (*server_info)->home_drive 
436                 = talloc_strdup(*server_info, 
437                                 samdb_result_string(msgs[0], "homeDrive", ""));
438
439         (*server_info)->last_logon = samdb_result_nttime(msgs[0], "lastLogon", 0);
440         (*server_info)->last_logoff = samdb_result_nttime(msgs[0], "lastLogoff", 0);
441         (*server_info)->acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0);
442         (*server_info)->last_password_change = samdb_result_nttime(msgs[0], "pwdLastSet", 0);
443         (*server_info)->allow_password_change
444                 = samdb_result_allow_password_change(sam_ctx, mem_ctx, 
445                                                      msgs_domain[0]->dn, msgs[0], "pwdLastSet");
446         (*server_info)->force_password_change
447                 = samdb_result_force_password_change(sam_ctx, mem_ctx, 
448                                                      msgs_domain[0]->dn, msgs[0], "pwdLastSet");
449
450         (*server_info)->logon_count = samdb_result_uint(msgs[0], "logonCount", 0);
451         (*server_info)->bad_password_count = samdb_result_uint(msgs[0], "badPwdCount", 0);
452
453         (*server_info)->acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
454
455         (*server_info)->guest = False;
456
457         if (!(*server_info)->account_name 
458             || !(*server_info)->full_name 
459             || !(*server_info)->logon_script
460             || !(*server_info)->profile_path
461             || !(*server_info)->home_directory
462             || !(*server_info)->home_drive) {
463                 talloc_destroy(*server_info);
464                 return NT_STATUS_NO_MEMORY;
465         }
466
467         return nt_status;
468 }
469
470 NTSTATUS sam_get_server_info(const char *username, const char *domain, TALLOC_CTX *mem_ctx,
471                              struct auth_serversupplied_info **server_info)
472 {
473         NTSTATUS nt_status;
474
475         struct ldb_message **msgs;
476         struct ldb_message **domain_msgs;
477         void *sam_ctx;
478
479         sam_ctx = samdb_connect(mem_ctx);
480         if (sam_ctx == NULL) {
481                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
482         }
483
484         nt_status = sam_search_user(username, domain, mem_ctx, sam_ctx, &msgs, &domain_msgs);
485         if (!NT_STATUS_IS_OK(nt_status)) {
486                 return nt_status;
487         }
488
489         nt_status = sam_make_server_info(mem_ctx, sam_ctx, msgs, domain_msgs, server_info);
490         if (!NT_STATUS_IS_OK(nt_status)) {
491                 return nt_status;
492         }
493
494         return NT_STATUS_OK;
495 }
496
497 static NTSTATUS check_sam_security_internals(const struct auth_context *auth_context,
498                                              const char *domain,
499                                              TALLOC_CTX *mem_ctx,
500                                              const struct auth_usersupplied_info *user_info, 
501                                              struct auth_serversupplied_info **server_info)
502 {
503         NTSTATUS nt_status;
504
505         const char *username = user_info->internal_username.str;
506         struct ldb_message **msgs;
507         struct ldb_message **domain_msgs;
508         void *sam_ctx;
509         DATA_BLOB user_sess_key, lm_sess_key;
510
511         sam_ctx = samdb_connect(mem_ctx);
512         if (sam_ctx == NULL) {
513                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
514         }
515
516         nt_status = sam_search_user(username, domain, mem_ctx, sam_ctx, &msgs, &domain_msgs);
517         if (!NT_STATUS_IS_OK(nt_status)) {
518                 return nt_status;
519         }
520
521         nt_status = sam_check_password(auth_context, username, mem_ctx, sam_ctx, msgs, domain_msgs[0]->dn, user_info,
522                                        &user_sess_key, &lm_sess_key);
523         if (!NT_STATUS_IS_OK(nt_status)) {
524                 return nt_status;
525         }
526         
527         nt_status = sam_make_server_info(mem_ctx, sam_ctx, msgs, domain_msgs, server_info);
528         if (!NT_STATUS_IS_OK(nt_status)) {
529                 return nt_status;
530         }
531
532         talloc_reference(auth_context, *server_info);
533
534         (*server_info)->user_session_key = user_sess_key;
535         (*server_info)->lm_session_key = lm_sess_key;
536         return NT_STATUS_OK;
537 }
538
539 static NTSTATUS check_sam_security(const struct auth_context *auth_context,
540                                    void *my_private_data, 
541                                    TALLOC_CTX *mem_ctx,
542                                    const struct auth_usersupplied_info *user_info, 
543                                    struct auth_serversupplied_info **server_info)
544 {
545         return check_sam_security_internals(auth_context, NULL,
546                                             mem_ctx, user_info, server_info);
547 }
548
549 /* module initialisation */
550 static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, 
551                                            const char *param, 
552                                            struct auth_methods **auth_method) 
553 {
554         if (!make_auth_methods(auth_context, auth_method)) {
555                 return NT_STATUS_NO_MEMORY;
556         }
557
558         (*auth_method)->auth = check_sam_security;      
559         (*auth_method)->name = "sam_ignoredomain";
560         return NT_STATUS_OK;
561 }
562
563
564 /****************************************************************************
565 Check SAM security (above) but with a few extra checks.
566 ****************************************************************************/
567
568 static NTSTATUS check_samstrict_security(const struct auth_context *auth_context,
569                                          void *my_private_data, 
570                                          TALLOC_CTX *mem_ctx,
571                                          const struct auth_usersupplied_info *user_info, 
572                                          struct auth_serversupplied_info **server_info)
573 {
574         const char *domain;
575         BOOL is_local_name, is_my_domain;
576
577         if (!user_info || !auth_context) {
578                 return NT_STATUS_LOGON_FAILURE;
579         }
580
581         is_local_name = is_myname(user_info->domain.str);
582         is_my_domain  = strequal(user_info->domain.str, lp_workgroup());
583
584         /* check whether or not we service this domain/workgroup name */
585         
586         switch ( lp_server_role() ) {
587                 case ROLE_STANDALONE:
588                 case ROLE_DOMAIN_MEMBER:
589                         if ( !is_local_name ) {
590                                 DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
591                                         user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER 
592                                         ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
593                                 return NT_STATUS_NOT_IMPLEMENTED;
594                         }
595                         domain = lp_netbios_name();
596                         break;
597                 case ROLE_DOMAIN_PDC:
598                 case ROLE_DOMAIN_BDC:
599                         if ( !is_local_name && !is_my_domain ) {
600                                 DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
601                                         user_info->domain.str));
602                                 return NT_STATUS_NOT_IMPLEMENTED;
603                         }
604                         domain = lp_workgroup();
605                         break;
606                 default: /* name is ok */
607                         domain = user_info->domain.str;
608                         break;
609         }
610         
611         return check_sam_security_internals(auth_context, domain, mem_ctx, user_info, server_info);
612 }
613
614 /* module initialisation */
615 static NTSTATUS auth_init_sam(struct auth_context *auth_context, 
616                               const char *param, 
617                               struct auth_methods **auth_method) 
618 {
619         if (!make_auth_methods(auth_context, auth_method)) {
620                 return NT_STATUS_NO_MEMORY;
621         }
622
623         (*auth_method)->auth = check_samstrict_security;
624         (*auth_method)->name = "sam";
625         return NT_STATUS_OK;
626 }
627
628 NTSTATUS auth_sam_init(void)
629 {
630         NTSTATUS ret;
631         struct auth_operations ops;
632
633         ops.name = "sam";
634         ops.init = auth_init_sam;
635         ret = auth_register(&ops);
636         if (!NT_STATUS_IS_OK(ret)) {
637                 DEBUG(0,("Failed to register '%s' auth backend!\n",
638                         ops.name));
639                 return ret;
640         }
641
642         ops.name = "sam_ignoredomain";
643         ops.init = auth_init_sam_ignoredomain;
644         ret = auth_register(&ops);
645         if (!NT_STATUS_IS_OK(ret)) {
646                 DEBUG(0,("Failed to register '%s' auth backend!\n",
647                         ops.name));
648                 return ret;
649         }
650
651         return ret;
652 }