auth: let auth4_context->check_ntlm_password() return pauthoritative
authorStefan Metzmacher <metze@samba.org>
Fri, 17 Mar 2017 10:52:51 +0000 (11:52 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 24 Mar 2017 10:57:10 +0000 (11:57 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/common_auth.h
auth/ntlmssp/ntlmssp_server.c
source3/auth/auth_generic.c
source3/auth/auth_ntlmssp.c
source3/auth/proto.h
source3/utils/ntlm_auth.c
source4/auth/ntlm/auth.c

index d1a775d431a7f2e965b76707b5e3ca6bde7267e8..5d232f4d09b2b61f26384be74c9b96bb0f97ff58 100644 (file)
@@ -110,6 +110,7 @@ struct auth4_context {
        NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
                                        TALLOC_CTX *mem_ctx,
                                        const struct auth_usersupplied_info *user_info,
+                                       uint8_t *pauthoritative,
                                        void **server_returned_info,
                                        DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 
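Review bot: The new `pauthoritative` argument of the `check_ntlm_password` callback has no comment saying who owns its value, and the implementations in this commit treat it differently. auth3_check_password() and local_pw_check() write 1 up front, while winbind_pw_check() and auth_check_password_wrapper() only forward the pointer. A comment above the member would pin the contract, for example `/* pauthoritative must not be NULL; the implementation sets it on every return path: 1 if its verdict is final, 0 if another authority may still be asked */`. The meaning of 0 and 1 is inferred from the name and the "Be authoritative by default" comment, so adjust the wording to the intended semantics.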
index ddee8756bfe883c4d5b0438110438178fc6a4687..eab8121448eb1a5ee61056b5b1bee03386676eae 100644 (file)
@@ -726,9 +726,12 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
        user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
 
        if (auth_context->check_ntlm_password) {
+               uint8_t authoritative = 0;
+
                nt_status = auth_context->check_ntlm_password(auth_context,
                                                              gensec_ntlmssp,
                                                              user_info,
+                                                             &authoritative,
                                                              &gensec_ntlmssp->server_returned_info,
                                                              user_session_key, lm_session_key);
        }
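Review bot: `authoritative` is declared inside the `if (auth_context->check_ntlm_password)` block and is not read before that block closes, so whatever the backend reports is dropped in ntlmssp_server_check_password(). The visible lines of auth_check_password_session_info() in source3/auth/auth_generic.c do the same, although that function continues outside its hunk and may read the flag further down. If a later change is meant to act on the flag, for instance to decide whether a failure is final, the declaration here needs function scope. Until then a comment such as `/* authoritative is collected but not yet evaluated */` would keep readers from assuming the flag already influences the result.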
index 95c70e8f5f5eefbada780877d3333b96ec3e4ca4..875b7ff5949b442ca4632939456044b973180209 100644 (file)
@@ -389,10 +389,12 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 {
        NTSTATUS nt_status;
        void *server_info;
+       uint8_t authoritative = 0;
 
        nt_status = auth_context->check_ntlm_password(auth_context,
                                                      talloc_tos(),
                                                      user_info,
+                                                     &authoritative,
                                                      &server_info, NULL, NULL);
 
        if (NT_STATUS_IS_OK(nt_status)) {
index 0ff3bdd3439839ef8f927904e205dd9fb802e4f2..a48c44457f3c311230170501761db8c16fc74267 100644 (file)
@@ -136,6 +136,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
                              TALLOC_CTX *mem_ctx,
                              const struct auth_usersupplied_info *user_info,
+                             uint8_t *pauthoritative,
                              void **server_returned_info,
                              DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
@@ -145,7 +146,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
        struct auth_serversupplied_info *server_info;
        NTSTATUS nt_status;
        bool username_was_mapped;
-       uint8_t authoritative = 0;
+
+       /*
+        * Be authoritative by default.
+        */
+       *pauthoritative = 1;
 
        /* The client has given us its machine name (which we only get over NBT transport).
           We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
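Review bot: `*pauthoritative = 1;` dereferences the new argument unconditionally, yet the same callback is called with NULL for other out-parameters (auth_check_password_session_info() passes NULL for both session keys), so a caller could reasonably pass NULL here too. Every caller in this commit passes a valid pointer, but a guard would keep a future caller from crashing the authentication path: `if (pauthoritative == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The same unguarded write is added in local_pw_check() in source3/utils/ntlm_auth.c. auth3_check_password() continues outside this hunk.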
@@ -181,7 +186,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
                                             auth_context,
                                             mapped_user_info,
                                             &server_info,
-                                            &authoritative);
+                                            pauthoritative);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
@@ -189,7 +194,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
                         user_info->client.domain_name,
                         user_info->client.account_name,
                         nt_errstr(nt_status),
-                        authoritative));
+                        *pauthoritative));
        }
 
        username_was_mapped = mapped_user_info->was_mapped;
@@ -203,6 +208,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
                                                        user_info->client.domain_name,
                                                        &server_info);
                if (NT_STATUS_IS_OK(nt_status)) {
+                       *pauthoritative = 1;
                        *server_returned_info = talloc_steal(mem_ctx, server_info);
                }
                return nt_status;
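Review bot: When the call tested here fails, the function returns that call's status while `*pauthoritative` appears to keep whatever the earlier password check wrote through the same pointer, so the status and the flag can describe two different steps. If that is intended, say so next to the assignment, e.g. `/* on failure keep the flag from the password check above */`; if not, set the flag on the failure path as well. The start of this branch lies outside the hunk, so which fallback it is and how it is reached cannot be confirmed from here.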
index ccc284cadcf75f4c181513d0cf4280395ceed017..c5f6ade1ea472a74d421ea9cccfc53e3d14eb486 100644 (file)
@@ -132,6 +132,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
                              TALLOC_CTX *mem_ctx,
                              const struct auth_usersupplied_info *user_info,
+                             uint8_t *pauthoritative,
                              void **server_returned_info,
                              DATA_BLOB *session_key, DATA_BLOB *lm_session_key);
 
index 4bfab5ba45bfa063a969bc1a5537c5490d6e1ede..3bd945f53cef3ae7c87027c051f84004fe46844d 100644 (file)
@@ -947,6 +947,7 @@ static NTSTATUS ntlm_auth_set_challenge(struct auth4_context *auth_ctx, const ui
 static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context, 
                                 TALLOC_CTX *mem_ctx,
                                 const struct auth_usersupplied_info *user_info, 
+                                uint8_t *pauthoritative,
                                 void **server_returned_info,
                                 DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
@@ -955,7 +956,6 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
        uint8_t lm_key[8]; 
        uint8_t user_sess_key[16]; 
        char *unix_name = NULL;
-       uint8_t authoritative = 0;
 
        nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name, 
                                              user_info->workstation_name, 
@@ -965,7 +965,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
                                              WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
                                              0,
                                              lm_key, user_sess_key, 
-                                             &authoritative,
+                                             pauthoritative,
                                              &error_string, &unix_name);
 
        if (NT_STATUS_IS_OK(nt_status)) {
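Review bot: winbind_pw_check() used to start from its own `authoritative = 0` and now hands the caller's pointer straight to contact_winbind_auth_crap(), so the value on return depends on that helper writing it on every path. The helper's body is not part of this diff. auth3_check_password() and local_pw_check() set an explicit default first, and doing the same here would make the three callbacks consistent: `*pauthoritative = 1;` before the call, or `0` if the old local's default should be preserved. winbind_pw_check() continues outside this hunk.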
@@ -995,7 +995,8 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
 
 static NTSTATUS local_pw_check(struct auth4_context *auth4_context, 
                                TALLOC_CTX *mem_ctx,
-                               const struct auth_usersupplied_info *user_info, 
+                               const struct auth_usersupplied_info *user_info,
+                               uint8_t *pauthoritative,
                                void **server_returned_info,
                                DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 {
@@ -1004,6 +1005,8 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
 
        nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
 
+       *pauthoritative = 1;
+
        nt_status = ntlm_password_check(mem_ctx,
                                        true, true, 0,
                                        &auth4_context->challenge.data,
index 12e26f4c1fa37024af91393b7a5dd3571fcd56ea..0eb22602c7f513931f33b6197fa688e03e46500d 100644 (file)
@@ -189,15 +189,15 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
                                            TALLOC_CTX *mem_ctx,
                                            const struct auth_usersupplied_info *user_info,
+                                           uint8_t *pauthoritative,
                                            void **server_returned_info,
                                            DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
        struct auth_user_info_dc *user_info_dc;
        NTSTATUS status;
-       uint8_t authoritative = 0;
 
        status = auth_check_password(auth_ctx, mem_ctx, user_info,
-                                    &user_info_dc, &authoritative);
+                                    &user_info_dc, pauthoritative);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }