auth4: Only use CrackNames if we're a DC
authorVolker Lendecke <vl@samba.org>
Sun, 26 Feb 2017 10:25:20 +0000 (11:25 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Tue, 28 Feb 2017 09:01:14 +0000 (10:01 +0100)
DsCrackNameOneName on a member does not really have a big user database. We
should delegate as much responsibility as possible to our DC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source4/auth/ntlm/auth.c
source4/auth/ntlm/auth_util.c

index eeb23367e7ec3bdc4f752d16bb519293dd625de5..656d4bc74d2afb779f8e2409aa834ee891ca7360 100644 (file)
@@ -280,8 +280,14 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
        state->user_info        = user_info;
 
        if (!user_info->mapped_state) {
-               nt_status = map_user_info(auth_ctx->sam_ctx, req, lpcfg_workgroup(auth_ctx->lp_ctx),
-                                         user_info, &user_info_tmp);
+               int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
+
+               nt_status = map_user_info(
+                       auth_ctx->sam_ctx, req,
+                       server_role == ROLE_ACTIVE_DIRECTORY_DC,
+                       lpcfg_workgroup(auth_ctx->lp_ctx),
+                       user_info, &user_info_tmp);
+
                if (tevent_req_nterror(req, nt_status)) {
                        return tevent_req_post(req, ev);
                }
index f7b01eb6ece165cffb6cd51fc69b44b32ee245f2..e3d196c245390cd109a771421a88ea76bdad0472 100644 (file)
@@ -221,6 +221,7 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
 ****************************************************************************/
 NTSTATUS map_user_info(struct ldb_context *sam_ctx,
                       TALLOC_CTX *mem_ctx,
+                      bool is_ad_dc,
                       const char *default_domain,
                       const struct auth_usersupplied_info *user_info,
                       struct auth_usersupplied_info **user_info_mapped)
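Review bot: The new `is_ad_dc` parameter is not documented in this hunk, and the comment block that ends just above the signature starts outside it, so it may need a line added there. Something like `is_ad_dc: true only when the server role is ROLE_ACTIVE_DIRECTORY_DC; selects the CrackNames lookup against sam_ctx, otherwise the non-CrackNames mapping is used` would tell callers that the flag, not a non-NULL `sam_ctx`, now decides the mapping path. The file list on this page names only auth.c and auth_util.c, so it is worth confirming that no other caller of map_user_info still passes the old argument list.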
@@ -230,7 +231,7 @@ NTSTATUS map_user_info(struct ldb_context *sam_ctx,
        char *d;
        TALLOC_CTX *tmp_ctx;
 
-       if (sam_ctx != NULL) {
+       if (is_ad_dc) {
                /* if possible, use cracknames to parse the
                   domain/account */
                return map_user_info_cracknames(sam_ctx, mem_ctx, default_domain, user_info, user_info_mapped);
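Review bot: With the guard changed to `if (is_ad_dc)`, nothing in this hunk stops a NULL `sam_ctx` from reaching `map_user_info_cracknames()`; the removed `sam_ctx != NULL` test was the only visible check on that pointer. Whether `auth_ctx->sam_ctx` can be NULL on a DC is not visible here, and neither is how the callee treats NULL. Because this runs on the authentication path before the password check, an explicit fail-closed guard ahead of the branch is safer than relying on the callee: `if (is_ad_dc && sam_ctx == NULL) { return NT_STATUS_INTERNAL_ERROR; }`. Keeping both conditions (`if (is_ad_dc && sam_ctx != NULL)`) would also avoid the NULL pass, but it would silently fall back to the non-CrackNames path on a DC. The body of map_user_info continues outside the hunk.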