auth4: Add authoritative flag to check_password
authorGarming Sam <garming@catalyst.net.nz>
Mon, 3 Apr 2017 03:21:29 +0000 (15:21 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 30 May 2017 06:06:06 +0000 (08:06 +0200)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/auth/auth.h
source4/auth/ntlm/auth.c
source4/auth/ntlm/auth_anonymous.c
source4/auth/ntlm/auth_developer.c
source4/auth/ntlm/auth_sam.c
source4/auth/ntlm/auth_unix.c
source4/auth/ntlm/auth_winbind.c

index e1b642eb92d963925d8b60ceedede7562a1f69cb..c12e233219f7c68f9aad6f7c4e3ccb332e7287fe 100644 (file)
@@ -63,7 +63,9 @@ struct auth_operations {
 
        NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
                                   const struct auth_usersupplied_info *user_info,
-                                  struct auth_user_info_dc **interim_info);
+                                  struct auth_user_info_dc **interim_info,
+                                  bool *authoritative);
+
 
        /* Lookup a 'session info interim' return based only on the principal or DN */
        NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
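Review bot: The new `bool *authoritative` argument of `check_password` has no comment describing its contract, although every backend now has to implement it. Judging from the caller in source4/auth/ntlm/auth.c, the flag is true on entry and a backend clears it only when it cannot give a final answer, so I would state that above the member, e.g. `/* *authoritative is true on entry; set it to false only if this backend cannot give a final answer for the user, in which case the next method is tried */`. The blank line added after the prototype leaves two blank lines before the next comment and can be dropped. `struct auth_operations` starts and ends outside this hunk.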
index c8c3e11e5b35ce5798e5eef366c8bac29bf3db50..51d1ed399bf7d7c08535b34a636d0900cb1f6637 100644 (file)
@@ -371,10 +371,12 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
                tevent_req_data(req, struct auth_check_password_state);
        NTSTATUS status;
        struct auth_method_context *method;
+       bool authoritative = true;
 
        status = NT_STATUS_OK;
 
        for (method=state->auth_ctx->methods; method; method = method->next) {
+               authoritative = true;
 
                /* we fill in state->method here so debug messages in
                   the callers know which method failed */
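Review bot: The per-iteration `authoritative = true;` at the top of the loop body is what stops a false left by one backend from being read as the next backend's answer, but nothing in the code says so. A short comment such as `/* reset per method: a backend that does not touch the flag must be read as authoritative */` would keep a later cleanup from removing the assignment as redundant with the initialiser. The loop body continues outside this hunk.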
@@ -396,8 +398,10 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
                status = method->ops->check_password(method,
                                                     state,
                                                     state->user_info,
-                                                    &state->user_info_dc);
-               if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+                                                    &state->user_info_dc,
+                                                    &authoritative);
+               if (!authoritative ||
+                   NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
                        DEBUG(11,("auth_check_password_send: "
                                  "%s passes to the next method\n",
                                  method->ops->name));
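Review bot: The `DEBUG(11, ...)` message is now reached for two different reasons, a backend returning NT_STATUS_NOT_IMPLEMENTED or a backend clearing `authoritative`, and in the second case the status it returned is discarded without being logged. When tracing why a logon fell through to another method it helps to see both, for example `"%s passes to the next method (%s, authoritative=%d)\n", method->ops->name, nt_errstr(status), authoritative`. The statement that follows the DEBUG is outside this hunk.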
@@ -408,7 +412,8 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
                break;
        }
 
-       if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+       if (!authoritative ||
+           NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
                state->authoritative = 0;
                status = NT_STATUS_NO_SUCH_USER;
        }
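Review bot: With the added `!authoritative` test, a backend that returns NT_STATUS_OK but clears the flag ends here with NT_STATUS_NO_SUCH_USER, while `state->user_info_dc` may still hold whatever that backend wrote. Failing closed is the safe direction, and a comment such as `/* a non-authoritative answer is never a successful logon, whatever status came with it */` would make it explicit that this is intended. Whether later code reads `state->user_info_dc` only after checking the status is not visible here and is worth confirming. The function continues outside this hunk.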
index 6d3d0ace82c8ea938c6868c6eff10f52ca32830f..e8a9ed3b225b011b8b013e046de2da73f5f80088 100644 (file)
@@ -84,7 +84,8 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
 static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
                                         TALLOC_CTX *mem_ctx,
                                         const struct auth_usersupplied_info *user_info, 
-                                        struct auth_user_info_dc **_user_info_dc)
+                                        struct auth_user_info_dc **_user_info_dc,
+                                        bool *authoritative)
 {
        return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc);
 }
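Review bot: `anonymous_check_password` accepts the new `authoritative` pointer but never writes through it, so its result counts as authoritative only because the caller in auth.c presets the flag to true. That is fine, but it makes the caller's preset part of the contract, and a line such as `/* *authoritative is left at the caller's default (true) */` in the body would record it. The signature and call-site hunks in auth_developer.c, auth_sam.c, auth_unix.c and auth_winbind.c likewise only take or forward the pointer. Their function bodies lie outside the hunks, so whether any of them sets the flag cannot be seen from this page.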
index e7e4be96ae8cde22d45cae1cc8ff614ac0d7761b..870357795f6907e5625f47d1780f42b7dd2b54ca 100644 (file)
@@ -49,7 +49,8 @@ static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
 static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
                                                TALLOC_CTX *mem_ctx,
                                                const struct auth_usersupplied_info *user_info, 
-                                               struct auth_user_info_dc **_user_info_dc)
+                                               struct auth_user_info_dc **_user_info_dc,
+                                               bool *authoritative)
 {
        NTSTATUS nt_status;
        struct auth_user_info_dc *user_info_dc;
index f7da04e657375afbe98b15ce4bd09ddc4d5970e1..54cc64375954139515069513afe7a7df6be06a64 100644 (file)
@@ -190,7 +190,8 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
                                                  uint16_t acct_flags,
                                                  const struct auth_usersupplied_info *user_info,
                                                  DATA_BLOB *user_sess_key,
-                                                 DATA_BLOB *lm_sess_key)
+                                                 DATA_BLOB *lm_sess_key,
+                                                 bool *authoritative)
 {
        NTSTATUS nt_status;
        NTSTATUS auth_status;
@@ -495,7 +496,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
                                     struct ldb_dn *domain_dn,
                                     struct ldb_message *msg,
                                     const struct auth_usersupplied_info *user_info,
-                                    DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key)
+                                    DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key,
+                                    bool *authoritative)
 {
        NTSTATUS nt_status;
        bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
@@ -530,7 +532,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
        nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
                                                      domain_dn, msg, acct_flags,
                                                      user_info,
-                                                     user_sess_key, lm_sess_key);
+                                                     user_sess_key, lm_sess_key,
+                                                     authoritative);
        if (!NT_STATUS_IS_OK(nt_status)) {
                TALLOC_FREE(tmp_ctx);
                return nt_status;
@@ -572,7 +575,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
                                                 TALLOC_CTX *mem_ctx,
                                                 const struct auth_usersupplied_info *user_info, 
-                                                struct auth_user_info_dc **user_info_dc)
+                                                struct auth_user_info_dc **user_info_dc,
+                                                bool *authoritative)
 {
        NTSTATUS nt_status;
        const char *account_name = user_info->mapped.account_name;
@@ -647,7 +651,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
        }
 
        nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info,
-                                        &user_sess_key, &lm_sess_key);
+                                        &user_sess_key, &lm_sess_key, authoritative);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                return nt_status;
@@ -882,7 +886,8 @@ static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx,
 static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx,
                                                  TALLOC_CTX *mem_ctx,
                                                  const struct auth_usersupplied_info *user_info,
-                                                 struct auth_user_info_dc **user_info_dc)
+                                                 struct auth_user_info_dc **user_info_dc,
+                                                 bool *authoritative)
 {
        /*
         * This should a good error for now,
index ad780bafc826b6ac6efa28c49d5a94cb905d3097..c01ec35e14c60880bcedb57db8697cb3744c59d7 100644 (file)
@@ -713,7 +713,8 @@ static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
 static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
                                        TALLOC_CTX *mem_ctx,
                                        const struct auth_usersupplied_info *user_info,
-                                       struct auth_user_info_dc **user_info_dc)
+                                       struct auth_user_info_dc **user_info_dc,
+                                       bool *authoritative)
 {
        TALLOC_CTX *check_ctx;
        NTSTATUS nt_status;
index f5bd22acef6c07846fef33abe181120b5a8d912c..7c815fc020e2c7a77c9597d47ab76529cf2fc6a7 100644 (file)
@@ -99,7 +99,8 @@ struct winbind_check_password_state {
 static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
                                       TALLOC_CTX *mem_ctx,
                                       const struct auth_usersupplied_info *user_info, 
-                                      struct auth_user_info_dc **user_info_dc)
+                                      struct auth_user_info_dc **user_info_dc,
+                                      bool *authoritative)
 {
        NTSTATUS status;
        struct dcerpc_binding_handle *irpc_handle;
@@ -207,7 +208,8 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
                                                TALLOC_CTX *mem_ctx,
                                                const struct auth_usersupplied_info *user_info,
-                                               struct auth_user_info_dc **user_info_dc)
+                                               struct auth_user_info_dc **user_info_dc,
+                                               bool *authoritative)
 {
        struct wbcAuthUserParams params;
        struct wbcAuthUserInfo *info = NULL;