r17270: split the logic of saying this auth backend wants to handle this
authorStefan Metzmacher <metze@samba.org>
Thu, 27 Jul 2006 11:24:18 +0000 (11:24 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:10:25 +0000 (14:10 -0500)
request from the password checking. This will help to make
the password checking hook async later

metze
(This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f)

source4/auth/auth.c
source4/auth/auth.h
source4/auth/auth_anonymous.c
source4/auth/auth_developer.c
source4/auth/auth_sam.c
source4/auth/auth_unix.c
source4/auth/auth_winbind.c

index dfef0c8c4d6cc76983b6b2ca4542e02a81cebd1c..0b044af495eb52328212186ff928e52757bec43d 100644 (file)
@@ -174,16 +174,20 @@ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
        for (method = auth_ctx->methods; method; method = method->next) {
                NTSTATUS result;
 
-               result = method->ops->check_password(method, mem_ctx, user_info, server_info);
-
-               /* check if the module did anything */
-               if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-                       method_name = method->ops->name;
-                       nt_status = result;
-                       break;
+               /* check if the module wants to chek the password */
+               result = method->ops->want_check(method, mem_ctx, user_info);
+               if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+                       DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+                       continue;
                }
 
-               DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name));
+               method_name = method->ops->name;
+               nt_status = result;
+
+               if (!NT_STATUS_IS_OK(nt_status)) break;
+
+               nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info);
+               break;
        }
 
        if (!NT_STATUS_IS_OK(nt_status)) {
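Review bot: The unconditional `break` after the check_password() call means the first backend whose want_check() answers NT_STATUS_OK now owns the verdict, so a check_password() that still returns NT_STATUS_NOT_IMPLEMENTED is no longer passed to the next method as it was in the removed code — it ends the loop as a failure. That is presumably intended, but the loop should say so, e.g. `/* the first backend that wants the request decides; check_password() must not answer NOT_IMPLEMENTED to pass it on */`, and the comment on the want_check() call has a typo (`chek`). The prologue of auth_check_password() and the failure handling after the loop are outside the hunk, so I cannot see what nt_status and method_name hold when no backend wanted the request; that path should tolerate method_name being unset.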
index 724ccf91cae6daee7a1e09122ee103cb575ca785..20a91efc1007553de505e3fc758835464672ec12 100644 (file)
@@ -35,7 +35,8 @@
 /* version 2 - initial samba4 version - metze */
 /* version 3 - subsequent samba4 version - abartlet */
 /* version 4 - subsequent samba4 version - metze */
-#define AUTH_INTERFACE_VERSION 4
+/* version 0 - till samba4 is stable - metze */
+#define AUTH_INTERFACE_VERSION 0
 
 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
@@ -134,6 +135,11 @@ struct auth_operations {
 
        NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
 
+       /* Given the user supplied info, check if this backend want to handle the password checking */
+
+       NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
+                              const struct auth_usersupplied_info *user_info);
+
        /* Given the user supplied info, check a password */
 
        NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
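Review bot: The new want_check hook has no documented return contract, although the caller in auth_check_password() distinguishes exactly three outcomes. Please extend the comment, e.g. `/* Decide whether this backend handles the password check: NT_STATUS_NOT_IMPLEMENTED passes the request to the next backend, NT_STATUS_OK claims it (check_password is then called and its result is final), any other status fails the request. */`, and add to the check_password comment that it may no longer use NT_STATUS_NOT_IMPLEMENTED to decline a request. Since every backend implements this interface, the contract belongs here rather than in the caller.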
index ce960062ebf1fdfa5754a94398c2177cb1d4fca8..45c5f9a7f6a76152c37f31afd0985eaf014cb6e7 100644 (file)
  * anonymou logons to be dealt with in one place.  Non-anonymou logons 'fail'
  * and pass onto the next module.
  **/
-static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
-                                        TALLOC_CTX *mem_ctx,
-                                        const struct auth_usersupplied_info *user_info, 
-                                        struct auth_serversupplied_info **_server_info)
+static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
+                                    TALLOC_CTX *mem_ctx,
+                                    const struct auth_usersupplied_info *user_info)
 {
        if (user_info->client.account_name && *user_info->client.account_name) {
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
+       return NT_STATUS_OK;
+}
+
+/**
+ * Return a anonymous logon for anonymous users (username = "")
+ *
+ * Typically used as the first module in the auth chain, this allows
+ * anonymou logons to be dealt with in one place.  Non-anonymou logons 'fail'
+ * and pass onto the next module.
+ **/
+static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
+                                        TALLOC_CTX *mem_ctx,
+                                        const struct auth_usersupplied_info *user_info, 
+                                        struct auth_serversupplied_info **_server_info)
+{
        return auth_anonymous_server_info(mem_ctx, _server_info);
 }
 
 static struct auth_operations anonymous_auth_ops = {
        .name           = "anonymous",
        .get_challenge  = auth_get_challenge_not_implemented,
+       .want_check     = anonymous_want_check,
        .check_password = anonymous_check_password
 };
 
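Review bot: anonymous_check_password() now issues an anonymous token unconditionally; the empty-account-name test lives only in anonymous_want_check(), so the function is correct solely when reached through the auth loop that consulted want_check first. That is worth stating at the top of the function, since a direct caller would receive an anonymous token for a named user: `/* reached only after anonymous_want_check() accepted an empty account name */`. The duplicated doc comment above it still describes the want_check behaviour ("Non-anonymou logons 'fail' and pass onto the next module", carrying the same typo as the original); for check_password I would replace it with a one-liner saying it builds the anonymous server_info via auth_anonymous_server_info().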
index 25c828c2a17d2a48024342958803c6152fb078a5..76044d436145637bacd318fb591b3d65ddc91c99 100644 (file)
 #include "auth/auth.h"
 #include "libcli/security/security.h"
 
+static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
+                                           TALLOC_CTX *mem_ctx,
+                                           const struct auth_usersupplied_info *user_info)
+{
+       return NT_STATUS_OK;
+}
+
 /** 
  * Return an error based on username
  *
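Review bot: name_to_ntstatus_want_check() returns NT_STATUS_OK for every request, so once this method appears in an auth chain no method listed after it is ever consulted by auth_check_password(). That is acceptable for a developer backend but the bare `return NT_STATUS_OK;` gives no hint of it; suggest `/* claims every request: any method later in the auth chain is unreachable */` above the return.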
@@ -56,10 +63,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
                DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num));
                nt_status = NT_STATUS(error_num);
        }
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return nt_status;
-       }
+       NT_STATUS_NOT_OK_RETURN(nt_status);
 
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
@@ -128,6 +132,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
 static struct auth_operations name_to_ntstatus_auth_ops = {
        .name           = "name_to_ntstatus",
        .get_challenge  = auth_get_challenge_not_implemented,
+       .want_check     = name_to_ntstatus_want_check,
        .check_password = name_to_ntstatus_check_password
 };
 
@@ -157,18 +162,27 @@ static NTSTATUS fixed_challenge_get_challenge(struct auth_method_context *ctx, T
        return NT_STATUS_OK;
 }
 
+static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
+                                          TALLOC_CTX *mem_ctx,
+                                          const struct auth_usersupplied_info *user_info)
+{
+       /* don't handle any users */
+       return NT_STATUS_NOT_IMPLEMENTED;
+}
+
 static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
                                               TALLOC_CTX *mem_ctx,
                                               const struct auth_usersupplied_info *user_info,
                                               struct auth_serversupplied_info **_server_info)
 {
        /* don't handle any users */
-       return NT_STATUS_NOT_IMPLEMENTED;
+       return NT_STATUS_NO_SUCH_USER;
 }
 
 static struct auth_operations fixed_challenge_auth_ops = {
        .name           = "fixed_challenge",
        .get_challenge  = fixed_challenge_get_challenge,
+       .want_check     = fixed_challenge_want_check,
        .check_password = fixed_challenge_check_password
 };
 
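Review bot: fixed_challenge_check_password() now answers NT_STATUS_NO_SUCH_USER, but the comment kept above the return still says "don't handle any users", which is now the job of fixed_challenge_want_check() a few lines up, and a reader will wonder why the refusal status differs between the two. Presumably the point is that this path is unreachable via auth_check_password() and a direct caller must not mistake the result for "pass to the next backend"; if so, say it: `/* unreachable through auth_check_password(): want_check refuses every request; fail hard rather than NOT_IMPLEMENTED so a direct caller cannot read this as 'try the next backend' */`.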
index 96d8a0d40a0fa7a035b905451fee08d1599dfd7c..7ce2cabbf972fae0e1d1606c75d4ddef0fd081ed 100644 (file)
@@ -334,6 +334,17 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
        return NT_STATUS_OK;
 }
 
+static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
+                                               TALLOC_CTX *mem_ctx,
+                                               const struct auth_usersupplied_info *user_info)
+{
+       if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
+       return NT_STATUS_OK;
+}
+
 static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx,
                                                    TALLOC_CTX *mem_ctx,
                                                    const struct auth_usersupplied_info *user_info, 
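Review bot: The empty-mapped-account-name test introduced in authsam_ignoredomain_want_check() is repeated verbatim in authsam_want_check(), authunix_want_check() and winbind_want_check() in this same commit; a small shared helper (e.g. a static inline in auth.h taking the auth_usersupplied_info) would keep the four in step when the rule changes. A one-line comment on the test, `/* no account name: nothing for a SAM lookup, let another backend claim it */`, would also help, since NT_STATUS_NOT_IMPLEMENTED is an unusual way to spell "not for me". authsam_ignoredomain_check_password() continues beyond the end of the hunk.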
@@ -345,31 +356,32 @@ static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *
 /****************************************************************************
 Check SAM security (above) but with a few extra checks.
 ****************************************************************************/
-static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
-                                      TALLOC_CTX *mem_ctx,
-                                      const struct auth_usersupplied_info *user_info, 
-                                      struct auth_serversupplied_info **server_info)
+static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
+                                  TALLOC_CTX *mem_ctx,
+                                  const struct auth_usersupplied_info *user_info)
 {
-       const char *domain;
        BOOL is_local_name, is_my_domain;
 
+       if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
        is_local_name = is_myname(user_info->mapped.domain_name);
        is_my_domain  = strequal(user_info->mapped.domain_name, lp_workgroup());
 
        /* check whether or not we service this domain/workgroup name */
        switch (lp_server_role()) {
                case ROLE_STANDALONE:
-                       domain = lp_netbios_name();
-                       break;
+                       return NT_STATUS_OK;
+
                case ROLE_DOMAIN_MEMBER:
                        if (!is_local_name) {
-                               DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n",
-                                       user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER 
-                                       ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+                               DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
+                                       user_info->mapped.domain_name));
                                return NT_STATUS_NOT_IMPLEMENTED;
                        }
-                       domain = lp_netbios_name();
-                       break;
+                       return NT_STATUS_OK;
+
                case ROLE_DOMAIN_PDC:
                case ROLE_DOMAIN_BDC:
                        if (!is_local_name && !is_my_domain) {
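Review bot: The DEBUG line retained in the ROLE_DOMAIN_MEMBER branch still identifies itself as `authsam_check_password:` although it now executes in authsam_want_check(), so logs will point at the wrong function; change it to `DEBUG(6,("authsam_want_check: %s is not one of my local names (DOMAIN_MEMBER)\n", user_info->mapped.domain_name));`. authsam_want_check() continues past the end of this hunk.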
@@ -377,11 +389,37 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
                                        user_info->mapped.domain_name));
                                return NT_STATUS_NOT_IMPLEMENTED;
                        }
+                       return NT_STATUS_OK;
+       }
+
+       DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
+       return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************************
+Check SAM security (above) but with a few extra checks.
+****************************************************************************/
+static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
+                                      TALLOC_CTX *mem_ctx,
+                                      const struct auth_usersupplied_info *user_info, 
+                                      struct auth_serversupplied_info **server_info)
+{
+       const char *domain;
+
+       /* check whether or not we service this domain/workgroup name */
+       switch (lp_server_role()) {
+               case ROLE_STANDALONE:
+               case ROLE_DOMAIN_MEMBER:
+                       domain = lp_netbios_name();
+                       break;
+
+               case ROLE_DOMAIN_PDC:
+               case ROLE_DOMAIN_BDC:
                        domain = lp_workgroup();
                        break;
+
                default:
-                       DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
-                       return NT_STATUS_NOT_IMPLEMENTED;
+                       return NT_STATUS_NO_SUCH_USER;
        }
 
        return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
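Review bot: The `default:` branch of the role switch in authsam_check_password() now returns NT_STATUS_NO_SUCH_USER silently, whereas the removed code logged an undefined lp_server_role(); since this branch is only reachable if the role changed between want_check and check_password or the function was called directly, keep the diagnostic: `DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));` before the return. The message that survives at the end of authsam_want_check() still carries the `authsam_check_password:` prefix and should read `authsam_want_check:`. The want_check switch has no `default:` label and relies on falling out to that trailing DEBUG for unknown roles, which is correct but deserves a one-line comment so nobody adds a default that changes the outcome.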
@@ -390,12 +428,14 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
 static const struct auth_operations sam_ignoredomain_ops = {
        .name           = "sam_ignoredomain",
        .get_challenge  = auth_get_challenge_not_implemented,
+       .want_check     = authsam_ignoredomain_want_check,
        .check_password = authsam_ignoredomain_check_password
 };
 
 static const struct auth_operations sam_ops = {
        .name           = "sam",
        .get_challenge  = auth_get_challenge_not_implemented,
+       .want_check     = authsam_want_check,
        .check_password = authsam_check_password
 };
 
index 959eb6703ccdddf72509c776417b0992d64f592f..635c45b399b87fd4f5ec08bbce3d8f0618a77a8b 100644 (file)
@@ -773,20 +773,26 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
  *
  **/
 
+static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
+                                   TALLOC_CTX *mem_ctx,
+                                   const struct auth_usersupplied_info *user_info)
+{
+       if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
+       return NT_STATUS_OK;
+}
+
 static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
                                        TALLOC_CTX *mem_ctx,
                                        const struct auth_usersupplied_info *user_info,
-                                       struct  auth_serversupplied_info **server_info)
+                                       struct auth_serversupplied_info **server_info)
 {
        TALLOC_CTX *check_ctx;
        NTSTATUS nt_status;
        struct passwd *pwd;
 
-       if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) {
-               /* 'not for me' */
-               return NT_STATUS_NOT_IMPLEMENTED;
-       }
-
        if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
                return NT_STATUS_INVALID_PARAMETER;
        }
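Review bot: authunix_check_password() keeps the `password_state != AUTH_PASSWORD_PLAIN` test and answers NT_STATUS_INVALID_PARAMETER, but with the new split that test looks like it belongs in authunix_want_check(): as written the unix backend claims every named user, so a challenge/response request that reaches it is failed outright rather than handed to a later backend that could verify it. If falling through is the intent, have want_check return `if (user_info->password_state != AUTH_PASSWORD_PLAIN) { return NT_STATUS_NOT_IMPLEMENTED; }` and keep the INVALID_PARAMETER check as a defensive guard; if terminating non-plaintext requests is deliberate, a comment saying so would stop the next reader from "fixing" it. authunix_check_password() continues beyond the hunk.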
@@ -797,13 +803,13 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
        }
 
        nt_status = check_unix_password(check_ctx, user_info, &pwd);
-       if ( ! NT_STATUS_IS_OK(nt_status)) {
+       if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(check_ctx);
                return nt_status;
        }
 
        nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info);
-       if ( ! NT_STATUS_IS_OK(nt_status)) {
+       if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(check_ctx);
                return nt_status;
        }
@@ -815,7 +821,8 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
 static const struct auth_operations unix_ops = {
        .name           = "unix",
        .get_challenge  = auth_get_challenge_not_implemented,
-       .check_password = authunix_check_password
+       .want_check     = authunix_want_check,
+       .check_password = authunix_check_password
 };
 
 NTSTATUS auth_unix_init(void)
index 4a031e6b94bd5183bf76e9e8bb8cc68cbdfe70b2..3783d0f9750c031f48b88a39211725c3a0757e2f 100644 (file)
@@ -46,6 +46,18 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response
        }
 }
 
+static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
+                                  TALLOC_CTX *mem_ctx,
+                                  const struct auth_usersupplied_info *user_info)
+{
+       if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
+       /* TODO: maybe limit the user scope to remote users only */
+       return NT_STATUS_OK;
+}
+
 /* Authenticate a user with a challenge/response */
 static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
                                       TALLOC_CTX *mem_ctx,
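Review bot: winbind_want_check() accepts every request carrying a non-empty mapped account name, so with winbind ahead of sam or unix in the chain a local account is forwarded to winbindd and never reaches the local backends; the TODO acknowledges this, but a reader of the ops table will not see it. Either implement the restriction now (e.g. return NT_STATUS_NOT_IMPLEMENTED when the mapped domain name is one of our own, mirroring the is_myname() test in authsam_want_check()) or expand the comment: `/* claims every named user, local ones included; the order of the auth chain decides whether sam/unix ever see them */`.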
@@ -129,6 +141,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 static const struct auth_operations winbind_ops = {
        .name           = "winbind",
        .get_challenge  = auth_get_challenge_not_implemented,
+       .want_check     = winbind_want_check,
        .check_password = winbind_check_password
 };