{
struct auth_check_password_state *state =
tevent_req_data(req, struct auth_check_password_state);
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_OK;
*pauthoritative = state->authoritative;
if (tevent_req_is_nterror(req, &status)) {
+ /*
+ * Please try not to change this string, it is probably in use
+ * in audit logging tools
+ */
DEBUG(2,("auth_check_password_recv: "
"%s authentication for user [%s\\%s] "
"FAILED with error %s, authoritative=%u\n",
state->user_info->mapped.domain_name,
state->user_info->mapped.account_name,
nt_errstr(status), state->authoritative));
+
+ log_authentication_event(state->auth_ctx->msg_ctx,
+ state->auth_ctx->lp_ctx,
+ state->user_info, status,
+ NULL, NULL, NULL, NULL);
tevent_req_received(req);
return status;
}
state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name));
+ log_authentication_event(state->auth_ctx->msg_ctx,
+ state->auth_ctx->lp_ctx,
+ state->user_info, status,
+ state->user_info_dc->info->domain_name,
+ state->user_info_dc->info->account_name,
+ NULL,
+ &state->user_info_dc->sids[0]);
+
*user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
tevent_req_received(req);
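Review bot: The success path passes `&state->user_info_dc->sids[0]` to log_authentication_event without checking that the SID array is non-empty; if a user_info_dc can carry zero SIDs (presumably tracked by a `num_sids` field, to be confirmed), this hands the logger a pointer just past an empty or NULL array. Guard it as `state->user_info_dc->num_sids > 0 ? &state->user_info_dc->sids[0] : NULL`, matching the NULL the failure branch already passes. Initializing `status` to NT_STATUS_OK is needed here because the success-path log call reads it; a comment such as `/* status stays NT_STATUS_OK on the success path and is passed to the audit log below */` would keep a later refactor from dropping the initializer. auth_check_password_recv continues past the end of this hunk.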
const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
char **auth_methods = NULL;
+ const char **const_auth_methods = NULL;
+
+ /*
+ * As 'auth methods' is deprecated it will be removed
+ * in future releases again, but for now give
+ * admins the flexibility to configure, the behavior
+ * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
+ * for a while.
+ */
+ const_auth_methods = lpcfg_auth_methods(lp_ctx);
+ if (const_auth_methods != NULL) {
+ DBG_NOTICE("using deprecated 'auth methods' values.\n");
+ return const_auth_methods;
+ }
switch (lpcfg_server_role(lp_ctx)) {
case ROLE_STANDALONE:
auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
break;
case ROLE_DOMAIN_MEMBER:
- auth_methods = str_list_make(mem_ctx, "anonymous sam winbind", NULL);
+ auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
break;
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
- auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
+ /*
+ * TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
+ * if everything (gensec/auth4) is fully async without nested
+ * event loops!
+ *
+ * But for now we'll fail authentications for trusted
+ * domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
+ * instead of silently mapping to local users.
+ */
+ auth_methods = str_list_make(mem_ctx,
+ "anonymous sam "
+ "winbind_rodc sam_failtrusts "
+ "sam_ignoredomain",
+ NULL);
break;
}
return discard_const_p(const char *, auth_methods);
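Review bot: The deprecated 'auth methods' override at the top of the function returns whatever the admin configured before the server-role defaults are consulted, so on a DC it silently reinstates the behaviour the TODO comment below says the new defaults exist to prevent: a 4.6-style `anonymous sam_ignoredomain` list has no `sam_failtrusts`, and trusted-domain users are again mapped onto local accounts instead of failing with NT_STATUS_NO_TRUST_LSA_SECRET. The notice should say so, e.g. `DBG_WARNING("using deprecated 'auth methods' values; trusted-domain protections (sam_failtrusts) apply only to the role defaults\n");`, or the override should be refused for DC roles. Separately, that path returns the list owned by lp_ctx while the default path returns a fresh talloc list on mem_ctx; if any caller frees the result or keeps it beyond lp_ctx's lifetime this ownership difference matters, so it deserves a comment. The ROLE_DOMAIN_MEMBER line now appends `sam_ignoredomain` after winbind with no explanation, unlike the DC case; a one-line why-comment there would help. The function's closing brace is outside the hunk.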