author | Andrew Bartlett <abartlet@samba.org> | 2003-07-03 14:36:42 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-07-03 14:36:42 +0000 |
commit | 61116049cabc292c2f2d570af4d68ddc537b91f5 (patch) | |
tree | e72d8978e409cd4664c066cc20c83e69e1ebc300 /source3/auth/auth.c | |
parent | ecb86e5e88579373f3a26f744ae5cdc1a63d9d2d (diff) | |
This patch takes the work that jerry did for beta2, and generalises it:
- The 'not implemented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more precise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept separate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
Diffstat (limited to 'source3/auth/auth.c')
-rw-r--r-- | source3/auth/auth.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index d99b00d4a7..9f109dc66e 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -203,8 +203,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 const struct auth_usersupplied_info *user_info,
 struct auth_serversupplied_info **server_info)
 {
-
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+ /* if all the modules say 'not for me' this is reasonable */
+ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
 const char *pdb_username;
 auth_methods *auth_method;
 TALLOC_CTX *mem_ctx;
@@ -269,12 +269,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 }
 talloc_destroy(mem_ctx);
-
- /* this sucks. Somehow we have to know if an authentication module is
- authoritative for a user. Fixme!!! --jerry */
-
- if ( NT_STATUS_IS_OK(nt_status) ||
- NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_WRONG_PASSWORD) )
+
+ if ( NT_STATUS_IS_OK(nt_status))
 {
 break;
 }
@@ -463,8 +459,13 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
 break;
 case SEC_USER:
 if (lp_encrypted_passwords()) {
- DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make("guest sam", NULL);
+ if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
+ DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL);
+ } else {
+ DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make("guest sam", NULL);
+ }
 } else {
 DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
 auth_method_list = str_list_make("guest unix", NULL);
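Review bot: The new initial value of `nt_status` in check_ntlm_password() makes NT_STATUS_NO_SUCH_USER the result whenever every module declines, and if that status reaches the client unchanged it lets a remote caller tell unknown usernames apart from wrong passwords. Whether a caller maps it back to NT_STATUS_LOGON_FAILURE before replying is not visible in this hunk, so the comment should state that expectation instead of "this is reasonable", e.g. `/* no module claimed this user; callers are expected to map this to LOGON_FAILURE before replying */`. The function body continues outside the hunk.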
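Review bot: With the NT_STATUS_WRONG_PASSWORD case dropped from the break condition in the second hunk, a module's definite rejection no longer ends the loop, so a later entry in the auth method list can overwrite `nt_status` and even return success for a user that an earlier backend refused. If modules that are not responsible for a user are already skipped earlier in the loop body, which lies outside this hunk, then any status reaching this point is an answer and the loop could stop on it, for example `if (NT_STATUS_V(nt_status) != NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED)) break;`. If continuing after a failure is intended, a comment naming which failure codes later modules may override would make the trust order of the method list auditable.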
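Review bot: The SEC_USER branch of make_auth_context_subsystem() now enables `winbind:trustdomain` by default on a PDC or BDC, and nothing in the hunk documents that a DC will pass logons it does not recognise locally to another backend. A comment above the new `if` would help, e.g. `/* DCs also authenticate users from trusted domains; list order matters, see check_ntlm_password() */`, along with a note in the configuration documentation for the changed default. Reading `lp_server_role()` once into a local would be cleaner than the repeated call. The function continues outside the hunk, so whether the `str_list_make()` result is checked for NULL cannot be seen here.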