author | Andrew Bartlett <abartlet@samba.org> | 2014-03-27 12:58:05 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2014-06-11 10:18:26 +0200 |
commit | 597d2a7a29f768f51cbcbc13de56a4dc349e20e4 (patch) | |
tree | 905e3d34a91965eec4d08e77227e2cd9adcdf5a2 /source3/auth | |
parent | 2e961bf598e58178ce0d4ed5e35553acd882e436 (diff) | |
auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.
That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.
Andrew Bartlett
Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 10 | ||||
-rw-r--r-- | source3/auth/auth_sam.c | 2 | ||||
-rw-r--r-- | source3/auth/auth_samba4.c | 26 |
3 files changed, 28 insertions, 10 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 7718142fc1..6d1192eded 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -210,6 +210,11 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, TALLOC_CTX *tmp_ctx; NTSTATUS result; + if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY + && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) { + continue; + } + tmp_ctx = talloc_named(mem_ctx, 0, "%s authentication for user %s\\%s", @@ -253,7 +258,10 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(nt_status)) { unix_username = (*pserver_info)->unix_name; - if (!(*pserver_info)->guest) { + + /* We skip doing this step if the caller asked us not to */ + if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) + && !(*pserver_info)->guest) { const char *rhost; if (tsocket_address_is_inet(user_info->remote_host, "ip")) { diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index a34f9a5852..c4100d5a4e 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -121,7 +121,7 @@ static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *par } result->auth = auth_samstrict_auth; result->name = "sam"; - + result->flags = AUTH_METHOD_LOCAL_SAM; *auth_method = result; return NT_STATUS_OK; } diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c index d9d71512a2..284a91f30b 100644 --- a/source3/auth/auth_samba4.c +++ b/source3/auth/auth_samba4.c 
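Review bot: When `USER_INFO_LOCAL_SAM_ONLY` is set and no configured method carries `AUTH_METHOD_LOCAL_SAM`, the new `continue` at the top of the loop in the first auth.c hunk skips every backend, so the function returns whatever `nt_status` held before the loop; that initialisation is outside the hunk, so confirm it is a failure status. The skip is also silent, and a line such as `DEBUG(10, ("skipping auth method %s: not a local SAM backend\n", auth_method->name));` before the `continue` would make a missing SAM backend diagnosable. For consistency with the second hunk, parenthesise the mask test: `if ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY)`. The body of auth_check_ntlm_password starts and ends outside the hunk.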
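Review bot: The `USER_INFO_INFO3_AND_NO_AUTHZ` test in the second auth.c hunk lets a flag in `user_info` switch off a step that previously ran for every non-guest logon, and the comment `/* We skip doing this step if the caller asked us not to */` names neither the step nor who may ask. The guarded block, whose body is outside the hunk, looks like a post-authentication account check keyed on the remote host, so the flag should only ever be set by trusted in-process callers and never derived from client-supplied data. I would replace the comment with something like `/* USER_INFO_INFO3_AND_NO_AUTHZ: caller only wants info3 and takes responsibility for authorization; the result must not be used to build a session */`.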
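Review bot: `result->flags` is assigned only in this auth_sam.c hunk and in auth_init_samba4 (second hunk of auth_samba4.c), so the filter added in auth.c relies on every other backend's method structure having `flags` zero-initialised. The allocation of `result` is outside the hunk; confirm it uses a zeroing allocator, otherwise the `AUTH_METHOD_LOCAL_SAM` test reads an indeterminate value. The hunk also flags only the method named "sam", so if other init functions in this file register SAM-backed methods they will be skipped under `USER_INFO_LOCAL_SAM_ONLY`, which deserves a comment next to the assignment if intended.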
@@ -145,14 +145,23 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, goto done; } - nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name, - user_info->mapped.domain_name, server_info, - info3); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("make_server_info_info3 failed: %s\n", - nt_errstr(nt_status))); - TALLOC_FREE(frame); - return nt_status; + if (user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) { + *server_info = make_server_info(mem_ctx); + if (*server_info == NULL) { + nt_status = NT_STATUS_NO_MEMORY; + goto done; + } + (*server_info)->info3 = talloc_steal(*server_info, info3); + + } else { + nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name, + user_info->mapped.domain_name, server_info, + info3); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("make_server_info_info3 failed: %s\n", + nt_errstr(nt_status))); + goto done; + } } nt_status = NT_STATUS_OK; @@ -356,6 +365,7 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context, result->auth = check_samba4_security; result->prepare_gensec = prepare_gensec; result->make_auth4_context = make_auth4_context_s4; + result->flags = AUTH_METHOD_LOCAL_SAM; if (param && *param) { auth_context->forced_samba4_methods = talloc_strdup(result, param); |
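Review bot: In the `USER_INFO_INFO3_AND_NO_AUTHZ` branch of the first hunk the returned `*server_info` is, as far as the hunk shows, populated with `info3` only (`make_server_info()` followed by `talloc_steal()`), yet the function still ends in `NT_STATUS_OK` exactly like the full `make_server_info_info3()` path. Code that receives this structure, including `unix_username = (*pserver_info)->unix_name;` in auth.c, would then see an unset unix name and no authorization data, so it must tolerate NULL and must not treat the result as an authorized session. A comment above the branch should state that contract, for example `/* info3-only result: no unix mapping or authorization is done here, caller must not use this for session setup */`. check_samba4_security starts outside the hunk, so the `done:` cleanup that the new `goto done` relies on to free `frame` is not visible here.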