diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2003-07-03 14:36:42 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2003-07-03 14:36:42 +0000 |
| commit | 61116049cabc292c2f2d570af4d68ddc537b91f5 (patch) | |
| tree | e72d8978e409cd4664c066cc20c83e69e1ebc300 /source3/auth/auth_winbind.c | |
| parent | ecb86e5e88579373f3a26f744ae5cdc1a63d9d2d (diff) | |
| download | samba-61116049cabc292c2f2d570af4d68ddc537b91f5.tar.gz samba-61116049cabc292c2f2d570af4d68ddc537b91f5.tar.xz samba-61116049cabc292c2f2d570af4d68ddc537b91f5.zip | |
This patch takes the work the jerry did for beta2, and generalises it:
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
Diffstat (limited to 'source3/auth/auth_winbind.c')
| -rw-r--r-- | source3/auth/auth_winbind.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 6ae8685b113..856b8f5a82b 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -72,9 +72,14 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, if (!auth_context) { DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", user_info->internal_username.str)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_INVALID_PARAMETER; } + if (strequal(user_info->domain.str, get_global_sam_name())) { + DEBUG(3,("check_winbind_security: Not using winbind, requested domain was for this SAM.\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + /* Send off request */ ZERO_STRUCT(request); @@ -100,8 +105,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, request.data.auth_crap.lm_resp_len); memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, request.data.auth_crap.nt_resp_len); - + + /* we are contacting the privileged pipe */ + become_root(); result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); + unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { struct auth_methods *auth_method = my_private_data; @@ -129,7 +137,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } } } else if (NT_STATUS_IS_OK(nt_status)) { - nt_status = NT_STATUS_UNSUCCESSFUL; + nt_status = NT_STATUS_NO_LOGON_SERVERS; } return nt_status; |