authorAndrew Bartlett <abartlet@samba.org>2003-04-24 11:56:09 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-04-24 11:56:09 +0000
commit59e0836b7f4221fd002abab083f71f04dffe7648 (patch)
treeda660ef946a99ed5fc5a74af265d014b73f2e250 /source3/auth
parent3f03ecf5627ec0eda7fdbb4314ba804574751ede (diff)
Merge auth changes from HEAD:
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth.c91
-rw-r--r--source3/auth/auth_builtin.c8
-rw-r--r--source3/auth/auth_domain.c7
-rw-r--r--source3/auth/auth_util.c31
-rw-r--r--source3/auth/auth_winbind.c16
5 files changed, 83 insertions, 70 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 71e9ab04281..09e8f5e7225 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -334,6 +334,52 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context)
return NT_STATUS_OK;
}
+BOOL load_auth_module(struct auth_context *auth_context,
+ const char *module, auth_methods **ret)
+{
+ static BOOL initialised_static_modules = False;
+
+ struct auth_init_function_entry *entry;
+ char *module_name = smb_xstrdup(module);
+ char *module_params = NULL;
+ char *p;
+ BOOL good = False;
+
+ /* Initialise static modules if not done so yet */
+ if(!initialised_static_modules) {
+ static_init_auth;
+ initialised_static_modules = True;
+ }
+
+ DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
+ module));
+
+ p = strchr(module_name, ':');
+ if (p) {
+ *p = 0;
+ module_params = p+1;
+ trim_string(module_params, " ", " ");
+ }
+
+ trim_string(module_name, " ", " ");
+
+ entry = auth_find_backend_entry(module_name);
+
+ if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) &&
+ !(entry = auth_find_backend_entry(module_name))) {
+ DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
+ } else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
+ DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
+ module));
+ } else {
+ DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
+ module));
+ good = True;
+ }
+ SAFE_FREE(module_name);
+ return good;
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
***************************************************************************/
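Review bot: In `load_auth_module`, `entry` can still be NULL when `entry->init(...)` is reached: if the first `auth_find_backend_entry()` misses and `smb_probe_module()` returns non-zero, the `&&` chain short-circuits before the second lookup and control falls into the `else if`. That holds whichever return convention `smb_probe_module` uses (it is not visible here), so a misspelt or missing auth method name in the configuration can crash the daemon instead of producing the "can't find auth method" log line. The bare `entry = auth_find_backend_entry(module_name);` just above the condition is also redundant with the lookup inside it. I would separate lookup from dispatch so the NULL case is tested explicitly, as below.

```c
	entry = auth_find_backend_entry(module_name);
	if (entry == NULL) {
		/* not registered yet: try to load it, then look again */
		smb_probe_module("auth", module_name);
		entry = auth_find_backend_entry(module_name);
	}

	if (entry == NULL) {
		DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
	} else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
		/* … unchanged: init-failure and success branches … */
```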
@@ -344,7 +390,6 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
auth_methods *t = NULL;
auth_methods *tmp;
NTSTATUS nt_status;
- static BOOL initialised_static_modules = False;
if (!text_list) {
DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
@@ -354,44 +399,10 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
return nt_status;
- /* Initialise static modules if not done so yet */
- if(!initialised_static_modules) {
- static_init_auth;
- initialised_static_modules = True;
- }
-
for (;*text_list; text_list++) {
- struct auth_init_function_entry *entry;
- char *module_name = smb_xstrdup(*text_list);
- char *module_params = NULL;
- char *p;
-
- DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
- *text_list));
-
- p = strchr(module_name, ':');
- if (p) {
- *p = 0;
- module_params = p+1;
- trim_string(module_params, " ", " ");
- }
-
- trim_string(module_name, " ", " ");
-
- entry = auth_find_backend_entry(module_name);
-
- if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) &&
- !(entry = auth_find_backend_entry(module_name))) {
- DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name));
- } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) {
- DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
- *text_list));
- } else {
- DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
- *text_list));
- DLIST_ADD_END(list, t, tmp);
- }
- SAFE_FREE(module_name);
+ if (load_auth_module(*auth_context, *text_list, &t)) {
+ DLIST_ADD_END(list, t, tmp);
+ }
}
(*auth_context)->auth_method_list = list;
@@ -417,7 +428,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
{
case SEC_DOMAIN:
DEBUG(5,("Making default auth method list for security=domain\n"));
- auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
+ auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL);
break;
case SEC_SERVER:
DEBUG(5,("Making default auth method list for security=server\n"));
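Review bot: The new default `"guest sam winbind:ntdomain"` in the `SEC_DOMAIN` case (and again in the `SEC_ADS` hunk below) changes when `ntdomain` runs, and nothing at the call site says so. As a separate list entry it was loaded as a method in its own right; as a parameter it is loaded by `auth_init_winbind` as a fallback that `check_winbind_security` calls only when `winbindd_request` returns `NSS_STATUS_UNAVAIL`. A comment such as `/* "winbind:ntdomain": ntdomain is winbind's fallback, used only when winbindd is unavailable */` above each assignment would record that. The switch and its enclosing function start and end outside this hunk.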
@@ -443,7 +454,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
break;
case SEC_ADS:
DEBUG(5,("Making default auth method list for security=ADS\n"));
- auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
+ auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL);
break;
default:
DEBUG(5,("Unknown auth method!\n"));
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 509a4afba9b..5d72898006c 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -50,7 +50,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
/* Guest modules initialisation */
-NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
+static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@@ -60,6 +60,7 @@ NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options,
return NT_STATUS_OK;
}
+#ifdef DEVELOPER
/**
* Return an error based on username
*
@@ -101,7 +102,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_
/** Module initialisation function */
-NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@@ -150,7 +151,7 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex
/** Module initailisation function */
-NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@@ -160,6 +161,7 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char
(*auth_method)->name = "fixed_challenge";
return NT_STATUS_OK;
}
+#endif /* DEVELOPER */
int auth_builtin_init(void)
{
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index e49a41763bb..db5f7d82b08 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -175,6 +175,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
&dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry);
if (!NT_STATUS_IS_OK(result)) {
+ /* map to something more useful */
+ if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
+ result = NT_STATUS_NO_LOGON_SERVERS;
+ }
+
release_server_mutex();
return result;
}
@@ -272,7 +277,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli,
struct in_addr dc_ip;
fstring srv_name;
- if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) {
+ if (!rpc_find_dc(domain, srv_name, &dc_ip)) {
DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup()));
return NT_STATUS_NO_LOGON_SERVERS;
}
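Review bot: The failure message in `find_connect_dc` still prints `lp_workgroup()` although the lookup on the line above now uses `domain`, so when the two differ the log names the wrong domain. Change it to `DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", domain));`. The function's signature and the rest of its body are outside this hunk, so this assumes `domain` is a string, as its use in `rpc_find_dc` suggests.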
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d0f1fc1e342..a3ca0b226f2 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -219,35 +219,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
where it doens't supply a domain for logon script
'net use' commands.
- The way I do it here is by checking if the fully
- qualified username exists. This is rather reliant
- on winbind, but until we have a better method this
- will have to do
+ Finally, we do this by looking up a cache of trusted domains!
*/
domain = client_domain;
- if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
- char *user = NULL;
- if (asprintf(&user, "%s%s%s",
- client_domain, lp_winbind_separator(),
- smb_name) < 0) {
- DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
-
- if (Get_Pwnam(user) == NULL) {
- DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
- domain = lp_workgroup();
- DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
- client_domain, domain));
- } else {
- DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
- }
- SAFE_FREE(user);
+ if (is_trusted_domain(domain)) {
+ return make_user_info(user_info, smb_name, internal_username,
+ client_domain, domain, wksta_name,
+ lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
+ encrypted);
}
+
} else {
domain = lp_workgroup();
}
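Review bot: When `is_trusted_domain(domain)` is false, `domain` is left holding the client-supplied `client_domain`, whereas the removed code reset it to `lp_workgroup()` when its check failed. If the code after this hunk passes `domain` on to `make_user_info` (the tail of `make_user_info_map` is not visible), the trusted and untrusted cases map to the same domain and the cache check decides nothing. Adding `domain = lp_workgroup();` after the `if (is_trusted_domain(domain)) { … }` block would restore the old fallback. The surviving comment describes clients that do not supply a real domain, which is the case that fallback handled.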
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index e2a292dd015..df08b6440ac 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -103,6 +103,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
+ if (result == NSS_STATUS_UNAVAIL) {
+ struct auth_methods *auth_method = my_private_data;
+ return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+ }
+
nt_status = NT_STATUS(response.data.auth.nt_status);
if (result == NSS_STATUS_SUCCESS && response.extra_data) {
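Review bot: The `NSS_STATUS_UNAVAIL` branch dereferences `my_private_data` without checking it, yet `auth_init_winbind` in this same commit loads a fallback only when `param` is non-empty. A configuration that lists plain `winbind` would then presumably reach `auth_method->auth` through a NULL pointer whenever winbindd is down. Guard the branch, e.g. `if (result == NSS_STATUS_UNAVAIL && my_private_data) {`, and decide explicitly which status the no-fallback case returns. The rest of `check_winbind_security` is outside this hunk, so how `response` is handled after an unavailable daemon should be confirmed there.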
@@ -127,11 +132,18 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
/* module initialisation */
NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
- if (!make_auth_methods(auth_context, auth_method))
- return NT_STATUS_NO_MEMORY;
(*auth_method)->name = "winbind";
(*auth_method)->auth = check_winbind_security;
+
+ if (param && *param) {
+ /* we load the 'fallback' module - if winbind isn't here, call this
+ module */
+ if (!load_auth_module(auth_context, param, &(*auth_method)->private_data)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ }
return NT_STATUS_OK;
}
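Review bot: `auth_init_winbind` now writes `(*auth_method)->name` without allocating `*auth_method`, because this hunk removes the `make_auth_methods` call. `load_auth_module` hands its `ret` argument straight to `entry->init`, and `make_auth_context_text_list` passes `&t` with `t` initialised to NULL, so the first assignment would dereference NULL. The init functions in `auth_builtin.c` on this page still allocate first. Restore `if (!make_auth_methods(auth_context, auth_method))` and `return NT_STATUS_NO_MEMORY;` at the top of the function, before the `name` and `auth` assignments.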