author | Andrew Bartlett <abartlet@samba.org> | 2003-05-26 02:04:23 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-05-26 02:04:23 +0000 |
commit | 54e2ac64b7291d9c88d1525e7498e7750adbfbe0 (patch) | |
tree | cfb52c6d24ef8f95d3eb15e2bfcad688cbb7248c /source3/auth | |
parent | 6ace723c44f61c1166b90666ca6f5b2546ced46b (diff) | |
Add samstrict_dc from metze (been sitting in HEAD for way too long waiting for
me to review it).
This patch works well for a DC running with trusted domains, because it lets
you check the local SAM first, but only for this domain's users.
Andrew Bartlett
(This used to be commit e0bd4d2844e6073a83b72925bca1aec007a8dd0b)
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth_sam.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index d46d362a92b..13612db86e3 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -501,6 +501,8 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
 unless it is one of our aliases. */
 if (!is_myname(user_info->domain.str)) {
+ DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
 return NT_STATUS_NO_SUCH_USER;
 }
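Review bot: The added DEBUG call writes `user_info->domain.str` and `user_info->internal_username.str` to the log exactly as the client supplied them, and the same call is repeated in `check_samstrict_dc_security` in the second hunk. Whether DEBUG filters control characters is not visible here, so anyone reading or parsing level-7 logs should treat both fields as attacker-influenced text. A short comment above the call would record that, e.g. `/* domain and username are client-supplied; do not trust them when parsing this log */`. The enclosing function starts and ends outside the hunk, so an earlier NULL check on `user_info` cannot be confirmed from here.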
@@ -519,8 +521,52 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para
 return NT_STATUS_OK;
 }
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+
+ if (!user_info || !auth_context) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /* If we are a PDC we must not check the password here
+ unless it is one of our aliases, empty
+ or equal to our domain name. Other names may be
+ Trusted domains.
+ */
+
+ if ((!is_myworkgroup(user_info->domain.str))&&
+ (!is_myname(user_info->domain.str))) {
+ DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*auth_method)->auth = check_samstrict_dc_security;
+ (*auth_method)->name = "samstrict_dc";
+ return NT_STATUS_OK;
+}
+
 NTSTATUS auth_sam_init(void)
 {
+ smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc);
 smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict);
 smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
 return NT_STATUS_OK; |
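Review bot: The comment in `check_samstrict_dc_security` says the local check applies when the domain is one of our aliases, empty, or equal to our domain name, but the condition only tests `is_myworkgroup()` and `is_myname()`. An empty domain is therefore handled locally only if one of those helpers accepts an empty string, which is not visible here. If empty is meant to be accepted, make it explicit with `if (*user_info->domain.str && !is_myworkgroup(user_info->domain.str) && !is_myname(user_info->domain.str)) {`; otherwise drop "empty" from the comment. Nothing in the new code checks that the server is actually a DC, so the module depends on being configured only there, and a one-line comment on `auth_init_samstrict_dc` saying so would help. The body of `auth_sam_init` ends outside the hunk.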