2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6 Copyright (C) Andrew Bartlett 2001-2003
7 Copyright (C) Gerald Carter 2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_AUTH
29 static NTSTATUS
auth_sam_ignoredomain_auth(const struct auth_context
*auth_context
,
30 void *my_private_data
,
32 const struct auth_usersupplied_info
*user_info
,
33 struct auth_serversupplied_info
**server_info
)
35 if (!user_info
|| !auth_context
) {
36 return NT_STATUS_UNSUCCESSFUL
;
39 if (user_info
->mapped
.account_name
== NULL
||
40 user_info
->mapped
.account_name
[0] == '\0')
42 return NT_STATUS_NOT_IMPLEMENTED
;
45 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
46 user_info
->mapped
.domain_name
,
47 user_info
->mapped
.account_name
);
49 return check_sam_security(&auth_context
->challenge
, mem_ctx
,
50 user_info
, server_info
);
53 /* module initialisation */
54 static NTSTATUS
auth_init_sam_ignoredomain(
55 struct auth_context
*auth_context
,
57 struct auth_methods
**auth_method
)
59 struct auth_methods
*result
;
61 result
= talloc_zero(auth_context
, struct auth_methods
);
63 return NT_STATUS_NO_MEMORY
;
65 result
->auth
= auth_sam_ignoredomain_auth
;
66 result
->name
= "sam_ignoredomain";
68 *auth_method
= result
;
73 /****************************************************************************
74 Check SAM security (above) but with a few extra checks.
75 ****************************************************************************/
77 static NTSTATUS
auth_samstrict_auth(const struct auth_context
*auth_context
,
78 void *my_private_data
,
80 const struct auth_usersupplied_info
*user_info
,
81 struct auth_serversupplied_info
**server_info
)
83 const char *effective_domain
= NULL
;
84 bool is_local_name
, is_my_domain
;
86 if (!user_info
|| !auth_context
) {
87 return NT_STATUS_LOGON_FAILURE
;
89 effective_domain
= user_info
->mapped
.domain_name
;
91 if (user_info
->mapped
.account_name
== NULL
||
92 user_info
->mapped
.account_name
[0] == '\0')
94 return NT_STATUS_NOT_IMPLEMENTED
;
97 if (lp_server_role() == ROLE_DOMAIN_MEMBER
) {
100 p
= strchr_m(user_info
->mapped
.account_name
, '@');
103 * This needs to go to the DC,
104 * even if @ is the last character
106 return NT_STATUS_NOT_IMPLEMENTED
;
110 if (effective_domain
== NULL
) {
111 effective_domain
= "";
114 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
116 user_info
->mapped
.account_name
);
119 if (strequal(effective_domain
, "") || strequal(effective_domain
, ".")) {
121 * An empty domain name or '.' should be handled
122 * as the local SAM name.
124 effective_domain
= lp_netbios_name();
127 is_local_name
= is_myname(effective_domain
);
128 is_my_domain
= strequal(effective_domain
, lp_workgroup());
130 /* check whether or not we service this domain/workgroup name */
132 switch ( lp_server_role() ) {
133 case ROLE_STANDALONE
:
134 case ROLE_DOMAIN_MEMBER
:
135 if ( !is_local_name
) {
136 DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
137 effective_domain
, (lp_server_role() == ROLE_DOMAIN_MEMBER
138 ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
139 return NT_STATUS_NOT_IMPLEMENTED
;
143 case ROLE_DOMAIN_PDC
:
144 case ROLE_DOMAIN_BDC
:
145 if ( !is_local_name
&& !is_my_domain
) {
146 DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
148 return NT_STATUS_NOT_IMPLEMENTED
;
152 default: /* name is ok */
156 return check_sam_security(&auth_context
->challenge
, mem_ctx
,
157 user_info
, server_info
);
160 /* module initialisation */
161 static NTSTATUS
auth_init_sam(
162 struct auth_context
*auth_context
,
164 struct auth_methods
**auth_method
)
166 struct auth_methods
*result
;
168 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
169 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
170 DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the auth_sam module. \n"));
171 DEBUGADD(0, ("You should not set 'auth methods' when running the AD DC.\n"));
175 result
= talloc_zero(auth_context
, struct auth_methods
);
176 if (result
== NULL
) {
177 return NT_STATUS_NO_MEMORY
;
179 result
->auth
= auth_samstrict_auth
;
180 result
->name
= "sam";
181 *auth_method
= result
;
185 static NTSTATUS
auth_sam_netlogon3_auth(const struct auth_context
*auth_context
,
186 void *my_private_data
,
188 const struct auth_usersupplied_info
*user_info
,
189 struct auth_serversupplied_info
**server_info
)
191 const char *effective_domain
= NULL
;
194 if (!user_info
|| !auth_context
) {
195 return NT_STATUS_LOGON_FAILURE
;
197 effective_domain
= user_info
->mapped
.domain_name
;
199 if (user_info
->mapped
.account_name
== NULL
||
200 user_info
->mapped
.account_name
[0] == '\0')
202 return NT_STATUS_NOT_IMPLEMENTED
;
205 if (effective_domain
== NULL
) {
206 effective_domain
= "";
209 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
211 user_info
->mapped
.account_name
);
213 /* check whether or not we service this domain/workgroup name */
215 switch (lp_server_role()) {
216 case ROLE_DOMAIN_PDC
:
217 case ROLE_DOMAIN_BDC
:
220 DBG_ERR("Invalid server role\n");
221 return NT_STATUS_INVALID_SERVER_STATE
;
224 if (strequal(effective_domain
, "") || strequal(effective_domain
, ".")) {
226 * An empty domain name or '.' should be handled
227 * as the local SAM name.
229 effective_domain
= lp_workgroup();
232 is_my_domain
= strequal(user_info
->mapped
.domain_name
, lp_workgroup());
234 DBG_INFO("%s is not our domain name (DC for %s)\n",
235 effective_domain
, lp_workgroup());
236 return NT_STATUS_NOT_IMPLEMENTED
;
239 return check_sam_security(&auth_context
->challenge
, mem_ctx
,
240 user_info
, server_info
);
243 /* module initialisation */
244 static NTSTATUS
auth_init_sam_netlogon3(
245 struct auth_context
*auth_context
,
247 struct auth_methods
**auth_method
)
249 struct auth_methods
*result
;
251 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
252 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
253 DEBUG(0, ("server role = 'active directory domain controller' "
254 "not compatible with running the auth_sam module.\n"));
255 DEBUGADD(0, ("You should not set 'auth methods' when "
256 "running the AD DC.\n"));
260 result
= talloc_zero(auth_context
, struct auth_methods
);
261 if (result
== NULL
) {
262 return NT_STATUS_NO_MEMORY
;
264 result
->auth
= auth_sam_netlogon3_auth
;
265 result
->name
= "sam_netlogon3";
266 *auth_method
= result
;
270 NTSTATUS
auth_sam_init(TALLOC_CTX
*mem_ctx
)
272 smb_register_auth(AUTH_INTERFACE_VERSION
, "sam", auth_init_sam
);
273 smb_register_auth(AUTH_INTERFACE_VERSION
, "sam_ignoredomain", auth_init_sam_ignoredomain
);
274 smb_register_auth(AUTH_INTERFACE_VERSION
, "sam_netlogon3", auth_init_sam_netlogon3
);