search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Fix a typo
[Samba.git] / source4 / auth / ntlm / auth_sam.c
blob6e2dd440f7b73356c16da13e58d14dd07a240a38
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/time.h"
24 #include <ldb.h>
25 #include "libcli/ldap/ldap_ndr.h"
26 #include "libcli/security/security.h"
27 #include "auth/auth.h"
28 #include "../libcli/auth/ntlm_check.h"
29 #include "auth/ntlm/auth_proto.h"
30 #include "auth/auth_sam.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "dsdb/common/util.h"
33 #include "param/param.h"
34 #include "librpc/gen_ndr/ndr_irpc_c.h"
35 #include "lib/messaging/irpc.h"
36 #include "libcli/auth/libcli_auth.h"
37
38 NTSTATUS auth_sam_init(void);
39
40 extern const char *user_attrs[];
41 extern const char *domain_ref_attrs[];
42
43 /****************************************************************************
44 Look for the specified user in the sam, return ldb result structures
45 ****************************************************************************/
46
47 static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
48 const char *account_name,
49 struct ldb_dn *domain_dn,
50 struct ldb_message **ret_msg)
51 {
52 int ret;
53
54 /* pull the user attributes */
55 ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn, LDB_SCOPE_SUBTREE,
56 user_attrs,
57 DSDB_SEARCH_SHOW_EXTENDED_DN,
58 "(&(sAMAccountName=%s)(objectclass=user))",
59 ldb_binary_encode_string(mem_ctx, account_name));
60 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
61 DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n",
62 account_name, ldb_dn_get_linearized(domain_dn)));
63 return NT_STATUS_NO_SUCH_USER;
64 }
65 if (ret != LDB_SUCCESS) {
66 return NT_STATUS_INTERNAL_DB_CORRUPTION;
67 }
68
69 return NT_STATUS_OK;
70 }
71
72 /****************************************************************************
73 Do a specific test for an smb password being correct, given a smb_password and
74 the lanman and NT responses.
75 ****************************************************************************/
76 static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
77 TALLOC_CTX *mem_ctx,
78 uint16_t acct_flags,
79 const struct samr_Password *lm_pwd,
80 const struct samr_Password *nt_pwd,
81 const struct auth_usersupplied_info *user_info,
82 DATA_BLOB *user_sess_key,
83 DATA_BLOB *lm_sess_key)
84 {
85 NTSTATUS status;
86
87 switch (user_info->password_state) {
88 case AUTH_PASSWORD_PLAIN:
89 {
90 const struct auth_usersupplied_info *user_info_temp;
91 status = encrypt_user_info(mem_ctx, auth_context,
92 AUTH_PASSWORD_HASH,
93 user_info, &user_info_temp);
94 if (!NT_STATUS_IS_OK(status)) {
95 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status)));
96 return status;
97 }
98 user_info = user_info_temp;
99
100 /*fall through*/
101 }
102 case AUTH_PASSWORD_HASH:
103 *lm_sess_key = data_blob(NULL, 0);
104 *user_sess_key = data_blob(NULL, 0);
105 status = hash_password_check(mem_ctx,
106 lpcfg_lanman_auth(auth_context->lp_ctx),
107 user_info->password.hash.lanman,
108 user_info->password.hash.nt,
109 user_info->mapped.account_name,
110 lm_pwd, nt_pwd);
111 NT_STATUS_NOT_OK_RETURN(status);
112 break;
113
114 case AUTH_PASSWORD_RESPONSE:
115 status = ntlm_password_check(mem_ctx,
116 lpcfg_lanman_auth(auth_context->lp_ctx),
117 lpcfg_ntlm_auth(auth_context->lp_ctx),
118 user_info->logon_parameters,
119 &auth_context->challenge.data,
120 &user_info->password.response.lanman,
121 &user_info->password.response.nt,
122 user_info->mapped.account_name,
123 user_info->client.account_name,
124 user_info->client.domain_name,
125 lm_pwd, nt_pwd,
126 user_sess_key, lm_sess_key);
127 NT_STATUS_NOT_OK_RETURN(status);
128 break;
129 }
130
131 return NT_STATUS_OK;
132 }
133
134
135 /*
136 send a message to the drepl server telling it to initiate a
137 REPL_SECRET getncchanges extended op to fetch the users secrets
138 */
139 static void auth_sam_trigger_repl_secret(struct auth4_context *auth_context,
140 struct ldb_dn *user_dn)
141 {
142 struct dcerpc_binding_handle *irpc_handle;
143 struct drepl_trigger_repl_secret r;
144 struct tevent_req *req;
145 TALLOC_CTX *tmp_ctx;
146
147 tmp_ctx = talloc_new(auth_context);
148 if (tmp_ctx == NULL) {
149 return;
150 }
151
152 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, auth_context->msg_ctx,
153 "dreplsrv",
154 &ndr_table_irpc);
155 if (irpc_handle == NULL) {
156 DEBUG(1,(__location__ ": Unable to get binding handle for dreplsrv\n"));
157 TALLOC_FREE(tmp_ctx);
158 return;
159 }
160
161 r.in.user_dn = ldb_dn_get_linearized(user_dn);
162
163 /*
164 * This seem to rely on the current IRPC implementation,
165 * which delivers the message in the _send function.
166 *
167 * TODO: we need a ONE_WAY IRPC handle and register
168 * a callback and wait for it to be triggered!
169 */
170 req = dcerpc_drepl_trigger_repl_secret_r_send(tmp_ctx,
171 auth_context->event_ctx,
172 irpc_handle,
173 &r);
174
175 /* we aren't interested in a reply */
176 talloc_free(req);
177 TALLOC_FREE(tmp_ctx);
178 }
179
180
181 /*
182 * Check that a password is OK, and update badPwdCount if required.
183 */
184
185 static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_context,
186 TALLOC_CTX *mem_ctx,
187 struct ldb_dn *domain_dn,
188 struct ldb_message *msg,
189 uint16_t acct_flags,
190 const struct auth_usersupplied_info *user_info,
191 DATA_BLOB *user_sess_key,
192 DATA_BLOB *lm_sess_key)
193 {
194 NTSTATUS nt_status;
195 NTSTATUS auth_status;
196 TALLOC_CTX *tmp_ctx;
197 int i, ret;
198 int history_len = 0;
199 struct ldb_context *sam_ctx = auth_context->sam_ctx;
200 const char * const attrs[] = { "pwdHistoryLength", NULL };
201 struct ldb_message *dom_msg;
202 struct samr_Password *lm_pwd;
203 struct samr_Password *nt_pwd;
204
205 tmp_ctx = talloc_new(mem_ctx);
206 if (tmp_ctx == NULL) {
207 return NT_STATUS_NO_MEMORY;
208 }
209
210 /*
211 * This call does more than what it appears to do, it also
212 * checks for the account lockout.
213 *
214 * It is done here so that all parts of Samba that read the
215 * password refuse to even operate on it if the account is
216 * locked out, to avoid mistakes like CVE-2013-4496.
217 */
218 nt_status = samdb_result_passwords(tmp_ctx, auth_context->lp_ctx,
219 msg, &lm_pwd, &nt_pwd);
220 if (!NT_STATUS_IS_OK(nt_status)) {
221 TALLOC_FREE(tmp_ctx);
222 return nt_status;
223 }
224
225 if (lm_pwd == NULL && nt_pwd == NULL) {
226 bool am_rodc;
227 if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
228 /*
229 * we don't have passwords for this
230 * account. We are an RODC, and this account
231 * may be one for which we either are denied
232 * REPL_SECRET replication or we haven't yet
233 * done the replication. We return
234 * NT_STATUS_NOT_IMPLEMENTED which tells the
235 * auth code to try the next authentication
236 * mechanism. We also send a message to our
237 * drepl server to tell it to try and
238 * replicate the secrets for this account.
239 */
240 auth_sam_trigger_repl_secret(auth_context, msg->dn);
241 TALLOC_FREE(tmp_ctx);
242 return NT_STATUS_NOT_IMPLEMENTED;
243 }
244 }
245
246 auth_status = authsam_password_ok(auth_context, tmp_ctx,
247 acct_flags,
248 lm_pwd, nt_pwd,
249 user_info,
250 user_sess_key, lm_sess_key);
251 if (NT_STATUS_IS_OK(auth_status)) {
252 if (user_sess_key->data) {
253 talloc_steal(mem_ctx, user_sess_key->data);
254 }
255 if (lm_sess_key->data) {
256 talloc_steal(mem_ctx, lm_sess_key->data);
257 }
258 TALLOC_FREE(tmp_ctx);
259 return NT_STATUS_OK;
260 }
261 *user_sess_key = data_blob_null;
262 *lm_sess_key = data_blob_null;
263
264 if (!NT_STATUS_EQUAL(auth_status, NT_STATUS_WRONG_PASSWORD)) {
265 TALLOC_FREE(tmp_ctx);
266 return auth_status;
267 }
268
269 /*
270 * We only continue if this was a wrong password
271 * and we'll always return NT_STATUS_WRONG_PASSWORD
272 * no matter what error happens.
273 */
274
275 /* pull the domain password property attributes */
276 ret = dsdb_search_one(sam_ctx, tmp_ctx, &dom_msg, domain_dn, LDB_SCOPE_BASE,
277 attrs, 0, "objectClass=domain");
278 if (ret == LDB_SUCCESS) {
279 history_len = ldb_msg_find_attr_as_uint(dom_msg, "pwdHistoryLength", 0);
280 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
281 DEBUG(3,("Couldn't find domain %s: %s!\n",
282 ldb_dn_get_linearized(domain_dn),
283 ldb_errstring(sam_ctx)));
284 } else {
285 DEBUG(3,("error finding domain %s: %s!\n",
286 ldb_dn_get_linearized(domain_dn),
287 ldb_errstring(sam_ctx)));
288 }
289
290 for (i = 1; i < MIN(history_len, 3); i++) {
291 static const struct samr_Password zero_hash;
292 struct samr_Password zero_string_hash;
293 struct samr_Password zero_string_des_hash;
294 struct samr_Password *nt_history_pwd = NULL;
295 struct samr_Password *lm_history_pwd = NULL;
296 NTTIME pwdLastSet;
297 NTTIME now;
298 int allowed_period_mins;
299 NTTIME allowed_period;
300
301 nt_status = samdb_result_passwords_from_history(tmp_ctx,
302 auth_context->lp_ctx,
303 msg, i,
304 &lm_history_pwd,
305 &nt_history_pwd);
306 if (!NT_STATUS_IS_OK(nt_status)) {
307 /*
308 * If we don't find element 'i' we won't find
309 * 'i+1' ...
310 */
311 break;
312 }
313
314 /*
315 * We choose to avoid any issues
316 * around different LM and NT history
317 * lengths by only checking the NT
318 * history
319 */
320 if (nt_history_pwd == NULL) {
321 /*
322 * If we don't find element 'i' we won't find
323 * 'i+1' ...
324 */
325 break;
326 }
327
328 /* Skip over all-zero hashes in the history */
329 if (memcmp(nt_history_pwd->hash, zero_hash.hash, 16) == 0) {
330 continue;
331 }
332
333 /*
334 * This looks odd, but the password_hash module writes this in if
335 * (somehow) we didn't have an old NT hash
336 */
337
338 E_md4hash("", zero_string_hash.hash);
339 if (memcmp(nt_history_pwd->hash, zero_string_hash.hash, 16) == 0) {
340 continue;
341 }
342
343 E_deshash("", zero_string_des_hash.hash);
344 if (!lm_history_pwd || memcmp(lm_history_pwd->hash, zero_string_des_hash.hash, 16) == 0) {
345 lm_history_pwd = NULL;
346 }
347
348 auth_status = authsam_password_ok(auth_context, tmp_ctx,
349 acct_flags,
350 lm_history_pwd,
351 nt_history_pwd,
352 user_info,
353 user_sess_key,
354 lm_sess_key);
355 if (!NT_STATUS_IS_OK(auth_status)) {
356 /*
357 * If this was not a correct password, try the next
358 * one from the history
359 */
360 *user_sess_key = data_blob_null;
361 *lm_sess_key = data_blob_null;
362 continue;
363 }
364
365 if (i != 1) {
366 /*
367 * The authentication was OK, but not against
368 * the previous password, which is stored at index 1.
369 *
370 * We just return the original wrong password.
371 * This skips the update of the bad pwd count,
372 * because this is almost certainly user error
373 * (or automatic login on a computer using a cached
374 * password from before the password change),
375 * not an attack.
376 */
377 TALLOC_FREE(tmp_ctx);
378 return NT_STATUS_WRONG_PASSWORD;
379 }
380
381 if (user_info->password_state != AUTH_PASSWORD_RESPONSE) {
382 /*
383 * The authentication was OK against the previous password,
384 * but it's not a NTLM network authentication.
385 *
386 * We just return the original wrong password.
387 * This skips the update of the bad pwd count,
388 * because this is almost certainly user error
389 * (or automatic login on a computer using a cached
390 * password from before the password change),
391 * not an attack.
392 */
393 TALLOC_FREE(tmp_ctx);
394 return NT_STATUS_WRONG_PASSWORD;
395 }
396
397 /*
398 * If the password was OK, it's a NTLM network authentication
399 * and it was the previous password.
400 *
401 * Now we see if it is within the grace period,
402 * so that we don't break cached sessions on other computers
403 * before the user can lock and unlock their other screens
404 * (resetting their cached password).
405 *
406 * See http://support.microsoft.com/kb/906305
407 * OldPasswordAllowedPeriod ("old password allowed period")
408 * is specified in minutes. The default is 60.
409 */
410 allowed_period_mins = lpcfg_old_password_allowed_period(auth_context->lp_ctx);
411 /*
412 * NTTIME uses 100ns units
413 */
414 allowed_period = allowed_period_mins * 60 * 1000*1000*10;
415 pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
416 unix_to_nt_time(&now, time(NULL));
417
418 if (now < pwdLastSet) {
419 /*
420 * time jump?
421 *
422 * We just return the original wrong password.
423 * This skips the update of the bad pwd count,
424 * because this is almost certainly user error
425 * (or automatic login on a computer using a cached
426 * password from before the password change),
427 * not an attack.
428 */
429 TALLOC_FREE(tmp_ctx);
430 return NT_STATUS_WRONG_PASSWORD;
431 }
432
433 if ((now - pwdLastSet) >= allowed_period) {
434 /*
435 * The allowed period is over.
436 *
437 * We just return the original wrong password.
438 * This skips the update of the bad pwd count,
439 * because this is almost certainly user error
440 * (or automatic login on a computer using a cached
441 * password from before the password change),
442 * not an attack.
443 */
444 TALLOC_FREE(tmp_ctx);
445 return NT_STATUS_WRONG_PASSWORD;
446 }
447
448 /*
449 * We finally allow the authentication with the
450 * previous password within the allowed period.
451 */
452 if (user_sess_key->data) {
453 talloc_steal(mem_ctx, user_sess_key->data);
454 }
455 if (lm_sess_key->data) {
456 talloc_steal(mem_ctx, lm_sess_key->data);
457 }
458
459 TALLOC_FREE(tmp_ctx);
460 return auth_status;
461 }
462
463 /*
464 * If we are not in the allowed period or match an old password,
465 * we didn't return early. Now update the badPwdCount et al.
466 */
467 nt_status = authsam_update_bad_pwd_count(auth_context->sam_ctx,
468 msg, domain_dn);
469 if (!NT_STATUS_IS_OK(nt_status)) {
470 /*
471 * We need to return the original
472 * NT_STATUS_WRONG_PASSWORD error, so there isn't
473 * anything more we can do than write something into
474 * the log
475 */
476 DEBUG(0, ("Failed to note bad password for user [%s]: %s\n",
477 user_info->mapped.account_name,
478 nt_errstr(nt_status)));
479 }
480
481 TALLOC_FREE(tmp_ctx);
482 return NT_STATUS_WRONG_PASSWORD;
483 }
484
485 static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
486 TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
487 struct ldb_dn *domain_dn,
488 struct ldb_message *msg,
489 const struct auth_usersupplied_info *user_info,
490 DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key)
491 {
492 NTSTATUS nt_status;
493 uint16_t acct_flags = samdb_result_acct_flags(msg, NULL);
494 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
495 if (!tmp_ctx) {
496 return NT_STATUS_NO_MEMORY;
497 }
498
499 /* You can only do an interactive login to normal accounts */
500 if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
501 if (!(acct_flags & ACB_NORMAL)) {
502 TALLOC_FREE(tmp_ctx);
503 return NT_STATUS_NO_SUCH_USER;
504 }
505 }
506
507 nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
508 domain_dn, msg, acct_flags,
509 user_info,
510 user_sess_key, lm_sess_key);
511 if (!NT_STATUS_IS_OK(nt_status)) {
512 TALLOC_FREE(tmp_ctx);
513 return nt_status;
514 }
515
516 nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx,
517 user_info->logon_parameters,
518 domain_dn,
519 msg,
520 user_info->workstation_name,
521 user_info->mapped.account_name,
522 false, false);
523 if (!NT_STATUS_IS_OK(nt_status)) {
524 TALLOC_FREE(tmp_ctx);
525 return nt_status;
526 }
527
528 nt_status = authsam_zero_bad_pwd_count(auth_context->sam_ctx, msg);
529 if (!NT_STATUS_IS_OK(nt_status)) {
530 TALLOC_FREE(tmp_ctx);
531 return nt_status;
532 }
533
534 if (user_sess_key && user_sess_key->data) {
535 talloc_steal(mem_ctx, user_sess_key->data);
536 }
537 if (lm_sess_key && lm_sess_key->data) {
538 talloc_steal(mem_ctx, lm_sess_key->data);
539 }
540
541 TALLOC_FREE(tmp_ctx);
542 return nt_status;
543 }
544
545
546
547 static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
548 TALLOC_CTX *mem_ctx,
549 const struct auth_usersupplied_info *user_info,
550 struct auth_user_info_dc **user_info_dc)
551 {
552 NTSTATUS nt_status;
553 const char *account_name = user_info->mapped.account_name;
554 struct ldb_message *msg;
555 struct ldb_dn *domain_dn;
556 DATA_BLOB user_sess_key, lm_sess_key;
557 TALLOC_CTX *tmp_ctx;
558
559 if (ctx->auth_ctx->sam_ctx == NULL) {
560 DEBUG(0, ("No SAM available, cannot log in users\n"));
561 return NT_STATUS_INVALID_SYSTEM_SERVICE;
562 }
563
564 if (!account_name || !*account_name) {
565 /* 'not for me' */
566 return NT_STATUS_NOT_IMPLEMENTED;
567 }
568
569 tmp_ctx = talloc_new(mem_ctx);
570 if (!tmp_ctx) {
571 return NT_STATUS_NO_MEMORY;
572 }
573
574 domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx);
575 if (domain_dn == NULL) {
576 talloc_free(tmp_ctx);
577 return NT_STATUS_NO_SUCH_DOMAIN;
578 }
579
580 nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
581 if (!NT_STATUS_IS_OK(nt_status)) {
582 talloc_free(tmp_ctx);
583 return nt_status;
584 }
585
586 nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info,
587 &user_sess_key, &lm_sess_key);
588 if (!NT_STATUS_IS_OK(nt_status)) {
589 talloc_free(tmp_ctx);
590 return nt_status;
591 }
592
593 nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
594 lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
595 domain_dn,
596 msg,
597 user_sess_key, lm_sess_key,
598 user_info_dc);
599 if (!NT_STATUS_IS_OK(nt_status)) {
600 talloc_free(tmp_ctx);
601 return nt_status;
602 }
603
604 talloc_steal(mem_ctx, *user_info_dc);
605 talloc_free(tmp_ctx);
606
607 return NT_STATUS_OK;
608 }
609
610 static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
611 TALLOC_CTX *mem_ctx,
612 const struct auth_usersupplied_info *user_info)
613 {
614 if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
615 return NT_STATUS_NOT_IMPLEMENTED;
616 }
617
618 return NT_STATUS_OK;
619 }
620
621 /****************************************************************************
622 Check SAM security (above) but with a few extra checks.
623 ****************************************************************************/
624 static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
625 TALLOC_CTX *mem_ctx,
626 const struct auth_usersupplied_info *user_info)
627 {
628 bool is_local_name, is_my_domain;
629
630 if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
631 return NT_STATUS_NOT_IMPLEMENTED;
632 }
633
634 is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
635 user_info->mapped.domain_name);
636 is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx,
637 user_info->mapped.domain_name);
638
639 /* check whether or not we service this domain/workgroup name */
640 switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
641 case ROLE_STANDALONE:
642 return NT_STATUS_OK;
643
644 case ROLE_DOMAIN_MEMBER:
645 if (!is_local_name) {
646 DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
647 user_info->mapped.domain_name));
648 return NT_STATUS_NOT_IMPLEMENTED;
649 }
650 return NT_STATUS_OK;
651
652 case ROLE_ACTIVE_DIRECTORY_DC:
653 if (!is_local_name && !is_my_domain) {
654 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
655 user_info->mapped.domain_name));
656 return NT_STATUS_NOT_IMPLEMENTED;
657 }
658 return NT_STATUS_OK;
659 }
660
661 DEBUG(6,("authsam_check_password: lpcfg_server_role() has an undefined value\n"));
662 return NT_STATUS_NOT_IMPLEMENTED;
663 }
664
665
666 /* Wrapper for the auth subsystem pointer */
667 static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
668 struct auth4_context *auth_context,
669 const char *principal,
670 struct ldb_dn *user_dn,
671 struct auth_user_info_dc **user_info_dc)
672 {
673 return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
674 principal, user_dn, user_info_dc);
675 }
676 static const struct auth_operations sam_ignoredomain_ops = {
677 .name = "sam_ignoredomain",
678 .want_check = authsam_ignoredomain_want_check,
679 .check_password = authsam_check_password_internals,
680 .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
681 .flags = AUTH_METHOD_LOCAL_SAM
682 };
683
684 static const struct auth_operations sam_ops = {
685 .name = "sam",
686 .want_check = authsam_want_check,
687 .check_password = authsam_check_password_internals,
688 .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
689 .flags = AUTH_METHOD_LOCAL_SAM
690 };
691
692 _PUBLIC_ NTSTATUS auth4_sam_init(void);
693 _PUBLIC_ NTSTATUS auth4_sam_init(void)
694 {
695 NTSTATUS ret;
696
697 ret = auth_register(&sam_ops);
698 if (!NT_STATUS_IS_OK(ret)) {
699 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
700 return ret;
701 }
702
703 ret = auth_register(&sam_ignoredomain_ops);
704 if (!NT_STATUS_IS_OK(ret)) {
705 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));
706 return ret;
707 }
708
709 return ret;
710 }
Samba GIT mirror