2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6 Copyright (C) Andrew Bartlett 2001-2003
7 Copyright (C) Gerald Carter 2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_AUTH
29 static NTSTATUS
auth_sam_ignoredomain_auth(const struct auth_context
*auth_context
,
30 void *my_private_data
,
32 const struct auth_usersupplied_info
*user_info
,
33 struct auth_serversupplied_info
**server_info
)
35 if (!user_info
|| !auth_context
) {
36 return NT_STATUS_UNSUCCESSFUL
;
38 return check_sam_security(&auth_context
->challenge
, mem_ctx
,
39 user_info
, server_info
);
42 /* module initialisation */
43 static NTSTATUS
auth_init_sam_ignoredomain(struct auth_context
*auth_context
, const char *param
, auth_methods
**auth_method
)
45 struct auth_methods
*result
;
47 result
= talloc_zero(auth_context
, struct auth_methods
);
49 return NT_STATUS_NO_MEMORY
;
51 result
->auth
= auth_sam_ignoredomain_auth
;
52 result
->name
= "sam_ignoredomain";
54 *auth_method
= result
;
59 /****************************************************************************
60 Check SAM security (above) but with a few extra checks.
61 ****************************************************************************/
63 static NTSTATUS
auth_samstrict_auth(const struct auth_context
*auth_context
,
64 void *my_private_data
,
66 const struct auth_usersupplied_info
*user_info
,
67 struct auth_serversupplied_info
**server_info
)
69 bool is_local_name
, is_my_domain
;
71 if (!user_info
|| !auth_context
) {
72 return NT_STATUS_LOGON_FAILURE
;
75 DEBUG(10, ("Check auth for: [%s]\n", user_info
->mapped
.account_name
));
77 is_local_name
= is_myname(user_info
->mapped
.domain_name
);
78 is_my_domain
= strequal(user_info
->mapped
.domain_name
, lp_workgroup());
80 /* check whether or not we service this domain/workgroup name */
82 switch ( lp_server_role() ) {
84 case ROLE_DOMAIN_MEMBER
:
85 if ( !is_local_name
) {
86 DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
87 user_info
->mapped
.domain_name
, (lp_server_role() == ROLE_DOMAIN_MEMBER
88 ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
89 return NT_STATUS_NOT_IMPLEMENTED
;
95 if ( !is_local_name
&& !is_my_domain
) {
96 DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
97 user_info
->mapped
.domain_name
));
98 return NT_STATUS_NOT_IMPLEMENTED
;
102 default: /* name is ok */
106 return check_sam_security(&auth_context
->challenge
, mem_ctx
,
107 user_info
, server_info
);
110 /* module initialisation */
111 static NTSTATUS
auth_init_sam(struct auth_context
*auth_context
, const char *param
, auth_methods
**auth_method
)
113 struct auth_methods
*result
;
115 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
116 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
117 DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the auth_sam module. \n"));
118 DEBUGADD(0, ("You should not set 'auth methods' when running the AD DC.\n"));
122 result
= talloc_zero(auth_context
, struct auth_methods
);
123 if (result
== NULL
) {
124 return NT_STATUS_NO_MEMORY
;
126 result
->auth
= auth_samstrict_auth
;
127 result
->name
= "sam";
128 *auth_method
= result
;
132 static NTSTATUS
auth_sam_netlogon3_auth(const struct auth_context
*auth_context
,
133 void *my_private_data
,
135 const struct auth_usersupplied_info
*user_info
,
136 struct auth_serversupplied_info
**server_info
)
140 if (!user_info
|| !auth_context
) {
141 return NT_STATUS_LOGON_FAILURE
;
144 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
145 user_info
->mapped
.domain_name
,
146 user_info
->mapped
.account_name
);
148 /* check whether or not we service this domain/workgroup name */
150 switch (lp_server_role()) {
151 case ROLE_DOMAIN_PDC
:
152 case ROLE_DOMAIN_BDC
:
155 DBG_ERR("Invalid server role\n");
156 return NT_STATUS_INVALID_SERVER_STATE
;
159 is_my_domain
= strequal(user_info
->mapped
.domain_name
, lp_workgroup());
161 DBG_INFO("%s is not our domain name (DC for %s)\n",
162 user_info
->mapped
.domain_name
, lp_workgroup());
163 return NT_STATUS_NOT_IMPLEMENTED
;
166 return check_sam_security(&auth_context
->challenge
, mem_ctx
,
167 user_info
, server_info
);
170 /* module initialisation */
171 static NTSTATUS
auth_init_sam_netlogon3(struct auth_context
*auth_context
,
172 const char *param
, auth_methods
**auth_method
)
174 struct auth_methods
*result
;
176 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
177 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
178 DEBUG(0, ("server role = 'active directory domain controller' "
179 "not compatible with running the auth_sam module.\n"));
180 DEBUGADD(0, ("You should not set 'auth methods' when "
181 "running the AD DC.\n"));
185 result
= talloc_zero(auth_context
, struct auth_methods
);
186 if (result
== NULL
) {
187 return NT_STATUS_NO_MEMORY
;
189 result
->auth
= auth_sam_netlogon3_auth
;
190 result
->name
= "sam_netlogon3";
191 *auth_method
= result
;
195 NTSTATUS
auth_sam_init(TALLOC_CTX
*mem_ctx
)
197 smb_register_auth(AUTH_INTERFACE_VERSION
, "sam", auth_init_sam
);
198 smb_register_auth(AUTH_INTERFACE_VERSION
, "sam_ignoredomain", auth_init_sam_ignoredomain
);
199 smb_register_auth(AUTH_INTERFACE_VERSION
, "sam_netlogon3", auth_init_sam_netlogon3
);
