Hi Andrew, can you please apply the samstrict_dc-only patch.
People who need this can set the 'auth method' parameter; the current behaviour is otherwise unchanged. I attached a patch for HEAD and one for 3_0. Thanks :-) metze ----------------------------------------------------------------------------- Stefan "metze" Metzmacher <[EMAIL PROTECTED]>
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/auth/auth.c HEAD-fix/source/auth/auth.c
--- HEAD/source/auth/auth.c Sun Jan 5 12:16:32 2003
+++ HEAD-fix/source/auth/auth.c Mon Jan 13 09:55:53 2003
@@ -31,6 +31,7 @@ static const struct auth_init_function_e
 { "hostsequiv", auth_init_hostsequiv },
 { "sam", auth_init_sam },
 { "samstrict", auth_init_samstrict },
+ { "samstrict_dc", auth_init_samstrict_dc },
 { "unix", auth_init_unix },
 { "smbserver", auth_init_smbserver },
 { "ntdomain", auth_init_ntdomain },
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/auth/auth_sam.c HEAD-fix/source/auth/auth_sam.c
--- HEAD/source/auth/auth_sam.c Sun Jan 5 12:16:32 2003
+++ HEAD-fix/source/auth/auth_sam.c Mon Jan 13 09:55:06 2003
@@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security
 unless it is one of our aliases. */
 if (!is_myname(user_info->domain.str)) {
+ DEBUG(7,("The requested user domain is not the local server name. +[%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
 return NT_STATUS_NO_SUCH_USER;
 }
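Review bot: The DEBUG line added to check_samstrict_security has its format string cut in two with a stray `+` in the middle (`...local server name. +[%s]\\[%s]\n",`), which cannot compile as shown; this looks like mail-client line wrapping rather than the real patch, but the copy that gets applied should carry the literal on one line. The same wrap appears in the samstrict_dc hunk that follows (`name or +our domain.`, `user_info, +server_info);`, `const char *param, +auth_methods **auth_method)`) and in both 3_0 copies of these hunks further down. check_samstrict_security begins and ends outside this hunk.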
@@ -498,4 +500,45 @@ NTSTATUS auth_init_samstrict(struct auth
 return NT_STATUS_OK;
 }
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+
+ if (!user_info || !auth_context) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /* If we are a domain member, we must not
+ attempt to check the password locally,
+ unless it is one of our aliases, empty
+ or our domain if we are a logon server.*/
+
+
+ if ((!is_myworkgroup(user_info->domain.str))&&
+ (!is_myname(user_info->domain.str))) {
+ DEBUG(7,("The requested user domain is not the local server name or +our domain. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, +server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, +auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*auth_method)->auth = check_samstrict_dc_security;
+ (*auth_method)->name = "samstrict_dc";
+ return NT_STATUS_OK;
+}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure HEAD/source/lib/util.c HEAD-fix/source/lib/util.c
--- HEAD/source/lib/util.c Sun Jan 5 12:16:33 2003
+++ HEAD-fix/source/lib/util.c Mon Jan 13 09:59:53 2003
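Review bot: check_samstrict_dc_security lets a logon through to check_sam_security whenever the supplied domain equals the configured workgroup, without checking that this server is in fact a logon server, although the comment right above the test says "our domain if we are a logon server"; on a plain domain member that has selected samstrict_dc, a DOMAIN\user request is then verified against the local passdb instead of being refused, which is the case samstrict exists to prevent. If the comment states the intended contract, gate the workgroup match on the domain-logons setting, e.g. `if (!is_myname(user_info->domain.str) && !(lp_domain_logons() && is_myworkgroup(user_info->domain.str))) {` (assuming that loadparm accessor is available here); otherwise drop the "if we are a logon server" clause from the comment so it matches the code. The comment also lists an empty domain as accepted, but nothing in the function treats an empty string specially, so either is_myname covers that case (not visible in this hunk) or the comment overstates what is checked. The identical code is added to 3_0 in the later auth_sam.c hunk and the same remarks apply there.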
@@ -1723,6 +1723,23 @@ BOOL is_myname_or_ipaddr(const char *s)
 /* no match */
 return False;
+}
+
+/*******************************************************************
+ Is the name specified our workgroup/domain.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+ BOOL ret = False;
+
+ if (strequal(s, lp_workgroup())) {
+ ret=True;
+ }
+
+ DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+ return(ret);
 }
 /*******************************************************************
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 3_0/source/auth/auth.c 3_0-fix/source/auth/auth.c
--- 3_0/source/auth/auth.c Sun Jan 5 12:20:50 2003
+++ 3_0-fix/source/auth/auth.c Mon Jan 13 10:09:36 2003
@@ -31,6 +31,7 @@ static const struct auth_init_function_e
 { "hostsequiv", auth_init_hostsequiv },
 { "sam", auth_init_sam },
 { "samstrict", auth_init_samstrict },
+ { "samstrict_dc", auth_init_samstrict_dc },
 { "unix", auth_init_unix },
 { "smbserver", auth_init_smbserver },
 { "ntdomain", auth_init_ntdomain },
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 3_0/source/auth/auth_sam.c 3_0-fix/source/auth/auth_sam.c
--- 3_0/source/auth/auth_sam.c Sun Jan 5 12:20:50 2003
+++ 3_0-fix/source/auth/auth_sam.c Mon Jan 13 10:09:06 2003
@@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security
 unless it is one of our aliases. */
 if (!is_myname(user_info->domain.str)) {
+ DEBUG(7,("The requested user domain is not the local server name. +[%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
 return NT_STATUS_NO_SUCH_USER;
 }
@@ -499,3 +501,45 @@ NTSTATUS auth_init_samstrict(struct auth
 }
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+
+ if (!user_info || !auth_context) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /* If we are a domain member, we must not
+ attempt to check the password locally,
+ unless it is one of our aliases, empty
+ or our domain if we are a logon server.*/
+
+
+ if ((!is_myworkgroup(user_info->domain.str))&&
+ (!is_myname(user_info->domain.str))) {
+ DEBUG(7,("The requested user domain is not the local server name or +our domain. [%s]\\[%s]\n",
+ user_info->domain.str,user_info->internal_username.str));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, +server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, +auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*auth_method)->auth = check_samstrict_dc_security;
+ (*auth_method)->name = "samstrict_dc";
+ return NT_STATUS_OK;
+}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so --exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure --exclude=findsmb --exclude=*proto*.h --exclude=build_env.h --exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 3_0/source/lib/util.c 3_0-fix/source/lib/util.c
--- 3_0/source/lib/util.c Sun Jan 5 12:20:51 2003
+++ 3_0-fix/source/lib/util.c Mon Jan 13 10:05:56 2003
@@ -1726,6 +1726,23 @@ BOOL is_myname_or_ipaddr(const char *s)
 }
 /*******************************************************************
+ Is the name specified our workgroup/domain.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+ BOOL ret = False;
+
+ if (strequal(s, lp_workgroup())) {
+ ret=True;
+ }
+
+ DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+ return(ret);
+}
+
+/*******************************************************************
 Set the horrid remote_arch string based on an enum.
 ********************************************************************/
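Review bot: The header comment on is_myworkgroup says only "returns true if it is equal" and leaves unstated what `s` is compared against and how; since check_samstrict_dc_security uses this result to decide whether a domain-qualified logon is verified against the local SAM, the comment should name the value (the configured workgroup from lp_workgroup()), the comparison (strequal(), which a reader should not assume is case-sensitive — confirm its semantics before documenting either way), and that a NULL `s` is passed straight to strequal() with no check here. Suggested replacement for the two descriptive lines: ` Is the name specified our configured workgroup/domain (lp_workgroup())?` and ` Compared with strequal(); returns True on a match, False otherwise (no NULL check on s).` The HEAD copy of this function in lib/util.c earlier in the mail carries the same comment.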