[PATCH] samstrict_dc only patch

Stefan (metze) Metzmacher Mon, 13 Jan 2003 03:35:07 -0800

Hi Andrew,

can you please apply the samstrict_dc only patch.


people who need this can set the 'auth method' paramter
and the current behavior isn't changed now.

I attached a patch for HEAD and one for 3_0

thanks :-)


metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <[EMAIL PROTECTED]>

diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so 
--exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure 
--exclude=findsmb --exclude=*proto*.h --exclude=build_env.h 
--exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 
HEAD/source/auth/auth.c HEAD-fix/source/auth/auth.c
--- HEAD/source/auth/auth.c     Sun Jan  5 12:16:32 2003
+++ HEAD-fix/source/auth/auth.c Mon Jan 13 09:55:53 2003
@@ -31,6 +31,7 @@ static const struct auth_init_function_e
        { "hostsequiv", auth_init_hostsequiv },
        { "sam", auth_init_sam },       
        { "samstrict", auth_init_samstrict },
+       { "samstrict_dc", auth_init_samstrict_dc },
        { "unix", auth_init_unix },
        { "smbserver", auth_init_smbserver },
        { "ntdomain", auth_init_ntdomain },
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so 
--exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure 
--exclude=findsmb --exclude=*proto*.h --exclude=build_env.h 
--exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 
HEAD/source/auth/auth_sam.c HEAD-fix/source/auth/auth_sam.c
--- HEAD/source/auth/auth_sam.c Sun Jan  5 12:16:32 2003
+++ HEAD-fix/source/auth/auth_sam.c     Mon Jan 13 09:55:06 2003
@@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security
           unless it is one of our aliases. */
        
        if (!is_myname(user_info->domain.str)) {
+               DEBUG(7,("The requested user domain is not the local server name. 
+[%s]\\[%s]\n",
+                       user_info->domain.str,user_info->internal_username.str));
                return NT_STATUS_NO_SUCH_USER;
        }
        
@@ -498,4 +500,45 @@ NTSTATUS auth_init_samstrict(struct auth
        return NT_STATUS_OK;
 }
 
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
 
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+                                        void *my_private_data, 
+                                        TALLOC_CTX *mem_ctx,
+                                        const auth_usersupplied_info *user_info, 
+                                        auth_serversupplied_info **server_info)
+{
+
+       if (!user_info || !auth_context) {
+               return NT_STATUS_LOGON_FAILURE;
+       }
+
+       /* If we are a domain member, we must not 
+          attempt to check the password locally,
+          unless it is one of our aliases, empty
+          or our domain if we are a logon server.*/
+       
+
+       if ((!is_myworkgroup(user_info->domain.str))&&
+               (!is_myname(user_info->domain.str))) {
+               DEBUG(7,("The requested user domain is not the local server name or 
+our domain. [%s]\\[%s]\n",
+                       user_info->domain.str,user_info->internal_username.str));
+               return NT_STATUS_NO_SUCH_USER;
+       }               
+
+       return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, 
+server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, 
+auth_methods **auth_method) 
+{
+       if (!make_auth_methods(auth_context, auth_method)) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       (*auth_method)->auth = check_samstrict_dc_security;
+       (*auth_method)->name = "samstrict_dc";
+       return NT_STATUS_OK;
+}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so 
--exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure 
--exclude=findsmb --exclude=*proto*.h --exclude=build_env.h 
--exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 
HEAD/source/lib/util.c HEAD-fix/source/lib/util.c
--- HEAD/source/lib/util.c      Sun Jan  5 12:16:33 2003
+++ HEAD-fix/source/lib/util.c  Mon Jan 13 09:59:53 2003
@@ -1723,6 +1723,23 @@ BOOL is_myname_or_ipaddr(const char *s)
        
        /* no match */
        return False;
+}
+
+/*******************************************************************
+ Is the name specified our workgroup/domain.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+       BOOL ret = False;
+
+       if (strequal(s, lp_workgroup())) {
+               ret=True;
+       }
+
+       DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+       return(ret);
 }
 
 /*******************************************************************

diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so 
--exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure 
--exclude=findsmb --exclude=*proto*.h --exclude=build_env.h 
--exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 
3_0/source/auth/auth.c 3_0-fix/source/auth/auth.c
--- 3_0/source/auth/auth.c      Sun Jan  5 12:20:50 2003
+++ 3_0-fix/source/auth/auth.c  Mon Jan 13 10:09:36 2003
@@ -31,6 +31,7 @@ static const struct auth_init_function_e
        { "hostsequiv", auth_init_hostsequiv },
        { "sam", auth_init_sam },       
        { "samstrict", auth_init_samstrict },
+       { "samstrict_dc", auth_init_samstrict_dc },
        { "unix", auth_init_unix },
        { "smbserver", auth_init_smbserver },
        { "ntdomain", auth_init_ntdomain },
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so 
--exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure 
--exclude=findsmb --exclude=*proto*.h --exclude=build_env.h 
--exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 
3_0/source/auth/auth_sam.c 3_0-fix/source/auth/auth_sam.c
--- 3_0/source/auth/auth_sam.c  Sun Jan  5 12:20:50 2003
+++ 3_0-fix/source/auth/auth_sam.c      Mon Jan 13 10:09:06 2003
@@ -480,6 +480,8 @@ static NTSTATUS check_samstrict_security
           unless it is one of our aliases. */
        
        if (!is_myname(user_info->domain.str)) {
+               DEBUG(7,("The requested user domain is not the local server name. 
+[%s]\\[%s]\n",
+                       user_info->domain.str,user_info->internal_username.str));
                return NT_STATUS_NO_SUCH_USER;
        }
        
@@ -499,3 +501,45 @@ NTSTATUS auth_init_samstrict(struct auth
 }
 
 
+/****************************************************************************
+Check SAM security (above) but with a few extra checks if we're a DC.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
+                                        void *my_private_data, 
+                                        TALLOC_CTX *mem_ctx,
+                                        const auth_usersupplied_info *user_info, 
+                                        auth_serversupplied_info **server_info)
+{
+
+       if (!user_info || !auth_context) {
+               return NT_STATUS_LOGON_FAILURE;
+       }
+
+       /* If we are a domain member, we must not 
+          attempt to check the password locally,
+          unless it is one of our aliases, empty
+          or our domain if we are a logon server.*/
+       
+
+       if ((!is_myworkgroup(user_info->domain.str))&&
+               (!is_myname(user_info->domain.str))) {
+               DEBUG(7,("The requested user domain is not the local server name or 
+our domain. [%s]\\[%s]\n",
+                       user_info->domain.str,user_info->internal_username.str));
+               return NT_STATUS_NO_SUCH_USER;
+       }               
+
+       return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, 
+server_info);
+}
+
+/* module initialisation */
+NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, 
+auth_methods **auth_method) 
+{
+       if (!make_auth_methods(auth_context, auth_method)) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       (*auth_method)->auth = check_samstrict_dc_security;
+       (*auth_method)->name = "samstrict_dc";
+       return NT_STATUS_OK;
+}
diff -Npur --exclude=CVS --exclude=*.bak --exclude=*.o --exclude=*.po --exclude=*.so 
--exclude=.#* --exclude=Makefile --exclude=stamp-h --exclude=configure 
--exclude=findsmb --exclude=*proto*.h --exclude=build_env.h 
--exclude=tdbsam2_parse_info.h --exclude=config.* --exclude=bin --exclude=*.configure 
3_0/source/lib/util.c 3_0-fix/source/lib/util.c
--- 3_0/source/lib/util.c       Sun Jan  5 12:20:51 2003
+++ 3_0-fix/source/lib/util.c   Mon Jan 13 10:05:56 2003
@@ -1726,6 +1726,23 @@ BOOL is_myname_or_ipaddr(const char *s)
 }
 
 /*******************************************************************
+ Is the name specified our workgroup/domain.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+BOOL is_myworkgroup(const char *s)
+{
+       BOOL ret = False;
+
+       if (strequal(s, lp_workgroup())) {
+               ret=True;
+       }
+
+       DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+       return(ret);
+}
+
+/*******************************************************************
  Set the horrid remote_arch string based on an enum.
 ********************************************************************/

[PATCH] samstrict_dc only patch

Reply via email to