Author: metze Date: 2006-07-27 11:24:18 +0000 (Thu, 27 Jul 2006) New Revision: 17270
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17270 Log: split the logic of saying this auth backend wants to handle this request from the password checking. This will help to make the password checking hook async later metze Modified: branches/SAMBA_4_0/source/auth/auth.c branches/SAMBA_4_0/source/auth/auth.h branches/SAMBA_4_0/source/auth/auth_anonymous.c branches/SAMBA_4_0/source/auth/auth_developer.c branches/SAMBA_4_0/source/auth/auth_sam.c branches/SAMBA_4_0/source/auth/auth_unix.c branches/SAMBA_4_0/source/auth/auth_winbind.c Changeset: Modified: branches/SAMBA_4_0/source/auth/auth.c =================================================================== --- branches/SAMBA_4_0/source/auth/auth.c 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth.c 2006-07-27 11:24:18 UTC (rev 17270) @@ -174,16 +174,20 @@ for (method = auth_ctx->methods; method; method = method->next) { NTSTATUS result; - result = method->ops->check_password(method, mem_ctx, user_info, server_info); - - /* check if the module did anything */ - if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) { - method_name = method->ops->name; - nt_status = result; - break; + /* check if the module wants to chek the password */ + result = method->ops->want_check(method, mem_ctx, user_info); + if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) { + DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name)); + continue; } - DEBUG(11,("auth_check_password: %s had nothing to say\n", method->ops->name)); + method_name = method->ops->name; + nt_status = result; + + if (!NT_STATUS_IS_OK(nt_status)) break; + + nt_status = method->ops->check_password(method, mem_ctx, user_info, server_info); + break; } if (!NT_STATUS_IS_OK(nt_status)) { Modified: branches/SAMBA_4_0/source/auth/auth.h =================================================================== --- branches/SAMBA_4_0/source/auth/auth.h 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth.h 2006-07-27 11:24:18 UTC (rev 17270) @@ -35,7 +35,8 @@ /* version 2 - initial samba4 version - metze */ /* version 3 - subsequent samba4 version - abartlet */ /* version 4 - subsequent samba4 version - metze */ -#define AUTH_INTERFACE_VERSION 4 +/* version 0 - till samba4 is stable - metze */ +#define AUTH_INTERFACE_VERSION 0 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ @@ -134,6 +135,11 @@ NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge); + /* Given the user supplied info, check if this backend want to handle the password checking */ + + NTSTATUS (*want_check)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info); + /* Given the user supplied info, check a password */ NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, Modified: branches/SAMBA_4_0/source/auth/auth_anonymous.c =================================================================== --- branches/SAMBA_4_0/source/auth/auth_anonymous.c 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth_anonymous.c 2006-07-27 11:24:18 UTC (rev 17270) @@ -30,21 +30,36 @@ * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail' * and pass onto the next module. **/ +static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (user_info->client.account_name && *user_info->client.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + return NT_STATUS_OK; +} + +/** + * Return a anonymous logon for anonymous users (username = "") + * + * Typically used as the first module in the auth chain, this allows + * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail' + * and pass onto the next module. + **/ static NTSTATUS anonymous_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **_server_info) { - if (user_info->client.account_name && *user_info->client.account_name) { - return NT_STATUS_NOT_IMPLEMENTED; - } - return auth_anonymous_server_info(mem_ctx, _server_info); } static struct auth_operations anonymous_auth_ops = { .name = "anonymous", .get_challenge = auth_get_challenge_not_implemented, + .want_check = anonymous_want_check, .check_password = anonymous_check_password }; Modified: branches/SAMBA_4_0/source/auth/auth_developer.c =================================================================== --- branches/SAMBA_4_0/source/auth/auth_developer.c 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth_developer.c 2006-07-27 11:24:18 UTC (rev 17270) @@ -24,6 +24,13 @@ #include "auth/auth.h" #include "libcli/security/security.h" +static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + return NT_STATUS_OK; +} + /** * Return an error based on username * @@ -56,11 +63,8 @@ DEBUG(5,("name_to_ntstatus_check_password: Error for user %s was 0x%08X\n", user, error_num)); nt_status = NT_STATUS(error_num); } + NT_STATUS_NOT_OK_RETURN(nt_status); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); @@ -128,6 +132,7 @@ static struct auth_operations name_to_ntstatus_auth_ops = { .name = "name_to_ntstatus", .get_challenge = auth_get_challenge_not_implemented, + .want_check = name_to_ntstatus_want_check, .check_password = name_to_ntstatus_check_password }; @@ -157,18 +162,27 @@ return NT_STATUS_OK; } +static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + /* don't handle any users */ + return NT_STATUS_NOT_IMPLEMENTED; +} + static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **_server_info) { /* don't handle any users */ - return NT_STATUS_NOT_IMPLEMENTED; + return NT_STATUS_NO_SUCH_USER; } static struct auth_operations fixed_challenge_auth_ops = { .name = "fixed_challenge", .get_challenge = fixed_challenge_get_challenge, + .want_check = fixed_challenge_want_check, .check_password = fixed_challenge_check_password }; Modified: branches/SAMBA_4_0/source/auth/auth_sam.c =================================================================== --- branches/SAMBA_4_0/source/auth/auth_sam.c 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth_sam.c 2006-07-27 11:24:18 UTC (rev 17270) @@ -334,6 +334,17 @@ return NT_STATUS_OK; } +static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + return NT_STATUS_OK; +} + static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, @@ -345,31 +356,32 @@ /**************************************************************************** Check SAM security (above) but with a few extra checks. ****************************************************************************/ -static NTSTATUS authsam_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) +static NTSTATUS authsam_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) { - const char *domain; BOOL is_local_name, is_my_domain; + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + is_local_name = is_myname(user_info->mapped.domain_name); is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup()); /* check whether or not we service this domain/workgroup name */ switch (lp_server_role()) { case ROLE_STANDALONE: - domain = lp_netbios_name(); - break; + return NT_STATUS_OK; + case ROLE_DOMAIN_MEMBER: if (!is_local_name) { - DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n", - user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER - ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") )); + DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n", + user_info->mapped.domain_name)); return NT_STATUS_NOT_IMPLEMENTED; } - domain = lp_netbios_name(); - break; + return NT_STATUS_OK; + case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: if (!is_local_name && !is_my_domain) { @@ -377,11 +389,37 @@ user_info->mapped.domain_name)); return NT_STATUS_NOT_IMPLEMENTED; } + return NT_STATUS_OK; + } + + DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n")); + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************************** +Check SAM security (above) but with a few extra checks. +****************************************************************************/ +static NTSTATUS authsam_check_password(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info) +{ + const char *domain; + + /* check whether or not we service this domain/workgroup name */ + switch (lp_server_role()) { + case ROLE_STANDALONE: + case ROLE_DOMAIN_MEMBER: + domain = lp_netbios_name(); + break; + + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: domain = lp_workgroup(); break; + default: - DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n")); - return NT_STATUS_NOT_IMPLEMENTED; + return NT_STATUS_NO_SUCH_USER; } return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info); @@ -390,12 +428,14 @@ static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, + .want_check = authsam_ignoredomain_want_check, .check_password = authsam_ignoredomain_check_password }; static const struct auth_operations sam_ops = { .name = "sam", .get_challenge = auth_get_challenge_not_implemented, + .want_check = authsam_want_check, .check_password = authsam_check_password }; Modified: branches/SAMBA_4_0/source/auth/auth_unix.c =================================================================== --- branches/SAMBA_4_0/source/auth/auth_unix.c 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth_unix.c 2006-07-27 11:24:18 UTC (rev 17270) @@ -773,20 +773,26 @@ * **/ +static NTSTATUS authunix_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + return NT_STATUS_OK; +} + static NTSTATUS authunix_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_serversupplied_info **server_info) { TALLOC_CTX *check_ctx; NTSTATUS nt_status; struct passwd *pwd; - if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) { - /* 'not for me' */ - return NT_STATUS_NOT_IMPLEMENTED; - } - if (user_info->password_state != AUTH_PASSWORD_PLAIN) { return NT_STATUS_INVALID_PARAMETER; } @@ -797,13 +803,13 @@ } nt_status = check_unix_password(check_ctx, user_info, &pwd); - if ( ! NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; } nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info); - if ( ! NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; } @@ -815,7 +821,8 @@ static const struct auth_operations unix_ops = { .name = "unix", .get_challenge = auth_get_challenge_not_implemented, - .check_password = authunix_check_password + .want_check = authunix_want_check, + .check_password = authunix_check_password }; NTSTATUS auth_unix_init(void) Modified: branches/SAMBA_4_0/source/auth/auth_winbind.c =================================================================== --- branches/SAMBA_4_0/source/auth/auth_winbind.c 2006-07-27 10:32:12 UTC (rev 17269) +++ branches/SAMBA_4_0/source/auth/auth_winbind.c 2006-07-27 11:24:18 UTC (rev 17270) @@ -46,6 +46,18 @@ } } +static NTSTATUS winbind_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + if (!user_info->mapped.account_name || !*user_info->mapped.account_name) { + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* TODO: maybe limit the user scope to remote users only */ + return NT_STATUS_OK; +} + /* Authenticate a user with a challenge/response */ static NTSTATUS winbind_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, @@ -129,6 +141,7 @@ static const struct auth_operations winbind_ops = { .name = "winbind", .get_challenge = auth_get_challenge_not_implemented, + .want_check = winbind_want_check, .check_password = winbind_check_password };