static PyObject *py_lp_ctx_is_myname(py_talloc_Object *self, PyObject *args)
{
char *name;
if (!PyArg_ParseTuple(args, "s", &name))
return NULL;
return PyBool_FromLong(lpcfg_is_myname(PyLoadparmContext_AsLoadparmContext(self), name));
}
/****************************************************************************
Check SAM security (above) but with a few extra checks.
****************************************************************************/
static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info)
{
bool is_local_name, is_my_domain;
if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
return NT_STATUS_NOT_IMPLEMENTED;
}
is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
user_info->mapped.domain_name);
is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx,
user_info->mapped.domain_name);
/* check whether or not we service this domain/workgroup name */
switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
case ROLE_STANDALONE:
return NT_STATUS_OK;
case ROLE_DOMAIN_MEMBER:
if (!is_local_name) {
DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
return NT_STATUS_OK;
case ROLE_DOMAIN_CONTROLLER:
if (!is_local_name && !is_my_domain) {
DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
return NT_STATUS_OK;
}
DEBUG(6,("authsam_check_password: lpcfg_server_role() has an undefined value\n"));
return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************************
Check SAM security (above) but with a few extra checks.
****************************************************************************/
static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info)
{
const char *effective_domain = user_info->mapped.domain_name;
bool is_local_name = false;
bool is_my_domain = false;
const char *p = NULL;
struct dsdb_trust_routing_table *trt = NULL;
const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
NTSTATUS status;
if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
return NT_STATUS_NOT_IMPLEMENTED;
}
if (effective_domain == NULL) {
effective_domain = "";
}
is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
effective_domain);
/* check whether or not we service this domain/workgroup name */
switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
case ROLE_STANDALONE:
return NT_STATUS_OK;
case ROLE_DOMAIN_MEMBER:
if (is_local_name) {
return NT_STATUS_OK;
}
DBG_DEBUG("%s is not one of my local names (DOMAIN_MEMBER)\n",
effective_domain);
return NT_STATUS_NOT_IMPLEMENTED;
case ROLE_ACTIVE_DIRECTORY_DC:
/* handled later */
break;
default:
DBG_ERR("lpcfg_server_role() has an undefined value\n");
return NT_STATUS_INVALID_SERVER_STATE;
}
/*
* Now we handle the AD DC case...
*/
is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
effective_domain);
if (is_my_domain) {
return NT_STATUS_OK;
}
if (user_info->mapped_state) {
/*
* The caller already did a cracknames call.
*/
DBG_DEBUG("%s is not one domain name (DC)\n",
effective_domain);
return NT_STATUS_NOT_IMPLEMENTED;
}
if (!strequal(effective_domain, "")) {
DBG_DEBUG("%s is not one domain name (DC)\n",
effective_domain);
return NT_STATUS_NOT_IMPLEMENTED;
}
p = strchr_m(user_info->mapped.account_name, '@');
if (p == NULL) {
/*
* An empty to domain name should be handled
* as the local domain name.
*/
return NT_STATUS_OK;
}
effective_domain = p + 1;
is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
effective_domain);
if (is_my_domain) {
return NT_STATUS_OK;
}
if (strequal(effective_domain, "")) {
DBG_DEBUG("authsam_check_password: upn without realm (DC)\n");
return NT_STATUS_NOT_IMPLEMENTED;
}
/*
* as last option we check the routing table if the
* domain is within our forest.
*/
status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
mem_ctx, &trt);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
nt_errstr(status));
return status;
}
tdo = dsdb_trust_routing_by_name(trt, effective_domain);
if (tdo == NULL) {
DBG_DEBUG("%s is not a known TLN (DC)\n",
effective_domain);
TALLOC_FREE(trt);
return NT_STATUS_NOT_IMPLEMENTED;
}
if (!(tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
DBG_DEBUG("%s is not a TLN in our forest (DC)\n",
effective_domain);
TALLOC_FREE(trt);
return NT_STATUS_NOT_IMPLEMENTED;
}
/*
* This principal is within our forest.
* we'll later do a crack_name_to_nt4_name()
* to check if it's in our domain.
*/
TALLOC_FREE(trt);
return NT_STATUS_OK;
}
