/*
 * Python binding for LoadParm.is_mydomain(name).
 *
 * Parses exactly one str argument and hands it, together with the
 * loadparm context wrapped by `self`, to lpcfg_is_mydomain(). The
 * C bool result is returned to Python as True/False. On an argument
 * parsing failure the Python exception set by PyArg_ParseTuple() is
 * propagated by returning NULL.
 */
static PyObject *py_lp_ctx_is_mydomain(py_talloc_Object *self, PyObject *args)
{
	char *domain_name = NULL;
	struct loadparm_context *lp_ctx = NULL;

	/* "s" requires a str without embedded NUL bytes; anything else raises. */
	if (!PyArg_ParseTuple(args, "s", &domain_name)) {
		return NULL;
	}

	lp_ctx = PyLoadparmContext_AsLoadparmContext(self);

	return PyBool_FromLong(lpcfg_is_mydomain(lp_ctx, domain_name));
}
/****************************************************************************
 Decide whether the SAM backend should handle this logon request at all.

 Beyond the plain SAM check the decision depends on the configured server
 role and on whether the client-supplied (already mapped) domain name is
 one of this host's own names (lpcfg_is_myname) or its own domain/workgroup
 name (lpcfg_is_mydomain).

 Returns NT_STATUS_OK when this backend should attempt the logon and
 NT_STATUS_NOT_IMPLEMENTED when the request is "not for us", which lets the
 auth stack move on to the next method. mem_ctx is accepted for interface
 compatibility and is not used here.
****************************************************************************/
static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
				   TALLOC_CTX *mem_ctx,
				   const struct auth_usersupplied_info *user_info)
{
	struct loadparm_context *lp_ctx = ctx->auth_ctx->lp_ctx;
	const char *domain = user_info->mapped.domain_name;
	bool name_is_ours;
	bool domain_is_ours;

	/* An empty mapped account name cannot be looked up in the SAM. */
	if (user_info->mapped.account_name == NULL ||
	    user_info->mapped.account_name[0] == '\0') {
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	name_is_ours = lpcfg_is_myname(lp_ctx, domain);
	domain_is_ours = lpcfg_is_mydomain(lp_ctx, domain);

	/* check whether or not we service this domain/workgroup name */
	switch (lpcfg_server_role(lp_ctx)) {
	case ROLE_STANDALONE:
		/* A standalone server answers for whatever name it is given. */
		return NT_STATUS_OK;

	case ROLE_DOMAIN_MEMBER:
		/* Only logons against one of our own host names are ours. */
		if (name_is_ours) {
			return NT_STATUS_OK;
		}
		DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
			 domain));
		return NT_STATUS_NOT_IMPLEMENTED;

	case ROLE_DOMAIN_CONTROLLER:
		/* A DC additionally answers for its own domain name. */
		if (name_is_ours || domain_is_ours) {
			return NT_STATUS_OK;
		}
		DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
			 domain));
		return NT_STATUS_NOT_IMPLEMENTED;

	default:
		/*
		 * NOTE(review): any other ROLE_* value ends up here and is
		 * rejected as "not for us" — confirm this is intended for every
		 * role the build defines.
		 */
		break;
	}

	DEBUG(6,("authsam_check_password: lpcfg_server_role() has an undefined value\n"));
	return NT_STATUS_NOT_IMPLEMENTED;
}
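/*
 * Look the user up in the local SAM and validate the supplied credentials.
 *
 * ctx            auth method context; ctx->auth_ctx->sam_ctx is the SAM ldb
 *                and ctx->auth_ctx->lp_ctx the loadparm context.
 * mem_ctx        talloc parent that receives *user_info_dc on success.
 * user_info      the client-supplied (already mapped) logon information.
 * user_info_dc   on NT_STATUS_OK the freshly built user token, owned by
 *                mem_ctx; not written on failure.
 * authoritative  written by authsam_authenticate(); it is not touched on the
 *                early "not for me" returns, so the caller is presumably
 *                expected to preset it — TODO confirm against the auth stack.
 *
 * Returns NT_STATUS_INVALID_SYSTEM_SERVICE when no SAM is configured,
 * NT_STATUS_NOT_IMPLEMENTED when the request is not for this backend,
 * NT_STATUS_NO_MEMORY / NT_STATUS_NO_SUCH_DOMAIN / NT_STATUS_NO_SUCH_USER,
 * or whatever the search, authentication and token-building helpers report.
 *
 * Change from the previous version: UPN cracking now allocates on tmp_ctx
 * rather than on the caller's mem_ctx. Its results (nt4_domain, nt4_account)
 * are consumed only inside this function, so they no longer outlive the
 * scratch context; every other temporary here already used tmp_ctx. Error
 * paths share a single cleanup label so tmp_ctx cannot be leaked.
 */
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
						 TALLOC_CTX *mem_ctx,
						 const struct auth_usersupplied_info *user_info,
						 struct auth_user_info_dc **user_info_dc,
						 bool *authoritative)
{
	NTSTATUS nt_status;
	const char *account_name = user_info->mapped.account_name;
	struct ldb_context *sam_ctx = ctx->auth_ctx->sam_ctx;
	struct loadparm_context *lp_ctx = ctx->auth_ctx->lp_ctx;
	struct ldb_message *msg = NULL;
	struct ldb_dn *domain_dn = NULL;
	DATA_BLOB user_sess_key, lm_sess_key;
	TALLOC_CTX *tmp_ctx = NULL;

	if (sam_ctx == NULL) {
		DEBUG(0, ("No SAM available, cannot log in users\n"));
		return NT_STATUS_INVALID_SYSTEM_SERVICE;
	}

	if (account_name == NULL || account_name[0] == '\0') {
		/* 'not for me' */
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	tmp_ctx = talloc_new(mem_ctx);
	if (tmp_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	domain_dn = ldb_get_default_basedn(sam_ctx);
	if (domain_dn == NULL) {
		nt_status = NT_STATUS_NO_SUCH_DOMAIN;
		goto done;
	}

	if (strchr_m(account_name, '@') != NULL) {
		const char *nt4_domain = NULL;
		const char *nt4_account = NULL;

		/*
		 * user@realm form: resolve it to DOMAIN\account first so the
		 * SAM search below is done on the NT4 account name rather
		 * than on the raw UPN string.
		 */
		nt_status = crack_name_to_nt4_name(tmp_ctx,
						   sam_ctx,
						   /*
						    * DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ?
						    */
						   DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
						   account_name,
						   &nt4_domain, &nt4_account);
		if (!NT_STATUS_IS_OK(nt_status)) {
			/* Every crack failure is reported uniformly as "no such user". */
			nt_status = NT_STATUS_NO_SUCH_USER;
			goto done;
		}

		if (!lpcfg_is_mydomain(lp_ctx, nt4_domain)) {
			/*
			 * The UPN cracked to a domain that is not ours (another
			 * domain within the forest). We are not authoritative for
			 * it, and nt4_account must not be searched for as a
			 * local account in our own SAM below.
			 */
			nt_status = NT_STATUS_NOT_IMPLEMENTED;
			goto done;
		}

		/* Use the NT4 account name for the lookup from here on. */
		account_name = nt4_account;
	}

	nt_status = authsam_search_account(tmp_ctx, sam_ctx, account_name,
					   domain_dn, &msg);
	if (!NT_STATUS_IS_OK(nt_status)) {
		goto done;
	}

	nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, sam_ctx,
					 domain_dn, msg, user_info,
					 &user_sess_key, &lm_sess_key,
					 authoritative);
	if (!NT_STATUS_IS_OK(nt_status)) {
		goto done;
	}

	nt_status = authsam_make_user_info_dc(tmp_ctx, sam_ctx,
					      lpcfg_netbios_name(lp_ctx),
					      lpcfg_sam_name(lp_ctx),
					      lpcfg_sam_dnsname(lp_ctx),
					      domain_dn, msg,
					      user_sess_key, lm_sess_key,
					      user_info_dc);
	if (!NT_STATUS_IS_OK(nt_status)) {
		goto done;
	}

	/* Hand the token to the caller before the scratch context goes away. */
	talloc_steal(mem_ctx, *user_info_dc);
	nt_status = NT_STATUS_OK;

done:
	talloc_free(tmp_ctx);
	return nt_status;
}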