union netr_Validation *validation = NULL;
bool interactive = false;
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ r->out.authoritative = true;
+
domain = wb_child_domain();
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
const char *target_domain_name = NULL;
const char *account_name = NULL;
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ req->out.authoritative = true;
+
switch (req->in.logon_level) {
case NetlogonInteractiveInformation:
case NetlogonServiceInformation:
{
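Review bot: The comment added above `req->out.authoritative = true;` reads "it will only set to false", which is missing a verb, and it does not say why true is the safe starting value. The same text is repeated in the first hunk on the page and in `set_auth_errors()`. I would word it as `it will only be set to false if we don't know the domain` and add one sentence on the consequence, which another comment in this change ("we don't want a fallback to the local sam") suggests is that a non-authoritative failure lets the caller try another account database. The enclosing function starts and ends outside this hunk.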
fstring name_namespace, name_domain, name_user;
NTSTATUS result;
- uint8_t authoritative = 0;
+ uint8_t authoritative = 1;
uint32_t flags = 0;
uint16_t validation_level = 0;
union netr_Validation *validation = NULL;
result = NT_STATUS_NO_LOGON_SERVERS;
}
+ /*
+ * Here we don't alter
+ * state->response->data.auth.authoritative based
+ * on the servers response
+ * as we don't want a fallback to the local sam
+ * for interactive PAM logons
+ */
set_auth_errors(state->response, result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
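Review bot: The new comment before `set_auth_errors(state->response, result);` says the authoritative flag is deliberately left alone, but the value the client sees on this path is whatever `set_auth_errors()` writes into the response. This commit makes that helper set `resp->data.auth.authoritative = true`, so the no-fallback behaviour for interactive PAM logons depends on a side effect of another function. I would either name that dependency in the comment or add an explicit `state->response->data.auth.authoritative = true;` after the call, so a later change to the helper cannot silently make failed logons non-authoritative. "servers response" should also read "server's response". The enclosing function starts and ends outside the hunk.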
const char *name_domain = NULL;
const char *workstation;
uint64_t logon_id = 0;
- uint8_t authoritative = 0;
+ uint8_t authoritative = 1;
uint32_t flags = 0;
uint16_t validation_level;
union netr_Validation *validation = NULL;
&validation_level,
&validation);
if (!NT_STATUS_IS_OK(result)) {
- state->response->data.auth.authoritative = authoritative;
goto done;
}
"from firewalled domain [%s]\n",
info3->base.account_name.string,
info3->base.logon_domain.string);
- state->response->data.auth.authoritative = true;
result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
goto done;
}
}
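Review bot: Dropping `state->response->data.auth.authoritative = true;` from the firewalled-domain branch means `NT_STATUS_AUTHENTICATION_FIREWALL_FAILED` is now reported with whatever the local `authoritative` holds when a later hunk copies it into the response via `state->response->data.auth.authoritative = authoritative;`. That local is initialised to 1, but it appears to be an out-parameter of the logon call whose tail (`&validation_level, &validation`) is visible in an earlier hunk, so by this point it would carry the server's answer rather than a local decision. If this rejection must never permit a fallback, set `authoritative = 1;` just before `result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;`. The rest of the function and the call's full argument list are outside the hunk, so this needs confirming against the whole function.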
set_auth_errors(state->response, result);
+ state->response->data.auth.authoritative = authoritative;
+
/*
* Log the winbind pam authentication, the logon_id will tie this to
* any of the logons invoked from this request.
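Review bot: The added `state->response->data.auth.authoritative = authoritative;` is only correct because it comes after `set_auth_errors()`, which in this commit resets the flag to true on every call. Reversing the two lines would discard a non-authoritative result without any warning. The same ordering is relied on where `response->data.auth.authoritative = state->authoritative;` follows `set_auth_errors(response, status);`. A one-line comment at both places would protect it, e.g. `/* must follow set_auth_errors(), which resets authoritative to true */`. The function body continues outside this hunk.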
struct winbindd_pam_auth_crap_state {
struct winbindd_response *response;
+ bool authoritative;
uint32_t flags;
};
if (req == NULL) {
return NULL;
}
-
+ state->authoritative = true;
state->flags = request->flags;
if (state->flags & WBFLAG_PAM_AUTH_PAC) {
domain = find_auth_domain(request->flags, auth_domain);
if (domain == NULL) {
+ /*
+ * We don't know the domain so
+ * we're not authoritative
+ */
+ state->authoritative = false;
tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
return tevent_req_post(req, ev);
}
if (tevent_req_is_nterror(req, &status)) {
set_auth_errors(response, status);
+ response->data.auth.authoritative = state->authoritative;
return status;
}
void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
{
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ resp->data.auth.authoritative = true;
+
resp->data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));