CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out...

We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 1aa2e3b065fce2245161c66a83a06c44cf7e70b3..e0c4436343cd3ea07b713b03b1ee86507bf8aa57 100644 (file)
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
        /*TODO: create a new event context here! */
        ev = auth_ctx->event_ctx;
 
+       /*
+        * We are authoritative by default
+        */
+       *pauthoritative = 1;
+
        subreq = auth_check_password_send(mem_ctx,
                                          ev,
                                          auth_ctx,