git.ipfire.org Git - thirdparty/samba.git/commitdiff
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
author Stefan Metzmacher <metze@samba.org>
Fri, 8 Oct 2021 16:08:20 +0000 (18:08 +0200)
committer Jule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).

This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/auth/auth_util.c

index 4de4bc74374bbb0441e648b9826c42c5b3dc59a6..99b85d47a5f0ebbd6ec3463be0335e1bc12213e0 100644 (file)
@@ -1898,7 +1898,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
                return NT_STATUS_NO_MEMORY;
        }
 
-       passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
+       passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
        if (!passwd) {
                DEBUG(3, ("Failed to find authenticated user %s via "
                          "getpwnam(), denying access.\n", dom_user));
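Review bot: The bare `false` now passed as the fourth argument to smb_getpwnam() in check_account() gives no hint at the call site that it is a deliberate security decision, so a later cleanup could flip it back without noticing. A short comment above the call would help, for example "Do not autocreate local users here, see CVE-2020-25717". The DEBUG(3) message in the `if (!passwd)` branch is also now the only trace an administrator gets when a deployment that relied on 'add user script' starts denying access; consider saying in that message that the account is no longer created automatically, and documenting the behaviour change next to the 'add user script' option.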