From f40fdaea7f64bcf7461a53f61fd6ffe8def0c8e9 Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Mon, 3 Apr 2017 15:22:08 +1200
Subject: [PATCH] rodc: Set non-authoritative for RODC bad passwords

This requires as a pre-requisite that the auth stack is not run twice. We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
---
 selftest/knownfail | 1 -
 source4/auth/ntlm/auth_sam.c | 6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 76578c9517a..c6047c85445 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -335,4 +335,3 @@
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_ntlm
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index cfe7455501b..0b175b5ecc7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -174,6 +174,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 struct ldb_message *dom_msg;
 struct samr_Password *lm_pwd;
 struct samr_Password *nt_pwd;
+ bool am_rodc;

 tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) {
@@ -196,7 +197,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 }

 if (lm_pwd == NULL && nt_pwd == NULL) {
- bool am_rodc;
 if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
 /*
 * we don't have passwords for this
@@ -458,6 +458,10 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 nt_errstr(nt_status)));
 }

+ if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
+ *authoritative = false;
+ }
+
 TALLOC_FREE(tmp_ctx);
 return NT_STATUS_WRONG_PASSWORD;
 }
-- 
2.47.2
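Review bot: The added `samdb_rodc()` block marks the RODC's NT_STATUS_WRONG_PASSWORD reply non-authoritative only after the bad-password bookkeeping whose result the `nt_errstr(nt_status)` context lines just above appear to log, so if the caller then forwards the same attempt to an RWDC the one failure can be counted twice against the account's lockout threshold; it is worth confirming that the forwarded path does not bump the count again, or recording the RODC-side count only when the answer stays authoritative. When `samdb_rodc()` itself fails the reply silently stays authoritative, which denies the user instead of forwarding — safe in direction, but a `DEBUG` line there would make that failure visible rather than indistinguishable from a real bad password. The new block also needs a why-comment, e.g. `/* An RODC's cached password may be stale: a mismatch here is not final, let the caller retry against an RWDC. */`. `authsam_password_check_and_record` begins outside this hunk, and the closing brace at the end of the hunk is presumably the function's end.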