sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

s3: Change behavior when seeing an unknown domain.

Browse Source 
After a lot of testing against various Windows servers (W2K, W2K3, W2K8),
within an AD domain it seems that unknown domains will only be translated
to the local account domain, not the netbios name of the member server's
domain.  This makes samba act more like Windows.
This commit is contained in:
Dan Sledz 2009-02-10 15:50:39 -08:00 committed by Steven Danneman
parent 3b8a57e064
commit d8c54fddda
3 changed files with 35 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
source3/auth/auth_util.c
View File

@ -186,13 +186,15 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
DATA_BLOB *plaintext,
NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
DATA_BLOB *lm_pwd,
DATA_BLOB *nt_pwd,
DATA_BLOB *lm_interactive_pwd,
DATA_BLOB *nt_interactive_pwd,
DATA_BLOB *plaintext,
bool encrypted)
{
const char *domain;
@ -200,12 +202,12 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
bool was_mapped;
fstring internal_username;
fstrcpy(internal_username, smb_name);
was_mapped = map_username(internal_username);
DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
/* don't allow "" as a domain, fixes a Win9X bug
was_mapped = map_username(internal_username);
DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
/* don't allow "" as a domain, fixes a Win9X bug
where it doens't supply a domain for logon script
'net use' commands. */
@ -214,16 +216,27 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
else
domain = lp_workgroup();
/* do what win2k does. Always map unknown domains to our own
and let the "passdb backend" handle unknown users. */
/* If you connect to a Windows domain member using a bogus domain name,
* the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
* the Windows box is a DC the name will become DOMAIN\user and be
* authenticated against AD, if the Windows box is a member server but
* not a DC the name will become WORKSTATION\user. A standalone
* non-domain member box will also map to WORKSTATION\user. */
if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
domain = my_sam_name();
/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
result = make_user_info(user_info, smb_name, internal_username,
client_domain, domain, wksta_name,
if (!is_trusted_domain(domain) &&
!strequal(domain, get_global_sam_name()) )
{
domain = get_global_sam_name();
DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] on "
"workstation [%s]\n",
client_domain, domain, smb_name, wksta_name));
}
/* we know that it is a trusted domain (and we are allowing them) or it
* is our domain */
result = make_user_info(user_info, smb_name, internal_username,
client_domain, domain, wksta_name,
lm_pwd, nt_pwd,
lm_interactive_pwd, nt_interactive_pwd,
plaintext, encrypted);

1
source3/include/proto.h
View File

@ -4420,7 +4420,6 @@ bool sid_check_is_in_our_domain(const DOM_SID *sid);
/* The following definitions come from passdb/passdb.c */
const char *my_sam_name(void);
struct samu *samu_new( TALLOC_CTX *ctx );
NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd);
NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd);

19
source3/passdb/passdb.c
View File

@ -27,25 +27,6 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
/******************************************************************
get the default domain/netbios name to be used when
testing authentication. For example, if you connect
to a Windows member server using a bogus domain name, the
Windows box will map the BOGUS\user to DOMAIN\user. A
standalone box will map to WKS\user.
******************************************************************/
const char *my_sam_name(void)
{
/* standalone servers can only use the local netbios name */
if ( lp_server_role() == ROLE_STANDALONE )
return global_myname();
/* Windows domain members default to the DOMAIN
name when not specified */
return lp_workgroup();
}
/**********************************************************************
***********************************************************************/