mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
r19207: Properly canonicalize incoming names to the
NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth. That way we ensure winbindd only deals with fully qualified names internally. The NSS protocols auth_crap and chng_pswd_auth_crap should be fixed to do the same thing. Jeremy.
parent
2bdf9f140f
commit
dbd2454d33
@ -161,7 +161,7 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
|
||||
|
||||
/* Parse domain and username */
|
||||
|
||||
if (!parse_domain_user(state->request.data.ccache_ntlm_auth.user,
|
||||
if (!canonicalize_username(state->request.data.ccache_ntlm_auth.user,
|
||||
name_domain, name_user)) {
|
||||
DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
|
||||
state->request.data.ccache_ntlm_auth.user));
|
||||
|
@ -677,7 +677,7 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
|
||||
|
||||
/* Parse domain and username */
|
||||
|
||||
if (!parse_domain_user(state->request.data.auth.user,
|
||||
if (!canonicalize_username(state->request.data.auth.user,
|
||||
name_domain, name_user)) {
|
||||
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
|
||||
DEBUG(5, ("Plain text authentication for %s returned %s "
|
||||
@ -1806,7 +1806,16 @@ void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
|
||||
|
||||
/* Setup crap */
|
||||
|
||||
parse_domain_user(state->request.data.chauthtok.user, domain, user);
|
||||
if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
|
||||
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
|
||||
DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
|
||||
"(PAM: %d)\n",
|
||||
state->request.data.auth.user,
|
||||
state->response.data.auth.nt_status_string,
|
||||
state->response.data.auth.pam_error));
|
||||
request_error(state);
|
||||
return;
|
||||
}
|
||||
|
||||
contact_domain = find_domain_from_name(domain);
|
||||
if (!contact_domain) {
|
||||
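Review bot: The new failure path in winbindd_pam_chauthtok logs `state->request.data.auth.user`, although this handler parses `state->request.data.chauthtok.user` on the line above. The message is only right if the two request members happen to share a layout, so it should log `state->request.data.chauthtok.user`. The format string also runs `%s` straight into `"(PAM: %d)\n"`; add a space, `"... failed with %s "`. Whether `chauthtok.user` is forced to be NUL-terminated before canonicalize_username rewrites it in place is not visible in this hunk and is worth confirming, since the field comes from the client request. The function body starts and ends outside the hunk.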
@ -1941,7 +1950,7 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
|
||||
state->request.data.logoff.krb5ccname
|
||||
[sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
|
||||
|
||||
if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) {
|
||||
if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
@ -888,6 +888,26 @@ BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
|
||||
return ((*domain != NULL) && (*user != NULL));
|
||||
}
|
||||
|
||||
/* Ensure an incoming username from NSS is fully qualified. Replace the
|
||||
incoming fstring with DOMAIN <separator> user. Returns the same
|
||||
values as parse_domain_user() but also replaces the incoming username.
|
||||
Used to ensure all names are fully qualified within winbindd.
|
||||
Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
|
||||
The protocol definitions of auth_crap, chng_pswd_auth_crap
|
||||
really should be changed to use this instead of doing things
|
||||
by hand. JRA. */
|
||||
|
||||
BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
|
||||
{
|
||||
if (!parse_domain_user(username_inout, domain, user)) {
|
||||
return False;
|
||||
}
|
||||
slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
|
||||
domain, *lp_winbind_separator(),
|
||||
user);
|
||||
return True;
|
||||
}
|
||||
|
||||
/*
|
||||
Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
|
||||
'winbind separator' options.
|
||||
|
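Review bot: canonicalize_username returns True even when the rebuilt name did not fit. The `slprintf` is bounded by `sizeof(fstring) - 1` and its result is ignored, so an over-long `domain` + separator + `user` is silently truncated and the in/out name no longer agrees with the parsed `user`. This presumably matters when parse_domain_user supplies a domain for an unqualified name (its body is not shown here), because the qualified form is then longer than what the client sent. Reject rather than truncate, e.g. `if (strlen(domain) + 1 + strlen(user) >= sizeof(fstring)) return False;` before the `slprintf`. The header comment should also say that `username_inout` must be a writable fstring-sized buffer and that `domain` and `user` must not alias it.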