
r19207: Properly canonicalize incoming names to the

NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth.
That way we ensure winbindd only deals with fully
qualified names internally. The NSS protocols
auth_crap and chng_pswd_auth_crap should be fixed
to do the same thing.
Jeremy.
Jeremy Allison 2006-10-09 19:20:21 +00:00 committed by Gerald (Jerry) Carter
parent 2bdf9f140f
commit dbd2454d33
3 changed files with 33 additions and 4 deletions


@ -161,7 +161,7 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
if (!parse_domain_user(state->request.data.ccache_ntlm_auth.user,
if (!canonicalize_username(state->request.data.ccache_ntlm_auth.user,
name_domain, name_user)) {
DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
state->request.data.ccache_ntlm_auth.user));
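Review bot: The comment `/* Parse domain and username */` above the call is now incomplete, because canonicalize_username() also overwrites `state->request.data.ccache_ntlm_auth.user` in place with the DOMAIN<separator>user form. Anyone auditing later uses of that request field needs to know it no longer holds the string the client sent; I would change the comment to `/* Parse domain and username; rewrites the request's user field to its fully qualified form */`. The identical comment in the winbindd_pam_auth hunk needs the same update. The body of winbindd_ccache_ntlm_auth extends beyond this hunk, so the later uses of the field are not visible here.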


@ -677,7 +677,7 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
if (!parse_domain_user(state->request.data.auth.user,
if (!canonicalize_username(state->request.data.auth.user,
name_domain, name_user)) {
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
DEBUG(5, ("Plain text authentication for %s returned %s "
@ -1806,7 +1806,16 @@ void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
/* Setup crap */
parse_domain_user(state->request.data.chauthtok.user, domain, user);
if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
"(PAM: %d)\n",
state->request.data.auth.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
request_error(state);
return;
}
contact_domain = find_domain_from_name(domain);
if (!contact_domain) {
@ -1941,7 +1950,7 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
state->request.data.logoff.krb5ccname
[sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) {
if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
goto failed;
}
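Review bot: In the winbindd_pam_chauthtok hunk the new DEBUG call prints `state->request.data.auth.user`, but the name that failed to canonicalize is `state->request.data.chauthtok.user`. If the request data is a union the two members may happen to alias, which is not visible here, but the log line should name the field that was actually parsed: `state->request.data.chauthtok.user,`. The two adjacent string literals also join without a space, so the message reads "failed with <status>(PAM: n)"; ending the first literal with `failed with %s "` fixes that. The rest of winbindd_pam_chauthtok lies outside the hunk.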


@ -888,6 +888,26 @@ BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
return ((*domain != NULL) && (*user != NULL));
}
/* Ensure an incoming username from NSS is fully qualified. Replace the
incoming fstring with DOMAIN <separator> user. Returns the same
values as parse_domain_user() but also replaces the incoming username.
Used to ensure all names are fully qualified within winbindd.
Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
The protocol definitions of auth_crap, chng_pswd_auth_crap
really should be changed to use this instead of doing things
by hand. JRA. */
BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
{
if (!parse_domain_user(username_inout, domain, user)) {
return False;
}
slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
domain, *lp_winbind_separator(),
user);
return True;
}
/*
Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
'winbind separator' options.
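Review bot: canonicalize_username() discards the result of `slprintf()` and returns True even when DOMAIN<separator>user does not fit in an fstring. The rewritten name can be longer than the input whenever parse_domain_user() fills in a domain for an unqualified name, and with the write bounded to `sizeof(fstring) - 1` the tail of the user part would presumably be cut off silently. The callers would then authenticate, change the password for, or log off a name that differs from the one supplied. I would reject that case before formatting, with `if (strlen(domain) + 1 + strlen(user) > sizeof(fstring) - 1) { return False; }`. The header comment should also state that username_inout must point to a full fstring-sized buffer, since the parameter decays to a pointer and the function cannot check this itself.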