mirror of
https://github.com/samba-team/samba.git
synced 2025-02-01 05:47:28 +03:00
Commit the translation of the realm to the netbios domain name in the kerberos
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
This commit is contained in:
Volker Lendecke
parent
cc02d8690c
commit
fd35232584
@ -278,6 +278,42 @@ static BOOL wbinfo_show_sequence(const char *domain)
|
||||
return True;
|
||||
}
|
||||
|
||||
/* Show domain info */
|
||||
|
||||
static BOOL wbinfo_domain_info(const char *domain_name)
|
||||
{
|
||||
struct winbindd_request request;
|
||||
struct winbindd_response response;
|
||||
|
||||
ZERO_STRUCT(request);
|
||||
ZERO_STRUCT(response);
|
||||
|
||||
fstrcpy(request.domain_name, domain_name);
|
||||
|
||||
/* Send request */
|
||||
|
||||
if (winbindd_request(WINBINDD_DOMAIN_INFO, &request, &response) !=
|
||||
NSS_STATUS_SUCCESS)
|
||||
return False;
|
||||
|
||||
/* Display response */
|
||||
|
||||
d_printf("Name : %s\n", response.data.domain_info.name);
|
||||
d_printf("Alt_Name: %s\n", response.data.domain_info.alt_name);
|
||||
|
||||
d_printf("SID : %s\n", response.data.domain_info.sid);
|
||||
|
||||
d_printf("Native : %s\n",
|
||||
response.data.domain_info.native_mode ? "Yes" : "No");
|
||||
|
||||
d_printf("Primary : %s\n",
|
||||
response.data.domain_info.primary ? "Yes" : "No");
|
||||
|
||||
d_printf("Sequence: %d\n", response.data.domain_info.sequence_number);
|
||||
|
||||
return True;
|
||||
}
|
||||
|
||||
/* Check trust account password */
|
||||
|
||||
static BOOL wbinfo_check_secret(void)
|
||||
@ -954,6 +990,8 @@ int main(int argc, char **argv)
|
||||
{ "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" },
|
||||
{ "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" },
|
||||
{ "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "Show sequence numbers of all domains" },
|
||||
{ "domain-info", 'D', POPT_ARG_STRING, &string_arg, 'D',
|
||||
"Show all most info we have about the domain" },
|
||||
{ "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups", "USER" },
|
||||
{ "user-sids", 0, POPT_ARG_STRING, &string_arg, OPT_USERSIDS, "Get user group sids for user SID", "SID" },
|
||||
{ "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" },
|
||||
@ -1081,6 +1119,12 @@ int main(int argc, char **argv)
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
case 'D':
|
||||
if (!wbinfo_domain_info(string_arg)) {
|
||||
d_printf("Could not get domain info\n");
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
case 'r':
|
||||
if (!wbinfo_get_usergroups(string_arg)) {
|
||||
d_printf("Could not get groups for user %s\n",
|
||||
|
||||
@ -264,6 +264,7 @@ static struct dispatch_table dispatch_table[] = {
|
||||
{ WINBINDD_INFO, winbindd_info, "INFO" },
|
||||
{ WINBINDD_INTERFACE_VERSION, winbindd_interface_version, "INTERFACE_VERSION" },
|
||||
{ WINBINDD_DOMAIN_NAME, winbindd_domain_name, "DOMAIN_NAME" },
|
||||
{ WINBINDD_DOMAIN_INFO, winbindd_domain_info, "DOMAIN_INFO" },
|
||||
{ WINBINDD_NETBIOS_NAME, winbindd_netbios_name, "NETBIOS_NAME" },
|
||||
{ WINBINDD_PRIV_PIPE_DIR, winbindd_priv_pipe_dir, "WINBINDD_PRIV_PIPE_DIR" },
|
||||
|
||||
|
||||
@ -203,6 +203,35 @@ enum winbindd_result winbindd_show_sequence(struct winbindd_cli_state *state)
|
||||
return WINBINDD_OK;
|
||||
}
|
||||
|
||||
enum winbindd_result winbindd_domain_info(struct winbindd_cli_state *state)
|
||||
{
|
||||
struct winbindd_domain *domain;
|
||||
|
||||
DEBUG(3, ("[%5lu]: domain_info [%s]\n", (unsigned long)state->pid,
|
||||
state->request.domain_name));
|
||||
|
||||
domain = find_domain_from_name(state->request.domain_name);
|
||||
|
||||
if (domain == NULL) {
|
||||
DEBUG(3, ("Did not find domain [%s]\n",
|
||||
state->request.domain_name));
|
||||
return WINBINDD_ERROR;
|
||||
}
|
||||
|
||||
fstrcpy(state->response.data.domain_info.name, domain->name);
|
||||
fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
|
||||
fstrcpy(state->response.data.domain_info.sid,
|
||||
sid_string_static(&domain->sid));
|
||||
|
||||
state->response.data.domain_info.native_mode = domain->native_mode;
|
||||
state->response.data.domain_info.primary = domain->primary;
|
||||
|
||||
state->response.data.domain_info.sequence_number =
|
||||
domain->sequence_number;
|
||||
|
||||
return WINBINDD_OK;
|
||||
}
|
||||
|
||||
enum winbindd_result winbindd_ping(struct winbindd_cli_state
|
||||
*state)
|
||||
{
|
||||
|
||||
@ -92,6 +92,9 @@ enum winbindd_cmd {
|
||||
WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
|
||||
WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
|
||||
|
||||
WINBINDD_DOMAIN_INFO, /* Most of what we know from
|
||||
struct winbindd_domain */
|
||||
|
||||
WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
|
||||
|
||||
/* WINS commands */
|
||||
@ -264,6 +267,14 @@ struct winbindd_response {
|
||||
char first_8_lm_hash[8];
|
||||
} auth;
|
||||
uint32 rid; /* create user or group */
|
||||
struct {
|
||||
fstring name;
|
||||
fstring alt_name;
|
||||
fstring sid;
|
||||
BOOL native_mode;
|
||||
BOOL primary;
|
||||
uint32 sequence_number;
|
||||
} domain_info;
|
||||
} data;
|
||||
|
||||
/* Variable length return data */
|
||||
|
||||
@ -141,7 +141,8 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
DATA_BLOB *secblob)
|
||||
{
|
||||
DATA_BLOB ticket;
|
||||
char *client, *p;
|
||||
char *client, *p, *domain;
|
||||
fstring netbios_domain_name;
|
||||
const struct passwd *pw;
|
||||
char *user;
|
||||
int sess_vuid;
|
||||
@ -198,8 +199,45 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
|
||||
/* this gives a fully qualified user name (ie. with full realm).
|
||||
that leads to very long usernames, but what else can we do? */
|
||||
|
||||
asprintf(&user, "%s%c%s", p+1, *lp_winbind_separator(), client);
|
||||
|
||||
domain = p+1;
|
||||
|
||||
{
|
||||
/* If we have winbind running, we can (and must) shorten the
|
||||
username by using the short netbios name. Otherwise we will
|
||||
have inconsistent user names. With Kerberos, we get the
|
||||
fully qualified realm, with ntlmssp we get the short
|
||||
name. And even w2k3 does use ntlmssp if you for example
|
||||
connect to an ip address. */
|
||||
|
||||
struct winbindd_request wb_request;
|
||||
struct winbindd_response wb_response;
|
||||
NSS_STATUS wb_result;
|
||||
|
||||
ZERO_STRUCT(wb_request);
|
||||
ZERO_STRUCT(wb_response);
|
||||
|
||||
DEBUG(10, ("Mapping [%s] to short name\n", domain));
|
||||
|
||||
fstrcpy(wb_request.domain_name, domain);
|
||||
|
||||
wb_result = winbindd_request(WINBINDD_DOMAIN_INFO,
|
||||
&wb_request, &wb_response);
|
||||
|
||||
if (wb_result == NSS_STATUS_SUCCESS) {
|
||||
|
||||
fstrcpy(netbios_domain_name,
|
||||
wb_response.data.domain_info.name);
|
||||
domain = netbios_domain_name;
|
||||
|
||||
DEBUG(10, ("Mapped to [%s]\n", domain));
|
||||
} else {
|
||||
DEBUG(3, ("Could not find short name -- winbind "
|
||||
"not running?\n"));
|
||||
}
|
||||
}
|
||||
|
||||
asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
|
||||
|
||||
pw = smb_getpwnam( user );
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user