svn commit: samba r19207 - in branches/SAMBA_3_0/source/nsswitch: .
jra at samba.org
jra at samba.org
Mon Oct 9 19:20:23 GMT 2006
Author: jra
Date: 2006-10-09 19:20:21 +0000 (Mon, 09 Oct 2006)
New Revision: 19207
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19207
Log:
Properly canonicalize incoming names to the
NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth.
That way we ensure winbindd only deals with fully
qualified names internally. The NSS protocols
auth_crap and chng_pswd_auth_crap should be fixed
to do the same thing.
Jeremy.
Modified:
branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c
branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
branches/SAMBA_3_0/source/nsswitch/winbindd_util.c
Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c 2006-10-09 15:11:37 UTC (rev 19206)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c 2006-10-09 19:20:21 UTC (rev 19207)
@@ -161,7 +161,7 @@
/* Parse domain and username */
- if (!parse_domain_user(state->request.data.ccache_ntlm_auth.user,
+ if (!canonicalize_username(state->request.data.ccache_ntlm_auth.user,
name_domain, name_user)) {
DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
state->request.data.ccache_ntlm_auth.user));
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-10-09 15:11:37 UTC (rev 19206)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-10-09 19:20:21 UTC (rev 19207)
@@ -677,7 +677,7 @@
/* Parse domain and username */
- if (!parse_domain_user(state->request.data.auth.user,
+ if (!canonicalize_username(state->request.data.auth.user,
name_domain, name_user)) {
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
DEBUG(5, ("Plain text authentication for %s returned %s "
@@ -1806,7 +1806,16 @@
/* Setup crap */
- parse_domain_user(state->request.data.chauthtok.user, domain, user);
+ if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
+ set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
+ DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
+ "(PAM: %d)\n",
+ state->request.data.auth.user,
+ state->response.data.auth.nt_status_string,
+ state->response.data.auth.pam_error));
+ request_error(state);
+ return;
+ }
contact_domain = find_domain_from_name(domain);
if (!contact_domain) {
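Review bot: The failure log added in the chauthtok path prints `state->request.data.auth.user`, but the name that was just rejected is the chauthtok one, so the argument should be `state->request.data.chauthtok.user`. If the two members share an offset in the request union (its definition is not visible here), the output is the same today, but the message would print the wrong field as soon as the layouts diverge. The format string also runs `%s` straight into `(PAM: %d)` with no space, which makes the status string harder to pick out when reading auth failures. The enclosing function starts and ends outside the hunk.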
@@ -1941,7 +1950,7 @@
state->request.data.logoff.krb5ccname
[sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
- if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) {
+ if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
goto failed;
}
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_util.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_util.c 2006-10-09 15:11:37 UTC (rev 19206)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_util.c 2006-10-09 19:20:21 UTC (rev 19207)
@@ -888,6 +888,26 @@
return ((*domain != NULL) && (*user != NULL));
}
+/* Ensure an incoming username from NSS is fully qualified. Replace the
+ incoming fstring with DOMAIN <separator> user. Returns the same
+ values as parse_domain_user() but also replaces the incoming username.
+ Used to ensure all names are fully qualified within winbindd.
+ Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
+ The protocol definitions of auth_crap, chng_pswd_auth_crap
+ really should be changed to use this instead of doing things
+ by hand. JRA. */
+
+BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
+{
+ if (!parse_domain_user(username_inout, domain, user)) {
+ return False;
+ }
+ slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
+ domain, *lp_winbind_separator(),
+ user);
+ return True;
+}
+
/*
Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
'winbind separator' options.
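Review bot: canonicalize_username() returns True even when the rebuilt name does not fit in the buffer. The `slprintf` call bounds the write to `sizeof(fstring) - 1`, but its result is ignored, so an over-long `domain<sep>user` would be silently truncated and the auth, chauthtok, logoff and ccache_ntlm_auth callers would carry on with a different name than the one supplied. This can presumably only happen when parse_domain_user() supplies a domain that was not part of the input; its body lies above the hunk, so that is an inference. A guard before the format call would make the failure explicit, for example `if (strlen(domain) + 1 + strlen(user) > sizeof(fstring) - 1) return False;`.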