svn commit: samba r19207 - in branches/SAMBA_3_0/source/nsswitch: .

jra at samba.org jra at samba.org
Mon Oct 9 19:20:23 GMT 2006


Author: jra
Date: 2006-10-09 19:20:21 +0000 (Mon, 09 Oct 2006)
New Revision: 19207

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19207

Log:
Properly canonicalize incoming names to the
NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth.
That way we ensure winbindd only deals with fully
qualified names internally. The NSS protocols
auth_crap and chng_pswd_auth_crap should be fixed
to do the same thing.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c	2006-10-09 15:11:37 UTC (rev 19206)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_ccache_access.c	2006-10-09 19:20:21 UTC (rev 19207)
@@ -161,7 +161,7 @@
 
 	/* Parse domain and username */
 
-	if (!parse_domain_user(state->request.data.ccache_ntlm_auth.user,
+	if (!canonicalize_username(state->request.data.ccache_ntlm_auth.user,
 				name_domain, name_user)) {
 		DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
 			state->request.data.ccache_ntlm_auth.user));

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-10-09 15:11:37 UTC (rev 19206)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-10-09 19:20:21 UTC (rev 19207)
@@ -677,7 +677,7 @@
 
 	/* Parse domain and username */
 	
-	if (!parse_domain_user(state->request.data.auth.user,
+	if (!canonicalize_username(state->request.data.auth.user,
 			       name_domain, name_user)) {
 		set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
 		DEBUG(5, ("Plain text authentication for %s returned %s "
@@ -1806,7 +1806,16 @@
 
 	/* Setup crap */
 
-	parse_domain_user(state->request.data.chauthtok.user, domain, user);
+	if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
+		set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
+		DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
+			  "(PAM: %d)\n",
+			  state->request.data.auth.user, 
+			  state->response.data.auth.nt_status_string,
+			  state->response.data.auth.pam_error));
+		request_error(state);
+		return;
+	}
 
 	contact_domain = find_domain_from_name(domain);
 	if (!contact_domain) {
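Review bot: The new failure-path DEBUG in winbindd_pam_chauthtok prints `state->request.data.auth.user`, while the name just passed to canonicalize_username() is `state->request.data.chauthtok.user`. If `request.data` is a union with both user fields at the same offset the output happens to match, but the log line then depends on that layout; pass `state->request.data.chauthtok.user,` instead. The format string also joins `"failed with %s"` and `"(PAM: %d)\n"` with no space, so the status string runs straight into the parenthesis; end the first literal with `%s `. The enclosing function starts before and continues after this hunk.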
@@ -1941,7 +1950,7 @@
 	state->request.data.logoff.krb5ccname
 		[sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
 
-	if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) {
+	if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
 		goto failed;
 	}
 

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_util.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_util.c	2006-10-09 15:11:37 UTC (rev 19206)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_util.c	2006-10-09 19:20:21 UTC (rev 19207)
@@ -888,6 +888,26 @@
 	return ((*domain != NULL) && (*user != NULL));
 }
 
+/* Ensure an incoming username from NSS is fully qualified. Replace the
+   incoming fstring with DOMAIN <separator> user. Returns the same
+   values as parse_domain_user() but also replaces the incoming username.
+   Used to ensure all names are fully qualified within winbindd.
+   Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
+   The protocol definitions of auth_crap, chng_pswd_auth_crap
+   really should be changed to use this instead of doing things
+   by hand. JRA. */
+
+BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
+{
+	if (!parse_domain_user(username_inout, domain, user)) {
+		return False;
+	}
+	slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
+		 domain, *lp_winbind_separator(),
+		 user);
+	return True;
+}
+
 /*
     Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
     'winbind separator' options.
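Review bot: canonicalize_username() ignores the result of slprintf() and returns True even when `DOMAIN<sep>user` does not fit in one fstring, so a truncated name can be written back into the request and then used by the auth, chauthtok, logoff and ccache_ntlm_auth paths. This looks reachable when the incoming name is unqualified and parse_domain_user() supplies the domain (its body is outside this hunk, so confirm), because `domain` and `user` are each a full fstring. Rejecting the overlong case before formatting avoids authenticating or looking up a silently shortened identity: `if (strlen(domain) + 1 + strlen(user) >= sizeof(fstring)) return False;`. The header comment should also state whether `username_inout` is left untouched when the function returns False, since callers log it on the failure path.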


