svn commit: samba r18062 - in branches/SAMBA_3_0/source/nsswitch: .

jra at samba.org jra at samba.org
Tue Sep 5 05:28:31 GMT 2006 

Author: jra
Date: 2006-09-05 05:28:31 +0000 (Tue, 05 Sep 2006)
New Revision: 18062

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=18062

Log:
Fix to ensure the name used by pam matches the
name that will be returned by winbindd. This
(should) fix the bug where the user logs in
with DOMAIN\user but winbindd returns only
"user" for the username due to 'winbind use
default domain' being set.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2006-09-05 04:58:23 UTC (rev 18061)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2006-09-05 05:28:31 UTC (rev 18062)
@@ -344,7 +344,8 @@
 				const char *member, 
 				const char *cctype,
 				int process_result,
-				time_t *pwd_last_set)
+				time_t *pwd_last_set,
+				char **user_ret)
 {
 	struct winbindd_request request;
 	struct winbindd_response response;
@@ -388,6 +389,11 @@
 		request.flags |= WBFLAG_PAM_CACHED_LOGIN;
 	}
 
+	if (user_ret) {
+		*user_ret = NULL;
+		request.flags |= WBFLAG_PAM_UNIX_NAME;
+	}
+
 	if (cctype != NULL) {
 		strncpy(request.data.auth.krb5_cc_type, cctype, 
 			sizeof(request.data.auth.krb5_cc_type) - 1);
@@ -526,6 +532,12 @@
 		}
 	}
 
+	/* If winbindd returned a username, return the pointer to it here. */
+	if (user_ret && response.extra_data.data) {
+		/* We have to trust it's a null terminated string. */
+		*user_ret = response.extra_data.data;
+	}
+
 	return ret;
 }
 
@@ -906,6 +918,7 @@
 	const char *cctype = NULL;
 	int retval = PAM_AUTH_ERR;
 	dictionary *d;
+	char *username_ret = NULL;
 
 	/* parse arguments */
 	int ctrl = _pam_parse(argc, argv, &d);
@@ -948,7 +961,8 @@
 	cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d);
 
 	/* Now use the username to look up password */
-	retval = winbind_auth_request(pamh, ctrl, username, password, member, cctype, True, NULL);
+	retval = winbind_auth_request(pamh, ctrl, username, password, member,
+					cctype, True, NULL, &username_ret);
 
 	if (retval == PAM_NEW_AUTHTOK_REQD ||
 	    retval == PAM_AUTHTOK_EXPIRED) {
@@ -967,6 +981,11 @@
 	}
 
 out:
+	if (username_ret) {
+		pam_set_item (pamh, PAM_USER, username_ret);
+		free(username_ret);
+	}
+
 	if (d) {
 		iniparser_freedict(d);
 	}
@@ -1259,7 +1278,8 @@
 		}
 		/* verify that this is the password for this user */
 		
-		retval = winbind_auth_request(pamh, ctrl, user, pass_old, NULL, NULL, False, &pwdlastset_prelim);
+		retval = winbind_auth_request(pamh, ctrl, user, pass_old,
+					NULL, NULL, False, &pwdlastset_prelim, NULL);
 
 		if (retval != PAM_ACCT_EXPIRED && 
 		    retval != PAM_AUTHTOK_EXPIRED &&
@@ -1354,7 +1374,8 @@
 			const char *member = get_member_from_config(argc, argv, ctrl, d);
 			const char *cctype = get_krb5_cc_type_from_config(argc, argv, ctrl, d);
 
-			retval = winbind_auth_request(pamh, ctrl, user, pass_new, member, cctype, False, NULL);
+			retval = winbind_auth_request(pamh, ctrl, user, pass_new,
+							member, cctype, False, NULL, NULL);
 			_pam_overwrite(pass_new);
 			_pam_overwrite(pass_old);
 			pass_old = pass_new = NULL;

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-09-05 04:58:23 UTC (rev 18061)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-09-05 05:28:31 UTC (rev 18062)
@@ -1306,9 +1306,40 @@
 			DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
 			goto done;
 		}
-	
-	} 
 
+		if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
+			/* We've been asked to return the unix username, per 
+			   'winbind use default domain' settings and the like */
+
+			fstring username_out;
+			const char *nt_username, *nt_domain;
+
+			if (!(nt_username = unistr2_tdup(state->mem_ctx, &info3->uni_user_name))) {
+				/* If the server didn't give us one, just use the one we sent them */
+				nt_username = name_user;
+			}
+
+			if (!(nt_domain = unistr2_tdup(state->mem_ctx, &info3->uni_logon_dom))) {
+				/* If the server didn't give us one, just use the one we sent them */
+				nt_domain = name_domain;
+			}
+
+			fill_domain_username(username_out, nt_domain, nt_username, True);
+
+			DEBUG(5, ("Setting unix username to [%s]\n", username_out));
+
+			SAFE_FREE(state->response.extra_data.data);
+			state->response.extra_data.data = SMB_STRDUP(username_out);
+			if (!state->response.extra_data.data) {
+				result = NT_STATUS_NO_MEMORY;
+				goto done;
+			}
+			state->response.length +=
+				strlen((const char *)state->response.extra_data.data)+1;
+		}
+	}
+ 
+
 done:
 	/* give us a more useful (more correct?) error code */
 	if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
@@ -1329,7 +1360,7 @@
 	      state->response.data.auth.nt_status_string,
 	      state->response.data.auth.pam_error));	      
 
-	if ( NT_STATUS_IS_OK(result) &&
+	if ( NT_STATUS_IS_OK(result) && info3 &&
 	     (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
 
 		char *afsname = talloc_strdup(state->mem_ctx,
@@ -1389,7 +1420,7 @@
 	no_token:
 		TALLOC_FREE(afsname);
 	}
-
+	
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }

More information about the samba-cvs mailing list