[SCM] Samba Shared Repository - branch v3-6-test updated

Jeremy Allison jra at samba.org
Thu Jul 29 13:53:38 MDT 2010

The branch, v3-6-test has been updated
       via  5bc0db4... Fix bug #7589 - ntlm_auth fails to use cached credentials.
      from  749b946... Fix tdb_check() to work with read-only tdb databases. The function tdb_lockall() uses F_WRLCK internally, which doesn't work on a fd opened with O_RDONLY. Use tdb_lockall_read() instead.


- Log -----------------------------------------------------------------
commit 5bc0db425f71ec8b7a570294b04cb2fb6d27be69
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 29 12:44:00 2010 -0700

    Fix bug #7589 - ntlm_auth fails to use cached credentials.
    In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
    of the mapped username, but fails to canonicalize the actual username
    sent to the backend domain process. When "winbind default domain"
    is set this can lead to credentials being cached with an index of
    user: user, not DOMAIN\user. All other code paths that use
    correctly canonicalize the data sent to the backend. All calls
    that can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
    correctly call canonicalize_username() to create the credential
    lookup key.


Summary of changes:
 source3/winbindd/winbindd_pam_auth.c |   12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index 94d98ec..4f963a3 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -35,7 +35,7 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
 	struct tevent_req *req, *subreq;
 	struct winbindd_pam_auth_state *state;
 	struct winbindd_domain *domain;
-	fstring name_domain, name_user, mapped_user;
+	fstring name_domain, name_user;
 	char *mapped = NULL;
 	NTSTATUS status;
@@ -62,17 +62,15 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
 	status = normalize_name_unmap(state, request->data.auth.user, &mapped);
-	/* If the name normalization didnt' actually do anything,
-	   just use the original name */
+	/* If the name normalization changed something, copy it over the given
+	   name */
 	if (NT_STATUS_IS_OK(status)
-		fstrcpy(mapped_user, mapped);
-	} else {
-		fstrcpy(mapped_user, request->data.auth.user);
+		fstrcpy(request->data.auth.user, mapped);
-	if (!canonicalize_username(mapped_user, name_domain, name_user)) {
+	if (!canonicalize_username(request->data.auth.user, name_domain, name_user)) {
 		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
 		return tevent_req_post(req, ev);
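
Review bot: the new fstrcpy(request->data.auth.user, mapped) overwrites the client-supplied request field in place, and the canonicalize_username() call right after it is then relied on to rewrite that same buffer, but nothing at the call site says the mutation is intentional. The replacement comment only covers the normalization copy; please extend it to state that request->data.auth.user is deliberately modified so the backend domain process receives the canonical DOMAIN\user form that the credential cache lookup key uses. Also confirm that the destination field is an fstring: mapped is a plain char * with no length bound visible in this hunk, and the removed code copied it into a local fstring rather than into the request structure.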

Samba Shared Repository
