Another attempt at a patch to allow kerberos upn lookups via
winbind...
McCall, Don (GSE-WTEC-Alpharetta)
don.mccall at hp.com
Thu Feb 8 02:18:24 GMT 2007
Hallo Guenther, and the other Winbindd gurus,
I thought about your hint on LsaLookupNames(upn), and being rather an idiot in the ways of programming LSA requests, thought "we must already be doing this somewhere...".
So I put together the following hack, which works for me: it responds to a failure in msrpc_name_to_sid() with a qualified re-lookup based on the actual Kerberos UPN given at the login prompt (code follows; diff -u against the build_farm samba_30 tree).
This (with parse_wbinfo_domain_user(), winbindd_lookupname(), msrpc_name_to_sid() and parse_domain_user() modified), together with a new 'winbind parse kerberos names = yes' parameter added to loadparm.c (that loadparm.c change is not part of the diff below), lets me telnet into my HP-UX system as ddmctest@wtec.adapps.hp.com (the samAccountName associated with this UPN is wtec.adapps.hp.com\ddmctset — "test" spelt backwards), do chown, etc.
I can also run wbinfo -n ddmctest@wtec.adapps.hp.com and get back valid info, and when I touch a file it is owned by WTEC\ddmctset and WTEC\domain users.
The main gotcha I have found so far is that you have to pre-create the /home/WTEC/ddmctset directory, and to do that you would have to know that ddmctest actually has a samAccountName of ddmctset.
Could you possibly give this a look and point out the holes I know must be there? I'm just a poor hack and could really use your input on this.
Thanks,
Don
**********************************************************************
# /usr/local/bin/diff -u winbindd_rpc.c winbindd_rpc.mccall.c
--- winbindd_rpc.c 2006-12-08 22:49:39.000000000 -0500
+++ winbindd_rpc.mccall.c 2007-02-07 20:27:34.000000000 -0500
@@ -271,6 +271,16 @@
result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
&full_name, NULL, &sids,
&types);
+ /* mccall - try again with kerberos upn */
+ if (!NT_STATUS_IS_OK(result) &&
lp_winbind_parse_kerberos_names())
+ {
+
+ DEBUG(3,("mccall rpc: name_to_sid name=%s\@%s\n", name,
domain_name));
+ full_name = talloc_asprintf(mem_ctx, "%s\@%s", name,
domain_name);
+ result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
+ &full_name, NULL, &sids,
&types);
+ } /* end mccall */
+
if (!NT_STATUS_IS_OK(result))
return result;
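Review bot: The format string `"%s\@%s"` used in both the DEBUG call and the talloc_asprintf call contains `\@`, which is not a C escape sequence — the standard leaves it undefined and compilers at best warn — so it should simply be `"%s@%s"`. The talloc_asprintf result is handed to rpccli_lsa_lookup_names without a NULL check; add `if (!full_name) return NT_STATUS_NO_MEMORY;` before the retry. The retry also fires on any non-OK status rather than only on an unmapped name, so a transport or access-denied failure is retried and its status replaced by the second call's; restricting the retry to the not-mapped case (e.g. NT_STATUS_NONE_MAPPED) keeps the original error visible. A UPN lookup can presumably resolve to an account outside `domain_name` (UPN suffixes are forest-wide), so whatever consumes `sids`/`types` after this hunk should confirm the returned SID belongs to the expected domain — that code, like the start of the enclosing function, is outside the hunk.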
************************************************************************
***
--- winbindd_sid.c 2007-01-31 16:20:41.000000000 -0500
+++ winbindd_sid.mccall.c 2007-02-07 20:43:29.000000000 -0500
@@ -94,7 +94,16 @@
*p = 0;
name_domain = state->request.data.name.name;
name_user = p+1;
- } else {
+ } else { /* mccall */
+ p = strstr(state->request.data.name.name, "@");
+ if(p){
+ *p=0;
+ name_domain = p+1;
+ name_user = p;
+ DEBUG(8, ("winbindd_lookupname:
name_domain=%s,name_user=%s\n",
+
name_domain,name_user));
+ /* mccall end */
+ } else {
name_domain = state->request.data.name.dom_name;
name_user = state->request.data.name.name;
}
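Review bot: In the new `@` branch `name_user = p;` is assigned after `*p=0;`, so name_user points at the terminator just written and the user part is always the empty string; it should be `name_user = state->request.data.name.name;`. Unlike the parse_domain_user and wbinfo changes, this split is not gated on lp_winbind_parse_kerberos_names(), so any request name containing `@` is reinterpreted as user@domain and the caller-supplied dom_name is silently ignored even when the option is off; gate it with `if (lp_winbind_parse_kerberos_names() && (p = strchr(state->request.data.name.name, '@'))) {`. strchr with '@' is also the natural call here rather than strstr with a one-character string. winbindd_lookupname's body begins before and continues after this hunk.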
************************************************************************
*********
--- winbindd_util.c 2006-12-13 11:45:15.000000000 -0500
+++ winbindd_util.mccall.c 2007-02-07 20:51:28.000000000 -0500
@@ -800,8 +800,11 @@
BOOL parse_domain_user(const char *domuser, fstring domain, fstring
user)
{
char *p = strchr(domuser,*lp_winbind_separator());
-
- if ( !p ) {
+ char *q = strchr(domuser,'@');
+ if(!lp_winbind_parse_kerberos_names()){
+ char *q = NULL;
+ }
+ if ( !p && !q ) {
fstrcpy(user, domuser);
if ( assume_domain(lp_workgroup())) {
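Review bot: The `char *q = NULL;` inside `if(!lp_winbind_parse_kerberos_names())` declares a new block-scoped q that shadows the outer one, so the outer q is never cleared and `@` names are still split when the option is off. Write `char *q = lp_winbind_parse_kerberos_names() ? strchr(domuser, '@') : NULL;` and drop the inner block. With the option off and an `@` in the name, the current code takes the else branch where neither `if(p)` nor the q branch fires (that part is in the next hunk), leaving `user` and `domain` unset before strupper_m(domain) and returning True with uninitialized output. parse_domain_user continues past this hunk.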
@@ -810,10 +813,19 @@
return False;
}
} else {
+ if(p){
fstrcpy(user, p+1);
fstrcpy(domain, domuser);
domain[PTR_DIFF(p, domuser)] = 0;
- }
+ }
+ if(q && lp_winbind_parse_kerberos_names()){
+ fstrcpy(user, domuser);
+ fstrcpy(domain, q+1);
+ user[PTR_DIFF(q, domuser)] = 0;
+ DEBUG(10, ("parse_domain_user:
user=%s,domain=%s,domuser=%s\n",
+ user,domain,domuser));
+ }
+ }
strupper_m(domain);
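Review bot: When both a separator and an `@` are present (`DOM\user@realm`) the p branch runs first and the q branch then overwrites its result, leaving `user` as `DOM\user` with the separator still inside; make the q branch an `else if` so the explicit DOMAIN\user form wins, or reject names that contain both. Because q is computed whether or not the option is set (see the previous hunk), a name containing `@` with the option off reaches this else branch and sets neither user nor domain, so strupper_m(domain) runs on an uninitialized fstring and the function still returns True; an explicit `return False;` fallback is needed for the case where no branch fired. After the q branch `domain` holds the Kerberos realm (here wtec.adapps.hp.com) uppercased rather than the NetBIOS domain name the rest of winbindd appears to use; presumably something downstream maps it, but that is not visible here. The function ends outside this hunk.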
************************************************************************
*********
--- wbinfo.c 2006-11-29 18:45:18.000000000 -0500
+++ wbinfo.mccall.c 2007-02-07 20:58:32.000000000 -0500
@@ -104,16 +104,29 @@
{
char *p = strchr(domuser,winbind_separator());
-
- if (!p) {
+ char *q = strchr(domuser,'@');
+ if(!lp_winbind_parse_kerberos_names()){
+ char *q = NULL;
+ }
+ if (!p && !q) {
fstrcpy(user, domuser);
fstrcpy(domain, get_winbind_domain());
return True;
}
-
- fstrcpy(user, p+1);
- fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = 0;
+ else {
+ if(p){
+ fstrcpy(user, p+1);
+ fstrcpy(domain, domuser);
+ domain[PTR_DIFF(p, domuser)] = 0;
+ }
+ if(q){
+ fstrcpy(user, domuser);
+ fstrcpy(domain, q+1);
+ user[PTR_DIFF(q, domuser)] = 0;
+ DEBUG(10, ("parse_wbinfo_domain_user:
user=%s,domain=%s,
+
domuser=%s\n",user,domain,domuser));
+ }
+ }
strupper_m(domain);
return True;
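Review bot: Same shadowing problem as in parse_domain_user: the `char *q = NULL;` inside the `if(!lp_winbind_parse_kerberos_names())` block declares a new variable, so the outer q keeps the strchr result and the `@` split happens regardless of the option; use `char *q = lp_winbind_parse_kerberos_names() ? strchr(domuser, '@') : NULL;` and remove the inner block. Unlike the winbindd_util.c version, the `if(q)` here does not re-check the option either, so once q is set the split is unconditional. Names with both forms (`DOM\user@realm`) end up with user `DOM\user` because the q branch overwrites the p branch's result; an `else if(q)` would make the explicit separator form win. The function's signature line precedes the hunk.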
************************************************************************
*********