Another attempt at a patch to allow kerberos upn lookups via winbind...

McCall, Don (GSE-WTEC-Alpharetta) don.mccall at hp.com
Thu Feb 8 02:18:24 GMT 2007


Hallo Guenther, and the other Winbindd gurus,
I thought about your hint on LsaLookupName(upn), and being rather an
idiot in the ways of programming lsa requests, thought 'we have to be
already doing this somewhere....'
So I put together the following hack that works for me: it responds to
a failure in msrpc_name_to_sid() with a qualified re-lookup based on the
actual kerberos upn specified at the login prompt (code follows, diff -u
against the build_farm samba_30 tree).

This (modified parse_wbinfo_domain_user(), winbindd_lookupname(),
msrpc_name_to_sid(), and parse_domain_user()), along with adding a
parameter 'winbind parse kerberos names = yes' to the loadparm.c module,
allows me to telnet into my HP-UX system as ddmctest@wtec.adapps.hp.com
(the samAccountname associated with this upn is
wtec.adapps.hp.com\ddmctset (test spelt backwards)), do chown, etc.
I can also use wbinfo -n ddmctest@wtec.adapps.hp.com and get back valid
info, and when I touch a file, it's owned by WTEC\ddmctset and
WTEC\domain users...
The main gotcha I have found so far is that you have to precreate the
/home/WTEC/ddmctset directory, and to do that you would have to KNOW
that ddmctest actually has a samAccountname of ddmctset.

Could you possibly give this a look, and point out the holes I know must
be there? I'm just a poor hack, and could really use your input on
this.
Thanks,
Don


**********************************************************************

# /usr/local/bin/diff -u winbindd_rpc.c winbindd_rpc.mccall.c
--- winbindd_rpc.c      2006-12-08 22:49:39.000000000 -0500
+++ winbindd_rpc.mccall.c       2007-02-07 20:27:34.000000000 -0500
@@ -271,6 +271,16 @@
        result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
                                         &full_name, NULL, &sids,
&types);

+       /* mccall - try again with kerberos upn */
+       if (!NT_STATUS_IS_OK(result) &&
lp_winbind_parse_kerberos_names())
+        {
+
+         DEBUG(3,("mccall rpc: name_to_sid name=%s\@%s\n", name,
domain_name));

+         full_name = talloc_asprintf(mem_ctx, "%s\@%s", name,
domain_name);
+         result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
+                                       &full_name, NULL, &sids,
&types);
+        } /* end mccall */
+
        if (!NT_STATUS_IS_OK(result))
                return result;
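Review bot: The talloc_asprintf() result on the retry is never checked, so on allocation failure a NULL full_name is handed straight to the second rpccli_lsa_lookup_names(); add `if (full_name == NULL) return NT_STATUS_NO_MEMORY;` before that call. Both new format strings use `\@`, which is not a C escape sequence and only happens to produce '@' on common compilers; write `"%s@%s"` in the DEBUG and the talloc_asprintf. The retry also fires on every non-OK status, so a transport or access error from the first lookup is masked by a second round-trip under a different name form; gating it on the not-found status, `if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) && lp_winbind_parse_kerberos_names())`, keeps the fallback to the case it is meant for. msrpc_name_to_sid() continues outside the hunk.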

************************************************************************
***


--- winbindd_sid.c      2007-01-31 16:20:41.000000000 -0500
+++ winbindd_sid.mccall.c       2007-02-07 20:43:29.000000000 -0500
@@ -94,7 +94,16 @@
                *p = 0;
                name_domain = state->request.data.name.name;
                name_user = p+1;
-       } else {
+       } else { /* mccall */
+                p = strstr(state->request.data.name.name, "@");
+               if(p){
+                *p=0;
+                name_domain = p+1;
+                name_user = p;
+                DEBUG(8, ("winbindd_lookupname:
name_domain=%s,name_user=%s\n",

+
name_domain,name_user));

+               /* mccall end */
+        } else {
                name_domain = state->request.data.name.dom_name;
                name_user = state->request.data.name.name;
        }
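Review bot: `name_user = p;` stores the pointer to the '@' that the preceding `*p=0;` has just overwritten, so name_user is always the empty string and the lookup is done for "" in the realm; it should be `name_user = state->request.data.name.name;`. This branch is also not gated on lp_winbind_parse_kerberos_names(), unlike the parse_domain_user() and wbinfo.c hunks, so any request name containing '@' is split here even when the new parameter is off. For a single-character search strchr() is the usual call where the hunk uses strstr(..., "@"). winbindd_lookupname() starts before this hunk and continues after it.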

************************************************************************
*********

--- winbindd_util.c     2006-12-13 11:45:15.000000000 -0500
+++ winbindd_util.mccall.c      2007-02-07 20:51:28.000000000 -0500
@@ -800,8 +800,11 @@
 BOOL parse_domain_user(const char *domuser, fstring domain, fstring
user)
 {
        char *p = strchr(domuser,*lp_winbind_separator());
-
-       if ( !p ) {
+        char *q = strchr(domuser,'@');
+        if(!lp_winbind_parse_kerberos_names()){
+                char *q = NULL;
+                }
+       if ( !p && !q ) {
                fstrcpy(user, domuser);
                if ( assume_domain(lp_workgroup())) {
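Review bot: `char *q = NULL;` inside the `if(!lp_winbind_parse_kerberos_names())` block declares a new variable that shadows the outer q and is discarded at the closing brace, so the outer q still points at the '@' and the parameter never disables the new parsing; the line should be the plain assignment `q = NULL;`. The same shadowed declaration appears in the wbinfo.c hunk for parse_wbinfo_domain_user(). With the parameter off and a name containing '@' but no separator, the `!p && !q` test then fails, control reaches the else branch in the next hunk where neither inner block runs, and user and domain reach strupper_m() without ever having been written. Compiling with -Wshadow would flag the declaration.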
@@ -810,10 +813,19 @@
                        return False;
                }
        } else {
+               if(p){
                fstrcpy(user, p+1);
                fstrcpy(domain, domuser);
                domain[PTR_DIFF(p, domuser)] = 0;
-       }
+               }
+               if(q && lp_winbind_parse_kerberos_names()){
+                fstrcpy(user, domuser);
+                fstrcpy(domain, q+1);
+                user[PTR_DIFF(q, domuser)] = 0;
+                DEBUG(10, ("parse_domain_user:
user=%s,domain=%s,domuser=%s\n",

+                   user,domain,domuser));
+                }
+        }

        strupper_m(domain);
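Review bot: When a name carries both the winbind separator and '@', the `if(q && lp_winbind_parse_kerberos_names())` block runs after the `if(p)` block and silently overwrites its result, leaving user as everything before the '@' (separator and domain prefix included) and domain as the realm suffix; the two cases need an explicit precedence, for example `} else if (q && lp_winbind_parse_kerberos_names()) {` so only one form is honoured. The same overwrite is present in the wbinfo.c hunk. Note also that the domain taken from a UPN is a DNS realm, which strupper_m() upper-cases as before; whether the callers of parse_domain_user() resolve an upper-cased realm name to the intended domain is not visible here and should be confirmed.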

************************************************************************
*********

--- wbinfo.c    2006-11-29 18:45:18.000000000 -0500
+++ wbinfo.mccall.c     2007-02-07 20:58:32.000000000 -0500
@@ -104,16 +104,29 @@
 {

        char *p = strchr(domuser,winbind_separator());
-
-       if (!p) {
+        char *q = strchr(domuser,'@');
+        if(!lp_winbind_parse_kerberos_names()){
+                char *q = NULL;
+                }
+       if (!p && !q) {
                fstrcpy(user, domuser);
                fstrcpy(domain, get_winbind_domain());
                return True;
        }
-
-       fstrcpy(user, p+1);
-       fstrcpy(domain, domuser);
-       domain[PTR_DIFF(p, domuser)] = 0;
+       else {
+                if(p){
+                fstrcpy(user, p+1);
+                fstrcpy(domain, domuser);
+                domain[PTR_DIFF(p, domuser)] = 0;
+                }
+                if(q){
+                fstrcpy(user, domuser);
+                fstrcpy(domain, q+1);
+                user[PTR_DIFF(q, domuser)] = 0;
+                DEBUG(10, ("parse_wbinfo_domain_user:
user=%s,domain=%s,
+
domuser=%s\n",user,domain,domuser));
+                }
+        }
        strupper_m(domain);

        return True;
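Review bot: The nested `if(p){` and `if(q){` bodies are written at the same column as the `if` itself, and the hunk mixes the file's tab indentation with runs of eight spaces, so the new three-level nesting is hard to follow in a function that previously had none; indent each body one level and keep the file's tabs. The `else {` after a branch that ends in `return True;` adds a level for no reason; the original flat layout can be kept with the two new blocks placed after the early return. The `if(q)` block here is not gated on lp_winbind_parse_kerberos_names() as its parse_domain_user() counterpart is; whether that difference is intended for the client tool is not clear from the hunk.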

************************************************************************
*********

