From 4f4c976e9b169176ef1ec353504be0ae97e274d8 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 7 May 2018 16:20:30 +0200 Subject: [PATCH 01/10] selftest: Make sure we have correct group mappings BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 9bc2b922bbc6539341a2056f33f117ac350e61f1) --- selftest/target/Samba3.pm | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 1f80f86945b..52c7d3e07cc 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -2425,6 +2425,9 @@ sub wait_for_start($$$$$) $netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' "; $netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} "; + $cmd = $netcmd . "groupmap delete ntgroup=domusers"; + $ret = system($cmd); + $cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain"; $ret = system($cmd); if ($ret != 0) { @@ -2432,6 +2435,9 @@ sub wait_for_start($$$$$) return 1; } + $cmd = $netcmd . "groupmap delete ntgroup=domadmins"; + $ret = system($cmd); + $cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain"; $ret = system($cmd); if ($ret != 0) { @@ -2439,6 +2445,9 @@ sub wait_for_start($$$$$) return 1; } + $cmd = $netcmd . "groupmap delete ntgroup=everyone"; + $ret = system($cmd); + $cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin"; $ret = system($cmd); if ($ret != 0) { -- 2.16.3 From 85a6b507805162d12ad4c09e044cee4aa890141a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 20 Apr 2018 11:24:30 +0200 Subject: [PATCH 02/10] nsswitch: Add a test looking up the user using the upn BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 
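Review bot: The `$ret = system($cmd);` after each new `groupmap delete` stores a result that is never examined, which is acceptable for a best-effort cleanup but, sitting directly above a `groupmap add` whose `$ret` is checked, reads like a forgotten `if ($ret != 0)`. A one-line comment above the first delete, `# best effort: drop any existing mapping before re-adding it; a missing mapping is not an error`, would make the intent explicit, and the domadmins and everyone hunks in this patch need the same treatment. The enclosing `wait_for_start` sub starts and ends outside all three hunks.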
Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 0d2f743d826b87b369e25fc6bb9ff61f2b0896aa) --- nsswitch/tests/test_wbinfo_name_lookup.sh | 9 +++++++-- source3/selftest/tests.py | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh index 696e25b3a2a..a8fd5ec4d99 100755 --- a/nsswitch/tests/test_wbinfo_name_lookup.sh +++ b/nsswitch/tests/test_wbinfo_name_lookup.sh @@ -8,8 +8,9 @@ exit 1; fi DOMAIN=$1 -DC_USERNAME=$2 -shift 2 +REALM=$2 +DC_USERNAME=$3 +shift 3 failed=0 sambabindir="$BINDIR" @@ -22,6 +23,10 @@ testit "name-to-sid.single-separator" \ $wbinfo -n $DOMAIN/$DC_USERNAME || \ failed=$(expr $failed + 1) +testit "name-to-sid.upn" \ + $wbinfo -n $DC_USERNAME@$REALM || \ + failed=$(expr $failed + 1) + # Two separator characters should fail testit_expect_failure "name-to-sid.double-separator" \ $wbinfo -n $DOMAIN//$DC_USERNAME || \ diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 172d3300463..a5acab2792a 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -210,7 +210,7 @@ plantestsuite("samba3.wbinfo_simple.(%s:local).%s" % (env, t), "%s:local" % env, plantestsuite("samba3.wbinfo_name_lookup", env, [ os.path.join(srcdir(), "nsswitch/tests/test_wbinfo_name_lookup.sh"), - '$DOMAIN', '$DC_USERNAME' ]) + '$DOMAIN', '$REALM', '$DC_USERNAME' ]) t = "WBCLIENT-MULTI-PING" plantestsuite("samba3.smbtorture_s3.%s" % t, env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//foo/bar', '""', '""', smbtorture3, ""]) plantestsuite("samba3.substitutions", env, [os.path.join(samba3srcdir, "script/tests/test_substitutions.sh"), "$SERVER", "alice", "Secret007", "$PREFIX"]) -- 2.16.3 From 66c3f73186acabc8d463a18044bc8ce53bda4ddc Mon Sep 17 00:00:00 2001 
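Review bot: The argument-count guard whose `exit 1; fi` opens the first hunk of test_wbinfo_name_lookup.sh has its condition above the hunk, while the hunk now reads `$3` and does `shift 3`; if that condition still tests for two arguments, a caller using the old arity slips past the usage message and dies on `shift 3` with an unhelpful shell error. Please confirm the guard now reads `if [ $# -lt 3 ]` and that its usage text lists the new REALM parameter between DOMAIN and DC_USERNAME. The tests.py hunk in the same patch already passes `'$REALM'`, so only the script-side check is in question.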
From: Andreas Schneider Date: Fri, 4 May 2018 12:43:05 +0200 Subject: [PATCH 03/10] nsswitch: Add a test looking up domain sid BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 0aceca6a94e868f9c01a66f79624ca10d80560ab) --- nsswitch/tests/test_wbinfo_name_lookup.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nsswitch/tests/test_wbinfo_name_lookup.sh b/nsswitch/tests/test_wbinfo_name_lookup.sh index a8fd5ec4d99..c1d39c1a602 100755 --- a/nsswitch/tests/test_wbinfo_name_lookup.sh +++ b/nsswitch/tests/test_wbinfo_name_lookup.sh @@ -23,6 +23,10 @@ testit "name-to-sid.single-separator" \ $wbinfo -n $DOMAIN/$DC_USERNAME || \ failed=$(expr $failed + 1) +testit "name-to-sid.at_domain" \ + $wbinfo -n $DOMAIN/ || \ + failed=$(expr $failed + 1) + testit "name-to-sid.upn" \ $wbinfo -n $DC_USERNAME@$REALM || \ failed=$(expr $failed + 1) -- 2.16.3 From c3c3c9f38f6a7db853d98a32b9b10e5add88c63d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 7 May 2018 13:23:42 +0200 Subject: [PATCH 04/10] nsswitch: Lookup the domain in tests with the wb seperator Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 4fa811ec7bc301e96f5e40ba281e8d4e8709b94f) --- nsswitch/tests/test_idmap_ad.sh | 2 +- nsswitch/tests/test_idmap_nss.sh | 4 ++-- nsswitch/tests/test_idmap_rid.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh index 2f4ee3293b2..7450ae06059 100755 --- a/nsswitch/tests/test_idmap_ad.sh +++ b/nsswitch/tests/test_idmap_ad.sh @@ -20,7 +20,7 @@ failed=0 . `dirname $0`/../../testprogs/blackbox/subunit.sh -DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") +DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") if [ $? -ne 0 ] ; then echo "Could not find domain SID" | subunit_fail_test "test_idmap_ad" exit 1 
diff --git a/nsswitch/tests/test_idmap_nss.sh b/nsswitch/tests/test_idmap_nss.sh index 5072a0df72c..1bbc177774d 100755 --- a/nsswitch/tests/test_idmap_nss.sh +++ b/nsswitch/tests/test_idmap_nss.sh @@ -13,8 +13,8 @@ failed=0 . `dirname $0`/../../testprogs/blackbox/subunit.sh -testit "wbinfo returns domain SID" $wbinfo -n "@$DOMAIN" || exit 1 -DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") +testit "wbinfo returns domain SID" $wbinfo -n "$DOMAIN/" || exit 1 +DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") echo "Domain $DOMAIN has SID $DOMAIN_SID" # Find an unused uid and SID diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh index 7fb59852cf5..8209a50a4fc 100755 --- a/nsswitch/tests/test_idmap_rid.sh +++ b/nsswitch/tests/test_idmap_rid.sh @@ -16,7 +16,7 @@ failed=0 . `dirname $0`/../../testprogs/blackbox/subunit.sh -DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") +DOMAIN_SID=$($wbinfo -n "$DOMAIN/" | cut -f 1 -d " ") if [ $? -ne 0 ] ; then echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid" exit 1 -- 2.16.3 From 8cd657265b2789aea38dae09c5580d93575553d0 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 20 Apr 2018 09:38:24 +0200 Subject: [PATCH 05/10] selftest: Add a user with a different userPrincipalName BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 5319cae00096dcecc29aa9fa675a983352ad64d8) --- selftest/target/Samba4.pm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index c161ee082a0..d6d67f5a5ab 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
@@ -847,7 +847,7 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn } # Create to users alice and bob! - my $user_account_array = ["alice", "bob"]; + my $user_account_array = ["alice", "bob", "jane"]; foreach my $user_account (@{$user_account_array}) { my $samba_tool_cmd = ""; @@ -862,6 +862,23 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn } } + my $ldbmodify = ""; + $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $ldbmodify .= Samba::bindir_path($self, "ldbmodify"); + + my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm})); + my $user_dn = "cn=jane,cn=users,$base_dn"; + + open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb"); + print LDIF "dn: $user_dn +changetype: modify +replace: userPrincipalName +userPrincipalName: jane.doe\@$ctx->{realm} +- +"; + close(LDIF); + return $ret; } -- 2.16.3 From c643fe5d2664dbac75600f5838ec53145bd9f98a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 20 Apr 2018 11:20:44 +0200 Subject: [PATCH 06/10] nsswitch:tests: Add test for wbinfo --user-info BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 2715f52f54e66a73131a92d752a8c2447da1fd33) --- nsswitch/tests/test_wbinfo_user_info.sh | 83 +++++++++++++++++++++++++++++++++ selftest/knownfail.d/upn_handling | 11 +++++ source3/selftest/tests.py | 14 ++++++ 3 files changed, 108 insertions(+) create mode 100755 nsswitch/tests/test_wbinfo_user_info.sh create mode 100644 selftest/knownfail.d/upn_handling diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh new file mode 100755 index 00000000000..2803ac1408b --- /dev/null +++ b/nsswitch/tests/test_wbinfo_user_info.sh 
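Review bot: Neither the `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")` nor the `close(LDIF)` in the second hunk is checked, so a failure to start ldbmodify or a rejected modify of jane's userPrincipalName is silent and surfaces later only as an unrelated UPN test failure. At minimum the two calls should be `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb") or die "ldbmodify: $!";` and `close(LDIF) or die "ldbmodify exited with $?";` (or `warn` plus returning undef, if that is the convention for this sub). A three-argument open (`open(my $ldif, '|-', ...)`) would also avoid the bareword filehandle, but that is a style preference.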
@@ -0,0 +1,83 @@ +#!/bin/sh +# Blackbox test for wbinfo lookup for account name and upn +# Copyright (c) 2018 Andreas Schneider + +if [ $# -lt 5 ]; then +cat < Date: Thu, 22 Feb 2018 14:10:28 +0100 Subject: [PATCH 07/10] winbind: Pass upn unmodified to lookup names BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Pair-Programmed-With: Andreas Schneider Signed-off-by: Stefan Metzmacher Signed-off-by: Andreas Schneider (cherry picked from commit 789c89e6ecb7d388fb5acdd5abc8fe99c58524f0) --- selftest/knownfail.d/upn_handling | 2 -- source3/winbindd/wb_lookupname.c | 8 +++++--- source3/winbindd/wb_xids2sids.c | 1 + source3/winbindd/winbindd_getgrnam.c | 5 ++++- source3/winbindd/winbindd_getgroups.c | 5 ++++- source3/winbindd/winbindd_getpwnam.c | 5 ++++- source3/winbindd/winbindd_irpc.c | 7 +++++-- source3/winbindd/winbindd_lookupname.c | 17 ++++++++++------- source3/winbindd/winbindd_proto.h | 4 +++- 9 files changed, 36 insertions(+), 18 deletions(-) diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling index 308c2948e8d..0fa2aa35f30 100644 --- a/selftest/knownfail.d/upn_handling +++ b/selftest/knownfail.d/upn_handling @@ -1,10 +1,8 @@ -^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.ad_member ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc -^samba3\.wbinfo_user_info\.name_to_sid\.upn\.jane\.doe.fl2008r2dc ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc diff --git a/source3/winbindd/wb_lookupname.c b/source3/winbindd/wb_lookupname.c index 1dd6b68334e..c7b027be801 100644 --- a/source3/winbindd/wb_lookupname.c 
+++ b/source3/winbindd/wb_lookupname.c @@ -35,7 +35,9 @@ static void wb_lookupname_done(struct tevent_req *subreq); struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - const char *dom_name, const char *name, + const char *namespace, + const char *dom_name, + const char *name, uint32_t flags) { struct tevent_req *req, *subreq; @@ -61,9 +63,9 @@ struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } - domain = find_lookup_domain_from_name(state->dom_name); + domain = find_lookup_domain_from_name(namespace); if (domain == NULL) { - DEBUG(5, ("Could not find domain for %s\n", state->dom_name)); + DEBUG(5, ("Could not find domain for %s\n", namespace)); tevent_req_nterror(req, NT_STATUS_NONE_MAPPED); return tevent_req_post(req, ev); } diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c index a2a4493bde8..0d21e55c25d 100644 --- a/source3/winbindd/wb_xids2sids.c +++ b/source3/winbindd/wb_xids2sids.c @@ -185,6 +185,7 @@ static void wb_xids2sids_init_dom_maps_lookupname_next( subreq = wb_lookupname_send(state, state->ev, dom_maps[state->dom_idx].name, + dom_maps[state->dom_idx].name, "", LOOKUP_NAME_NO_NSS); if (tevent_req_nomem(subreq, state->req)) { diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c index 02d9abc28a2..1d9a8b94d48 100644 --- a/source3/winbindd/winbindd_getgrnam.c +++ b/source3/winbindd/winbindd_getgrnam.c @@ -76,7 +76,10 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, fstrcpy(state->name_domain, get_global_sam_name()); } - subreq = wb_lookupname_send(state, ev, state->name_domain, state->name_group, + subreq = wb_lookupname_send(state, ev, + state->name_domain, + state->name_domain, + state->name_group, 0); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); 
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c index 8bf670654e1..68b470d6dad 100644 --- a/source3/winbindd/winbindd_getgroups.c +++ b/source3/winbindd/winbindd_getgroups.c @@ -75,7 +75,10 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } - subreq = wb_lookupname_send(state, ev, state->domname, state->username, + subreq = wb_lookupname_send(state, ev, + state->domname, + state->domname, + state->username, LOOKUP_NAME_NO_NSS); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c index 73d3b3317ad..26686bf9f0f 100644 --- a/source3/winbindd/winbindd_getpwnam.c +++ b/source3/winbindd/winbindd_getpwnam.c @@ -71,7 +71,10 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } - subreq = wb_lookupname_send(state, ev, state->domname, state->username, + subreq = wb_lookupname_send(state, ev, + state->domname, + state->domname, + state->username, LOOKUP_NAME_NO_NSS); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c index e03312ec7af..c9765cccd3c 100644 --- a/source3/winbindd/winbindd_irpc.c +++ b/source3/winbindd/winbindd_irpc.c @@ -464,6 +464,7 @@ static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq) struct wb_irpc_lsa_LookupNames4_name { void *state; uint32_t idx; + const char *namespace; const char *domain; char *name; struct dom_sid sid; 
@@ -551,11 +552,12 @@ static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg, if (p != NULL) { *p = 0; nstate->domain = nstate->name; + nstate->namespace = nstate->domain; nstate->name = p+1; } else if ((p = strchr(nstate->name, '@')) != NULL) { /* upn */ - nstate->domain = p + 1; - *p = 0; + nstate->domain = ""; + nstate->namespace = p + 1; } else { /* * TODO: select the domain based on @@ -570,6 +572,7 @@ static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg, subreq = wb_lookupname_send(msg, server_event_context(), + nstate->namespace, nstate->domain, nstate->name, LOOKUP_NAME_NO_NSS); diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c index b02269155f1..c5a7c135973 100644 --- a/source3/winbindd/winbindd_lookupname.c +++ b/source3/winbindd/winbindd_lookupname.c @@ -35,8 +35,10 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx, { struct tevent_req *req, *subreq; struct winbindd_lookupname_state *state; - const char *domname = NULL, *name = NULL; char *p = NULL; + const char *domname = NULL; + const char *name = NULL; + const char *namespace = NULL; req = tevent_req_create(mem_ctx, &state, struct winbindd_lookupname_state); 
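Review bot: In the `'@'` branch of the first winbindd_irpc.c hunk on this line the `*p = 0;` truncation is dropped, so `nstate->name` now carries the whole `user@realm` string while `nstate->domain` becomes `""` and only `nstate->namespace` points past the `@`; nothing in the code says this is deliberate, and a reader comparing it with the `'/'` branch directly above (which still splits at the separator) will suspect a lost line. A comment at the `/* upn */` marker such as `/* upn: keep the full user@realm as the name, the realm only selects the domain to ask */` would pin the intent, and the matching branch in winbindd_lookupname.c (@@ -56,28) deserves the same explanation. The enclosing wb_irpc_lsa_LookupNames4_call() starts and ends outside the hunk.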
@@ -56,28 +58,29 @@ struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx, if (p != NULL) { *p = '\0'; domname = request->data.name.name; + namespace = domname; name = p + 1; } else { p = strchr(request->data.name.name, '@'); if (p != NULL) { /* upn */ - domname = p + 1; - *p = '\0'; - name = request->data.name.name; + namespace = p + 1; } else { - domname = ""; - name = request->data.name.name; + namespace = ""; } + domname = ""; + name = request->data.name.name; } } else { domname = request->data.name.dom_name; + namespace = domname; name = request->data.name.name; } DEBUG(3, ("lookupname %s%s%s\n", domname, lp_winbind_separator(), name)); - subreq = wb_lookupname_send(state, ev, domname, name, 0); + subreq = wb_lookupname_send(state, ev, namespace, domname, name, 0); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); } diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 302ed1c0a23..e3091da0e40 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -568,7 +568,9 @@ NTSTATUS winbindd_lookupsids_recv(struct tevent_req *req, struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - const char *dom_name, const char *name, + const char *namespace, + const char *dom_name, + const char *name, uint32_t flags); NTSTATUS wb_lookupname_recv(struct tevent_req *req, struct dom_sid *sid, enum lsa_SidType *type); -- 2.16.3 From a3b4095e345d08f7717c5ea73b617a7663032052 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 26 Apr 2018 17:23:41 +0200 Subject: [PATCH 08/10] winbind: Remove unused function parse_domain_user_talloc() Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 32770e929ace8fe3f2469037ed887be14b3c5503) --- source3/winbindd/winbindd_proto.h | 2 -- source3/winbindd/winbindd_util.c | 12 ------------ 2 files changed, 14 deletions(-) 
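Review bot: The `DEBUG(3, ("lookupname %s%s%s\n", domname, lp_winbind_separator(), name))` line still reports only `domname` and `name`, so for a UPN request it now logs an empty domain followed by `user@realm` and never shows the `namespace` that actually chooses which domain is queried, which makes a failed lookup hard to attribute from the log. Since every branch in the hunk assigns `namespace` before this point, extending it to `DEBUG(3, ("lookupname %s%s%s (namespace %s)\n", domname, lp_winbind_separator(), name, namespace));` keeps the existing format and adds the routing information. The enclosing winbindd_lookupname_send() starts outside the hunk.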
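Review bot: The new `namespace` parameter in the wb_lookupname_send() prototype in winbindd_proto.h is declared next to `dom_name` with nothing to tell them apart, although the callers in this patch pass the same string for both in the NSS paths and, for a UPN, `""` as `dom_name` with the realm as `namespace`. A short comment on the prototype would save the next reader a trip through winbindd_lookupname.c, e.g. `/* namespace selects the winbindd_domain the query is routed to (find_lookup_domain_from_name); dom_name and name are the values handed to the lookup itself */`, with the second half hedged if dom_name is transformed further down in wb_lookupname.c, which is not visible here. The parse_domain_user() and lookup_cached_name() prototypes touched later in this series would benefit from the same note.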
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index e3091da0e40..0cbcbad2a96 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -477,8 +477,6 @@ struct winbindd_domain *find_default_route_domain(void); struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid); struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name); bool parse_domain_user(const char *domuser, fstring domain, fstring user); -bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, - char **domain, char **user); bool canonicalize_username(fstring username_inout, fstring domain, fstring user); void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume); char *fill_domain_username_talloc(TALLOC_CTX *ctx, diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index b19c42f626b..1317dfe422d 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1602,18 +1602,6 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user) return strupper_m(domain); } -bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, - char **domain, char **user) -{ - fstring fstr_domain, fstr_user; - if (!parse_domain_user(domuser, fstr_domain, fstr_user)) { - return False; - } - *domain = talloc_strdup(mem_ctx, fstr_domain); - *user = talloc_strdup(mem_ctx, fstr_user); - return ((*domain != NULL) && (*user != NULL)); -} - /* Ensure an incoming username from NSS is fully qualified. Replace the incoming fstring with DOMAIN user. Returns the same values as parse_domain_user() but also replaces the incoming username. -- 2.16.3 From 7728d791bcae614e3406d6ea2109e2440a86bf19 Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Thu, 26 Apr 2018 12:17:12 +0200 Subject: [PATCH 09/10] winbind: Fix UPN handling in parse_domain_user() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andreas Schneider Signed-off-by: Stefan Metzmacher (cherry picked from commit a05b63db627fdbe0bdea4d144dfaeedb39025592) --- selftest/knownfail.d/upn_handling | 1 - source3/winbindd/winbindd_cache.c | 5 +- source3/winbindd/winbindd_ccache_access.c | 26 +++++++--- source3/winbindd/winbindd_creds.c | 3 +- source3/winbindd/winbindd_getgrnam.c | 15 ++++-- source3/winbindd/winbindd_getgroups.c | 10 +++- source3/winbindd/winbindd_getpwnam.c | 10 +++- source3/winbindd/winbindd_pam.c | 83 +++++++++++++++++++++++-------- source3/winbindd/winbindd_proto.h | 8 ++- source3/winbindd/winbindd_util.c | 47 ++++++++++------- 10 files changed, 151 insertions(+), 57 deletions(-) diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling index 0fa2aa35f30..bcbedb4f903 100644 --- a/selftest/knownfail.d/upn_handling +++ b/selftest/knownfail.d/upn_handling @@ -1,4 +1,3 @@ -^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 9f9e8781c21..2778e27374f 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -3221,7 +3221,8 @@ bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, return NT_STATUS_IS_OK(status); } -bool lookup_cached_name(const char *domain_name, +bool lookup_cached_name(const char *namespace, + const char *domain_name, const char *name, struct dom_sid *sid, enum lsa_SidType *type) 
@@ -3230,7 +3231,7 @@ bool lookup_cached_name(const char *domain_name, NTSTATUS status; bool original_online_state; - domain = find_lookup_domain_from_name(domain_name); + domain = find_lookup_domain_from_name(namespace); if (domain == NULL) { return false; } diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c index 039e6534013..6bcf9a3552c 100644 --- a/source3/winbindd/winbindd_ccache_access.c +++ b/source3/winbindd/winbindd_ccache_access.c @@ -43,8 +43,9 @@ static bool client_can_access_ccache_entry(uid_t client_uid, return False; } -static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username, +static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace, const char *domain, + const char *username, const char *password, const DATA_BLOB initial_msg, const DATA_BLOB challenge_msg, @@ -182,11 +183,12 @@ static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid) void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) { struct winbindd_domain *domain; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; NTSTATUS result = NT_STATUS_NOT_SUPPORTED; struct WINBINDD_MEMORY_CREDS *entry; DATA_BLOB initial, challenge, auth; uint32_t initial_blob_len, challenge_blob_len, extra_len; + bool ok; /* Ensure null termination */ state->request->data.ccache_ntlm_auth.user[ @@ -238,7 +240,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) } /* Parse domain and username */ - if (!parse_domain_user(state->request->data.ccache_ntlm_auth.user, name_domain, name_user)) { + ok = parse_domain_user(state->request->data.ccache_ntlm_auth.user, + name_namespace, + name_domain, + name_user); + if (!ok) { DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse " "domain and user from name [%s]\n", state->request->data.ccache_ntlm_auth.user)); 
@@ -273,10 +279,16 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) state->request->data.ccache_ntlm_auth.challenge_blob_len); result = do_ntlm_auth_with_stored_pw( - name_user, name_domain, entry->pass, - initial, challenge, talloc_tos(), &auth, - state->response->data.ccache_ntlm_auth.session_key, - &state->response->data.ccache_ntlm_auth.new_spnego); + name_namespace, + name_domain, + name_user, + entry->pass, + initial, + challenge, + talloc_tos(), + &auth, + state->response->data.ccache_ntlm_auth.session_key, + &state->response->data.ccache_ntlm_auth.new_spnego); if (!NT_STATUS_IS_OK(result)) { goto process_result; diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c index 15cca554d45..2d7aacf36a9 100644 --- a/source3/winbindd/winbindd_creds.c +++ b/source3/winbindd/winbindd_creds.c @@ -76,7 +76,8 @@ NTSTATUS winbindd_store_creds(struct winbindd_domain *domain, enum lsa_SidType type; - if (!lookup_cached_name(domain->name, + if (!lookup_cached_name(domain->name, /* namespace */ + domain->name, user, &cred_sid, &type)) { diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c index 1d9a8b94d48..37c205ddba4 100644 --- a/source3/winbindd/winbindd_getgrnam.c +++ b/source3/winbindd/winbindd_getgrnam.c @@ -22,7 +22,7 @@ struct winbindd_getgrnam_state { struct tevent_context *ev; - fstring name_domain, name_group; + fstring name_namespace, name_domain, name_group; struct dom_sid sid; const char *domname; const char *name; @@ -42,6 +42,7 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, struct winbindd_getgrnam_state *state; char *tmp; NTSTATUS nt_status; + bool ok; req = tevent_req_create(mem_ctx, &state, struct winbindd_getgrnam_state); 
@@ -66,7 +67,15 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, /* Parse domain and groupname */ - parse_domain_user(tmp, state->name_domain, state->name_group); + ok = parse_domain_user(tmp, + state->name_namespace, + state->name_domain, + state->name_group); + if (!ok) { + DBG_INFO("Could not parse domain user: %s\n", tmp); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } /* if no domain or our local domain and no local tdb group, default to * our local domain for aliases */ @@ -77,7 +86,7 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, } subreq = wb_lookupname_send(state, ev, - state->name_domain, + state->name_namespace, state->name_domain, state->name_group, 0); diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c index 68b470d6dad..f7f2df5f7b1 100644 --- a/source3/winbindd/winbindd_getgroups.c +++ b/source3/winbindd/winbindd_getgroups.c @@ -23,6 +23,7 @@ struct winbindd_getgroups_state { struct tevent_context *ev; + fstring namespace; fstring domname; fstring username; struct dom_sid sid; @@ -46,6 +47,7 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx, struct winbindd_getgroups_state *state; char *domuser, *mapped_user; NTSTATUS status; + bool ok; req = tevent_req_create(mem_ctx, &state, struct winbindd_getgroups_state); @@ -69,14 +71,18 @@ struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx, domuser = mapped_user; } - if (!parse_domain_user(domuser, state->domname, state->username)) { + ok = parse_domain_user(domuser, + state->namespace, + state->domname, + state->username); + if (!ok) { DEBUG(5, ("Could not parse domain user: %s\n", domuser)); tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); return tevent_req_post(req, ev); } subreq = wb_lookupname_send(state, ev, - state->domname, + state->namespace, state->domname, state->username, LOOKUP_NAME_NO_NSS); 
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c index 26686bf9f0f..8da66c25141 100644 --- a/source3/winbindd/winbindd_getpwnam.c +++ b/source3/winbindd/winbindd_getpwnam.c @@ -23,6 +23,7 @@ struct winbindd_getpwnam_state { struct tevent_context *ev; + fstring namespace; fstring domname; fstring username; struct dom_sid sid; @@ -42,6 +43,7 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx, struct winbindd_getpwnam_state *state; char *domuser, *mapped_user; NTSTATUS status; + bool ok; req = tevent_req_create(mem_ctx, &state, struct winbindd_getpwnam_state); @@ -65,14 +67,18 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx, domuser = mapped_user; } - if (!parse_domain_user(domuser, state->domname, state->username)) { + ok = parse_domain_user(domuser, + state->namespace, + state->domname, + state->username); + if (!ok) { DEBUG(5, ("Could not parse domain user: %s\n", domuser)); tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); return tevent_req_post(req, ev); } subreq = wb_lookupname_send(state, ev, - state->domname, + state->namespace, state->domname, state->username, LOOKUP_NAME_NO_NSS); diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 8403d7d57b6..9c66c6bdb82 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -645,7 +645,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, const char *principal_s = NULL; const char *service = NULL; char *realm = NULL; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; time_t ticket_lifetime = 0; time_t renewal_until = 0; ADS_STRUCT *ads; @@ -658,6 +658,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, const char *local_service; uint32_t i; struct netr_SamInfo6 *info6_copy = NULL; + bool ok; *info6 = NULL; 
@@ -693,7 +694,10 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, /* 3rd step: * do kerberos auth and setup ccache as the user */ - parse_domain_user(user, name_domain, name_user); + ok = parse_domain_user(user, name_namespace, name_domain, name_user); + if (!ok) { + return NT_STATUS_INVALID_PARAMETER; + } realm = talloc_strdup(mem_ctx, domain->alt_name); if (realm == NULL) { @@ -975,7 +979,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, { NTSTATUS result = NT_STATUS_LOGON_FAILURE; uint16_t max_allowed_bad_attempts; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; struct dom_sid sid; enum lsa_SidType type; uchar new_nt_pass[NT_HASH_LEN]; @@ -996,10 +1000,14 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, /* Parse domain and username */ - parse_domain_user(state->request->data.auth.user, name_domain, name_user); + parse_domain_user(state->request->data.auth.user, + name_namespace, + name_domain, + name_user); - if (!lookup_cached_name(name_domain, + if (!lookup_cached_name(name_namespace, + name_domain, name_user, &sid, &type)) { 
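Review bot: The `parse_domain_user(state->request->data.auth.user, name_namespace, name_domain, name_user);` call in winbindd_dual_pam_auth_cached() (last hunk on this line) is the one call site in this patch whose return value is still ignored, while every other caller in winbindd_pam.c now checks `ok` and fails with NT_STATUS_INVALID_PARAMETER; on a parse failure the three fstrings are handed straight to `lookup_cached_name()` in whatever state the parser left them (its new body is in winbindd_util.c, which is cut off here, so whether it clears its outputs on failure is unknown). The consistent form is `if (!parse_domain_user(state->request->data.auth.user, name_namespace, name_domain, name_user)) {` followed by `return NT_STATUS_INVALID_PARAMETER;` and `}`, or the function's own cleanup path if it has one. The enclosing function starts and ends outside the hunk.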
@@ -1244,19 +1252,28 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, struct netr_SamInfo6 **info6) { struct winbindd_domain *contact_domain; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; NTSTATUS result; + bool ok; DEBUG(10,("winbindd_dual_pam_auth_kerberos\n")); /* Parse domain and username */ - parse_domain_user(state->request->data.auth.user, name_domain, name_user); + ok = parse_domain_user(state->request->data.auth.user, + name_namespace, + name_domain, + name_user); + if (!ok) { + result = NT_STATUS_INVALID_PARAMETER; + goto done; + } /* what domain should we contact? */ if ( IS_DC ) { - if (!(contact_domain = find_domain_from_name(name_domain))) { + contact_domain = find_domain_from_name(name_namespace); + if (contact_domain == NULL) { DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", state->request->data.auth.user, name_domain, name_user, name_domain)); result = NT_STATUS_NO_SUCH_USER; @@ -1270,7 +1287,7 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, goto done; } - contact_domain = find_domain_from_name(name_domain); + contact_domain = find_domain_from_name(name_namespace); if (contact_domain == NULL) { DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", state->request->data.auth.user, name_domain, name_user, name_domain)); 
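Review bot: Both `DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", ...))` messages in winbindd_dual_pam_auth_kerberos() still pass `name_domain` as the untrusted domain, while the lookup that failed is now `find_domain_from_name(name_namespace)`; for a UPN login, where the parsed domain is presumably empty and the realm lives in `name_namespace`, the log will blame an empty string. Changing the final argument of each DEBUG to `name_namespace` (the `[%s]\\[%s]` part can keep showing `name_domain` and `name_user`) makes the message name the domain that was actually looked up; this applies to the hunk at @@ -1244,19 and the one at @@ -1270,7 on this line. The function's end is outside both hunks.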
@@ -1662,19 +1679,23 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon( DATA_BLOB lm_resp; DATA_BLOB nt_resp; unsigned char local_nt_response[24]; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; NTSTATUS result; uint8_t authoritative = 0; uint32_t flags = 0; uint16_t validation_level; union netr_Validation *validation = NULL; struct netr_SamBaseInfo *base_info = NULL; + bool ok; DEBUG(10,("winbindd_dual_pam_auth_samlogon\n")); /* Parse domain and username */ - parse_domain_user(user, name_domain, name_user); + ok = parse_domain_user(user, name_namespace, name_domain, name_user); + if (!ok) { + return NT_STATUS_INVALID_PARAMETER; + } /* * We check against domain->name instead of @@ -1869,12 +1890,13 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, { NTSTATUS result = NT_STATUS_LOGON_FAILURE; NTSTATUS krb5_result = NT_STATUS_OK; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; char *mapped_user; fstring domain_user; uint16_t validation_level = UINT16_MAX; union netr_Validation *validation = NULL; NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; + bool ok; /* Ensure null termination */ state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0'; @@ -1900,7 +1922,14 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, mapped_user = state->request->data.auth.user; } - parse_domain_user(mapped_user, name_domain, name_user); + ok = parse_domain_user(mapped_user, + name_namespace, + name_domain, + name_user); + if (!ok) { + result = NT_STATUS_INVALID_PARAMETER; + goto process_result; + } if ( mapped_user != state->request->data.auth.user ) { fstr_sprintf( domain_user, "%s%c%s", name_domain, 
@@ -2490,15 +2519,20 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact struct samr_DomInfo1 *info = NULL; struct userPwdChangeFailureInformation *reject = NULL; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - fstring domain, user; + fstring namespace, domain, user; struct dcerpc_binding_handle *b = NULL; + bool ok; ZERO_STRUCT(dom_pol); DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid, state->request->data.auth.user)); - if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) { + ok = parse_domain_user(state->request->data.chauthtok.user, + namespace, + domain, + user); + if (!ok) { goto done; } @@ -2707,7 +2741,7 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai DATA_BLOB old_nt_hash_enc; DATA_BLOB new_lm_password; DATA_BLOB old_lm_hash_enc; - fstring domain,user; + fstring namespace, domain, user; struct policy_handle dom_pol; struct winbindd_domain *contact_domain = domainSt; struct rpc_pipe_client *cli = NULL; @@ -2720,8 +2754,9 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0; state->request->data.chng_pswd_auth_crap.domain[ sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0; - *domain = 0; - *user = 0; + domain[0] = '\0'; + namespace[0] = '\0'; + user[0] = '\0'; DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n", (unsigned long)state->pid, 
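Review bot: In winbindd_dual_pam_chauthtok (first hunk) a parse failure jumps to `done` with `result` still at its initial `NT_STATUS_UNSUCCESSFUL`, whereas the other sites in this series set `NT_STATUS_INVALID_PARAMETER` before the jump; add `result = NT_STATUS_INVALID_PARAMETER;` ahead of `goto done;` so a malformed name is distinguishable from a server-side failure in the caller and in logs. The `namespace` parsed here, and the one zeroed in winbindd_dual_pam_chng_pswd_auth_crap (third hunk), is not read within the visible lines; if the remainder of these functions still resolves the contact domain from `domain`, a UPN caller would hit an empty domain — verify. Both functions continue outside the hunks.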
@@ -2738,8 +2773,16 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai if (*state->request->data.chng_pswd_auth_crap.domain) { fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain); } else { - parse_domain_user(state->request->data.chng_pswd_auth_crap.user, - domain, user); + bool ok; + + ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user, + namespace, + domain, + user); + if (!ok) { + result = NT_STATUS_INVALID_PARAMETER; + goto done; + } if(!*domain) { DEBUG(3,("no domain specified with username (%s) - " diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 0cbcbad2a96..c4b27575b32 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -134,7 +134,8 @@ void close_winbindd_cache(void); bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, char **domain_name, char **name, enum lsa_SidType *type); -bool lookup_cached_name(const char *domain_name, +bool lookup_cached_name(const char *namespace, + const char *domain_name, const char *name, struct dom_sid *sid, enum lsa_SidType *type); @@ -476,7 +477,10 @@ struct winbindd_domain *find_our_domain(void); struct winbindd_domain *find_default_route_domain(void); struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid); struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name); -bool parse_domain_user(const char *domuser, fstring domain, fstring user); +bool parse_domain_user(const char *domuser, + fstring namespace, + fstring domain, + fstring user); bool canonicalize_username(fstring username_inout, fstring domain, fstring user); void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume); char *fill_domain_username_talloc(TALLOC_CTX *ctx, diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 1317dfe422d..068be91dca5 100644 --- a/source3/winbindd/winbindd_util.c 
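Review bot: When the request carries an explicit domain, the `fstrcpy(domain, ...)` branch of winbindd_dual_pam_chng_pswd_auth_crap leaves `namespace` empty (it was only zeroed in the previous hunk), so the two values disagree depending on which branch ran; mirror the `DOMAIN\user` case of parse_domain_user with `fstrcpy(namespace, domain);` in that branch. Whether later code in this function reads `namespace` is not visible here — the function continues outside the hunk.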
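Review bot: The new parse_domain_user prototype in winbindd_proto.h (third hunk) carries no comment explaining how `namespace` differs from `domain`, which is the whole point of the change: for `DOMAIN\user` both hold the domain (with `domain` upper-cased), for `user@realm` only `namespace` holds the realm and `domain` is empty, and for a bare name the domain depends on `assume_domain`. A Doxygen block on the declaration stating those three cases, that all three out-parameters are caller-owned fstrings, and that the function returns false for an empty input would spare readers the trip to winbindd_util.c. `namespace` is also a C++ keyword; harmless for a C-only build, but worth renaming (for example `name_space`) if this header is ever consumed by C++ tooling.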
+++ b/source3/winbindd/winbindd_util.c @@ -1575,28 +1575,37 @@ static bool assume_domain(const char *domain) return False; } -/* Parse a string of the form DOMAIN\user into a domain and a user */ - -bool parse_domain_user(const char *domuser, fstring domain, fstring user) +/* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */ +bool parse_domain_user(const char *domuser, + fstring namespace, + fstring domain, + fstring user) { - char *p = strchr(domuser,*lp_winbind_separator()); + char *p = NULL; + + if (strlen(domuser) == 0) { + return false; + } - if ( !p ) { + p = strchr(domuser, *lp_winbind_separator()); + if (p != NULL) { + fstrcpy(user, p + 1); + fstrcpy(domain, domuser); + domain[PTR_DIFF(p, domuser)] = '\0'; + fstrcpy(namespace, domain); + } else { fstrcpy(user, domuser); - p = strchr(domuser, '@'); - if ( assume_domain(lp_workgroup()) && p == NULL) { + domain[0] = '\0'; + namespace[0] = '\0'; + p = strchr(domuser, '@'); + if (p != NULL) { + /* upn */ + fstrcpy(namespace, p + 1); + } else if (assume_domain(lp_workgroup())) { fstrcpy(domain, lp_workgroup()); - } else if (p != NULL) { - fstrcpy(domain, p + 1); - user[PTR_DIFF(p, domuser)] = 0; - } else { - return False; + fstrcpy(namespace, domain); } - } else { - fstrcpy(user, p+1); - fstrcpy(domain, domuser); - domain[PTR_DIFF(p, domuser)] = 0; } return strupper_m(domain); @@ -1613,7 +1622,11 @@ bool parse_domain_user(const char *domuser, fstring domain, fstring user) bool canonicalize_username(fstring username_inout, fstring domain, fstring user) { - if (!parse_domain_user(username_inout, domain, user)) { + fstring namespace; + bool ok; + + ok = parse_domain_user(username_inout, namespace, domain, user); + if (!ok) { return False; } slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s", -- 2.16.3 From c8f68cc0a9b1f5cf1c2467146e861aa5080aea9a Mon Sep 17 00:00:00 2001 
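Review bot: A bare user name with `assume_domain(lp_workgroup())` false now returns true with both `domain` and `namespace` empty, where the removed `return False` rejected it, so callers such as `find_domain_from_name(name_namespace)` now receive an empty string; if that is intended, mark it on the else branch with `/* bare name and no assumed domain: caller must handle empty domain/namespace */`, otherwise restore the rejection. The separator branch also writes `domain[PTR_DIFF(p, domuser)] = '\0'` after a bounded `fstrcpy(domain, domuser)`, which indexes past the buffer if the separator sits at or beyond `sizeof(fstring)` — possible when `domuser` comes from a username map rather than a fixed-size request field — so guard it with `if (PTR_DIFF(p, domuser) >= sizeof(fstring)) { return false; }` before the copy. Finally `namespace` is copied from `domain` before `strupper_m(domain)` runs, so for `DOMAIN\user` the two differ in case; if any caller compares the namespace case-sensitively, uppercase it as well.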
From: Andreas Schneider Date: Thu, 26 Apr 2018 17:32:42 +0200 Subject: [PATCH 10/10] winbind: Fix UPN handling in canonicalize_username() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144 (cherry picked from commit 1766f77493c5a76e4d7d1e5eedcaa150cc9ea552) --- source3/winbindd/winbindd_ccache_access.c | 17 ++++++++++++----- source3/winbindd/winbindd_pam_auth.c | 11 ++++++++--- source3/winbindd/winbindd_pam_chauthtok.c | 12 ++++++++---- source3/winbindd/winbindd_pam_logoff.c | 12 ++++++++---- source3/winbindd/winbindd_proto.h | 5 ++++- source3/winbindd/winbindd_util.c | 6 ++++-- 6 files changed, 44 insertions(+), 19 deletions(-) diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c index 6bcf9a3552c..ddeaf1d9940 100644 --- a/source3/winbindd/winbindd_ccache_access.c +++ b/source3/winbindd/winbindd_ccache_access.c @@ -199,8 +199,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) /* Parse domain and username */ - if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user, - name_domain, name_user)) { + ok = canonicalize_username(state->request->data.ccache_ntlm_auth.user, + name_namespace, + name_domain, + name_user); + if (!ok) { DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n", state->request->data.ccache_ntlm_auth.user)); request_error(state); @@ -316,8 +319,9 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) void winbindd_ccache_save(struct winbindd_cli_state *state) { struct winbindd_domain *domain; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; NTSTATUS status; + bool ok; /* Ensure null termination */ state->request->data.ccache_save.user[ 
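Review bot: `ok` and `name_namespace` are used in winbindd_ccache_ntlm_auth (first hunk) but no hunk in winbindd_ccache_access.c adds their declarations, and the file's diffstat (+12/-5) is fully accounted for by the three visible hunks; presumably an earlier patch in the series declared them, otherwise this does not compile — verify. The level-5 message "cannot parse domain and user from name" on the unchanged lines no longer describes a rejected `user@realm` input; consider mentioning the namespace in it. The function continues outside the hunk.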
@@ -331,8 +335,11 @@ void winbindd_ccache_save(struct winbindd_cli_state *state) /* Parse domain and username */ - if (!canonicalize_username(state->request->data.ccache_save.user, - name_domain, name_user)) { + ok = canonicalize_username(state->request->data.ccache_save.user, + name_namespace, + name_domain, + name_user); + if (!ok) { DEBUG(5,("winbindd_ccache_save: cannot parse domain and user " "from name [%s]\n", state->request->data.ccache_save.user)); diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c index b35a17cf319..95550ba9066 100644 --- a/source3/winbindd/winbindd_pam_auth.c +++ b/source3/winbindd/winbindd_pam_auth.c @@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx, struct tevent_req *req, *subreq; struct winbindd_pam_auth_state *state; struct winbindd_domain *domain; - fstring name_domain, name_user; + fstring name_namespace, name_domain, name_user; char *mapped = NULL; NTSTATUS status; + bool ok; req = tevent_req_create(mem_ctx, &state, struct winbindd_pam_auth_state); @@ -71,12 +72,16 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx, fstrcpy(request->data.auth.user, mapped); } - if (!canonicalize_username(request->data.auth.user, name_domain, name_user)) { + ok = canonicalize_username(request->data.auth.user, + name_namespace, + name_domain, + name_user); + if (!ok) { tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); return tevent_req_post(req, ev); } - domain = find_auth_domain(request->flags, name_domain); + domain = find_auth_domain(request->flags, name_namespace); if (domain == NULL) { tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); return tevent_req_post(req, ev); diff --git a/source3/winbindd/winbindd_pam_chauthtok.c b/source3/winbindd/winbindd_pam_chauthtok.c index 0d749fbcecd..a6b8b66b9be 100644 --- a/source3/winbindd/winbindd_pam_chauthtok.c +++ b/source3/winbindd/winbindd_pam_chauthtok.c 
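Review bot: In winbindd_pam_auth_send (third hunk) a canonicalize_username failure is mapped to `NT_STATUS_NO_SUCH_USER` with no log line, whereas the sibling winbindd_pam_chauthtok_send change logs the rejected name at DEBUG(10) and the winbindd_pam.c sites return `NT_STATUS_INVALID_PARAMETER`; a malformed name is hard to diagnose from the client-visible status alone. Add `DEBUG(10, ("winbindd_pam_auth: canonicalize_username %s failed\n", request->data.auth.user));` before the `tevent_req_nterror` so the rejection is traceable in the winbindd log. Note that with the new parse_domain_user a bare name can now reach `find_auth_domain(request->flags, name_namespace)` with an empty namespace; whether find_auth_domain tolerates that is not visible here. The function continues outside the hunk.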
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_chauthtok_send( struct tevent_req *req, *subreq; struct winbindd_pam_chauthtok_state *state; struct winbindd_domain *contact_domain; - fstring domain, user; + fstring namespace, domain, user; char *mapped_user; NTSTATUS status; + bool ok; req = tevent_req_create(mem_ctx, &state, struct winbindd_pam_chauthtok_state); @@ -62,15 +63,18 @@ struct tevent_req *winbindd_pam_chauthtok_send( fstrcpy(request->data.chauthtok.user, mapped_user); } - if (!canonicalize_username(request->data.chauthtok.user, domain, - user)) { + ok = canonicalize_username(request->data.chauthtok.user, + namespace, + domain, + user); + if (!ok) { DEBUG(10, ("winbindd_pam_chauthtok: canonicalize_username %s " "failed with\n", request->data.chauthtok.user)); tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); return tevent_req_post(req, ev); } - contact_domain = find_domain_from_name(domain); + contact_domain = find_domain_from_name(namespace); if (contact_domain == NULL) { DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] " "as %s is not a trusted domain\n", diff --git a/source3/winbindd/winbindd_pam_logoff.c b/source3/winbindd/winbindd_pam_logoff.c index b5b7840f99c..8f2b4882521 100644 --- a/source3/winbindd/winbindd_pam_logoff.c +++ b/source3/winbindd/winbindd_pam_logoff.c @@ -35,10 +35,11 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx, struct tevent_req *req, *subreq; struct winbindd_pam_logoff_state *state; struct winbindd_domain *domain; - fstring name_domain, user; + fstring name_namespace, name_domain, user; uid_t caller_uid; gid_t caller_gid; int res; + bool ok; req = tevent_req_create(mem_ctx, &state, struct winbindd_pam_logoff_state); 
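Review bot: The DEBUG(3) "Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain" in winbindd_pam_chauthtok_send (second hunk) now follows a lookup by `namespace`, but its arguments are outside the hunk; if the final `%s` is still `domain`, a `user@realm` request whose realm is untrusted logs an empty domain and hides the realm that was rejected — pass `namespace` there. The adjacent DEBUG(10) text "canonicalize_username %s failed with\n" trails off after "with"; since the call is being rewritten anyway, `"failed\n"` reads correctly. The function continues outside the hunk.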
@@ -60,12 +61,15 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx, goto failed; } - if (!canonicalize_username(request->data.logoff.user, name_domain, - user)) { + ok = canonicalize_username(request->data.logoff.user, + name_namespace, + name_domain, + user); + if (!ok) { goto failed; } - domain = find_auth_domain(request->flags, name_domain); + domain = find_auth_domain(request->flags, name_namespace); if (domain == NULL) { goto failed; } diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index c4b27575b32..95f24d2c279 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -481,7 +481,10 @@ bool parse_domain_user(const char *domuser, fstring namespace, fstring domain, fstring user); -bool canonicalize_username(fstring username_inout, fstring domain, fstring user); +bool canonicalize_username(fstring username_inout, + fstring namespace, + fstring domain, + fstring user); void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume); char *fill_domain_username_talloc(TALLOC_CTX *ctx, const char *domain, diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 068be91dca5..c2ec164e143 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1620,9 +1620,11 @@ bool parse_domain_user(const char *domuser, really should be changed to use this instead of doing things by hand. JRA. */ -bool canonicalize_username(fstring username_inout, fstring domain, fstring user) +bool canonicalize_username(fstring username_inout, + fstring namespace, + fstring domain, + fstring user) { - fstring namespace; bool ok; ok = parse_domain_user(username_inout, namespace, domain, user); -- 2.16.3
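Review bot: canonicalize_username (winbindd_util.c hunk) now hands `namespace` back to the caller, but the `slprintf(username_inout, ..., "%s%c%s", ...)` that rewrites the name lies outside this hunk; if it still joins `domain` and `user`, a `user@realm` input is rewritten to `<separator>user` and the realm survives only in `namespace`, which every caller in this commit then uses for the domain lookup — confirm that is the intended canonical form. The comment block above the function (ending "JRA.") predates the namespace parameter and should state the three cases: `DOMAIN\user` fills both values, `user@realm` fills only `namespace` and leaves `domain` empty, and a bare name depends on `assume_domain`. The function continues outside the hunk.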