authorAndreas Schneider <asn@samba.org>2018-04-26 17:32:42 +0200
committerKarolin Seeger <kseeger@samba.org>2018-05-24 11:29:23 +0200
commit682a2e265690c3ff8ad52d5ddb24f13b636d31b6 (patch)
tree220a27e660fe542f448bc1ba99ca3effe00cce87 /source3
parent124f0e4bdaabd082cffc403b747a8f5eb2b2a4ef (diff)
winbind: Fix UPN handling in canonicalize_username()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144 (cherry picked from commit 1766f77493c5a76e4d7d1e5eedcaa150cc9ea552)
Diffstat (limited to 'source3')
-rw-r--r--source3/winbindd/winbindd_ccache_access.c17
-rw-r--r--source3/winbindd/winbindd_pam_auth.c11
-rw-r--r--source3/winbindd/winbindd_pam_chauthtok.c12
-rw-r--r--source3/winbindd/winbindd_pam_logoff.c12
-rw-r--r--source3/winbindd/winbindd_proto.h5
-rw-r--r--source3/winbindd/winbindd_util.c6
6 files changed, 44 insertions, 19 deletions
diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
index 6bcf9a3552c..ddeaf1d9940 100644
--- a/source3/winbindd/winbindd_ccache_access.c
+++ b/source3/winbindd/winbindd_ccache_access.c
@@ -199,8 +199,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
- if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user,
- name_domain, name_user)) {
+ ok = canonicalize_username(state->request->data.ccache_ntlm_auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
state->request->data.ccache_ntlm_auth.user));
request_error(state);
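Review bot: `name_namespace` is filled by the new call but nothing in this hunk reads it, whereas the pam_auth and pam_logoff call sites in this commit switch their `find_auth_domain()` lookup from `name_domain` to `name_namespace`. The domain lookup in winbindd_ccache_ntlm_auth() lies past the end of the hunk, so this cannot be confirmed from here; if it still keys on `name_domain`, a UPN-style name would presumably resolve differently for cached-credential access than for authentication. Either switch that lookup to `name_namespace`, or state the intent next to it with a comment such as `/* ccache lookup intentionally uses name_domain, not name_namespace */`. The same question applies to the winbindd_ccache_save() hunk at -331,8. The declarations of `ok` and `name_namespace` for this function are not part of the diff and are assumed to exist already.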
@@ -316,8 +319,9 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
void winbindd_ccache_save(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
NTSTATUS status;
+ bool ok;
/* Ensure null termination */
state->request->data.ccache_save.user[
@@ -331,8 +335,11 @@ void winbindd_ccache_save(struct winbindd_cli_state *state)
/* Parse domain and username */
- if (!canonicalize_username(state->request->data.ccache_save.user,
- name_domain, name_user)) {
+ ok = canonicalize_username(state->request->data.ccache_save.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
"from name [%s]\n",
state->request->data.ccache_save.user));
diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index b35a17cf319..95550ba9066 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req, *subreq;
struct winbindd_pam_auth_state *state;
struct winbindd_domain *domain;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
char *mapped = NULL;
NTSTATUS status;
+ bool ok;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_pam_auth_state);
@@ -71,12 +72,16 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
fstrcpy(request->data.auth.user, mapped);
}
- if (!canonicalize_username(request->data.auth.user, name_domain, name_user)) {
+ ok = canonicalize_username(request->data.auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
return tevent_req_post(req, ev);
}
- domain = find_auth_domain(request->flags, name_domain);
+ domain = find_auth_domain(request->flags, name_namespace);
if (domain == NULL) {
tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
return tevent_req_post(req, ev);
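Review bot: Both failure branches in this hunk return `NT_STATUS_NO_SUCH_USER` without any log output, so a name that failed to parse and a namespace that matched no domain cannot be told apart when triaging failed logons. Keeping the client-visible status identical for both cases is right; the distinction belongs in the debug log only, which is what the ccache and chauthtok call sites already do. Before the first `tevent_req_nterror()` add `DEBUG(5, ("winbindd_pam_auth: cannot parse domain and user from name [%s]\n", request->data.auth.user));`, and add a matching line that prints `name_namespace` in the `domain == NULL` branch. The winbindd_pam_logoff_send() hunk at -60,12 has the same silent `goto failed` paths.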
diff --git a/source3/winbindd/winbindd_pam_chauthtok.c b/source3/winbindd/winbindd_pam_chauthtok.c
index 0d749fbcecd..a6b8b66b9be 100644
--- a/source3/winbindd/winbindd_pam_chauthtok.c
+++ b/source3/winbindd/winbindd_pam_chauthtok.c
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_chauthtok_send(
struct tevent_req *req, *subreq;
struct winbindd_pam_chauthtok_state *state;
struct winbindd_domain *contact_domain;
- fstring domain, user;
+ fstring namespace, domain, user;
char *mapped_user;
NTSTATUS status;
+ bool ok;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_pam_chauthtok_state);
@@ -62,15 +63,18 @@ struct tevent_req *winbindd_pam_chauthtok_send(
fstrcpy(request->data.chauthtok.user, mapped_user);
}
- if (!canonicalize_username(request->data.chauthtok.user, domain,
- user)) {
+ ok = canonicalize_username(request->data.chauthtok.user,
+ namespace,
+ domain,
+ user);
+ if (!ok) {
DEBUG(10, ("winbindd_pam_chauthtok: canonicalize_username %s "
"failed with\n", request->data.chauthtok.user));
tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
return tevent_req_post(req, ev);
}
- contact_domain = find_domain_from_name(domain);
+ contact_domain = find_domain_from_name(namespace);
if (contact_domain == NULL) {
DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] "
"as %s is not a trusted domain\n",
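Review bot: The lookup now keys on `namespace`, but the `DEBUG(3, ...)` call that follows reports "%s is not a trusted domain" using arguments that lie past the end of this hunk. If the final argument is still `domain`, the log names a value that was not the one looked up, which misleads anyone investigating a rejected password change. Pass `namespace` for the last `%s` there. Separately, the `DEBUG(10, ...)` text in the parse-failure branch ends in "failed with" followed by no value; dropping the trailing " with" would make it read correctly.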
diff --git a/source3/winbindd/winbindd_pam_logoff.c b/source3/winbindd/winbindd_pam_logoff.c
index b5b7840f99c..8f2b4882521 100644
--- a/source3/winbindd/winbindd_pam_logoff.c
+++ b/source3/winbindd/winbindd_pam_logoff.c
@@ -35,10 +35,11 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req, *subreq;
struct winbindd_pam_logoff_state *state;
struct winbindd_domain *domain;
- fstring name_domain, user;
+ fstring name_namespace, name_domain, user;
uid_t caller_uid;
gid_t caller_gid;
int res;
+ bool ok;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_pam_logoff_state);
@@ -60,12 +61,15 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
goto failed;
}
- if (!canonicalize_username(request->data.logoff.user, name_domain,
- user)) {
+ ok = canonicalize_username(request->data.logoff.user,
+ name_namespace,
+ name_domain,
+ user);
+ if (!ok) {
goto failed;
}
- domain = find_auth_domain(request->flags, name_domain);
+ domain = find_auth_domain(request->flags, name_namespace);
if (domain == NULL) {
goto failed;
}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c4b27575b32..95f24d2c279 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -481,7 +481,10 @@ bool parse_domain_user(const char *domuser,
fstring namespace,
fstring domain,
fstring user);
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
+bool canonicalize_username(fstring username_inout,
+ fstring namespace,
+ fstring domain,
+ fstring user);
void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
char *fill_domain_username_talloc(TALLOC_CTX *ctx,
const char *domain,
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 068be91dca5..c2ec164e143 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1620,9 +1620,11 @@ bool parse_domain_user(const char *domuser,
really should be changed to use this instead of doing things
by hand. JRA. */
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
+bool canonicalize_username(fstring username_inout,
+ fstring namespace,
+ fstring domain,
+ fstring user)
{
- fstring namespace;
bool ok;
ok = parse_domain_user(username_inout, namespace, domain, user);
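Review bot: The comment block above canonicalize_username() is not updated for the new `namespace` output, and neither this definition nor the prototype in winbindd_proto.h says which of `namespace` and `domain` a caller should use to locate the domain. The pam_auth, pam_chauthtok and pam_logoff call sites in this commit all switch their lookups to the namespace value, so that contract is worth writing down where the next caller will see it. Add a line such as `/* namespace, domain, user: caller-provided fstring outputs; use namespace, not domain, for domain lookup */`. The function body continues past the end of this hunk, so what it does with the buffers after parse_domain_user() is not visible here.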