authorGünther Deschner <gd@samba.org>2008-06-24 12:11:06 +0200
committerGünther Deschner <gd@samba.org>2008-06-24 23:37:40 +0200
commit6b4b76c40e965c7544097aa652eb6455af2ae8c1 (patch)
treebc5fd49635410cf2d361405e4a0d8e998b0dfeb7
parent640a2972c555a456ea9a083bdc7aae8ea283492a (diff)
libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames.
Guenther (This used to be commit b5aaf5aa0f280f69e05b613271c96473a79b812e)
-rw-r--r--source3/include/ads.h17
-rw-r--r--source3/libads/kerberos.c6
2 files changed, 15 insertions, 8 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h
index d5ce88babe..d4551765aa 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -320,14 +320,15 @@ typedef void **ADS_MODLIST;
#define ADS_DNS_FOREST 0x80000000 /* DnsForestName is a DNS name */
/* ads auth control flags */
-#define ADS_AUTH_DISABLE_KERBEROS 0x01
-#define ADS_AUTH_NO_BIND 0x02
-#define ADS_AUTH_ANON_BIND 0x04
-#define ADS_AUTH_SIMPLE_BIND 0x08
-#define ADS_AUTH_ALLOW_NTLMSSP 0x10
-#define ADS_AUTH_SASL_SIGN 0x20
-#define ADS_AUTH_SASL_SEAL 0x40
-#define ADS_AUTH_SASL_FORCE 0x80
+#define ADS_AUTH_DISABLE_KERBEROS 0x0001
+#define ADS_AUTH_NO_BIND 0x0002
+#define ADS_AUTH_ANON_BIND 0x0004
+#define ADS_AUTH_SIMPLE_BIND 0x0008
+#define ADS_AUTH_ALLOW_NTLMSSP 0x0010
+#define ADS_AUTH_SASL_SIGN 0x0020
+#define ADS_AUTH_SASL_SEAL 0x0040
+#define ADS_AUTH_SASL_FORCE 0x0080
+#define ADS_AUTH_USER_CREDS 0x0100
/* Kerberos environment variable names */
#define KRB5_ENV_CCNAME "KRB5CCNAME"
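Review bot: The new `ADS_AUTH_USER_CREDS` define has no comment, and its name alone does not say that it changes which principal ads_kinit_password() requests a ticket for. I would add something like `/* use auth.user_name verbatim; skip the workgroup/machine account substitution in ads_kinit_password() */` on that line. Since this is the first flag above 0xff, it is also worth confirming that the `auth.flags` field (declared outside this hunk) is wider than 8 bits, otherwise the bit can never be set and the old name substitution would silently continue to apply.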
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c4135f24a1..31e5af4224 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -323,6 +323,11 @@ int ads_kinit_password(ADS_STRUCT *ads)
const char *account_name;
fstring acct_name;
+ if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
+ account_name = ads->auth.user_name;
+ goto got_accountname;
+ }
+
if ( IS_DC ) {
/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
account_name = lp_workgroup();
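Review bot: The added `ADS_AUTH_USER_CREDS` branch at the top of ads_kinit_password() takes `ads->auth.user_name` without checking that it is set, and the value goes straight into the `"%s@%s"` asprintf after the `got_accountname:` label added in the next hunk. Whether a caller can set the flag while leaving user_name empty is not visible here, but if it can, a NULL passed to `%s` is undefined behaviour and on some libcs yields a ticket request for a literal `(null)@REALM` principal. I would guard the branch with `if (ads->auth.user_name == NULL)` and return a krb5 error before the `goto`, so a request for explicit user credentials fails closed instead of continuing with a bogus name. The function body starts and ends outside both hunks, so the surrounding if/else chain could not be checked in full.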
@@ -338,6 +343,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
account_name = ads->auth.user_name;
}
+ got_accountname:
if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
return KRB5_CC_NOMEM;
}