summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-02-20 10:50:09 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-02-20 10:50:09 +0000
commit512405321ac60ae8b1d6dd80139ff9a50add8714 (patch)
treeb69973fe93493baf79ca634032a3ea988ab783a7
parent215ff67a039d3dea516d70d538083db8833f7b7e (diff)
downloadsamba-512405321ac60ae8b1d6dd80139ff9a50add8714.tar.gz
samba-512405321ac60ae8b1d6dd80139ff9a50add8714.tar.bz2
samba-512405321ac60ae8b1d6dd80139ff9a50add8714.zip
Like for NTLM logins, lookup the 'winbind' user first, then the 'local' user.
This needs to change, to be a SID->UID lookup from the PAC. Andrew Bartlett (This used to be commit 4071ed06a051f87f27e10510427a69fcdf45ddac)
-rw-r--r--source3/smbd/sesssetup.c32
1 files changed, 14 insertions, 18 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index e408cc88e9..3a3209f172 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -148,6 +148,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
DATA_BLOB auth_data;
auth_serversupplied_info *server_info = NULL;
ADS_STRUCT *ads;
+ BOOL foreign = False;
if (!spnego_parse_krb5_wrap(*secblob, &ticket)) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
@@ -185,12 +186,20 @@ static int reply_spnego_kerberos(connection_struct *conn,
if (!lp_allow_trusted_domains()) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
- /* this gives a fully qualified user name (ie. with full realm).
- that leads to very long usernames, but what else can we do? */
- asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
- } else {
- user = strdup(client);
+ foreign = True;
+ }
+
+ /* this gives a fully qualified user name (ie. with full realm).
+ that leads to very long usernames, but what else can we do? */
+ asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
+
+ pw = Get_Pwnam(user);
+ if (!pw && !foreign) {
+ pw = Get_Pwnam(client);
+ SAFE_FREE(user);
+ user = smb_xstrdup(client);
}
+
ads_destroy(&ads);
/* setup the string used by %U */
@@ -198,19 +207,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
reload_services(True);
- /* the password is good - let them in */
- pw = Get_Pwnam(user);
- if (!pw && !strstr(user, lp_winbind_separator())) {
- char *user2;
- /* try it with a winbind domain prefix */
- asprintf(&user2, "%s%s%s", lp_workgroup(), lp_winbind_separator(), user);
- pw = Get_Pwnam(user2);
- if (pw) {
- free(user);
- user = user2;
- }
- }
-
if (!pw) {
DEBUG(1,("Username %s is invalid on this system\n",user));
return ERROR_NT(NT_STATUS_NO_SUCH_USER);