authorAndrew Bartlett <abartlet@samba.org>2004-01-05 23:38:49 +0000
committerAndrew Bartlett <abartlet@samba.org>2004-01-05 23:38:49 +0000
commit0c78e6fc3e8df9ad9480d3b1b6b2d5a3eb19bf45 (patch)
tree51c2a4591d71de1e2e1e85c70062007d0af05632
parentb46ec1aac99454fff4419f5db1f460543597ebe4 (diff)
(merge from 3.0)
Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC). By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
-rw-r--r--source3/nsswitch/winbindd_pam.c48
-rw-r--r--source3/nsswitch/winbindd_util.c4
2 files changed, 36 insertions, 16 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index d58c9dcc38..3ca91b1c07 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -95,11 +95,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
- if ( !*name_domain ) {
- DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
/* do password magic */
@@ -118,11 +113,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(name_domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = name_domain;
- else
- contact_domain = lp_workgroup();
+ } else {
+ if (is_myname(name_domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+ contact_domain = lp_workgroup();
+ }
/* check authentication loop */
do {
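Review bot: The DEBUG text added in the IS_DC branch reads "Cannot change password for ...", but this is winbindd_pam_auth, an authentication path, so the level-3 log points whoever triages a failed logon at the wrong operation. The same copied message appears in the winbindd_pam_auth_crap hunk. Suggest wording that names the real operation in both places, e.g. `DEBUG(3, ("Authentication for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",`, and keeping the "Cannot change password" text for winbindd_pam_chauthtok only. The function body starts and continues outside the hunk.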
@@ -304,11 +311,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = domain;
- else
+ } else {
+ if (is_myname(domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = lp_workgroup();
-
+ }
+
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
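Review bot: The new DEBUG call in winbindd_pam_auth_crap logs `state->request.data.auth.user`, which looks copied from winbindd_pam_auth. If `request.data` is a union with a separate member for this request type, the log reads a field that belongs to a different request layout and is correct only by coincidence of member order. The `domain` and `user` locals already passed on the same line are enough: `DEBUG(3, ("Authentication for [%s]\\[%s] failed as %s is not a trusted domain\n", domain, user, domain));`. The function body starts and continues outside the hunk.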
@@ -446,8 +465,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
parse_domain_user(state->request.data.chauthtok.user, domain, user);
- if ( !*domain ) {
- result = NT_STATUS_INVALID_PARAMETER;
+
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.chauthtok.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
goto done;
}
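Review bot: The switch from NT_STATUS_INVALID_PARAMETER to NT_STATUS_NO_SUCH_USER at the find_domain_from_name() check is explained only in the commit message, so a later reader may "correct" it back and break the PAM stacking this change is meant to enable. Add a comment above the check, for example `/* NO_SUCH_USER rather than INVALID_PARAMETER: lets the PAM stack try the next password module */`. Since parse_domain_user() no longer yields an empty domain after this commit, this lookup is now the only gate on the domain string here. Presumably it is also meant to reject the machine's own SAM name on a member server; if so, the comment should say that. The function body starts and continues outside the hunk.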
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 318da4a63a..0f14a7e413 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -525,10 +525,8 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
if ( assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
- } else if (assume_domain(get_global_sam_name())) {
- fstrcpy( domain, get_global_sam_name() );
} else {
- fstrcpy( domain, "");
+ fstrcpy( domain, get_global_sam_name() );
}
}
else {
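Review bot: parse_domain_user() no longer leaves `domain` empty for a name without a separator. It now falls back to get_global_sam_name() unconditionally, where before it did so only when assume_domain() accepted that name. The `!*name_domain` and `!*domain` checks removed in winbindd_pam.c relied on the old empty-string result. Any caller outside this diff that still tests for an empty domain will now treat a bare username as a local-SAM account, which changes the account database the request is matched against. A comment on the else branch, e.g. `/* no separator: default to our own SAM name; callers must reject it if they cannot serve local accounts */`, plus an audit of the remaining callers, would make the new contract explicit; the function continues outside the hunk.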