diff options
author | Dan Sledz <dsledz@isilon.com> | 2009-02-10 15:50:39 -0800 |
---|---|---|
committer | Steven Danneman <steven.danneman@isilon.com> | 2009-02-11 19:39:18 -0800 |
commit | d8c54fddda2dba3cbc5fc13e93431b152813892e (patch) | |
tree | a82478e640ba05c12b8026cf6f65ccc1485ee24f | |
parent | 3b8a57e064250c6e46458e69ba156aa5d8c22059 (diff) | |
download | samba-d8c54fddda2dba3cbc5fc13e93431b152813892e.tar.gz samba-d8c54fddda2dba3cbc5fc13e93431b152813892e.tar.bz2 samba-d8c54fddda2dba3cbc5fc13e93431b152813892e.zip |
s3: Change behavior when seeing an unknown domain.
After a lot of testing against various Windows servers (W2K, W2K3, W2K8),
within an AD domain it seems that unknown domains will only be translated
to the local account domain, not the netbios name of the member server's
domain. This makes samba act more like Windows.
-rw-r--r-- | source3/auth/auth_util.c | 57 | ||||
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 19 |
3 files changed, 35 insertions, 42 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 502d06fad3..f942b2e50a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -186,13 +186,15 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, Create an auth_usersupplied_data structure after appropriate mapping. ****************************************************************************/ -NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - const char *wksta_name, - DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, - DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, - DATA_BLOB *plaintext, +NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + const char *wksta_name, + DATA_BLOB *lm_pwd, + DATA_BLOB *nt_pwd, + DATA_BLOB *lm_interactive_pwd, + DATA_BLOB *nt_interactive_pwd, + DATA_BLOB *plaintext, bool encrypted) { const char *domain; @@ -200,12 +202,12 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, bool was_mapped; fstring internal_username; fstrcpy(internal_username, smb_name); - was_mapped = map_username(internal_username); - - DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", - client_domain, smb_name, wksta_name)); - - /* don't allow "" as a domain, fixes a Win9X bug + was_mapped = map_username(internal_username); + + DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n", + client_domain, smb_name, wksta_name)); + + /* don't allow "" as a domain, fixes a Win9X bug where it doens't supply a domain for logon script 'net use' commands. */ @@ -214,16 +216,27 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, else domain = lp_workgroup(); - /* do what win2k does. Always map unknown domains to our own - and let the "passdb backend" handle unknown users. */ + /* If you connect to a Windows domain member using a bogus domain name, + * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if + * the Windows box is a DC the name will become DOMAIN\user and be + * authenticated against AD, if the Windows box is a member server but + * not a DC the name will become WORKSTATION\user. A standalone + * non-domain member box will also map to WORKSTATION\user. */ - if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) ) - domain = my_sam_name(); - - /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ - - result = make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, + if (!is_trusted_domain(domain) && + !strequal(domain, get_global_sam_name()) ) + { + domain = get_global_sam_name(); + DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] on " + "workstation [%s]\n", + client_domain, domain, smb_name, wksta_name)); + } + + /* we know that it is a trusted domain (and we are allowing them) or it + * is our domain */ + + result = make_user_info(user_info, smb_name, internal_username, + client_domain, domain, wksta_name, lm_pwd, nt_pwd, lm_interactive_pwd, nt_interactive_pwd, plaintext, encrypted); diff --git a/source3/include/proto.h b/source3/include/proto.h index 6246be6b1c..3478ea4f85 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -4420,7 +4420,6 @@ bool sid_check_is_in_our_domain(const DOM_SID *sid); /* The following definitions come from passdb/passdb.c */ -const char *my_sam_name(void); struct samu *samu_new( TALLOC_CTX *ctx ); NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd); NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd); diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index d26a667f44..c526a175f2 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -27,25 +27,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_PASSDB -/****************************************************************** - get the default domain/netbios name to be used when - testing authentication. For example, if you connect - to a Windows member server using a bogus domain name, the - Windows box will map the BOGUS\user to DOMAIN\user. A - standalone box will map to WKS\user. -******************************************************************/ - -const char *my_sam_name(void) -{ - /* standalone servers can only use the local netbios name */ - if ( lp_server_role() == ROLE_STANDALONE ) - return global_myname(); - - /* Windows domain members default to the DOMAIN - name when not specified */ - return lp_workgroup(); -} - /********************************************************************** ***********************************************************************/ |