authorAndrew Bartlett <abartlet@samba.org>2002-01-18 02:37:55 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-01-18 02:37:55 +0000
commit1fb9ccc4e2a91bf7124fba076ffa5458a1cbf404 (patch)
treee62b44816d89c4b8ad6ce5ccaf3050afc148ce20 /source3/nsswitch/winbindd_pam.c
parent9d05373a767cef2e841640f192e74da37fbb099f (diff)
This is the 'winbind default domain' patch from Alexander Bokovoy
<a.bokovoy@sam-solutions.net>. The idea is that domain\username is rather harsh for unix systems - people don't expect to have to FTP, SSH and (in particular) e-mail with a username like that. This 'corrects' that - but is not without its own problems. As you can see from the changes to files like username.c and wb_client.c (smbd's winbind client code) a lot of assumptions are made in a lot of places about lp_winbind_separator determining a user's status as a domain or local user. The main change I will shortly be making is to investigate and kill off winbind_initgroups() - as far as I know it was a workaround for an old bug in winbind itself (and a bug in RH 5.2) and should no longer be relevant. I am also going to move to using the 'winbind uid' and 'winbind gid' parameters to determine a user/group's 'local' status, rather than the presence of the separator. As such, this functionality is recommended for servers providing unix services, but is currently less than optimal for windows clients. (TODO: remove all references to lp_winbind_separator() and lp_winbind_use_default_domain() from smbd) Andrew Bartlett (This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
-rw-r--r--source3/nsswitch/winbindd_pam.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 95f0d527bb..87c5d0fb4b 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -56,7 +56,7 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
if (!parse_domain_user(state->request.data.auth.user, name_domain,
name_user)) {
- DEBUG(5,("no domain seperator (%s) in username (%s) - failing fauth\n", lp_winbind_separator(), state->request.data.auth.user));
+ DEBUG(5,("no domain seperator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
talloc_destroy(mem_ctx);
return WINBINDD_ERROR;
}
@@ -131,6 +131,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
TALLOC_CTX *mem_ctx;
+ const char *domain = NULL;
DATA_BLOB lm_resp, nt_resp;
@@ -144,6 +145,22 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
}
+ if (*state->request.data.auth_crap.domain) {
+ domain = talloc_strdup(mem_ctx, state->request.data.auth_crap.domain);
+ } else if (lp_winbind_use_default_domain()) {
+ domain = talloc_strdup(mem_ctx, lp_workgroup());
+ } else {
+ DEBUG(5,("no domain specified with username (%s) - failing auth\n", state->request.data.auth.user));
+ talloc_destroy(mem_ctx);
+ return WINBINDD_ERROR;
+ }
+
+ if (!domain) {
+ DEBUG(0,("winbindd_pam_auth_crap: talloc_strdup failed!\n"));
+ talloc_destroy(mem_ctx);
+ return WINBINDD_ERROR;
+ }
+
lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
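Review bot: The new `DEBUG(5, ...)` in the "no domain specified" branch logs `state->request.data.auth.user`, while every other access in winbindd_pam_auth_crap goes through the `auth_crap` member. It should read `state->request.data.auth_crap.user`. If `request.data` is a union (its declaration is not visible here), the current line only prints the right bytes when both members happen to place `user` at the same offset. Separately, the client-supplied `domain` is dereferenced and passed to `talloc_strdup()`, and `user` to `%s`, with nothing in the hunk showing these request fields being NUL-terminated. If they are fixed-size arrays, terminating them on entry would bound those reads, e.g. `state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1] = '\0';`. The function body starts and ends outside the hunk, so such a guard may already exist above.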
@@ -169,7 +186,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
}
result = cli_netlogon_sam_network_logon(cli, mem_ctx,
- state->request.data.auth_crap.user, state->request.data.auth_crap.domain,
+ state->request.data.auth_crap.user, domain,
global_myname, state->request.data.auth_crap.chal,
lm_resp, nt_resp,
&info3);