summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2001-12-19 09:53:30 +0000
committerAndrew Tridgell <tridge@samba.org>2001-12-19 09:53:30 +0000
commit9126a40e2c33e0eb4cd57ab381634e08fa59e7a7 (patch)
tree3e3d6b90df016a7bf98225d49269977e88f1cb0f /source3
parenta062e58d9e47f95ac7c66668b3cfe1f72386f6e0 (diff)
downloadsamba-9126a40e2c33e0eb4cd57ab381634e08fa59e7a7.tar.gz
samba-9126a40e2c33e0eb4cd57ab381634e08fa59e7a7.tar.bz2
samba-9126a40e2c33e0eb4cd57ab381634e08fa59e7a7.zip
added trusted realm support to ADS authentication
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth.c28
-rw-r--r--source3/auth/auth_util.c21
-rw-r--r--source3/libsmb/clikrb5.c4
-rw-r--r--source3/nsswitch/winbindd.h1
-rw-r--r--source3/nsswitch/winbindd_ads.c2
-rw-r--r--source3/nsswitch/winbindd_util.c6
-rw-r--r--source3/smbd/sesssetup.c15
7 files changed, 55 insertions, 22 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index fc5a88ad64..710b5f27fb 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -29,19 +29,21 @@
static BOOL check_domain_match(char *user, char *domain)
{
- /*
- * If we aren't serving to trusted domains, we must make sure that
- * the validation request comes from an account in the same domain
- * as the Samba server
- */
-
- if (!lp_allow_trusted_domains() &&
- !(strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) {
- DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
- return False;
- } else {
- return True;
- }
+ /*
+ * If we aren't serving to trusted domains, we must make sure that
+ * the validation request comes from an account in the same domain
+ * as the Samba server
+ */
+
+ if (!lp_allow_trusted_domains() &&
+ !(strequal("", domain) ||
+ strequal(lp_workgroup(), domain) ||
+ is_netbios_alias_or_name(domain))) {
+ DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
+ return False;
+ } else {
+ return True;
+ }
}
/****************************************************************************
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 60495ad23b..3e480b4fd1 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -215,7 +215,26 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info,
map_username(internal_username);
if (lp_allow_trusted_domains()) {
- domain = client_domain;
+ char *user;
+ /* the client could have given us a workstation name
+ or other crap for the workgroup - we really need a
+ way of telling if this domain name is one of our
+ trusted domain names
+
+ The way I do it here is by checking if the fully
+ qualified username exists. This is rather reliant
+ on winbind, but until we have a better method this
+ will have to do
+ */
+ asprintf(&user, "%s%s%s",
+ client_domain, lp_winbind_separator(),
+ smb_name);
+ if (Get_Pwnam(user) != NULL) {
+ domain = client_domain;
+ } else {
+ domain = lp_workgroup();
+ }
+ free(user);
} else {
domain = lp_workgroup();
}
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 03fb6a5669..cc77c08d26 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -60,8 +60,8 @@ static krb5_error_code krb5_mk_req2(krb5_context context,
if ((retval = krb5_get_credentials(context, 0,
ccache, &creds, &credsp))) {
- DEBUG(1,("krb5_get_credentials failed (%s)\n",
- error_message(retval)));
+ DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
+ principal, error_message(retval)));
goto cleanup_creds;
}
diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h
index 2a6fa22961..74206da9ef 100644
--- a/source3/nsswitch/winbindd.h
+++ b/source3/nsswitch/winbindd.h
@@ -153,6 +153,7 @@ struct winbindd_methods {
/* Structures to hold per domain information */
struct winbindd_domain {
fstring name; /* Domain name */
+ fstring full_name; /* full Domain name (realm) */
DOM_SID sid; /* SID for this domain */
struct winbindd_methods *methods; /* lookup methods for
this domain (LDAP or
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 4ce0894ab3..c988e697ee 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -147,6 +147,8 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
primary_realm = strdup(ads->realm);
}
+ fstrcpy(domain->full_name, ads->server_realm);
+
domain->private = (void *)ads;
return ads;
}
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index f760b635d6..2f21f81ea8 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -55,7 +55,8 @@ struct winbindd_domain *find_domain_from_name(char *domain_name)
/* Search through list */
for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
- if (strcasecmp(domain_name, tmp->name) == 0)
+ if (strcasecmp(domain_name, tmp->name) == 0 ||
+ strcasecmp(domain_name, tmp->full_name) == 0)
return tmp;
}
@@ -164,6 +165,9 @@ BOOL get_domain_info(void)
DEBUG(1,("Added domain %s (%s)\n",
domain->name,
sid_string_static(&domain->sid)));
+
+ /* this primes the connection */
+ cache_methods.domain_sid(domain, &domain->sid);
}
}
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 4c26bda4db..60c9cd30e5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -107,14 +107,18 @@ static int reply_spnego_kerberos(connection_struct *conn,
*p = 0;
if (strcasecmp(p+1, ads->realm) != 0) {
- DEBUG(3,("Ticket for incorrect realm %s\n", p+1));
- ads_destroy(&ads);
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
+ if (!lp_allow_trusted_domains()) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+ /* this gives a fully qualified user name (ie. with full realm).
+ that leads to very long usernames, but what else can we do? */
+ asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
+ } else {
+ user = strdup(client);
}
ads_destroy(&ads);
- user = client;
-
/* the password is good - let them in */
pw = smb_getpwnam(user,False);
if (!pw) {
@@ -129,6 +133,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
sess_vuid = register_vuid(server_info, user);
+ free(user);
free_server_info(&server_info);
if (sess_vuid == -1) {