more 2.2.x compatibility fixes - allow user looksup in the kerb5

sesssetup to fall back to 'user' instaed of failing is REA.LM\user
doesn't exist.

also fix include line in smb_acls.h as requested by metze
(This used to be commit 5ccf6baad7ffb1f992aaf24b41ef5c83362cf613)

3 files changed, 36 insertions, 15 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 3803741466..71634f08ed 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -942,7 +942,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
 
 	/* This is pointless -- there is no suport for differeing 
 	   unix and windows names.  Make sure to always store the 
-	   one we actuall looked up and succeeded. Have I mentioned
+	   one we actually looked up and succeeded. Have I mentioned
 	   why I hate the 'winbind use default domain' parameter?   
 	                                 --jerry              */
 	   
@@ -951,6 +951,30 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
 	return pdb_init_sam_pw(sam_account, passwd);
 }
 
+/****************************************************************************
+ Wrapper to allow the getpwnam() call to styrip the domain name and 
+ try again in case a local UNIX user is already there.
+ ****************************************************************************/
+ 
+struct passwd *smb_getpwnam( char *domuser )
+{
+	struct passwd *pw;
+	char *p;
+
+	pw = Get_Pwnam( domuser );
+	if ( pw )
+		return pw;
+
+	/* fallback to looking up just the username */
+
+	p = strchr( domuser, *lp_winbind_separator() );
+
+	if ( p )
+		return Get_Pwnam(p+1);
+
+	return NULL;
+}
+
 /***************************************************************************
  Make a server_info struct from the info3 returned by a domain logon 
 ***************************************************************************/
diff --git a/source3/include/smb_acls.h b/source3/include/smb_acls.h
index e7edb62bde..2bde6caeda 100644
--- a/source3/include/smb_acls.h
+++ b/source3/include/smb_acls.h
@@ -195,7 +195,7 @@ typedef struct SMB_ACL_T {
 
 /* Donated by Medha Date, mdate@austin.ibm.com, for IBM */
 
-#include "/usr/include/acl.h"
+#include <acl.h>
 
 typedef uint                        *SMB_ACL_PERMSET_T;
  
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 427caa3ba1..945855b832 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -198,28 +198,25 @@ static int reply_spnego_kerberos(connection_struct *conn,
 
 	/* this gives a fully qualified user name (ie. with full realm).
 	   that leads to very long usernames, but what else can we do? */
-	asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
+	   
+	asprintf(&user, "%s%c%s", p+1, *lp_winbind_separator(), client);
 	
-	pw = Get_Pwnam(user);
-	if (!pw && !foreign) {
-		pw = Get_Pwnam(client);
-		SAFE_FREE(user);
-		user = smb_xstrdup(client);
-	}
-
+	pw = smb_getpwnam( user );
+	
+	SAFE_FREE(user);
 	SAFE_FREE(client);
 
-	/* setup the string used by %U */
-	sub_set_smb_name(user);
-
-	reload_services(True);
-
 	if (!pw) {
 		DEBUG(1,("Username %s is invalid on this system\n",user));
 		data_blob_free(&ap_rep);
 		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
 	}
 
+	/* setup the string used by %U */
+	
+	sub_set_smb_name(pw->pw_name);
+	reload_services(True);
+	
 	if (!NT_STATUS_IS_OK(ret = make_server_info_pw(&server_info,pw))) {
 		DEBUG(1,("make_server_info_from_pw failed!\n"));
 		data_blob_free(&ap_rep);