authorAndrew Bartlett <abartlet@samba.org>2004-01-05 23:28:50 +0000
committerAndrew Bartlett <abartlet@samba.org>2004-01-05 23:28:50 +0000
commit134af28f827ce80856c288e6d850d4fa7a043dd1 (patch)
tree0e8ae7b4cbe53f5c37ed4c44c5441d7f8014f52f
parent4e1f6feba61aa98bfc552d29acb20efc0f5c2880 (diff)
downloadsamba-134af28f827ce80856c288e6d850d4fa7a043dd1.tar.gz
samba-134af28f827ce80856c288e6d850d4fa7a043dd1.tar.bz2
samba-134af28f827ce80856c288e6d850d4fa7a043dd1.zip
(merge from 3.0)
Try to gain a bit more consistency in the output of usernames from ntlm_auth: Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswitch does - following the rules of 'winbind use default domain', in the correct case and with the correct separator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. -- Get the DOMAIN\username around the right way (I had username\domain...) Push the unix username into utf8 for its trip across the socket. Andrew Bartlett (This used to be commit 4c2e1189ff84d254f19b604999d011fdb17e538d)
-rw-r--r--source3/nsswitch/winbindd_nss.h1
-rw-r--r--source3/nsswitch/winbindd_pam.c26
-rw-r--r--source3/utils/ntlm_auth.c36
3 files changed, 52 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 00d49e7d3e..2383db551e 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -152,6 +152,7 @@ typedef struct winbindd_gr {
#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
#define WBFLAG_QUERY_ONLY 0x0020
#define WBFLAG_ALLOCATE_RID 0x0040
+#define WBFLAG_PAM_UNIX_NAME 0x0080
/* Winbind request structure */
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 9962105787..d58c9dcc38 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -365,6 +365,32 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
result = append_info3_as_ndr(mem_ctx, state, &info3);
+ } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
+ /* ntlm_auth should return the unix username, per
+ 'winbind use default domain' settings and the like */
+
+ fstring username_out;
+ const char *nt_username, *nt_domain;
+ if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) {
+ /* If the server didn't give us one, just use the one we sent them */
+ nt_username = user;
+ }
+
+ if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) {
+ /* If the server didn't give us one, just use the one we sent them */
+ nt_domain = domain;
+ }
+
+ fill_domain_username(username_out, nt_domain, nt_username);
+
+ DEBUG(5, ("Setting unix username to [%s]\n", username_out));
+
+ /* this interface is in UTF8 */
+ if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ state->response.length += strlen(state->response.extra_data)+1;
}
if (state->request.flags & WBFLAG_PAM_NTKEY) {
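Review bot: The new branch reads a NULL return from `unistr2_tdup()` (the `nt_username` and `nt_domain` lookups) as "the server sent no name" and silently falls back to the client-supplied `user`/`domain`, but a NULL from an allocating helper can presumably also mean allocation failure on `mem_ctx`; unless that helper is documented to return NULL only for an empty string, test the UNISTR2's length first and treat NULL on a non-empty string as `NT_STATUS_NO_MEMORY`. The `else if` also makes `WBFLAG_PAM_UNIX_NAME` and `WBFLAG_PAM_INFO3_NDR` mutually exclusive on `response.extra_data`, while the ntlm_auth side of this commit pulls `extra_data` as a UTF-8 string whenever its flag is set, so a request carrying both flags would have NDR bytes read as a string; either reject the combination up front or record it next to the branch, e.g. `/* WBFLAG_PAM_INFO3_NDR and WBFLAG_PAM_UNIX_NAME share response.extra_data: request at most one */`. winbindd_pam_auth_crap() begins before this hunk, so whether the `done:` label releases anything allocated on `mem_ctx` is not visible here.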
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 8e688d9614..cd917f67cd 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -227,7 +227,8 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
uint32 flags,
uint8 lm_key[8],
uint8 nt_key[16],
- char **error_string)
+ char **error_string,
+ char **unix_name)
{
NTSTATUS nt_status;
NSS_STATUS result;
@@ -302,6 +303,13 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
memcpy(nt_key, response.data.auth.nt_session_key,
sizeof(response.data.auth.nt_session_key));
}
+
+ if (flags & WBFLAG_PAM_UNIX_NAME) {
+ if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
return nt_status;
}
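Review bot: The new `pull_utf8_allocate()` call writes through `unix_name` without checking it, yet every test caller updated later in this commit passes `NULL` for that parameter while supplying its own `flags`; if any of them sets `WBFLAG_PAM_UNIX_NAME` this dereferences NULL, and `response.extra_data` is likewise unchecked, so a winbindd that does not understand the flag would leave it NULL. Guard both: `if (unix_name && (flags & WBFLAG_PAM_UNIX_NAME)) {` and fail, rather than dereference, when `response.extra_data` is NULL. It is also not visible here whether this point is reached when `nt_status` is a failure; if it is, winbind_pw_check frees `unix_name` only on success, so the string would leak on failed logins, and gating the pull on `NT_STATUS_IS_OK(nt_status)` would make the contract explicit. contact_winbind_auth_crap() begins before this hunk.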
@@ -312,15 +320,16 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB
char *error_string;
uint8 lm_key[8];
uint8 nt_key[16];
-
+ char *unix_name;
+
nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain,
ntlmssp_state->workstation,
&ntlmssp_state->chal,
&ntlmssp_state->lm_resp,
&ntlmssp_state->nt_resp,
- WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY,
+ WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY | WBFLAG_PAM_UNIX_NAME,
lm_key, nt_key,
- &error_string);
+ &error_string, &unix_name);
if (NT_STATUS_IS_OK(nt_status)) {
if (memcmp(lm_key, zeros, 8) != 0) {
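Review bot: `char *unix_name;` is left uninitialized and then handed to `talloc_strdup()` in the success branch of this function; if `contact_winbind_auth_crap()` can return NT_STATUS_OK on a path that never reaches its `pull_utf8_allocate()` (only the tail of that function is visible in this commit), that is a read of an indeterminate pointer. Initialize it, `char *unix_name = NULL;`, so a missed assignment shows up as NULL rather than garbage. winbind_pw_check() continues past this hunk.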
@@ -332,10 +341,13 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB
if (memcmp(nt_key, zeros, 16) != 0) {
*nt_session_key = data_blob(nt_key, 16);
}
+ ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name);
+ SAFE_FREE(unix_name);
} else {
DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3,
("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, error_string ? error_string : "unknown error (NULL)"));
+ ntlmssp_state->auth_context = NULL;
}
return nt_status;
}
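Review bot: The `talloc_strdup()` result stored in `ntlmssp_state->auth_context` is not checked, and manage_squid_ntlmssp_request() later in this commit prints it with `%s` on the success path, so an allocation failure turns into a `%s` of NULL in the "AF" reply; the `talloc_asprintf()` in local_pw_check in the next hunk has the same gap. After `SAFE_FREE(unix_name);` add `if (!ntlmssp_state->auth_context) { nt_status = NT_STATUS_NO_MEMORY; }` so the caller takes the failure path instead (and likewise after the `talloc_asprintf`). The assignment also repurposes a generic-looking `auth_context` field to carry a string that is cast back to `char *` at the print site; a comment at the first assignment, `/* auth_context carries the unix username (talloc'd on mem_ctx) for the AF reply */`, would make that contract visible to the next reader.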
@@ -369,10 +381,12 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *n
if (memcmp(nt_key, zeros, 16) != 0) {
*nt_session_key = data_blob(nt_key, 16);
}
+ ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, "%s%c%s", ntlmssp_state->domain, *lp_winbind_separator(), ntlmssp_state->user);
} else {
DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation,
nt_errstr(nt_status)));
+ ntlmssp_state->auth_context = NULL;
}
return nt_status;
}
@@ -520,7 +534,7 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
} else {
- x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user);
+ x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context);
DEBUG(10, ("NTLMSSP OK!\n"));
}
@@ -1368,7 +1382,7 @@ static BOOL check_auth_crap(void)
flags,
(unsigned char *)lm_key,
(unsigned char *)nt_key,
- &error_string);
+ &error_string, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
x_fprintf(x_stdout, "%s (0x%x)\n",
@@ -1476,7 +1490,7 @@ static BOOL test_lm_ntlm_broken(enum ntlm_break break_which)
flags,
lm_key,
nt_key,
- &error_string);
+ &error_string, NULL);
data_blob_free(&lm_response);
@@ -1575,7 +1589,7 @@ static BOOL test_ntlm_in_lm(void)
flags,
lm_key,
nt_key,
- &error_string);
+ &error_string, NULL);
data_blob_free(&nt_response);
@@ -1646,7 +1660,7 @@ static BOOL test_ntlm_in_both(void)
flags,
(unsigned char *)lm_key,
(unsigned char *)nt_key,
- &error_string);
+ &error_string, NULL);
data_blob_free(&nt_response);
@@ -1737,7 +1751,7 @@ static BOOL test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
flags,
NULL,
nt_key,
- &error_string);
+ &error_string, NULL);
data_blob_free(&lmv2_response);
data_blob_free(&ntlmv2_response);
@@ -1881,7 +1895,7 @@ static BOOL test_plaintext(enum ntlm_break break_which)
flags,
lm_key,
nt_key,
- &error_string);
+ &error_string, NULL);
SAFE_FREE(nt_response.data);
SAFE_FREE(lm_response.data);