-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 48 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 4 |
2 files changed, 36 insertions, 16 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index d58c9dcc38..3ca91b1c07 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -95,11 +95,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Parse domain and username */ parse_domain_user(state->request.data.auth.user, name_domain, name_user); - if ( !*name_domain ) { - DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user)); - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } /* do password magic */ @@ -118,11 +113,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* what domain should we contact? */ - if ( IS_DC ) + if ( IS_DC ) { + if (!find_domain_from_name(name_domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.auth.user, name_domain, name_user, name_domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = name_domain; - else - contact_domain = lp_workgroup(); + } else { + if (is_myname(name_domain)) { + DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } + contact_domain = lp_workgroup(); + } /* check authentication loop */ do { 
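Review bot: With the `!*name_domain` guard removed, winbindd_pam_auth relies entirely on parse_domain_user() filling name_domain for an unqualified user name, and its BOOL return value is still ignored at this call. Nothing at the call site records that dependency, so a later change to the fallback in winbindd_util.c could silently let an empty domain reach the logon code. I would add a comment above the call, for example `/* parse_domain_user() never leaves name_domain empty: unqualified names get our workgroup or our SAM name */`. The body of winbindd_pam_auth starts and ends outside this hunk.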
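Review bot: The DEBUG(3) added in the IS_DC branch reads "Cannot change password for ..." although winbindd_pam_auth is a logon path; the text appears to be copied from the winbindd_pam_chauthtok hunk. Someone triaging failed logons from the winbindd log would read a logon rejected for an untrusted domain as a password-change failure. I would reword it to `DEBUG(3, ("Authentication for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",` and keep the arguments as they are. The same message is added in the winbindd_pam_auth_crap hunk and needs the same change.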
@@ -304,11 +311,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) /* what domain should we contact? */ - if ( IS_DC ) + if ( IS_DC ) { + if (!find_domain_from_name(domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.auth.user, domain, user, domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = domain; - else + } else { + if (is_myname(domain)) { + DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } contact_domain = lp_workgroup(); - + } + do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); @@ -446,8 +465,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state) return WINBINDD_ERROR; parse_domain_user(state->request.data.chauthtok.user, domain, user); - if ( !*domain ) { - result = NT_STATUS_INVALID_PARAMETER; + + if (!find_domain_from_name(domain)) { + DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", + state->request.data.chauthtok.user, domain, user, domain)); + result = NT_STATUS_NO_SUCH_USER; goto done; } diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 318da4a63a..0f14a7e413 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -525,10 +525,8 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user) if ( assume_domain(lp_workgroup())) { fstrcpy(domain, lp_workgroup()); - } else if (assume_domain(get_global_sam_name())) { - fstrcpy( domain, get_global_sam_name() ); } else { - fstrcpy( domain, ""); + fstrcpy( domain, get_global_sam_name() ); } } else { |
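Review bot: The DEBUG call added to winbindd_pam_auth_crap prints `state->request.data.auth.user`, the field used by the plaintext winbindd_pam_auth path, while everything else in this hunk works on the local `domain` and `user`. If the challenge/response request is a different member of the request union (the declaration is not visible here), the log only shows the right name when the two layouts happen to overlap. I would log the field that belongs to this request, presumably `state->request.data.auth_crap.user`, or print `domain` and `user` alone. The function body continues outside the hunk.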
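Review bot: After this hunk in winbindd_util.c, parse_domain_user() no longer returns an empty domain for an unqualified name; it falls back to `get_global_sam_name()` when `assume_domain(lp_workgroup())` is false. That changes the contract for every caller, and any caller outside this commit that still tests `!*domain` to reject unqualified names will now accept them under the local SAM name. The new behaviour should be stated at the fallback, for example `/* domain is never left empty: an unqualified name maps to our workgroup or, failing that, our own SAM name */`, and the remaining callers checked. The function starts and ends outside the hunk.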