summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/nsswitch/winbindd_pam.c48
-rw-r--r--source3/nsswitch/winbindd_util.c4
2 files changed, 36 insertions, 16 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index d58c9dcc38..3ca91b1c07 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -95,11 +95,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
- if ( !*name_domain ) {
- DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
/* do password magic */
@@ -118,11 +113,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(name_domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = name_domain;
- else
- contact_domain = lp_workgroup();
+ } else {
+ if (is_myname(name_domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+ contact_domain = lp_workgroup();
+ }
/* check authentication loop */
do {
@@ -304,11 +311,23 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
/* what domain should we contact? */
- if ( IS_DC )
+ if ( IS_DC ) {
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.auth.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = domain;
- else
+ } else {
+ if (is_myname(domain)) {
+ DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
contact_domain = lp_workgroup();
-
+ }
+
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
@@ -446,8 +465,11 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
parse_domain_user(state->request.data.chauthtok.user, domain, user);
- if ( !*domain ) {
- result = NT_STATUS_INVALID_PARAMETER;
+
+ if (!find_domain_from_name(domain)) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.chauthtok.user, domain, user, domain));
+ result = NT_STATUS_NO_SUCH_USER;
goto done;
}
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 318da4a63a..0f14a7e413 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -525,10 +525,8 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
if ( assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
- } else if (assume_domain(get_global_sam_name())) {
- fstrcpy( domain, get_global_sam_name() );
} else {
- fstrcpy( domain, "");
+ fstrcpy( domain, get_global_sam_name() );
}
}
else {