-rw-r--r--source3/auth/auth_ntlmssp.c5
-rw-r--r--source3/auth/auth_util.c51
-rw-r--r--source3/auth/auth_winbind.c3
-rw-r--r--source3/include/auth.h2
-rw-r--r--source3/smbd/sesssetup.c5
5 files changed, 52 insertions, 14 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 1d3d17d60d..7607107548 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -80,6 +80,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
auth_usersupplied_info *user_info = NULL;
NTSTATUS nt_status;
+ BOOL username_was_mapped;
/* the client has given us its machine name (which we otherwise would not get on port 445).
we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
@@ -110,12 +111,16 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
user_info, &auth_ntlmssp_state->server_info);
+ username_was_mapped = user_info->was_mapped;
+
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+ auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped;
+
nt_status = create_local_token(auth_ntlmssp_state->server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
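Review bot: The OR at `auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped;` reads a field that, on the server side, only make_server_info_info3 assigns in this commit, so for a server_info produced by any other backend the value read here depends on the struct having been zero-initialised, which the hunk cannot show; the same holds for `user_info->was_mapped`, which only make_user_info_map sets. A plain assignment would avoid the uninitialised read but would drop a flag set by make_server_info_info3, so the OR is the right shape provided the allocators zero these structs — confirm that and record it with `/* relies on server_info being zero-initialised: only info3-based backends set was_mapped */`. auth_ntlmssp_check_password continues past the hunk.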
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 8822d3358c..06fbe1b7e6 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -152,9 +152,11 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
BOOL encrypted)
{
const char *domain;
+ NTSTATUS result;
+ BOOL was_mapped;
fstring internal_username;
fstrcpy(internal_username, smb_name);
- map_username(internal_username);
+ was_mapped = map_username(internal_username);
DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
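Review bot: The result of map_username() is now captured in `was_mapped` but nothing logs a hit, and the existing DEBUG(5) on the following lines still prints only the pre-map `smb_name`; a username-map match changes the identity the rest of the auth path authorizes (see the new create_local_token branch in this commit), so it should leave a trace for audit. Add after the map_username call something like `if (was_mapped) DEBUG(3, ("make_user_info_map: username map matched, [%s] -> [%s]\n", smb_name, internal_username));`. make_user_info_map starts before this hunk and continues past it.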
@@ -176,11 +178,15 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
- return make_user_info(user_info, smb_name, internal_username,
+ result = make_user_info(user_info, smb_name, internal_username,
client_domain, domain, wksta_name,
lm_pwd, nt_pwd,
lm_interactive_pwd, nt_interactive_pwd,
plaintext, encrypted);
+ if (NT_STATUS_IS_OK(result)) {
+ (*user_info)->was_mapped = was_mapped;
+ }
+ return result;
}
/****************************************************************************
@@ -923,15 +929,29 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
return NT_STATUS_NO_MEMORY;
}
- server_info->ptok = create_local_nt_token(
- server_info,
- pdb_get_user_sid(server_info->sam_account),
- pdb_get_group_sid(server_info->sam_account),
- server_info->guest,
- server_info->num_sids, server_info->sids);
+ if (server_info->was_mapped) {
+ status = create_token_from_username(server_info,
+ server_info->unix_name,
+ server_info->guest,
+ &server_info->uid,
+ &server_info->gid,
+ &server_info->unix_name,
+ &server_info->ptok);
+
+ } else {
+ server_info->ptok = create_local_nt_token(
+ server_info,
+ pdb_get_user_sid(server_info->sam_account),
+ pdb_get_group_sid(server_info->sam_account),
+ server_info->guest,
+ server_info->num_sids, server_info->sids);
+ status = server_info->ptok ?
+ NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
+ }
- if ( !server_info->ptok ) {
- return NT_STATUS_NO_SUCH_USER;
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(mem_ctx);
+ return status;
}
/* Convert the SIDs to gids. */
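Review bot: In the `was_mapped` branch `server_info->unix_name` is passed both as the username argument and, via `&server_info->unix_name`, as the output of create_token_from_username, so the callee's input string and its result pointer alias the same field; that is only safe if the callee finishes reading the name before it writes the out-parameter, which cannot be checked from the hunk. Separately, that branch leaves `server_info->sam_account` untouched, so after a map hit the token describes the mapped unix account while the SAM account (whose SID the else branch would have used) still describes the original name, and any later consumer that reads pdb_get_user_sid(server_info->sam_account) for an authorization decision sees the unmapped identity. A comment at the branch would make this explicit: `/* username map matched: build the token from the local unix account, not from the SIDs the SAM/DC gave for the original name; sam_account still reflects that original name */`. `status` and `mem_ctx` are not declared within the hunk, so their declarations must already exist earlier in create_local_token, which starts before this hunk and continues past it.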
@@ -1366,7 +1386,8 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
const char *username,
char **found_username,
uid_t *uid, gid_t *gid,
- struct samu *account)
+ struct samu *account,
+ BOOL *username_was_mapped)
{
NTSTATUS nt_status;
fstring dom_user, lower_username;
@@ -1381,7 +1402,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
/* Get the passwd struct. Try to create the account is necessary. */
- map_username( dom_user );
+ *username_was_mapped = map_username( dom_user );
if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
return NT_STATUS_NO_SUCH_USER;
@@ -1510,6 +1531,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct samu *sam_account = NULL;
DOM_SID user_sid;
DOM_SID group_sid;
+ BOOL username_was_mapped;
uid_t uid;
gid_t gid;
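Review bot: `username_was_mapped` is declared without an initialiser and is only written through fill_sam_account's new out-parameter, which that function assigns only once it reaches its map_username call; if fill_sam_account returns before that point, or if the failure handling after the call (outside this hunk) falls through instead of returning, the later `result->was_mapped = username_was_mapped;` copies an indeterminate value into the server_info. Initialise it at the declaration, `BOOL username_was_mapped = False;`, so the flag has a defined value on every path regardless of what the callee does. make_server_info_info3 starts before this hunk and continues past it.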
@@ -1565,7 +1587,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
/* this call will try to create the user if necessary */
nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
- &found_username, &uid, &gid, sam_account);
+ &found_username, &uid, &gid, sam_account,
+ &username_was_mapped);
/* if we still don't have a valid unix account check for
@@ -1716,6 +1739,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
sizeof(info3->lm_sess_key));
}
+ result->was_mapped = username_was_mapped;
+
*server_info = result;
return NT_STATUS_OK;
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 2c584f54c2..d8ac348d04 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -132,6 +132,9 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
server_info, &info3);
}
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*server_info)->was_mapped |= user_info->was_mapped;
+ }
}
} else if (NT_STATUS_IS_OK(nt_status)) {
nt_status = NT_STATUS_NO_LOGON_SERVERS;
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 465892905a..de75ff68f6 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -29,6 +29,7 @@ typedef struct auth_usersupplied_info {
BOOL encrypted;
+ BOOL was_mapped; /* Did the username map actually match? */
char *client_domain; /* domain name string */
char *domain; /* domain name after mapping */
char *internal_username; /* username after mapping */
@@ -67,6 +68,7 @@ typedef struct auth_serversupplied_info {
void *pam_handle;
+ BOOL was_mapped; /* Did the username map match? */
char *unix_name;
} auth_serversupplied_info;
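Review bot: The comment on the new field, `/* Did the username map match? */`, says neither who sets it nor what it changes, and since the other hunks in this commit OR into it from three call sites a reader needs both. Suggest `/* True if "username map" rewrote the user name. create_local_token then builds the token from the local unix account rather than from the SAM/info3 SIDs; callers OR into this, so it relies on the struct being zero-initialised. */`. The matching auth_usersupplied_info field could simply say `/* set by make_user_info_map when "username map" rewrote the name */`.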
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b13042074a..b086090bd9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -176,6 +176,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
DATA_BLOB nullblob = data_blob(NULL, 0);
fstring real_username;
BOOL map_domainuser_to_guest = False;
+ BOOL username_was_mapped;
PAC_LOGON_INFO *logon_info = NULL;
ZERO_STRUCT(ticket);
@@ -288,7 +289,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
/* lookup the passwd struct, create a new user if necessary */
- map_username( user );
+ username_was_mapped = map_username( user );
pw = smb_getpwnam( mem_ctx, user, real_username, True );
if (!pw) {
@@ -355,6 +356,8 @@ static int reply_spnego_kerberos(connection_struct *conn,
pdb_set_domain(server_info->sam_account, domain, PDB_SET);
}
}
+
+ server_info->was_mapped |= username_was_mapped;
/* we need to build the token for the user. make_server_info_guest()
already does this */