summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/nsswitch/wbinfo.c44
-rw-r--r--source3/nsswitch/winbindd.c1
-rw-r--r--source3/nsswitch/winbindd_misc.c29
-rw-r--r--source3/nsswitch/winbindd_nss.h11
-rw-r--r--source3/smbd/sesssetup.c44
5 files changed, 126 insertions, 3 deletions
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 04233bb85c..bca1813167 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -247,6 +247,42 @@ static BOOL wbinfo_show_sequence(const char *domain)
return True;
}
+/* Show domain info */
+
+static BOOL wbinfo_domain_info(const char *domain_name)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.domain_name, domain_name);
+
+ /* Send request */
+
+ if (winbindd_request(WINBINDD_DOMAIN_INFO, &request, &response) !=
+ NSS_STATUS_SUCCESS)
+ return False;
+
+ /* Display response */
+
+ d_printf("Name : %s\n", response.data.domain_info.name);
+ d_printf("Alt_Name: %s\n", response.data.domain_info.alt_name);
+
+ d_printf("SID : %s\n", response.data.domain_info.sid);
+
+ d_printf("Native : %s\n",
+ response.data.domain_info.native_mode ? "Yes" : "No");
+
+ d_printf("Primary : %s\n",
+ response.data.domain_info.primary ? "Yes" : "No");
+
+ d_printf("Sequence: %d\n", response.data.domain_info.sequence_number);
+
+ return True;
+}
+
/* Check trust account password */
static BOOL wbinfo_check_secret(void)
@@ -922,6 +958,8 @@ int main(int argc, char **argv)
{ "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" },
{ "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" },
{ "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "Show sequence numbers of all domains" },
+ { "domain-info", 'D', POPT_ARG_STRING, &string_arg, 'D',
+ "Show all most info we have about the domain" },
{ "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups", "USER" },
{ "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" },
{ "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" },
@@ -1048,6 +1086,12 @@ int main(int argc, char **argv)
goto done;
}
break;
+ case 'D':
+ if (!wbinfo_domain_info(string_arg)) {
+ d_printf("Could not get domain info\n");
+ goto done;
+ }
+ break;
case 'r':
if (!wbinfo_get_usergroups(string_arg)) {
d_printf("Could not get groups for user %s\n",
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 4b47ac13a2..b1c0c67d52 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -262,6 +262,7 @@ static struct dispatch_table dispatch_table[] = {
{ WINBINDD_INFO, winbindd_info, "INFO" },
{ WINBINDD_INTERFACE_VERSION, winbindd_interface_version, "INTERFACE_VERSION" },
{ WINBINDD_DOMAIN_NAME, winbindd_domain_name, "DOMAIN_NAME" },
+ { WINBINDD_DOMAIN_INFO, winbindd_domain_info, "DOMAIN_INFO" },
{ WINBINDD_NETBIOS_NAME, winbindd_netbios_name, "NETBIOS_NAME" },
{ WINBINDD_PRIV_PIPE_DIR, winbindd_priv_pipe_dir, "WINBINDD_PRIV_PIPE_DIR" },
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index 88fbb5ee00..1a5ecb56c7 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -202,6 +202,35 @@ enum winbindd_result winbindd_show_sequence(struct winbindd_cli_state *state)
return WINBINDD_OK;
}
+enum winbindd_result winbindd_domain_info(struct winbindd_cli_state *state)
+{
+ struct winbindd_domain *domain;
+
+ DEBUG(3, ("[%5lu]: domain_info [%s]\n", (unsigned long)state->pid,
+ state->request.domain_name));
+
+ domain = find_domain_from_name(state->request.domain_name);
+
+ if (domain == NULL) {
+ DEBUG(3, ("Did not find domain [%s]\n",
+ state->request.domain_name));
+ return WINBINDD_ERROR;
+ }
+
+ fstrcpy(state->response.data.domain_info.name, domain->name);
+ fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
+ fstrcpy(state->response.data.domain_info.sid,
+ sid_string_static(&domain->sid));
+
+ state->response.data.domain_info.native_mode = domain->native_mode;
+ state->response.data.domain_info.primary = domain->primary;
+
+ state->response.data.domain_info.sequence_number =
+ domain->sequence_number;
+
+ return WINBINDD_OK;
+}
+
enum winbindd_result winbindd_ping(struct winbindd_cli_state
*state)
{
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 41fecd2816..00d49e7d3e 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -92,6 +92,9 @@ enum winbindd_cmd {
WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */
+ WINBINDD_DOMAIN_INFO, /* Most of what we know from
+ struct winbindd_domain */
+
WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */
/* WINS commands */
@@ -260,6 +263,14 @@ struct winbindd_response {
char first_8_lm_hash[8];
} auth;
uint32 rid; /* create user or group */
+ struct {
+ fstring name;
+ fstring alt_name;
+ fstring sid;
+ BOOL native_mode;
+ BOOL primary;
+ uint32 sequence_number;
+ } domain_info;
} data;
/* Variable length return data */
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index e9cfa47d0c..2c38cd3eb3 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -141,7 +141,8 @@ static int reply_spnego_kerberos(connection_struct *conn,
DATA_BLOB *secblob)
{
DATA_BLOB ticket;
- char *client, *p;
+ char *client, *p, *domain;
+ fstring netbios_domain_name;
const struct passwd *pw;
char *user;
int sess_vuid;
@@ -198,8 +199,45 @@ static int reply_spnego_kerberos(connection_struct *conn,
/* this gives a fully qualified user name (ie. with full realm).
that leads to very long usernames, but what else can we do? */
-
- asprintf(&user, "%s%c%s", p+1, *lp_winbind_separator(), client);
+
+ domain = p+1;
+
+ {
+ /* If we have winbind running, we can (and must) shorten the
+ username by using the short netbios name. Otherwise we will
+ have inconsistent user names. With Kerberos, we get the
+ fully qualified realm, with ntlmssp we get the short
+ name. And even w2k3 does use ntlmssp if you for example
+ connect to an ip address. */
+
+ struct winbindd_request wb_request;
+ struct winbindd_response wb_response;
+ NSS_STATUS wb_result;
+
+ ZERO_STRUCT(wb_request);
+ ZERO_STRUCT(wb_response);
+
+ DEBUG(10, ("Mapping [%s] to short name\n", domain));
+
+ fstrcpy(wb_request.domain_name, domain);
+
+ wb_result = winbindd_request(WINBINDD_DOMAIN_INFO,
+ &wb_request, &wb_response);
+
+ if (wb_result == NSS_STATUS_SUCCESS) {
+
+ fstrcpy(netbios_domain_name,
+ wb_response.data.domain_info.name);
+ domain = netbios_domain_name;
+
+ DEBUG(10, ("Mapped to [%s]\n", domain));
+ } else {
+ DEBUG(3, ("Could not find short name -- winbind "
+ "not running?\n"));
+ }
+ }
+
+ asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
pw = smb_getpwnam( user );