-rw-r--r-- | source3/nsswitch/winbindd_nss.h | 1 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 26 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 36 |
3 files changed, 52 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 00d49e7d3e..2383db551e 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -152,6 +152,7 @@ typedef struct winbindd_gr {
 #define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
 #define WBFLAG_QUERY_ONLY 0x0020
 #define WBFLAG_ALLOCATE_RID 0x0040
+#define WBFLAG_PAM_UNIX_NAME 0x0080
 
 /* Winbind request structure */
 
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 9962105787..d58c9dcc38 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -365,6 +365,32 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
 	if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
 		result = append_info3_as_ndr(mem_ctx, state, &info3);
+	} else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
+		/* ntlm_auth should return the unix username, per
+		   'winbind use default domain' settings and the like */
+
+		fstring username_out;
+		const char *nt_username, *nt_domain;
+		if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) {
+			/* If the server didn't give us one, just use the one we sent them */
+			nt_username = user;
+		}
+
+		if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) {
+			/* If the server didn't give us one, just use the one we sent them */
+			nt_domain = domain;
+		}
+
+		fill_domain_username(username_out, nt_domain, nt_username);
+
+		DEBUG(5, ("Setting unix username to [%s]\n", username_out));
+
+		/* this interface is in UTF8 */
+		if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
+			result = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+		state->response.length += strlen(state->response.extra_data)+1;
 	}
 
 	if (state->request.flags & WBFLAG_PAM_NTKEY) {
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 8e688d9614..cd917f67cd 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
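Review bot: The new WBFLAG_PAM_UNIX_NAME define carries no comment, so a reader of winbindd_nss.h cannot tell what the flag changes in the response or which field it uses; the winbindd_pam.c change in the same commit shows it fills `response.extra_data` with a UTF8 string. Proposed comment on the added line: `/* return the mapped unix username in response.extra_data (UTF8, NUL-terminated) */`.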
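Review bot: The new `else if (state->request.flags & WBFLAG_PAM_UNIX_NAME)` branch is silently skipped when a caller also sets WBFLAG_PAM_INFO3_NDR, because both branches populate the single `response.extra_data` buffer; a client that sets both gets the NDR blob and no unix name, with no error. Today's only caller (winbind_pw_check in ntlm_auth.c) requests LMKEY|NTKEY|UNIX_NAME, so this works, but the mutual exclusion should be stated at the branch: `/* INFO3_NDR and UNIX_NAME both use extra_data, so they are mutually exclusive; INFO3_NDR wins */`. It is also worth noting in a comment that when the DC returns empty `uni_user_name`/`uni_logon_dom` strings the name handed back is the request-supplied `user`/`domain`, i.e. not DC-canonicalised in that case. The enclosing function winbindd_pam_auth_crap starts and ends outside the hunk, so whether `extra_data` is freed on the `goto done` path cannot be confirmed from here.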
@@ -227,7 +227,8 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
 					  uint32 flags,
 					  uint8 lm_key[8],
 					  uint8 nt_key[16],
-					  char **error_string)
+					  char **error_string,
+					  char **unix_name)
 {
 	NTSTATUS nt_status;
 	NSS_STATUS result;
@@ -302,6 +303,13 @@ static NTSTATUS contact_winbind_auth_crap(const char *username,
 		memcpy(nt_key, response.data.auth.nt_session_key,
 		       sizeof(response.data.auth.nt_session_key));
 	}
+
+	if (flags & WBFLAG_PAM_UNIX_NAME) {
+		if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
 	return nt_status;
 }
 
@@ -312,15 +320,16 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB
 	char *error_string;
 	uint8 lm_key[8];
 	uint8 nt_key[16];
-
+	char *unix_name;
+
 	nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain,
 					      ntlmssp_state->workstation,
 					      &ntlmssp_state->chal,
 					      &ntlmssp_state->lm_resp,
 					      &ntlmssp_state->nt_resp,
-					      WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY,
+					      WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY | WBFLAG_PAM_UNIX_NAME,
 					      lm_key, nt_key,
-					      &error_string);
+					      &error_string, &unix_name);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		if (memcmp(lm_key, zeros, 8) != 0) {
@@ -332,10 +341,13 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB
 		if (memcmp(nt_key, zeros, 16) != 0) {
 			*nt_session_key = data_blob(nt_key, 16);
 		}
+		ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name);
+		SAFE_FREE(unix_name);
 	} else {
 		DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3,
 		      ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
 		       ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, error_string ? error_string : "unknown error (NULL)"));
+		ntlmssp_state->auth_context = NULL;
 	}
 	return nt_status;
 }
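Review bot: The added `pull_utf8_allocate(unix_name, (char *)response.extra_data)` in contact_winbind_auth_crap dereferences both pointers without checking them: `unix_name` is NULL for every caller updated in this commit (check_auth_crap, test_lm_ntlm_broken, test_ntlm_in_lm, test_ntlm_in_both, test_lmv2_ntlmv2_broken, test_plaintext all pass `NULL`), and `response.extra_data` is NULL whenever the winbindd on the other end does not honour the new flag. Each of those callers passes a `flags` variable whose value is set outside the hunk, so whether WBFLAG_PAM_UNIX_NAME can reach this path through them cannot be confirmed from here, but the guard is cheap: `if ((flags & WBFLAG_PAM_UNIX_NAME) && unix_name && response.extra_data) {`. If the flag was requested and `extra_data` is missing, returning an error rather than silently leaving `*unix_name` unset would also let winbind_pw_check fail closed. The earlier part of this function, including any error return before this block and the freeing of `response.extra_data`, is outside the hunk.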
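Review bot: In winbind_pw_check the new `char *unix_name;` is never initialised, and it is only written inside the `flags & WBFLAG_PAM_UNIX_NAME` block of contact_winbind_auth_crap; if that block is not reached with a value, the success path runs `talloc_strdup(ntlmssp_state->mem_ctx, unix_name)` and `SAFE_FREE(unix_name)` on an indeterminate pointer. Declare it as `char *unix_name = NULL;` and, since a NULL `auth_context` is later printed to the squid helper as the authenticated user, treat a missing name as a failure rather than passing `NT_STATUS_OK` through. The `auth_context` field is a `void *` that this commit repurposes to carry a talloc-allocated `char *`; a comment at the assignment such as `/* auth_context holds the unix username (char *, on mem_ctx) reported to the helper protocol */` would save the next reader the cross-reference to manage_squid_ntlmssp_request.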
@@ -369,10 +381,12 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *n
 		if (memcmp(nt_key, zeros, 16) != 0) {
 			*nt_session_key = data_blob(nt_key, 16);
 		}
+		ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, "%s%c%s", ntlmssp_state->domain, *lp_winbind_separator(), ntlmssp_state->user);
 	} else {
 		DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
 			  ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation,
 			  nt_errstr(nt_status)));
+		ntlmssp_state->auth_context = NULL;
 	}
 	return nt_status;
 }
@@ -520,7 +534,7 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
 		x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
 		DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
 	} else {
-		x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user);
+		x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context);
 		DEBUG(10, ("NTLMSSP OK!\n"));
 	}
 
@@ -1368,7 +1382,7 @@ static BOOL check_auth_crap(void)
 					      flags,
 					      (unsigned char *)lm_key,
 					      (unsigned char *)nt_key,
-					      &error_string);
+					      &error_string, NULL);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		x_fprintf(x_stdout, "%s (0x%x)\n",
@@ -1476,7 +1490,7 @@ static BOOL test_lm_ntlm_broken(enum ntlm_break break_which)
 					      flags,
 					      lm_key,
 					      nt_key,
-					      &error_string);
+					      &error_string, NULL);
 
 	data_blob_free(&lm_response);
 
@@ -1575,7 +1589,7 @@ static BOOL test_ntlm_in_lm(void)
 					      flags,
 					      lm_key,
 					      nt_key,
-					      &error_string);
+					      &error_string, NULL);
 
 	data_blob_free(&nt_response);
 
@@ -1646,7 +1660,7 @@ static BOOL test_ntlm_in_both(void)
 					      flags,
 					      (unsigned char *)lm_key,
 					      (unsigned char *)nt_key,
-					      &error_string);
+					      &error_string, NULL);
 
 	data_blob_free(&nt_response);
 
@@ -1737,7 +1751,7 @@ static BOOL test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
 					      flags,
 					      NULL,
 					      nt_key,
-					      &error_string);
+					      &error_string, NULL);
 
 	data_blob_free(&lmv2_response);
 	data_blob_free(&ntlmv2_response);
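Review bot: The new `x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context)` in manage_squid_ntlmssp_request prints `auth_context` on the success path without a NULL check, yet both producers in this commit can leave it NULL after a successful authentication: `talloc_strdup` in winbind_pw_check and `talloc_asprintf` in local_pw_check return NULL on allocation failure and neither result is checked. Passing NULL to `%s` is undefined behaviour, and on libcs that print "(null)" the helper would report that literal as an authenticated user to squid. Fail closed instead, reusing the existing "NA" form with a status already in scope; the rest of the function and the definition of `nt_status` are outside the hunk.
```c
	} else if (ntlmssp_state->auth_context) {
		x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context);
		DEBUG(10, ("NTLMSSP OK!\n"));
	} else {
		/* authenticated, but no username could be allocated: do not report success */
		x_fprintf(x_stdout, "NA %s\n", nt_errstr(NT_STATUS_NO_MEMORY));
		DEBUG(10, ("NTLMSSP OK but no unix username\n"));
	}
```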
@@ -1881,7 +1895,7 @@ static BOOL test_plaintext(enum ntlm_break break_which)
 					      flags,
 					      lm_key,
 					      nt_key,
-					      &error_string);
+					      &error_string, NULL);
 
 	SAFE_FREE(nt_response.data);
 	SAFE_FREE(lm_response.data);