diff options
| -rw-r--r-- | source3/nsswitch/winbindd_nss.h | 1 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 26 | ||||
| -rw-r--r-- | source3/utils/ntlm_auth.c | 34 |
3 files changed, 50 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index 76243c57ef..77384a7748 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -152,6 +152,7 @@ typedef struct winbindd_gr { #define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010 #define WBFLAG_QUERY_ONLY 0x0020 #define WBFLAG_ALLOCATE_RID 0x0040 +#define WBFLAG_PAM_UNIX_NAME 0x0080 /* Winbind request structure */ diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 6e386760b4..7c4cb53dbf 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -366,6 +366,32 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) if (state->request.flags & WBFLAG_PAM_INFO3_NDR) { result = append_info3_as_ndr(mem_ctx, state, &info3); + } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) { + /* ntlm_auth should return the unix username, per + 'winbind use default domain' settings and the like */ + + fstring username_out; + const char *nt_username, *nt_domain; + if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) { + /* If the server didn't give us one, just use the one we sent them */ + nt_username = user; + } + + if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) { + /* If the server didn't give us one, just use the one we sent them */ + nt_domain = domain; + } + + fill_domain_username(username_out, nt_username, nt_domain); + + DEBUG(5, ("Setting unix username to [%s]\n", username_out)); + + state->response.extra_data = strdup(username_out); + if (!state->response.extra_data) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + state->response.length += strlen(state->response.extra_data)+1; } if (state->request.flags & WBFLAG_PAM_NTKEY) { diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 87239117bd..bef10b52b3 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -227,7 +227,8 @@ static NTSTATUS contact_winbind_auth_crap(const char *username, uint32 flags, uint8 lm_key[8], uint8 nt_key[16], - char **error_string) + char **error_string, + char **unix_name) { NTSTATUS nt_status; NSS_STATUS result; @@ -302,6 +303,11 @@ static NTSTATUS contact_winbind_auth_crap(const char *username, memcpy(nt_key, response.data.auth.nt_session_key, sizeof(response.data.auth.nt_session_key)); } + + if (flags & WBFLAG_PAM_UNIX_NAME) { + *unix_name = response.extra_data; + } + return nt_status; } @@ -312,15 +318,16 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB char *error_string; uint8 lm_key[8]; uint8 nt_key[16]; - + char *unix_name; + nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, &ntlmssp_state->chal, &ntlmssp_state->lm_resp, &ntlmssp_state->nt_resp, - WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY, + WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY | WBFLAG_PAM_UNIX_NAME, lm_key, nt_key, - &error_string); + &error_string, &unix_name); if (NT_STATUS_IS_OK(nt_status)) { if (memcmp(lm_key, zeros, 8) != 0) { @@ -332,10 +339,13 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB if (memcmp(nt_key, zeros, 16) != 0) { *nt_session_key = data_blob(nt_key, 16); } + ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name); + SAFE_FREE(unix_name); } else { DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, error_string ? error_string : "unknown error (NULL)")); + ntlmssp_state->auth_context = NULL; } return nt_status; } @@ -369,10 +379,12 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *n if (memcmp(nt_key, zeros, 16) != 0) { *nt_session_key = data_blob(nt_key, 16); } + ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, "%s%c%s", ntlmssp_state->domain, *lp_winbind_separator(), ntlmssp_state->user); } else { DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, nt_errstr(nt_status))); + ntlmssp_state->auth_context = NULL; } return nt_status; } @@ -520,7 +532,7 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status))); } else { - x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user); + x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context); DEBUG(10, ("NTLMSSP OK!\n")); } @@ -1368,7 +1380,7 @@ static BOOL check_auth_crap(void) flags, (unsigned char *)lm_key, (unsigned char *)nt_key, - &error_string); + &error_string, NULL); if (!NT_STATUS_IS_OK(nt_status)) { x_fprintf(x_stdout, "%s (0x%x)\n", @@ -1476,7 +1488,7 @@ static BOOL test_lm_ntlm_broken(enum ntlm_break break_which) flags, lm_key, nt_key, - &error_string); + &error_string, NULL); data_blob_free(&lm_response); @@ -1575,7 +1587,7 @@ static BOOL test_ntlm_in_lm(void) flags, lm_key, nt_key, - &error_string); + &error_string, NULL); data_blob_free(&nt_response); @@ -1646,7 +1658,7 @@ static BOOL test_ntlm_in_both(void) flags, (unsigned char *)lm_key, (unsigned char *)nt_key, - &error_string); + &error_string, NULL); data_blob_free(&nt_response); @@ -1737,7 +1749,7 @@ static BOOL test_lmv2_ntlmv2_broken(enum ntlm_break break_which) flags, NULL, nt_key, - &error_string); + &error_string, NULL); data_blob_free(&lmv2_response); data_blob_free(&ntlmv2_response); @@ -1881,7 +1893,7 @@ static BOOL test_plaintext(enum ntlm_break break_which) flags, lm_key, nt_key, - &error_string); + &error_string, NULL); SAFE_FREE(nt_response.data); SAFE_FREE(lm_response.data); |