summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/sesssetup.c32
1 files changed, 14 insertions, 18 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index e408cc88e9..3a3209f172 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -148,6 +148,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
DATA_BLOB auth_data;
auth_serversupplied_info *server_info = NULL;
ADS_STRUCT *ads;
+ BOOL foreign = False;
if (!spnego_parse_krb5_wrap(*secblob, &ticket)) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
@@ -185,12 +186,20 @@ static int reply_spnego_kerberos(connection_struct *conn,
if (!lp_allow_trusted_domains()) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
- /* this gives a fully qualified user name (ie. with full realm).
- that leads to very long usernames, but what else can we do? */
- asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
- } else {
- user = strdup(client);
+ foreign = True;
+ }
+
+ /* this gives a fully qualified user name (ie. with full realm).
+ that leads to very long usernames, but what else can we do? */
+ asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
+
+ pw = Get_Pwnam(user);
+ if (!pw && !foreign) {
+ pw = Get_Pwnam(client);
+ SAFE_FREE(user);
+ user = smb_xstrdup(client);
}
+
ads_destroy(&ads);
/* setup the string used by %U */
@@ -198,19 +207,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
reload_services(True);
- /* the password is good - let them in */
- pw = Get_Pwnam(user);
- if (!pw && !strstr(user, lp_winbind_separator())) {
- char *user2;
- /* try it with a winbind domain prefix */
- asprintf(&user2, "%s%s%s", lp_workgroup(), lp_winbind_separator(), user);
- pw = Get_Pwnam(user2);
- if (pw) {
- free(user);
- user = user2;
- }
- }
-
if (!pw) {
DEBUG(1,("Username %s is invalid on this system\n",user));
return ERROR_NT(NT_STATUS_NO_SUCH_USER);