From 829188b34fd46644ea65316943a0d61ce717b8e9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Dec 2003 13:20:39 +0000 Subject: Try to gain a bit more consistancy in the output of usernames from ntlm_auth: Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b) --- source3/nsswitch/winbindd_nss.h | 1 + source3/nsswitch/winbindd_pam.c | 26 ++++++++++++++++++++++++++ source3/utils/ntlm_auth.c | 34 +++++++++++++++++++++++----------- 3 files changed, 50 insertions(+), 11 deletions(-) diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index 76243c57ef..77384a7748 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -152,6 +152,7 @@ typedef struct winbindd_gr { #define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010 #define WBFLAG_QUERY_ONLY 0x0020 #define WBFLAG_ALLOCATE_RID 0x0040 +#define WBFLAG_PAM_UNIX_NAME 0x0080 /* Winbind request structure */ diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 6e386760b4..7c4cb53dbf 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -366,6 +366,32 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) if (state->request.flags & WBFLAG_PAM_INFO3_NDR) { result = append_info3_as_ndr(mem_ctx, state, &info3); + } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) { + /* ntlm_auth should return the unix username, per + 'winbind use default domain' settings and the like */ + + fstring username_out; + const char *nt_username, *nt_domain; + if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) { + /* If the server didn't give us one, just use the one we sent them */ + nt_username = user; + } + + if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) { + /* If the server didn't give us one, just use the one we sent them */ + nt_domain = domain; + } + + fill_domain_username(username_out, nt_username, nt_domain); + + DEBUG(5, ("Setting unix username to [%s]\n", username_out)); + + state->response.extra_data = strdup(username_out); + if (!state->response.extra_data) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + state->response.length += strlen(state->response.extra_data)+1; } if (state->request.flags & WBFLAG_PAM_NTKEY) { diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 87239117bd..bef10b52b3 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -227,7 +227,8 @@ static NTSTATUS contact_winbind_auth_crap(const char *username, uint32 flags, uint8 lm_key[8], uint8 nt_key[16], - char **error_string) + char **error_string, + char **unix_name) { NTSTATUS nt_status; NSS_STATUS result; @@ -302,6 +303,11 @@ static NTSTATUS contact_winbind_auth_crap(const char *username, memcpy(nt_key, response.data.auth.nt_session_key, sizeof(response.data.auth.nt_session_key)); } + + if (flags & WBFLAG_PAM_UNIX_NAME) { + *unix_name = response.extra_data; + } + return nt_status; } @@ -312,15 +318,16 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB char *error_string; uint8 lm_key[8]; uint8 nt_key[16]; - + char *unix_name; + nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, &ntlmssp_state->chal, &ntlmssp_state->lm_resp, &ntlmssp_state->nt_resp, - WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY, + WBFLAG_PAM_LMKEY | WBFLAG_PAM_NTKEY | WBFLAG_PAM_UNIX_NAME, lm_key, nt_key, - &error_string); + &error_string, &unix_name); if (NT_STATUS_IS_OK(nt_status)) { if (memcmp(lm_key, zeros, 8) != 0) { @@ -332,10 +339,13 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB if (memcmp(nt_key, zeros, 16) != 0) { *nt_session_key = data_blob(nt_key, 16); } + ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name); + SAFE_FREE(unix_name); } else { DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, error_string ? error_string : "unknown error (NULL)")); + ntlmssp_state->auth_context = NULL; } return nt_status; } @@ -369,10 +379,12 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *n if (memcmp(nt_key, zeros, 16) != 0) { *nt_session_key = data_blob(nt_key, 16); } + ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx, "%s%c%s", ntlmssp_state->domain, *lp_winbind_separator(), ntlmssp_state->user); } else { DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, nt_errstr(nt_status))); + ntlmssp_state->auth_context = NULL; } return nt_status; } @@ -520,7 +532,7 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status))); } else { - x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user); + x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context); DEBUG(10, ("NTLMSSP OK!\n")); } @@ -1368,7 +1380,7 @@ static BOOL check_auth_crap(void) flags, (unsigned char *)lm_key, (unsigned char *)nt_key, - &error_string); + &error_string, NULL); if (!NT_STATUS_IS_OK(nt_status)) { x_fprintf(x_stdout, "%s (0x%x)\n", @@ -1476,7 +1488,7 @@ static BOOL test_lm_ntlm_broken(enum ntlm_break break_which) flags, lm_key, nt_key, - &error_string); + &error_string, NULL); data_blob_free(&lm_response); @@ -1575,7 +1587,7 @@ static BOOL test_ntlm_in_lm(void) flags, lm_key, nt_key, - &error_string); + &error_string, NULL); data_blob_free(&nt_response); @@ -1646,7 +1658,7 @@ static BOOL test_ntlm_in_both(void) flags, (unsigned char *)lm_key, (unsigned char *)nt_key, - &error_string); + &error_string, NULL); data_blob_free(&nt_response); @@ -1737,7 +1749,7 @@ static BOOL test_lmv2_ntlmv2_broken(enum ntlm_break break_which) flags, NULL, nt_key, - &error_string); + &error_string, NULL); data_blob_free(&lmv2_response); data_blob_free(&ntlmv2_response); @@ -1881,7 +1893,7 @@ static BOOL test_plaintext(enum ntlm_break break_which) flags, lm_key, nt_key, - &error_string); + &error_string, NULL); SAFE_FREE(nt_response.data); SAFE_FREE(lm_response.data); -- cgit