From 9421a0a9cd38a39757e805c817c681f2cefe3bf3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Oct 2006 19:20:21 +0000 Subject: r19207: Properly canonicalize incoming names to the NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth. That way we ensure winbindd only deals with fully qualified names internally. The NSS protocols auth_crap and chng_pswd_auth_crap should be fixed to do the same thing. Jeremy. (This used to be commit dbd2454d3337f64cddbdaf39e9efd6505e6b2590) --- source3/nsswitch/winbindd_pam.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'source3/nsswitch/winbindd_pam.c') diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 1a38b979b9..6a13b38b3a 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -677,7 +677,7 @@ void winbindd_pam_auth(struct winbindd_cli_state *state) /* Parse domain and username */ - if (!parse_domain_user(state->request.data.auth.user, + if (!canonicalize_username(state->request.data.auth.user, name_domain, name_user)) { set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); DEBUG(5, ("Plain text authentication for %s returned %s " @@ -1806,7 +1806,16 @@ void winbindd_pam_chauthtok(struct winbindd_cli_state *state) /* Setup crap */ - parse_domain_user(state->request.data.chauthtok.user, domain, user); + if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) { + set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); + DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s" + "(PAM: %d)\n", + state->request.data.auth.user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); + request_error(state); + return; + } contact_domain = find_domain_from_name(domain); if (!contact_domain) { @@ -1941,7 +1950,7 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state) state->request.data.logoff.krb5ccname [sizeof(state->request.data.logoff.krb5ccname)-1]='\0'; - if (!parse_domain_user(state->request.data.logoff.user, name_domain, user)) { + if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) { goto failed; } -- cgit