From 841868d290400272e50bcfb5fadd7b9dba4638b6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 22 Oct 2004 20:15:24 +0000 Subject: r3140: * try to ensure consistent usage of the username map. Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8) --- source3/auth/auth_util.c | 34 +++++++++++++++++++++++----------- source3/nsswitch/winbindd_util.c | 7 ++++--- 2 files changed, 27 insertions(+), 14 deletions(-) (limited to 'source3') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5e8f18881f..9be297818f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -930,18 +930,23 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { - fstring dom_user; + fstring dom_user, lower_username; fstring real_username; struct passwd *passwd; - fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), - username); + fstrcpy( lower_username, username ); + strlower_m( lower_username ); + + fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(), + lower_username); /* get the passwd struct but don't create the user if he/she does not exist. We were explicitly called from a following a winbindd authentication request so we should assume that nss_winbindd is working */ + map_username( dom_user ); + if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; @@ -1104,18 +1109,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* try to fill the SAM account.. If getpwnam() fails, then try the - add user script (2.2.x behavior) */ + add user script (2.2.x behavior). + + We use the _unmapped_ username here in an attempt to provide + consistent username mapping behavior between kerberos and NTLM[SSP] + authentication in domain mode security. I.E. Username mapping should + be applied to the fully qualified username (e.g. DOMAIN\user) and + no just the login name. Yes this mean swe called map_username() + unnecessarily in make_user_info_map() but that is how the current + code is designed. Making the change here is the least disruptive + place. -- jerry */ - nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, &found_username, - &uid, &gid, &sam_account); + DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); + auth_add_user_script( nt_domain, sent_nt_username ); + nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, + &found_username, &uid, &gid, &sam_account ); } if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 6600690538..a96f652c61 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -641,14 +641,15 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user) */ void fill_domain_username(fstring name, const char *domain, const char *user) { + strlower_m( name ); + if (assume_domain(domain)) { strlcpy(name, user, sizeof(fstring)); } else { - slprintf(name, sizeof(fstring) - 1, "%s%s%s", - domain, lp_winbind_separator(), + slprintf(name, sizeof(fstring) - 1, "%s%c%s", + domain, *lp_winbind_separator(), user); } - strlower_m(name); } /* -- cgit