Author: jerry Date: 2007-08-28 22:49:43 +0000 (Tue, 28 Aug 2007) New Revision: 24756
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24756 Log: Merge svn r24722 from SAMBA_3_2 (upn logon support) Modified: branches/SAMBA_3_2_0/source/nsswitch/pam_winbind.c branches/SAMBA_3_2_0/source/nsswitch/wbinfo.c branches/SAMBA_3_2_0/source/nsswitch/winbindd_cache.c branches/SAMBA_3_2_0/source/nsswitch/winbindd_util.c Changeset: Modified: branches/SAMBA_3_2_0/source/nsswitch/pam_winbind.c =================================================================== --- branches/SAMBA_3_2_0/source/nsswitch/pam_winbind.c 2007-08-28 19:03:08 UTC (rev 24755) +++ branches/SAMBA_3_2_0/source/nsswitch/pam_winbind.c 2007-08-28 22:49:43 UTC (rev 24756) @@ -1614,6 +1614,89 @@ return ret; } +/** + * Retrieve the winbind separator. + * + * @param pamh PAM handle + * @param ctrl PAM winbind options. + * + * @return string separator character. NULL on failure. + */ + +static char winbind_get_separator(pam_handle_t *pamh, int ctrl) +{ + struct winbindd_request request; + struct winbindd_response response; + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + if (pam_winbind_request_log(pamh, ctrl, WINBINDD_INFO, &request, &response, NULL)) { + return '\0'; + } + + return response.data.info.winbind_separator; +} + +/** + * Convert a upn to a name. + * + * @param pamh PAM handle + * @param ctrl PAM winbind options. + * @param upn USer UPN to be trabslated. + * + * @return converted name. NULL pointer on failure. Caller needs to free. + */ + +static char* winbind_upn_to_username(pam_handle_t *pamh, int ctrl, const char *upn) +{ + struct winbindd_request req; + struct winbindd_response resp; + int retval; + char *account_name; + int account_name_len; + char sep; + + /* This cannot work when the winbind separator = @ */ + + sep = winbind_get_separator(pamh, ctrl); + if (!sep || sep == '@') { + return NULL; + } + + /* Convert the UPN to a SID */ + + ZERO_STRUCT(req); + ZERO_STRUCT(resp); + + strncpy(req.data.name.dom_name, "", + sizeof(req.data.name.dom_name) - 1); + strncpy(req.data.name.name, upn, + sizeof(req.data.name.name) - 1); + retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_LOOKUPNAME, + &req, &resp, upn); + if ( retval != PAM_SUCCESS ) { + return NULL; + } + + /* Convert the the SID back to the sAMAccountName */ + + ZERO_STRUCT(req); + strncpy(req.data.sid, resp.data.sid.sid, sizeof(req.data.sid)-1); + ZERO_STRUCT(resp); + retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_LOOKUPSID, + &req, &resp, upn); + if ( retval != PAM_SUCCESS ) { + return NULL; + } + + account_name_len = asprintf(&account_name, "%s\\%s", + resp.data.name.dom_name, + resp.data.name.name); + + return account_name; +} + PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -1646,6 +1729,7 @@ goto out; } + #if defined(AIX) /* Decode the user name since AIX does not support logn user names by default. The name is encoded as _#uid. */ @@ -1670,6 +1754,19 @@ } } + /* Maybe this was a UPN */ + + if (strchr(real_username, '@') != NULL) { + char *samaccountname = NULL; + + samaccountname = winbind_upn_to_username(pamh, ctrl, + real_username); + if (samaccountname) { + free(real_username); + real_username = samaccountname; + } + } + retval = _winbind_read_password(pamh, ctrl, NULL, "Password: ", NULL, &password); @@ -1697,8 +1794,8 @@ ctrl, d); /* Now use the username to look up password */ - retval = winbind_auth_request(pamh, ctrl, username, password, member, - cctype, warn_pwd_expire, NULL, NULL, + retval = winbind_auth_request(pamh, ctrl, real_username, password, member, + cctype, warn_pwd_expire, NULL, NULL, &username_ret); if (retval == PAM_NEW_AUTHTOK_REQD || Modified: branches/SAMBA_3_2_0/source/nsswitch/wbinfo.c =================================================================== --- branches/SAMBA_3_2_0/source/nsswitch/wbinfo.c 2007-08-28 19:03:08 UTC (rev 24755) +++ branches/SAMBA_3_2_0/source/nsswitch/wbinfo.c 2007-08-28 22:49:43 UTC (rev 24756) @@ -105,6 +105,13 @@ char *p = strchr(domuser,winbind_separator()); if (!p) { + /* Maybe it was a UPN? */ + if ((p = strchr(domuser, '@')) != NULL) { + fstrcpy(domain, ""); + fstrcpy(user, domuser); + return True; + } + fstrcpy(user, domuser); fstrcpy(domain, get_winbind_domain()); return True; Modified: branches/SAMBA_3_2_0/source/nsswitch/winbindd_cache.c =================================================================== --- branches/SAMBA_3_2_0/source/nsswitch/winbindd_cache.c 2007-08-28 19:03:08 UTC (rev 24755) +++ branches/SAMBA_3_2_0/source/nsswitch/winbindd_cache.c 2007-08-28 22:49:43 UTC (rev 24756) @@ -1411,7 +1411,8 @@ wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type); } - if (NT_STATUS_IS_OK(status)) { + /* Only save the reverse mapping if this was not a UPN */ + if (NT_STATUS_IS_OK(status) && !strchr(name, '@')) { strupper_m(CONST_DISCARD(char *,domain_name)); strlower_m(CONST_DISCARD(char *,name)); wcache_save_sid_to_name(domain, status, sid, domain_name, name, *type); Modified: branches/SAMBA_3_2_0/source/nsswitch/winbindd_util.c =================================================================== --- branches/SAMBA_3_2_0/source/nsswitch/winbindd_util.c 2007-08-28 19:03:08 UTC (rev 24755) +++ branches/SAMBA_3_2_0/source/nsswitch/winbindd_util.c 2007-08-28 22:49:43 UTC (rev 24756) @@ -1077,6 +1077,8 @@ if ( assume_domain(lp_workgroup())) { fstrcpy(domain, lp_workgroup()); + } else if ((p = strchr(domuser, '@')) != NULL) { + fstrcpy(domain, ""); } else { return False; } @@ -1310,6 +1312,23 @@ } } + /* Add any Universal groups in the other_sids list */ + + for (i=0; i<info3->num_other_sids; i++) { + /* Skip Domain local groups outside our domain. + We'll get these from the getsidaliases() RPC call. */ + if (info3->other_sids_attrib[i] & SE_GROUP_RESOURCE) + continue; + + if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + user_sids, &num_groups)) + { + TALLOC_FREE(info3); + return NT_STATUS_NO_MEMORY; + } + } + + TALLOC_FREE(info3); *p_num_groups = num_groups; status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;