The branch, v3-5-test has been updated
       via  c3f2015... Fix bug #7589 - ntlm_auth fails to use cached 
credentials.
      from  3834777... Fix bug 7581 - Users in "admin users" in smb.conf file 
are unable to read/write all files when the acl_xattr vfs module is used.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit c3f2015075ff1e523536cdd242ba0ec5b26f081c
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Jul 29 13:44:35 2010 -0700

    Fix bug #7589 - ntlm_auth fails to use cached credentials.
    
    In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
    of the mapped username, but fails to canonicalize the actual username
    sent to the backend domain process. When "winbind default domain"
    is set this can lead to credentials being cached with an index of
    user: user, not DOMAIN\user. All other code paths that use
    canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF)
    correctly canonicalize the data sent to the backend. All calls
    that can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
    correctly call canonicalize_username() to create the credential
    lookup key.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_pam.c |   16 +++++++---------
 1 files changed, 7 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index fab919f..e958a7e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -801,7 +801,7 @@ NTSTATUS append_auth_data(struct winbindd_cli_state *state,
 void winbindd_pam_auth(struct winbindd_cli_state *state)
 {
        struct winbindd_domain *domain;
-       fstring name_domain, name_user, mapped_user;
+       fstring name_domain, name_user;
        char *mapped = NULL;
        NTSTATUS result;
        NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
@@ -828,17 +828,15 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
                                               state->request->data.auth.user,
                                               &mapped);
 
-       /* If the name normalization didnt' actually do anything,
-          just use the original name */
+       /* Update the auth name if we did any mapping */
 
-       if (NT_STATUS_IS_OK(name_map_status)
-           ||NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) {
-               fstrcpy(mapped_user, mapped);
-       } else {
-               fstrcpy(mapped_user, state->request->data.auth.user);
+       if (NT_STATUS_IS_OK(name_map_status) ||
+           NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
+       {
+               fstrcpy(state->request->data.auth.user, mapped);
        }
 
-       if (!canonicalize_username(mapped_user, name_domain, name_user)) {
+       if (!canonicalize_username(state->request->data.auth.user, name_domain, 
name_user)) {
                result = NT_STATUS_NO_SUCH_USER;
                goto done;
        }
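Review bot: The new comment above the `if`, `/* Update the auth name if we did any mapping */`, does not say why the request buffer itself is now overwritten, and that is the security-relevant part of this fix. Going by the commit message, `state->request->data.auth.user` is what reaches the backend domain process and what the cached-credential index is derived from, so I would word it as `/* Overwrite the request's user field in place: the domain child and the credential cache key must both see the mapped, canonical DOMAIN\user form (bug #7589) */`. Because the client-supplied name is no longer preserved after this point, check that nothing later in winbindd_pam_auth logs or compares the original string; the function begins before and continues past this hunk, so that cannot be verified here. It would also help to note in the comment that NT_STATUS_FILE_RENAMED is treated here as a success status, presumably meaning "name was mapped", since that reading is not obvious at the call site.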


-- 
Samba Shared Repository
