Attachment #67208 for bug #149021

View | Details | Raw Unified | Return to bug 149021
Collapse All | Expand All




	return True;
}

/* Parse a string of the form DOMAIN\user into a domain and a user */

BOOL parse_valid_domain_user(const char *domuser, fstring domain, fstring user)
{
	char *p = strchr(domuser,*lp_winbind_separator());

	if ( !p ) {

		if (!lp_winbind_use_default_domain() || 
		    !lp_winbind_trusted_domains_only()) {
			return False;
		}
		
		fstrcpy(user, domuser);
		
		if ( assume_domain(lp_workgroup())) {
			fstrcpy(domain, lp_workgroup());
		} else {
			fstrcpy( domain, get_global_sam_name() ); 
		}
	} 
	else {
		fstrcpy(user, p+1);
		fstrcpy(domain, domuser);
		domain[PTR_DIFF(p, domuser)] = 0;
	}
	
	strupper_m(domain);
	
	return True;
}
BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
			      char **domain, char **user)
{

Lines 335-342 Link Here

(-)nsswitch/winbindd_user.c (-2 / +2 lines)
335	DEBUG(3, ("[%5lu]: getpwnam %s\n", (unsigned long)state->pid,	335	DEBUG(3, ("[%5lu]: getpwnam %s\n", (unsigned long)state->pid,
336	state->request.data.username));	336	state->request.data.username));
337		337
338	if (!parse_domain_user(state->request.data.username, domname,	338	if (!parse_valid_domain_user(state->request.data.username, domname,
339	username)) {	339	username)) {
340	DEBUG(0, ("Could not parse domain user: %s\n",	340	DEBUG(0, ("Could not parse domain user: %s\n",
341	state->request.data.username));	341	state->request.data.username));
342	request_error(state);	342	request_error(state);




 *	 0  = OK
 * 	-1  = System error
 */
static int valid_user(const char *user, pam_handle_t *pamh, int ctrl)
{
	/* check not only if the user is available over NSS calls, also make
	 * sure it's really a winbind user, this is important when stacking PAM
	 * modules in the 'account' or 'password' facility. */

	struct passwd *pwd = NULL;
	struct winbindd_request request;
	struct winbindd_response response;
	int ret;

	ZERO_STRUCT(request);
	ZERO_STRUCT(response);

	pwd = getpwnam(user);
	if (pwd == NULL) {
		return 1;
	}

	fstrcpy(request.data.username, user);

	ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_GETPWNAM, &request, &response, user);

	switch (ret) {
		case PAM_USER_UNKNOWN:
			return 1;
		case PAM_SUCCESS:
			return 0;
		default:
			break;
	}
	return -1;
}

static char *_pam_delete(register char *xx)

	}

	/* Verify the username */
	retval = valid_user(username, pamh, ctrl);
	switch (retval) {
	case -1:
		/* some sort of system error. The log was already printed */

		return retval;
	}

	/* check if this is really a user in winbindd, not only in NSS */
	retval = valid_user(user, pamh, ctrl);
	switch (retval) {
		case 1:
			return PAM_USER_UNKNOWN;
		case -1:
			return PAM_SYSTEM_ERR;
		default:
			break;
	}
		
	/*
	 * obtain and verify the current password (OLDAUTHTOK) for
	 * the user.





	/* Parse domain and username */
	
	if (!parse_valid_domain_user(state->request.data.auth.user,
				     name_domain, name_user)) {
		set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
		DEBUG(5, ("Plain text authentication for %s returned %s "
			  "(PAM: %d)\n",
			  state->request.data.auth.user, 
			  state->response.data.auth.nt_status_string,
			  state->response.data.auth.pam_error));
		request_error(state);
		return;
	}

	domain = find_auth_domain(state, name_domain);


Return to bug 149021

Lines 849-854 Link Here

(-)nsswitch/winbindd_util.c (+31 lines)
849	return True;	849	return True;
850	}	850	}
851		851
		852	/* Parse a string of the form DOMAIN\user into a domain and a user */
		853
		854	BOOL parse_valid_domain_user(const char *domuser, fstring domain, fstring user)
		855	{
		856	char p = strchr(domuser,lp_winbind_separator());
		857
		858	if ( !p ) {
		859
		860	if (!lp_winbind_use_default_domain() \|\|
		861	!lp_winbind_trusted_domains_only()) {
		862	return False;
		863	}
		864
		865	fstrcpy(user, domuser);
		866
		867	if ( assume_domain(lp_workgroup())) {
		868	fstrcpy(domain, lp_workgroup());
		869	} else {
		870	fstrcpy( domain, get_global_sam_name() );
		871	}
		872	}
		873	else {
		874	fstrcpy(user, p+1);
		875	fstrcpy(domain, domuser);
		876	domain[PTR_DIFF(p, domuser)] = 0;
		877	}
		878
		879	strupper_m(domain);
		880
		881	return True;
		882	}
852	BOOL parse_domain_user_talloc(TALLOC_CTX mem_ctx, const char domuser,	883	BOOL parse_domain_user_talloc(TALLOC_CTX mem_ctx, const char domuser,
853	char domain, char user)	884	char domain, char user)
854	{	885	{

Lines 566-575 Link Here

(-)nsswitch/pam_winbind.c (-4 / +43 lines)
566	* 0 = OK	569	* 0 = OK
567	* -1 = System error	570	* -1 = System error
568	*/	571	*/
569	static int valid_user(const char *user)	572	static int valid_user(const char user, pam_handle_t pamh, int ctrl)
570	{	573	{
571	if (getpwnam(user)) return 0;	574	/* check not only if the user is available over NSS calls, also make
572	return 1;	575	* sure it's really a winbind user, this is important when stacking PAM
		576	* modules in the 'account' or 'password' facility. */
		577
		578	struct passwd *pwd = NULL;
		579	struct winbindd_request request;
		580	struct winbindd_response response;
		581	int ret;
		582
		583	ZERO_STRUCT(request);
		584	ZERO_STRUCT(response);
		585
		586	pwd = getpwnam(user);
		587	if (pwd == NULL) {
		588	return 1;
		589	}
		590
		591	fstrcpy(request.data.username, user);
		592
		593	ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_GETPWNAM, &request, &response, user);
		594
		595	switch (ret) {
		596	case PAM_USER_UNKNOWN:
		597	return 1;
		598	case PAM_SUCCESS:
		599	return 0;
		600	default:
		601	break;
		602	}
		603	return -1;
573	}	604	}
574		605
575	static char _pam_delete(register char xx)	606	static char _pam_delete(register char xx)
Lines 897-903 Link Here
897	}	972	}
898		973
899	/* Verify the username */	974	/* Verify the username */
900	retval = valid_user(username);	975	retval = valid_user(username, pamh, ctrl);
901	switch (retval) {	976	switch (retval) {
902	case -1:	977	case -1:
903	/* some sort of system error. The log was already printed */	978	/* some sort of system error. The log was already printed */
Lines 1123-1128 Link Here
1123	return retval;	1198	return retval;
1124	}	1199	}
1125		1200
		1201	/* check if this is really a user in winbindd, not only in NSS */
		1202	retval = valid_user(user, pamh, ctrl);
		1203	switch (retval) {
		1204	case 1:
		1205	return PAM_USER_UNKNOWN;
		1206	case -1:
		1207	return PAM_SYSTEM_ERR;
		1208	default:
		1209	break;
		1210	}
		1211
1126	/*	1212	/*
1127	* obtain and verify the current password (OLDAUTHTOK) for	1213	* obtain and verify the current password (OLDAUTHTOK) for
1128	* the user.	1214	* the user.

Lines 633-640 Link Here

(-)nsswitch/winbindd_pam.c (-2 / +11 lines)
633		633
634	/* Parse domain and username */	634	/* Parse domain and username */
635		635
636	parse_domain_user(state->request.data.auth.user,	636	if (!parse_valid_domain_user(state->request.data.auth.user,
637	name_domain, name_user);	637	name_domain, name_user)) {
		638	set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
		639	DEBUG(5, ("Plain text authentication for %s returned %s "
		640	"(PAM: %d)\n",
		641	state->request.data.auth.user,
		642	state->response.data.auth.nt_status_string,
		643	state->response.data.auth.pam_error));
		644	request_error(state);
		645	return;
		646	}
638		647
639	domain = find_auth_domain(state, name_domain);	648	domain = find_auth_domain(state, name_domain);
640		649