From be4efcf50c69b236d56dd0ad09f1189f95d62e81 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 29 Jul 2010 13:44:35 -0700 Subject: [PATCH] Fix bug #7589 - ntlm_auth fails to use cached credentials. In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy* of the mapped username, but fails to canonicalize the actual username sent to the backend domain process. When "winbind default domain" is set this can lead to credentials being cached with an index of user: user, not DOMAIN\user. All other code paths that use canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF) correctly canonicalize the data sent to the backend. All calls the can cause credentials to be looked up (PAM_CHAUTHTOK etc.) correctly call canonicalize_username() to create the credential lookup key. Jeremy. --- source3/winbindd/winbindd_pam.c | 16 +++++++--------- 1 files changed, 7 insertions(+), 9 deletions(-) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index fab919f..e958a7e 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -801,7 +801,7 @@ NTSTATUS append_auth_data(struct winbindd_cli_state *state, void winbindd_pam_auth(struct winbindd_cli_state *state) { struct winbindd_domain *domain; - fstring name_domain, name_user, mapped_user; + fstring name_domain, name_user; char *mapped = NULL; NTSTATUS result; NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; @@ -828,17 +828,15 @@ void winbindd_pam_auth(struct winbindd_cli_state *state) state->request->data.auth.user, &mapped); - /* If the name normalization didnt' actually do anything, - just use the original name */ + /* Update the auth name if we did any mapping */ - if (NT_STATUS_IS_OK(name_map_status) - ||NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) { - fstrcpy(mapped_user, mapped); - } else { - fstrcpy(mapped_user, state->request->data.auth.user); + if (NT_STATUS_IS_OK(name_map_status) || + NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) + { + fstrcpy(state->request->data.auth.user, mapped); } - if (!canonicalize_username(mapped_user, name_domain, name_user)) { + if (!canonicalize_username(state->request->data.auth.user, name_domain, name_user)) { result = NT_STATUS_NO_SUCH_USER; goto done; } -- 1.7.0.4