The Samba-Bugzilla – Attachment 5877 Details for
Bug 7589
ntlm_auth fails to use cached credentials
[patch]
Fix for 3.5.x
0001-Fix-bug-7589-ntlm_auth-fails-to-use-cached-credentia.patch (text/plain), 2.33 KB, created by
Jeremy Allison
on 2010-07-29 15:47:26 UTC
>From be4efcf50c69b236d56dd0ad09f1189f95d62e81 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 29 Jul 2010 13:44:35 -0700 >Subject: [PATCH] Fix bug #7589 - ntlm_auth fails to use cached credentials. > >In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy* >of the mapped username, but fails to canonicalize the actual username >sent to the backend domain process. When "winbind default domain" >is set this can lead to credentials being cached with an index of >user: user, not DOMAIN\user. All other code paths that use >canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF) >correctly canonicalize the data sent to the backend. All calls >the can cause credentials to be looked up (PAM_CHAUTHTOK etc.) >correctly call canonicalize_username() to create the credential >lookup key. > >Jeremy. >--- > source3/winbindd/winbindd_pam.c | 16 +++++++--------- > 1 files changed, 7 insertions(+), 9 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index fab919f..e958a7e 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -801,7 +801,7 @@ NTSTATUS append_auth_data(struct winbindd_cli_state *state, > void winbindd_pam_auth(struct winbindd_cli_state *state) > { > struct winbindd_domain *domain; >- fstring name_domain, name_user, mapped_user; >+ fstring name_domain, name_user; > char *mapped = NULL; > NTSTATUS result; > NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; 
>@@ -828,17 +828,15 @@ void winbindd_pam_auth(struct winbindd_cli_state *state) > state->request->data.auth.user, > &mapped); > >- /* If the name normalization didnt' actually do anything, >- just use the original name */ >+ /* Update the auth name if we did any mapping */ > >- if (NT_STATUS_IS_OK(name_map_status) >- ||NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) { >- fstrcpy(mapped_user, mapped); >- } else { >- fstrcpy(mapped_user, state->request->data.auth.user); >+ if (NT_STATUS_IS_OK(name_map_status) || >+ NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) >+ { >+ fstrcpy(state->request->data.auth.user, mapped); > } > >- if (!canonicalize_username(mapped_user, name_domain, name_user)) { >+ if (!canonicalize_username(state->request->data.auth.user, name_domain, name_user)) { > result = NT_STATUS_NO_SUCH_USER; > goto done; > } >-- >1.7.0.4 >
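Review bot: In the second hunk, fstrcpy() now writes `mapped` into state->request->data.auth.user instead of the local fstring mapped_user, and the declaration of that request field is not visible in this diff, so please confirm it is fstring-sized before a fixed-size copy targets it. The new comment "Update the auth name if we did any mapping" should also say that the request field is overwritten deliberately so that the name handed to canonicalize_username(), and later sent to the backend domain process, is the one used as the credential cache key; without that, a later cleanup could reintroduce a local copy and bring the bug back. Minor style point: the opening brace on its own line after the two-line condition differs from the `if (...) {` form used by the canonicalize_username() check a few lines below in the same hunk.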
Flags:
gd
:
review+