[samba/f14/master] Fix winbind default domain related: #618201
Guenther Deschner
gd at fedoraproject.org
Thu Aug 19 12:18:11 UTC 2010
commit 4c8be5e976214423ad7ba2734675650c9580a23b
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 19 13:57:49 2010 +0200
Fix winbind default domain
related: #618201
Guenther
samba-3.5.4-winbind_default_domain.patch | 61 ++++++++++++++++++++++++++++++
samba.spec | 8 +++-
2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/samba-3.5.4-winbind_default_domain.patch b/samba-3.5.4-winbind_default_domain.patch
new file mode 100644
index 0000000..fa332c9
--- /dev/null
+++ b/samba-3.5.4-winbind_default_domain.patch
@@ -0,0 +1,61 @@
+From be4efcf50c69b236d56dd0ad09f1189f95d62e81 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Thu, 29 Jul 2010 13:44:35 -0700
+Subject: [PATCH] Fix bug #7589 - ntlm_auth fails to use cached credentials.
+
+In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
+of the mapped username, but fails to canonicalize the actual username
+sent to the backend domain process. When "winbind default domain"
+is set this can lead to credentials being cached with an index of
+user: user, not DOMAIN\user. All other code paths that use
+canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF)
+correctly canonicalize the data sent to the backend. All calls
+the can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
+correctly call canonicalize_username() to create the credential
+lookup key.
+
+Jeremy.
+---
+ source3/winbindd/winbindd_pam.c | 16 +++++++---------
+ 1 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index fab919f..e958a7e 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -801,7 +801,7 @@ NTSTATUS append_auth_data(struct winbindd_cli_state *state,
+ void winbindd_pam_auth(struct winbindd_cli_state *state)
+ {
+ struct winbindd_domain *domain;
+- fstring name_domain, name_user, mapped_user;
++ fstring name_domain, name_user;
+ char *mapped = NULL;
+ NTSTATUS result;
+ NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+@@ -828,17 +828,15 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
+ state->request->data.auth.user,
+ &mapped);
+
+- /* If the name normalization didnt' actually do anything,
+- just use the original name */
++ /* Update the auth name if we did any mapping */
+
+- if (NT_STATUS_IS_OK(name_map_status)
+- ||NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) {
+- fstrcpy(mapped_user, mapped);
+- } else {
+- fstrcpy(mapped_user, state->request->data.auth.user);
++ if (NT_STATUS_IS_OK(name_map_status) ||
++ NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
++ {
++ fstrcpy(state->request->data.auth.user, mapped);
+ }
+
+- if (!canonicalize_username(mapped_user, name_domain, name_user)) {
++ if (!canonicalize_username(state->request->data.auth.user, name_domain, name_user)) {
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+--
+1.7.0.4
+
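Review bot: The new `fstrcpy(state->request->data.auth.user, mapped);` in winbindd_pam_auth overwrites the client's request field in place, but the one-line comment above it says neither why that matters nor what happens when the mapped name does not fit the destination. Per the patch description this value is now both the name sent to the backend domain process and the index under which credentials are cached, so a silently shortened name would presumably be authenticated or cached under a different key than intended. It is worth confirming that `fstrcpy` bounds the copy to the field's size (assumed here to be a fixed-size fstring) and deciding whether an over-long `mapped` should fail with `NT_STATUS_NO_SUCH_USER` instead of being truncated. I would expand the comment to `/* Overwrite the request's user in place so the domain child and the credential cache key both see the mapped name */` and add a short remark that `NT_STATUS_FILE_RENAMED` is treated as the "name was mapped" result. The function body starts and ends outside the embedded hunk, so any earlier termination or length check on the request field is not visible here.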
diff --git a/samba.spec b/samba.spec
index 8038040..6e01328 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,4 +1,4 @@
-%define main_release 64
+%define main_release 65
%define samba_version 3.5.4
%define tdb_version 1.2.1
%define talloc_version 2.0.1
@@ -47,6 +47,7 @@ Patch107: samba-3.2.0pre1-grouppwd.patch
Patch200: samba-3.2.5-inotify.patch
Patch201: samba-3.5.4-winbind-schannel.patch
Patch202: samba-3.5.4-offline_cache.patch
+Patch203: samba-3.5.4-winbind_default_domain.patch
Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
Requires: pam >= 0:0.64
@@ -205,6 +206,7 @@ cp %{SOURCE11} packaging/Fedora/
%patch200 -p0 -b .inotify
%patch201 -p1 -b .winbind_schannel
%patch202 -p1 -b .offline_cache
+%patch203 -p1 -b .winbind_default_domain
mv %samba_source/VERSION %samba_source/VERSION.orig
sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
@@ -654,6 +656,10 @@ exit 0
%{_datadir}/pixmaps/samba/logo-small.png
%changelog
+* Thu Aug 19 2010 Guenther Deschner <gdeschner at redhat.com> - 3.5.4-65
+- Fix winbind default domain
+- related: #618201
+
* Wed Aug 18 2010 Guenther Deschner <gdeschner at redhat.com> - 3.5.4-64
- Fix offline authentication
- resolves: #618201