[samba/f14/master] Fix winbind default domain related: #618201

Guenther Deschner gd at fedoraproject.org
Thu Aug 19 12:18:11 UTC 2010


commit 4c8be5e976214423ad7ba2734675650c9580a23b
Author: Günther Deschner <gd at samba.org>
Date:   Thu Aug 19 13:57:49 2010 +0200

    Fix winbind default domain
    related: #618201
    
    Guenther

 samba-3.5.4-winbind_default_domain.patch |   61 ++++++++++++++++++++++++++++++
 samba.spec                               |    8 +++-
 2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/samba-3.5.4-winbind_default_domain.patch b/samba-3.5.4-winbind_default_domain.patch
new file mode 100644
index 0000000..fa332c9
--- /dev/null
+++ b/samba-3.5.4-winbind_default_domain.patch
@@ -0,0 +1,61 @@
+From be4efcf50c69b236d56dd0ad09f1189f95d62e81 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Thu, 29 Jul 2010 13:44:35 -0700
+Subject: [PATCH] Fix bug #7589 - ntlm_auth fails to use cached credentials.
+
+In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
+of the mapped username, but fails to canonicalize the actual username
+sent to the backend domain process. When "winbind default domain"
+is set this can lead to credentials being cached with an index of
+user: user, not DOMAIN\user. All other code paths that use
+canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF)
+correctly canonicalize the data sent to the backend. All calls
+the can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
+correctly call canonicalize_username() to create the credential
+lookup key.
+
+Jeremy.
+---
+ source3/winbindd/winbindd_pam.c |   16 +++++++---------
+ 1 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index fab919f..e958a7e 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -801,7 +801,7 @@ NTSTATUS append_auth_data(struct winbindd_cli_state *state,
+ void winbindd_pam_auth(struct winbindd_cli_state *state)
+ {
+ 	struct winbindd_domain *domain;
+-	fstring name_domain, name_user, mapped_user;
++	fstring name_domain, name_user;
+ 	char *mapped = NULL;
+ 	NTSTATUS result;
+ 	NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+@@ -828,17 +828,15 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
+ 					       state->request->data.auth.user,
+ 					       &mapped);
+ 
+-	/* If the name normalization didnt' actually do anything,
+-	   just use the original name */
++	/* Update the auth name if we did any mapping */
+ 
+-	if (NT_STATUS_IS_OK(name_map_status)
+-	    ||NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) {
+-		fstrcpy(mapped_user, mapped);
+-	} else {
+-		fstrcpy(mapped_user, state->request->data.auth.user);
++	if (NT_STATUS_IS_OK(name_map_status) ||
++	    NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
++	{
++		fstrcpy(state->request->data.auth.user, mapped);
+ 	}
+ 
+-	if (!canonicalize_username(mapped_user, name_domain, name_user)) {
++	if (!canonicalize_username(state->request->data.auth.user, name_domain, name_user)) {
+ 		result = NT_STATUS_NO_SUCH_USER;
+ 		goto done;
+ 	}
+-- 
+1.7.0.4
+
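Review bot: The added `fstrcpy(state->request->data.auth.user, mapped);` in winbindd_pam_auth() writes the name-mapping output over the client-supplied request field, and nothing visible in the hunk checks that `mapped` fits that field. If fstrcpy truncates silently (its definition and the field's size are not on this page), an over-long mapped name would be authenticated and cached under a shortened key, which is the kind of key mismatch this patch sets out to fix. Assuming the field is a fixed-size array, a guard before the copy, `if (strlen(mapped) >= sizeof(state->request->data.auth.user)) { result = NT_STATUS_NO_SUCH_USER; goto done; }`, would turn that into an explicit failure. The replacement comment could also say why the request is mutated, for example `/* Write the mapped name back into the request so the domain child and the credential cache key use the same name */`. The function body starts and ends outside the nested hunks, so later readers of auth.user cannot be checked from here.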
diff --git a/samba.spec b/samba.spec
index 8038040..6e01328 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,4 +1,4 @@
-%define main_release 64
+%define main_release 65
 %define samba_version 3.5.4
 %define tdb_version 1.2.1
 %define talloc_version 2.0.1
@@ -47,6 +47,7 @@ Patch107: samba-3.2.0pre1-grouppwd.patch
 Patch200: samba-3.2.5-inotify.patch
 Patch201: samba-3.5.4-winbind-schannel.patch
 Patch202: samba-3.5.4-offline_cache.patch
+Patch203: samba-3.5.4-winbind_default_domain.patch
 
 Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
 Requires: pam >= 0:0.64
@@ -205,6 +206,7 @@ cp %{SOURCE11} packaging/Fedora/
 %patch200 -p0 -b .inotify
 %patch201 -p1 -b .winbind_schannel
 %patch202 -p1 -b .offline_cache
+%patch203 -p1 -b .winbind_default_domain
 
 mv %samba_source/VERSION %samba_source/VERSION.orig
 sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
@@ -654,6 +656,10 @@ exit 0
 %{_datadir}/pixmaps/samba/logo-small.png
 
 %changelog
+* Thu Aug 19 2010 Guenther Deschner <gdeschner at redhat.com> - 3.5.4-65
+- Fix winbind default domain
+- related: #618201
+
 * Wed Aug 18 2010 Guenther Deschner <gdeschner at redhat.com> - 3.5.4-64
 - Fix offline authentication
 - resolves: #618201

