- netsamlogon_cache_store( client, &logon_info->info3 );
- }
-
- if (!strequal(p+1, lp_realm())) {
- DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
- if (!lp_allow_trusted_domains()) {
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- talloc_destroy(mem_ctx);
- reply_nterror(req, nt_status_squash(
- NT_STATUS_LOGON_FAILURE));
- return;
- }
- }
-
- /* this gives a fully qualified user name (ie. with full realm).
- that leads to very long usernames, but what else can we do? */
-
- domain = p+1;
-
- if (logon_info && logon_info->info3.base.domain.string) {
- fstrcpy(netbios_domain_name,
- logon_info->info3.base.domain.string);
- domain = netbios_domain_name;
- DEBUG(10, ("Mapped to [%s] (using PAC)\n", domain));
-
- } else {
-
- /* If we have winbind running, we can (and must) shorten the
- username by using the short netbios name. Otherwise we will
- have inconsistent user names. With Kerberos, we get the
- fully qualified realm, with ntlmssp we get the short
- name. And even w2k3 does use ntlmssp if you for example
- connect to an ip address. */
-
- wbcErr wbc_status;
- struct wbcDomainInfo *info = NULL;
-
- DEBUG(10, ("Mapping [%s] to short name\n", domain));
-
- wbc_status = wbcDomainInfo(domain, &info);
-
- if (WBC_ERROR_IS_OK(wbc_status)) {
-
- fstrcpy(netbios_domain_name,
- info->short_name);
-
- wbcFreeMemory(info);
- domain = netbios_domain_name;
- DEBUG(10, ("Mapped to [%s] (using Winbind)\n", domain));
- } else {
- DEBUG(3, ("Could not find short name: %s\n",
- wbcErrorString(wbc_status)));
- }
- }
-
- fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
-
- /* lookup the passwd struct, create a new user if necessary */
-
- username_was_mapped = map_username(user);
-
- pw = smb_getpwnam( mem_ctx, user, real_username, True );
-
- if (pw) {
- /* if a real user check pam account restrictions */
- /* only really perfomed if "obey pam restriction" is true */
- /* do this before an eventual mapping to guest occurs */
- ret = smb_pam_accountcheck(pw->pw_name);
- if ( !NT_STATUS_IS_OK(ret)) {
- DEBUG(1,("PAM account restriction "
- "prevents user login\n"));
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(ret));
- return;
- }
- }
-
- if (!pw) {
-
- /* this was originally the behavior of Samba 2.2, if a user
- did not have a local uid but has been authenticated, then
- map them to a guest account */
-
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
- map_domainuser_to_guest = True;
- fstrcpy(user,lp_guestaccount());
- pw = smb_getpwnam( mem_ctx, user, real_username, True );
- }
-
- /* extra sanity check that the guest account is valid */
-
- if ( !pw ) {
- DEBUG(1,("Username %s is invalid on this system\n",
- user));
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(
- NT_STATUS_LOGON_FAILURE));
- return;
- }