winbind: Fix UPN handling in canonicalize_username()
authorAndreas Schneider <asn@samba.org>
Thu, 26 Apr 2018 15:32:42 +0000 (17:32 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 11 May 2018 10:02:37 +0000 (12:02 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144

source3/winbindd/winbindd_ccache_access.c
source3/winbindd/winbindd_pam_auth.c
source3/winbindd/winbindd_pam_chauthtok.c
source3/winbindd/winbindd_pam_logoff.c
source3/winbindd/winbindd_proto.h
source3/winbindd/winbindd_util.c

index 6bcf9a3552cbb6b6a7919132ac2b22bf00de2eea..ddeaf1d99402e75ecca05a0e4b2d58d19561baab 100644 (file)
@@ -199,8 +199,11 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 
        /* Parse domain and username */
 
-       if (!canonicalize_username(state->request->data.ccache_ntlm_auth.user,
-                               name_domain, name_user)) {
+       ok = canonicalize_username(state->request->data.ccache_ntlm_auth.user,
+                                  name_namespace,
+                                  name_domain,
+                                  name_user);
+       if (!ok) {
                DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
                        state->request->data.ccache_ntlm_auth.user));
                request_error(state);
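Review bot: The newly parsed `name_namespace` is written here but not consumed anywhere in this hunk, and the domain lookup that follows in winbindd_ccache_ntlm_auth lies outside it; the same applies to winbindd_ccache_save in the third hunk of this file. The pam_auth, pam_logoff and pam_chauthtok hunks in this commit switch their lookups from the parsed domain to the namespace, so if these two functions still resolve the domain from `name_domain` further down, UPN-style names will still fail the lookup here despite the new call signature. Worth confirming that the later `find_auth_domain`/`find_domain_from_name` calls in both functions were updated to `name_namespace` as well. The declarations of `ok` and `name_namespace` for this function are not part of the diff, so they presumably existed before this commit. The function continues outside the hunk.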
@@ -316,8 +319,9 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
 void winbindd_ccache_save(struct winbindd_cli_state *state)
 {
        struct winbindd_domain *domain;
-       fstring name_domain, name_user;
+       fstring name_namespace, name_domain, name_user;
        NTSTATUS status;
+       bool ok;
 
        /* Ensure null termination */
        state->request->data.ccache_save.user[
@@ -331,8 +335,11 @@ void winbindd_ccache_save(struct winbindd_cli_state *state)
 
        /* Parse domain and username */
 
-       if (!canonicalize_username(state->request->data.ccache_save.user,
-                                  name_domain, name_user)) {
+       ok = canonicalize_username(state->request->data.ccache_save.user,
+                                  name_namespace,
+                                  name_domain,
+                                  name_user);
+       if (!ok) {
                DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
                         "from name [%s]\n",
                         state->request->data.ccache_save.user));
index b35a17cf319b834634b0e2507f564db8461d8bec..95550ba90667b9e8715b9a165487bc8827bc35de 100644 (file)
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
        struct tevent_req *req, *subreq;
        struct winbindd_pam_auth_state *state;
        struct winbindd_domain *domain;
-       fstring name_domain, name_user;
+       fstring name_namespace, name_domain, name_user;
        char *mapped = NULL;
        NTSTATUS status;
+       bool ok;
 
        req = tevent_req_create(mem_ctx, &state,
                                struct winbindd_pam_auth_state);
@@ -71,12 +72,16 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
                fstrcpy(request->data.auth.user, mapped);
        }
 
-       if (!canonicalize_username(request->data.auth.user, name_domain, name_user)) {
+       ok = canonicalize_username(request->data.auth.user,
+                                  name_namespace,
+                                  name_domain,
+                                  name_user);
+       if (!ok) {
                tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
                return tevent_req_post(req, ev);
        }
 
-       domain = find_auth_domain(request->flags, name_domain);
+       domain = find_auth_domain(request->flags, name_namespace);
        if (domain == NULL) {
                tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
                return tevent_req_post(req, ev);
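Review bot: The change from `name_domain` to `name_namespace` in the `find_auth_domain` call is the actual fix of this commit, yet it carries no comment, and the same unexplained swap appears in the pam_logoff (`find_auth_domain`) and pam_chauthtok (`find_domain_from_name`) hunks; a later reader will wonder why the parsed domain is not the lookup key. Suggest a short why-comment above the call, e.g. `/* Route by namespace, not domain: per the commit, for a UPN-style name the parsed domain is not the domain that handles it. */`. After this hunk `name_domain` is only written by `canonicalize_username` as far as the diff shows; since it is passed by address the compiler will not flag it if it is now dead, so it is worth checking it is still read below the hunk. The function continues outside the hunk.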
index 0d749fbcecd578ecca9803b99b0d9953cb2e662d..a6b8b66b9becb9a239bb724c13f2f81aabceb36c 100644 (file)
@@ -36,9 +36,10 @@ struct tevent_req *winbindd_pam_chauthtok_send(
        struct tevent_req *req, *subreq;
        struct winbindd_pam_chauthtok_state *state;
        struct winbindd_domain *contact_domain;
-       fstring domain, user;
+       fstring namespace, domain, user;
        char *mapped_user;
        NTSTATUS status;
+       bool ok;
 
        req = tevent_req_create(mem_ctx, &state,
                                struct winbindd_pam_chauthtok_state);
@@ -62,15 +63,18 @@ struct tevent_req *winbindd_pam_chauthtok_send(
                fstrcpy(request->data.chauthtok.user, mapped_user);
        }
 
-       if (!canonicalize_username(request->data.chauthtok.user, domain,
-                                  user)) {
+       ok = canonicalize_username(request->data.chauthtok.user,
+                                  namespace,
+                                  domain,
+                                  user);
+       if (!ok) {
                DEBUG(10, ("winbindd_pam_chauthtok: canonicalize_username %s "
                           "failed with\n", request->data.chauthtok.user));
                tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
                return tevent_req_post(req, ev);
        }
 
-       contact_domain = find_domain_from_name(domain);
+       contact_domain = find_domain_from_name(namespace);
        if (contact_domain == NULL) {
                DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] "
                          "as %s is not a trusted domain\n",
index b5b7840f99c5fca6005315085eb3a373780f070a..8f2b48825219fb94cc0917c1425bb32bfee31a30 100644 (file)
@@ -35,10 +35,11 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
        struct tevent_req *req, *subreq;
        struct winbindd_pam_logoff_state *state;
        struct winbindd_domain *domain;
-       fstring name_domain, user;
+       fstring name_namespace, name_domain, user;
        uid_t caller_uid;
        gid_t caller_gid;
        int res;
+       bool ok;
 
        req = tevent_req_create(mem_ctx, &state,
                                struct winbindd_pam_logoff_state);
@@ -60,12 +61,15 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
                goto failed;
        }
 
-       if (!canonicalize_username(request->data.logoff.user, name_domain,
-                                  user)) {
+       ok = canonicalize_username(request->data.logoff.user,
+                                  name_namespace,
+                                  name_domain,
+                                  user);
+       if (!ok) {
                goto failed;
        }
 
-       domain = find_auth_domain(request->flags, name_domain);
+       domain = find_auth_domain(request->flags, name_namespace);
        if (domain == NULL) {
                goto failed;
        }
index 4740d88b744c4f33356b774e52b331ee7ccbfcb2..9b3fadf4c9813aeb251a7d29807dda379f34fec8 100644 (file)
@@ -481,7 +481,10 @@ bool parse_domain_user(const char *domuser,
                       fstring namespace,
                       fstring domain,
                       fstring user);
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
+bool canonicalize_username(fstring username_inout,
+                          fstring namespace,
+                          fstring domain,
+                          fstring user);
 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
 char *fill_domain_username_talloc(TALLOC_CTX *ctx,
                                  const char *domain,
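Review bot: The prototype gains a second `fstring` output, `namespace`, but neither this header nor the visible part of the definition documents how `namespace` differs from `domain` or which of the two callers should use for domain lookups, and the two are easy to confuse given both are plain `fstring` out-parameters in adjacent positions. Suggest a `/** ... */` comment on the declaration stating that the user name is parsed in place from `username_inout`, that `namespace`, `domain` and `user` are filled from `parse_domain_user`, and that `namespace` is the value to route with (as winbindd_pam_auth, winbindd_pam_logoff and winbindd_pam_chauthtok now do), with `false` meaning the outputs must not be relied on. If this header is generated, the comment belongs on the definition in winbindd_util.c instead.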
index fd4d2b1f9dea094100e5db2b57876cdb367c79fe..990c97b55a884ce4b56dc4204547ac44bcf9540d 100644 (file)
@@ -1620,9 +1620,11 @@ bool parse_domain_user(const char *domuser,
    really should be changed to use this instead of doing things
    by hand. JRA. */
 
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
+bool canonicalize_username(fstring username_inout,
+                          fstring namespace,
+                          fstring domain,
+                          fstring user)
 {
-       fstring namespace;
        bool ok;
 
        ok = parse_domain_user(username_inout, namespace, domain, user);