winbindd: do not modify credentials in NTLM passthrough
authorUri Simchoni <uri@samba.org>
Sat, 22 Oct 2016 19:40:26 +0000 (22:40 +0300)
committerJeremy Allison <jra@samba.org>
Mon, 24 Oct 2016 23:46:23 +0000 (01:46 +0200)
When doing NTLM validation of credentials, do not modify the
credentials - they might be used in the calculation of
the response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/winbindd/winbindd_pam_auth_crap.c

index ffbc322fc0c4703390d7dfd470d8749ee4f6b784..e6a47c867857b739477dbce5a2237f7bdaf2724f 100644 (file)
@@ -37,6 +37,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
        struct tevent_req *req, *subreq;
        struct winbindd_pam_auth_crap_state *state;
        struct winbindd_domain *domain;
+       const char *auth_domain = NULL;
 
        req = tevent_req_create(mem_ctx, &state,
                                struct winbindd_pam_auth_crap_state);
@@ -77,14 +78,12 @@ struct tevent_req *winbindd_pam_auth_crap_send(
                return tevent_req_post(req, ev);
        }
 
-       if ((request->data.auth_crap.domain[0] == '\0')
-           && lp_winbind_use_default_domain()) {
-               fstrcpy(request->data.auth_crap.domain,
-                       lp_workgroup());
+       auth_domain = request->data.auth_crap.domain;
+       if (auth_domain[0] == '\0') {
+               auth_domain = lp_workgroup();
        }
 
-       domain = find_auth_domain(
-               request->flags, request->data.auth_crap.domain);
+       domain = find_auth_domain(request->flags, auth_domain);
        if (domain == NULL) {
                tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
                return tevent_req_post(req, ev);
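Review bot: The new fallback at `if (auth_domain[0] == '\0')` drops the old `lp_winbind_use_default_domain()` condition, so a request with an empty domain is now always looked up against `lp_workgroup()`, not only when that option is enabled. The commit message explains only why the request buffer must not be rewritten, so this wider change in which domain is chosen for authentication appears undocumented. If it is intended, say so in a comment above the check, e.g. `/* Empty domain: authenticate against our workgroup regardless of "winbind use default domain"; the request is left untouched because the NTLM response may cover the client-supplied domain. */`. If it is not intended, keep the gate with `if (auth_domain[0] == '\0' && lp_winbind_use_default_domain()) {`. The body of winbindd_pam_auth_crap_send starts and ends outside this hunk, so how `domain` is used afterwards is not visible here.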