From: Uri Simchoni <uri@samba.org>
Date: Sat, 22 Oct 2016 19:40:26 +0000 (+0300)
Subject: winbindd: do not modify credentials in NTLM passthrough
X-Git-Tag: ldb-1.1.28~298
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=8e88b56ebc314a5e3a722d63ca23b4a49b7ac2dc;hp=6e4c66e339d2eb11c5cb981aac2e20fcff464025

winbindd: do not modify credentials in NTLM passthrough

When doing NTLM validation of credentials, do not modify the
credentials - they might be used in the calculation of
the response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index ffbc322fc0c..e6a47c86785 100644
--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -37,6 +37,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 	struct tevent_req *req, *subreq;
 	struct winbindd_pam_auth_crap_state *state;
 	struct winbindd_domain *domain;
+	const char *auth_domain = NULL;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct winbindd_pam_auth_crap_state);
@@ -77,14 +78,12 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 		return tevent_req_post(req, ev);
 	}
 
-	if ((request->data.auth_crap.domain[0] == '\0')
-	    && lp_winbind_use_default_domain()) {
-		fstrcpy(request->data.auth_crap.domain,
-			lp_workgroup());
+	auth_domain = request->data.auth_crap.domain;
+	if (auth_domain[0] == '\0') {
+		auth_domain = lp_workgroup();
 	}
 
-	domain = find_auth_domain(
-		request->flags, request->data.auth_crap.domain);
+	domain = find_auth_domain(request->flags, auth_domain);
 	if (domain == NULL) {
 		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
 		return tevent_req_post(req, ev);