auth4: avoid map_user_info() in auth_check_password_send()
authorStefan Metzmacher <metze@samba.org>
Fri, 17 Mar 2017 15:19:10 +0000 (16:19 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 9 Apr 2017 23:11:20 +0000 (01:11 +0200)
The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail
source4/auth/ntlm/auth.c

index 0df493da665e8823952c73988b97d1c4b4eedc86..98c9708ae542010b98461d9ff03f73a793a32fa1 100644 (file)
 ^samba4.blackbox.trust_ntlm.Test08.*client.*with.ADDOM.SAMBA.EXAMPLE.COM\\Administrator%locDCpass1\(fl2003dc:local\)
 ^samba4.blackbox.trust_ntlm.Test09.*client.*with.Administrator@ADDOMAIN%locDCpass1\(fl2003dc:local\)
 ^samba4.blackbox.trust_ntlm.Test10.*client.*with.Administrator@ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2003dc:local\)
-#
-# The following should work once we don't map trusts to our domain
-^samba4.blackbox.trust_ntlm.Fail06.*client.*with.ADDOMAIN\\Administrator%locDCpass7\(fl2008r2dc:local\)
-^samba4.blackbox.trust_ntlm.Fail06.*client.*with.ADDOMAIN\\Administrator%locDCpass6\(fl2003dc:local\)
index 078b08b112535f46cc264ea46a6579f48681af8d..0843f4a561b625c6e8c26cd6c40ff46d84c22fd7 100644 (file)
@@ -291,24 +291,39 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
        state->user_info        = user_info;
 
        if (!user_info->mapped_state) {
-               int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
                struct auth_usersupplied_info *user_info_tmp;
 
-               nt_status = map_user_info(
-                       auth_ctx->sam_ctx, req,
-                       server_role == ROLE_ACTIVE_DIRECTORY_DC,
-                       lpcfg_workgroup(auth_ctx->lp_ctx),
-                       user_info, &user_info_tmp);
-
-               if (tevent_req_nterror(req, nt_status)) {
-                       return tevent_req_post(req, ev);
+               /*
+                * We don't really do any mapping here.
+                *
+                * So we don't set user_info->mapped_state,
+                * but we set mapped.domain_name and
+                * mapped.account_name to the client
+                * provided values.
+                *
+                * It's up to the backends to do mappings
+                * for their authentication.
+                */
+               user_info_tmp = talloc_zero(state, struct auth_usersupplied_info);
+               if (tevent_req_nomem(user_info_tmp, req)) {
+                       return tevent_req_post(req, ev);;
                }
+
+               /*
+                * The lifetime of user_info is longer than
+                * user_info_tmp, so we don't need to copy the
+                * strings.
+                */
+               *user_info_tmp = *user_info;
+               user_info_tmp->mapped.domain_name = user_info->client.domain_name;
+               user_info_tmp->mapped.account_name = user_info->client.account_name;
+
                user_info = user_info_tmp;
                state->user_info = user_info_tmp;
        }
 
        DEBUGADD(3,("auth_check_password_send: "
-                   "mapped user is: [%s]\\[%s]@[%s]\n",
+                   "user is: [%s]\\[%s]@[%s]\n",
                    user_info->mapped.domain_name,
                    user_info->mapped.account_name,
                    user_info->workstation_name));
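Review bot: `*user_info_tmp = *user_info;` is a shallow struct copy, so every pointer in the new struct (including whatever credential fields auth_usersupplied_info carries) still points into the caller-owned user_info, and the comment "The lifetime of user_info is longer than user_info_tmp" turns that into an unchecked invariant on every caller of auth_check_password_send() rather than something the code enforces. If that lifetime is really guaranteed by all callers the comment should say so in contract terms, e.g. `/* Callers must keep user_info alive until the request completes: user_info_tmp borrows its strings and credentials. */`; if it is not, pinning user_info to state (for example with talloc_reference()) would make the borrow safe instead of documented. Two style nits in the same hunk: talloc_zero() is immediately overwritten by the whole-struct assignment, so plain talloc() would do unless the zeroing is meant as defence in depth, and `return tevent_req_post(req, ev);;` carries a stray empty statement.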