From 236b24dfd29f1343c6de9a1e8c8baf3d2991244e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 17 Mar 2017 16:19:10 +0100
Subject: [PATCH] auth4: avoid map_user_info() in auth_check_password_send()

The cracknames call is done in the "sam" backend now. In order to support trusted domains correctly, the backends need to get the raw values from the client.

This is the important change in order to no longer silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 selftest/knownfail | 4 ----
 source4/auth/ntlm/auth.c | 35 +++++++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 0df493da665..98c9708ae54 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -327,7 +327,3 @@
 ^samba4.blackbox.trust_ntlm.Test08.*client.*with.ADDOM.SAMBA.EXAMPLE.COM\\Administrator%locDCpass1\(fl2003dc:local\)
 ^samba4.blackbox.trust_ntlm.Test09.*client.*with.Administrator@ADDOMAIN%locDCpass1\(fl2003dc:local\)
 ^samba4.blackbox.trust_ntlm.Test10.*client.*with.Administrator@ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2003dc:local\)
-#
-# The following should work once we don't map trusts to our domain
-^samba4.blackbox.trust_ntlm.Fail06.*client.*with.ADDOMAIN\\Administrator%locDCpass7\(fl2008r2dc:local\)
-^samba4.blackbox.trust_ntlm.Fail06.*client.*with.ADDOMAIN\\Administrator%locDCpass6\(fl2003dc:local\)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 078b08b1125..0843f4a561b 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -291,24 +291,39 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 	state->user_info = user_info;
 	if (!user_info->mapped_state) {
-		int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
 		struct auth_usersupplied_info *user_info_tmp;
-		nt_status = map_user_info(
-			auth_ctx->sam_ctx, req,
-			server_role == ROLE_ACTIVE_DIRECTORY_DC,
-			lpcfg_workgroup(auth_ctx->lp_ctx),
-			user_info, &user_info_tmp);
-
-		if (tevent_req_nterror(req, nt_status)) {
-			return tevent_req_post(req, ev);
+		/*
+		 * We don't really do any mapping here.
+		 *
+		 * So we don't set user_info->mapped_state,
+		 * but we set mapped.domain_name and
+		 * mapped.account_name to the client
+		 * provided values.
+		 *
+		 * It's up to the backends to do mappings
+		 * for their authentication.
+		 */
+		user_info_tmp = talloc_zero(state, struct auth_usersupplied_info);
+		if (tevent_req_nomem(user_info_tmp, req)) {
+			return tevent_req_post(req, ev);;
 		}
+
+		/*
+		 * The lifetime of user_info is longer than
+		 * user_info_tmp, so we don't need to copy the
+		 * strings.
+		 */
+		*user_info_tmp = *user_info;
+		user_info_tmp->mapped.domain_name = user_info->client.domain_name;
+		user_info_tmp->mapped.account_name = user_info->client.account_name;
+		user_info = user_info_tmp;
 		state->user_info = user_info_tmp;
 	}
 	DEBUGADD(3,("auth_check_password_send: "
-		    "mapped user is: [%s]\\[%s]@[%s]\n",
+		    "user is: [%s]\\[%s]@[%s]\n",
 		    user_info->mapped.domain_name,
 		    user_info->mapped.account_name,
 		    user_info->workstation_name));
-- 
2.34.1
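Review bot: The out-of-memory branch carries a stray double semicolon, `return tevent_req_post(req, ev);;`, which should be `return tevent_req_post(req, ev);`. The `talloc_zero()` just above it is also redundant with the whole-struct assignment `*user_info_tmp = *user_info;` that follows, so a plain `talloc()` would express the intent more honestly, though zeroing is harmless. Since the copy only borrows the string pointers from `user_info` (per the lifetime comment), it would be worth stating in that comment that `user_info_tmp` is allocated under `state` and must not outlive the caller's `user_info`, so a future change that frees `user_info` early cannot leave the backends reading dangling `mapped.*` names. The enclosing auth_check_password_send() begins before this hunk and continues after it.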