From d32f47fedcff3fdf46f42926d1cd84433e7ab487 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 4 Jan 2004 11:59:11 +0000 Subject: [PATCH] Commit the translation of the realm to the netbios domain name in the kerberos session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker --- source/nsswitch/wbinfo.c | 44 +++++++++++++++++++++++++++++++++ source/nsswitch/winbindd.c | 1 + source/nsswitch/winbindd_misc.c | 29 ++++++++++++++++++++++ source/nsswitch/winbindd_nss.h | 11 +++++++++ source/smbd/sesssetup.c | 44 ++++++++++++++++++++++++++++++--- 5 files changed, 126 insertions(+), 3 deletions(-) diff --git a/source/nsswitch/wbinfo.c b/source/nsswitch/wbinfo.c index 04233bb85cb..bca1813167b 100644 --- a/source/nsswitch/wbinfo.c +++ b/source/nsswitch/wbinfo.c @@ -247,6 +247,42 @@ static BOOL wbinfo_show_sequence(const char *domain) return True; } +/* Show domain info */ + +static BOOL wbinfo_domain_info(const char *domain_name) +{ + struct winbindd_request request; + struct winbindd_response response; + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + fstrcpy(request.domain_name, domain_name); + + /* Send request */ + + if (winbindd_request(WINBINDD_DOMAIN_INFO, &request, &response) != + NSS_STATUS_SUCCESS) + return False; + + /* Display response */ + + d_printf("Name : %s\n", response.data.domain_info.name); + d_printf("Alt_Name: %s\n", response.data.domain_info.alt_name); + + d_printf("SID : %s\n", response.data.domain_info.sid); + + d_printf("Native : %s\n", + response.data.domain_info.native_mode ? "Yes" : "No"); + + d_printf("Primary : %s\n", + response.data.domain_info.primary ? "Yes" : "No"); + + d_printf("Sequence: %d\n", response.data.domain_info.sequence_number); + + return True; +} + /* Check trust account password */ static BOOL wbinfo_check_secret(void) @@ -922,6 +958,8 @@ int main(int argc, char **argv) { "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" }, { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" }, { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "Show sequence numbers of all domains" }, + { "domain-info", 'D', POPT_ARG_STRING, &string_arg, 'D', + "Show all most info we have about the domain" }, { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups", "USER" }, { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" }, { "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" }, @@ -1048,6 +1086,12 @@ int main(int argc, char **argv) goto done; } break; + case 'D': + if (!wbinfo_domain_info(string_arg)) { + d_printf("Could not get domain info\n"); + goto done; + } + break; case 'r': if (!wbinfo_get_usergroups(string_arg)) { d_printf("Could not get groups for user %s\n", diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c index 4b47ac13a2f..b1c0c67d52b 100644 --- a/source/nsswitch/winbindd.c +++ b/source/nsswitch/winbindd.c @@ -262,6 +262,7 @@ static struct dispatch_table dispatch_table[] = { { WINBINDD_INFO, winbindd_info, "INFO" }, { WINBINDD_INTERFACE_VERSION, winbindd_interface_version, "INTERFACE_VERSION" }, { WINBINDD_DOMAIN_NAME, winbindd_domain_name, "DOMAIN_NAME" }, + { WINBINDD_DOMAIN_INFO, winbindd_domain_info, "DOMAIN_INFO" }, { WINBINDD_NETBIOS_NAME, winbindd_netbios_name, "NETBIOS_NAME" }, { WINBINDD_PRIV_PIPE_DIR, winbindd_priv_pipe_dir, "WINBINDD_PRIV_PIPE_DIR" }, diff --git a/source/nsswitch/winbindd_misc.c b/source/nsswitch/winbindd_misc.c index 88fbb5ee006..1a5ecb56c7c 100644 --- a/source/nsswitch/winbindd_misc.c +++ b/source/nsswitch/winbindd_misc.c @@ -202,6 +202,35 @@ enum winbindd_result winbindd_show_sequence(struct winbindd_cli_state *state) return WINBINDD_OK; } +enum winbindd_result winbindd_domain_info(struct winbindd_cli_state *state) +{ + struct winbindd_domain *domain; + + DEBUG(3, ("[%5lu]: domain_info [%s]\n", (unsigned long)state->pid, + state->request.domain_name)); + + domain = find_domain_from_name(state->request.domain_name); + + if (domain == NULL) { + DEBUG(3, ("Did not find domain [%s]\n", + state->request.domain_name)); + return WINBINDD_ERROR; + } + + fstrcpy(state->response.data.domain_info.name, domain->name); + fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name); + fstrcpy(state->response.data.domain_info.sid, + sid_string_static(&domain->sid)); + + state->response.data.domain_info.native_mode = domain->native_mode; + state->response.data.domain_info.primary = domain->primary; + + state->response.data.domain_info.sequence_number = + domain->sequence_number; + + return WINBINDD_OK; +} + enum winbindd_result winbindd_ping(struct winbindd_cli_state *state) { diff --git a/source/nsswitch/winbindd_nss.h b/source/nsswitch/winbindd_nss.h index 41fecd2816c..00d49e7d3ea 100644 --- a/source/nsswitch/winbindd_nss.h +++ b/source/nsswitch/winbindd_nss.h @@ -92,6 +92,9 @@ enum winbindd_cmd { WINBINDD_INFO, /* Various bit of info. Currently just tidbits */ WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */ + WINBINDD_DOMAIN_INFO, /* Most of what we know from + struct winbindd_domain */ + WINBINDD_SHOW_SEQUENCE, /* display sequence numbers of domains */ /* WINS commands */ @@ -260,6 +263,14 @@ struct winbindd_response { char first_8_lm_hash[8]; } auth; uint32 rid; /* create user or group */ + struct { + fstring name; + fstring alt_name; + fstring sid; + BOOL native_mode; + BOOL primary; + uint32 sequence_number; + } domain_info; } data; /* Variable length return data */ diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c index e9cfa47d0c6..2c38cd3eb3a 100644 --- a/source/smbd/sesssetup.c +++ b/source/smbd/sesssetup.c @@ -141,7 +141,8 @@ static int reply_spnego_kerberos(connection_struct *conn, DATA_BLOB *secblob) { DATA_BLOB ticket; - char *client, *p; + char *client, *p, *domain; + fstring netbios_domain_name; const struct passwd *pw; char *user; int sess_vuid; @@ -198,8 +199,45 @@ static int reply_spnego_kerberos(connection_struct *conn, /* this gives a fully qualified user name (ie. with full realm). that leads to very long usernames, but what else can we do? */ - - asprintf(&user, "%s%c%s", p+1, *lp_winbind_separator(), client); + + domain = p+1; + + { + /* If we have winbind running, we can (and must) shorten the + username by using the short netbios name. Otherwise we will + have inconsistent user names. With Kerberos, we get the + fully qualified realm, with ntlmssp we get the short + name. And even w2k3 does use ntlmssp if you for example + connect to an ip address. */ + + struct winbindd_request wb_request; + struct winbindd_response wb_response; + NSS_STATUS wb_result; + + ZERO_STRUCT(wb_request); + ZERO_STRUCT(wb_response); + + DEBUG(10, ("Mapping [%s] to short name\n", domain)); + + fstrcpy(wb_request.domain_name, domain); + + wb_result = winbindd_request(WINBINDD_DOMAIN_INFO, + &wb_request, &wb_response); + + if (wb_result == NSS_STATUS_SUCCESS) { + + fstrcpy(netbios_domain_name, + wb_response.data.domain_info.name); + domain = netbios_domain_name; + + DEBUG(10, ("Mapped to [%s]\n", domain)); + } else { + DEBUG(3, ("Could not find short name -- winbind " + "not running?\n")); + } + } + + asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client); pw = smb_getpwnam( user ); -- 2.34.1