-^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.ad_member
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
return NT_STATUS_IS_OK(status);
}
-bool lookup_cached_name(const char *domain_name,
+bool lookup_cached_name(const char *namespace,
+ const char *domain_name,
const char *name,
struct dom_sid *sid,
enum lsa_SidType *type)
NTSTATUS status;
bool original_online_state;
- domain = find_lookup_domain_from_name(domain_name);
+ domain = find_lookup_domain_from_name(namespace);
if (domain == NULL) {
return false;
}
return False;
}
-static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
+static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace,
const char *domain,
+ const char *username,
const char *password,
const DATA_BLOB initial_msg,
const DATA_BLOB challenge_msg,
void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
struct WINBINDD_MEMORY_CREDS *entry;
DATA_BLOB initial, challenge, auth;
uint32_t initial_blob_len, challenge_blob_len, extra_len;
+ bool ok;
/* Ensure null termination */
state->request->data.ccache_ntlm_auth.user[
}
/* Parse domain and username */
- if (!parse_domain_user(state->request->data.ccache_ntlm_auth.user, name_domain, name_user)) {
+ ok = parse_domain_user(state->request->data.ccache_ntlm_auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse "
"domain and user from name [%s]\n",
state->request->data.ccache_ntlm_auth.user));
state->request->data.ccache_ntlm_auth.challenge_blob_len);
result = do_ntlm_auth_with_stored_pw(
- name_user, name_domain, entry->pass,
- initial, challenge, talloc_tos(), &auth,
- state->response->data.ccache_ntlm_auth.session_key,
- &state->response->data.ccache_ntlm_auth.new_spnego);
+ name_namespace,
+ name_domain,
+ name_user,
+ entry->pass,
+ initial,
+ challenge,
+ talloc_tos(),
+ &auth,
+ state->response->data.ccache_ntlm_auth.session_key,
+ &state->response->data.ccache_ntlm_auth.new_spnego);
if (!NT_STATUS_IS_OK(result)) {
goto process_result;
enum lsa_SidType type;
- if (!lookup_cached_name(domain->name,
+ if (!lookup_cached_name(domain->name, /* namespace */
+ domain->name,
user,
&cred_sid,
&type)) {
struct winbindd_getgrnam_state {
struct tevent_context *ev;
- fstring name_domain, name_group;
+ fstring name_namespace, name_domain, name_group;
struct dom_sid sid;
const char *domname;
const char *name;
struct winbindd_getgrnam_state *state;
char *tmp;
NTSTATUS nt_status;
+ bool ok;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_getgrnam_state);
/* Parse domain and groupname */
- parse_domain_user(tmp, state->name_domain, state->name_group);
+ ok = parse_domain_user(tmp,
+ state->name_namespace,
+ state->name_domain,
+ state->name_group);
+ if (!ok) {
+ DBG_INFO("Could not parse domain user: %s\n", tmp);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
/* if no domain or our local domain and no local tdb group, default to
* our local domain for aliases */
}
subreq = wb_lookupname_send(state, ev,
- state->name_domain,
+ state->name_namespace,
state->name_domain,
state->name_group,
0);
struct winbindd_getgroups_state {
struct tevent_context *ev;
+ fstring namespace;
fstring domname;
fstring username;
struct dom_sid sid;
struct winbindd_getgroups_state *state;
char *domuser, *mapped_user;
NTSTATUS status;
+ bool ok;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_getgroups_state);
domuser = mapped_user;
}
- if (!parse_domain_user(domuser, state->domname, state->username)) {
+ ok = parse_domain_user(domuser,
+ state->namespace,
+ state->domname,
+ state->username);
+ if (!ok) {
DEBUG(5, ("Could not parse domain user: %s\n", domuser));
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
subreq = wb_lookupname_send(state, ev,
- state->domname,
+ state->namespace,
state->domname,
state->username,
LOOKUP_NAME_NO_NSS);
struct winbindd_getpwnam_state {
struct tevent_context *ev;
+ fstring namespace;
fstring domname;
fstring username;
struct dom_sid sid;
struct winbindd_getpwnam_state *state;
char *domuser, *mapped_user;
NTSTATUS status;
+ bool ok;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_getpwnam_state);
domuser = mapped_user;
}
- if (!parse_domain_user(domuser, state->domname, state->username)) {
+ ok = parse_domain_user(domuser,
+ state->namespace,
+ state->domname,
+ state->username);
+ if (!ok) {
DEBUG(5, ("Could not parse domain user: %s\n", domuser));
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
subreq = wb_lookupname_send(state, ev,
- state->domname,
+ state->namespace,
state->domname,
state->username,
LOOKUP_NAME_NO_NSS);
const char *principal_s = NULL;
const char *service = NULL;
char *realm = NULL;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
time_t ticket_lifetime = 0;
time_t renewal_until = 0;
ADS_STRUCT *ads;
const char *local_service;
uint32_t i;
struct netr_SamInfo6 *info6_copy = NULL;
+ bool ok;
*info6 = NULL;
/* 3rd step:
* do kerberos auth and setup ccache as the user */
- parse_domain_user(user, name_domain, name_user);
+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
realm = talloc_strdup(mem_ctx, domain->alt_name);
if (realm == NULL) {
{
NTSTATUS result = NT_STATUS_LOGON_FAILURE;
uint16_t max_allowed_bad_attempts;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
struct dom_sid sid;
enum lsa_SidType type;
uchar new_nt_pass[NT_HASH_LEN];
/* Parse domain and username */
- parse_domain_user(state->request->data.auth.user, name_domain, name_user);
+ parse_domain_user(state->request->data.auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
- if (!lookup_cached_name(name_domain,
+ if (!lookup_cached_name(name_namespace,
+ name_domain,
name_user,
&sid,
&type)) {
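Review bot: The return value of parse_domain_user at the top of this hunk is still discarded, while every other call site the commit touches now checks `ok`; with the rewritten parser an empty user string returns false before any of name_namespace, name_domain or name_user is written, so the lookup_cached_name call below reads three uninitialised stack fstrings. The check should match the other sites: `ok = parse_domain_user(state->request->data.auth.user, name_namespace, name_domain, name_user); if (!ok) { result = NT_STATUS_INVALID_PARAMETER; goto done; }`, using whichever failure label this function actually has. The enclosing function's signature and its exit path lie outside the hunk.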
struct netr_SamInfo6 **info6)
{
struct winbindd_domain *contact_domain;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
NTSTATUS result;
+ bool ok;
DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
/* Parse domain and username */
- parse_domain_user(state->request->data.auth.user, name_domain, name_user);
+ ok = parse_domain_user(state->request->data.auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
/* what domain should we contact? */
if ( IS_DC ) {
- if (!(contact_domain = find_domain_from_name(name_domain))) {
+ contact_domain = find_domain_from_name(name_namespace);
+ if (contact_domain == NULL) {
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
state->request->data.auth.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
- contact_domain = find_domain_from_name(name_domain);
+ contact_domain = find_domain_from_name(name_namespace);
if (contact_domain == NULL) {
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
state->request->data.auth.user, name_domain, name_user, name_domain));
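Review bot: Both DEBUG(3) messages in this hunk still report name_domain as the untrusted domain, but the lookup they describe is now done with name_namespace; for UPN input name_domain is empty, so the log reads "as  is not a trusted domain" and hides which realm was rejected. Change the final argument of each message to `name_namespace` so the diagnostic names the value that find_domain_from_name actually failed on.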
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
unsigned char local_nt_response[24];
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
NTSTATUS result;
uint8_t authoritative = 0;
uint32_t flags = 0;
uint16_t validation_level;
union netr_Validation *validation = NULL;
struct netr_SamBaseInfo *base_info = NULL;
+ bool ok;
DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
/* Parse domain and username */
- parse_domain_user(user, name_domain, name_user);
+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
/*
* We check against domain->name instead of
{
NTSTATUS result = NT_STATUS_LOGON_FAILURE;
NTSTATUS krb5_result = NT_STATUS_OK;
- fstring name_domain, name_user;
+ fstring name_namespace, name_domain, name_user;
char *mapped_user;
fstring domain_user;
uint16_t validation_level = UINT16_MAX;
union netr_Validation *validation = NULL;
NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+ bool ok;
/* Ensure null termination */
state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
mapped_user = state->request->data.auth.user;
}
- parse_domain_user(mapped_user, name_domain, name_user);
+ ok = parse_domain_user(mapped_user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto process_result;
+ }
if ( mapped_user != state->request->data.auth.user ) {
fstr_sprintf( domain_user, "%s%c%s", name_domain,
struct samr_DomInfo1 *info = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- fstring domain, user;
+ fstring namespace, domain, user;
struct dcerpc_binding_handle *b = NULL;
+ bool ok;
ZERO_STRUCT(dom_pol);
DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
state->request->data.auth.user));
- if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
+ ok = parse_domain_user(state->request->data.chauthtok.user,
+ namespace,
+ domain,
+ user);
+ if (!ok) {
goto done;
}
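Review bot: The new `if (!ok) { goto done; }` leaves result at its initial NT_STATUS_UNSUCCESSFUL, whereas every other parse failure this commit introduces reports NT_STATUS_INVALID_PARAMETER; a caller or log reader cannot tell a malformed user string from a generic failure. For consistency set `result = NT_STATUS_INVALID_PARAMETER;` before the goto. The enclosing function continues outside the hunk.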
DATA_BLOB old_nt_hash_enc;
DATA_BLOB new_lm_password;
DATA_BLOB old_lm_hash_enc;
- fstring domain,user;
+ fstring namespace, domain, user;
struct policy_handle dom_pol;
struct winbindd_domain *contact_domain = domainSt;
struct rpc_pipe_client *cli = NULL;
sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
state->request->data.chng_pswd_auth_crap.domain[
sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
- *domain = 0;
- *user = 0;
+ domain[0] = '\0';
+ namespace[0] = '\0';
+ user[0] = '\0';
DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
(unsigned long)state->pid,
if (*state->request->data.chng_pswd_auth_crap.domain) {
fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
} else {
- parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
- domain, user);
+ bool ok;
+
+ ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
+ namespace,
+ domain,
+ user);
+ if (!ok) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
if(!*domain) {
DEBUG(3,("no domain specified with username (%s) - "
bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
char **domain_name, char **name,
enum lsa_SidType *type);
-bool lookup_cached_name(const char *domain_name,
+bool lookup_cached_name(const char *namespace,
+ const char *domain_name,
const char *name,
struct dom_sid *sid,
enum lsa_SidType *type);
struct winbindd_domain *find_default_route_domain(void);
struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid);
struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name);
-bool parse_domain_user(const char *domuser, fstring domain, fstring user);
+bool parse_domain_user(const char *domuser,
+ fstring namespace,
+ fstring domain,
+ fstring user);
bool canonicalize_username(fstring username_inout, fstring domain, fstring user);
void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume);
char *fill_domain_username_talloc(TALLOC_CTX *ctx,
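Review bot: The new parse_domain_user prototype introduces a third output whose meaning differs from domain, but nothing in the header says how namespace and domain relate or which one callers should hand to the domain lookups. A comment above the prototype along the lines of `/* Split DOMAIN\user or user@realm. namespace is the lookup key (DOMAIN, the UPN realm, or the workgroup when assumed), domain is DOMAIN or empty for a UPN, user is the user part or the full UPN; all three fstrings are overwritten. */` would let callers choose correctly, since the implementation in winbindd_util.c passes namespace, not domain, to the lookups.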
return False;
}
-/* Parse a string of the form DOMAIN\user into a domain and a user */
-
-bool parse_domain_user(const char *domuser, fstring domain, fstring user)
+/* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
+bool parse_domain_user(const char *domuser,
+ fstring namespace,
+ fstring domain,
+ fstring user)
{
- char *p = strchr(domuser,*lp_winbind_separator());
+ char *p = NULL;
+
+ if (strlen(domuser) == 0) {
+ return false;
+ }
- if ( !p ) {
+ p = strchr(domuser, *lp_winbind_separator());
+ if (p != NULL) {
+ fstrcpy(user, p + 1);
+ fstrcpy(domain, domuser);
+ domain[PTR_DIFF(p, domuser)] = '\0';
+ fstrcpy(namespace, domain);
+ } else {
fstrcpy(user, domuser);
- p = strchr(domuser, '@');
- if ( assume_domain(lp_workgroup()) && p == NULL) {
+ domain[0] = '\0';
+ namespace[0] = '\0';
+ p = strchr(domuser, '@');
+ if (p != NULL) {
+ /* upn */
+ fstrcpy(namespace, p + 1);
+ } else if (assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
- } else if (p != NULL) {
- fstrcpy(domain, p + 1);
- user[PTR_DIFF(p, domuser)] = 0;
- } else {
- return False;
+ fstrcpy(namespace, domain);
}
- } else {
- fstrcpy(user, p+1);
- fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = 0;
}
return strupper_m(domain);
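Review bot: `domain[PTR_DIFF(p, domuser)] = '\0';` indexes the fixed-size fstring with the separator offset without bounding it; fstrcpy truncates the copy, but if the separator sits at or beyond sizeof(fstring) this write lands outside domain. The rewrite is the place to close that, e.g. before the copy: `if (PTR_DIFF(p, domuser) >= sizeof(fstring)) { return false; }`. Note also that only domain is upper-cased by strupper_m while namespace is returned as typed, so anything comparing namespace case-sensitively would behave differently for DOMAIN\user and domain\user — presumably the lookups are case-insensitive, but it is worth confirming.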
bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
{
- if (!parse_domain_user(username_inout, domain, user)) {
+ fstring namespace;
+ bool ok;
+
+ ok = parse_domain_user(username_inout, namespace, domain, user);
+ if (!ok) {
return False;
}
slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",