author | Andrew Tridgell <tridge@samba.org> | 2001-12-19 09:53:30 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2001-12-19 09:53:30 +0000 |
commit | adf44a9bd0d997ba4dcfadc564a29149531525af (patch) | |
tree | 36f68b5ee8f140ce88c21672f2f6e471bcb368e7 /source/auth | |
parent | ee1c3e1f044b4ef62169ad74c5cac40eef81bfda (diff) | |
added trusted realm support to ADS authentication
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
Diffstat (limited to 'source/auth')
-rw-r--r-- | source/auth/auth.c | 28 | ||||
-rw-r--r-- | source/auth/auth_util.c | 21 |
2 files changed, 35 insertions, 14 deletions
diff --git a/source/auth/auth.c b/source/auth/auth.c
index fc5a88ad64a..710b5f27fbf 100644
--- a/source/auth/auth.c
+++ b/source/auth/auth.c
@@ -29,19 +29,21 @@
 static BOOL check_domain_match(char *user, char *domain)
 {
- /*
- * If we aren't serving to trusted domains, we must make sure that
- * the validation request comes from an account in the same domain
- * as the Samba server
- */
-
- if (!lp_allow_trusted_domains() &&
- !(strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) {
- DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
- return False;
- } else {
- return True;
- }
+ /*
+ * If we aren't serving to trusted domains, we must make sure that
+ * the validation request comes from an account in the same domain
+ * as the Samba server
+ */
+
+ if (!lp_allow_trusted_domains() &&
+ !(strequal("", domain) ||
+ strequal(lp_workgroup(), domain) ||
+ is_netbios_alias_or_name(domain))) {
+ DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
+ return False;
+ } else {
+ return True;
+ }
 }
 /****************************************************************************
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 60495ad23b8..3e480b4fd18 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -215,7 +215,26 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info,
 map_username(internal_username);
 if (lp_allow_trusted_domains()) {
- domain = client_domain;
+ char *user;
+ /* the client could have given us a workstation name
+ or other crap for the workgroup - we really need a
+ way of telling if this domain name is one of our
+ trusted domain names
+
+ The way I do it here is by checking if the fully
+ qualified username exists. This is rather reliant
+ on winbind, but until we have a better method this
+ will have to do
+ */
+ asprintf(&user, "%s%s%s",
+ client_domain, lp_winbind_separator(),
+ smb_name);
+ if (Get_Pwnam(user) != NULL) {
+ domain = client_domain;
+ } else {
+ domain = lp_workgroup();
+ }
+ free(user);
 } else {
 domain = lp_workgroup();
 } |
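Review bot: The return value of the added `asprintf(&user, ...)` call is not checked, so on allocation failure `user` may be left undefined and is then handed to `Get_Pwnam()` and `free()`. Test the result before use, for example `if (asprintf(&user, "%s%s%s", client_domain, lp_winbind_separator(), smb_name) == -1) { domain = lp_workgroup(); } else { ... }`, keeping the lookup and `free(user)` inside the else branch. Separately, `client_domain` and `smb_name` come from the client and reach the passwd lookup before the user is authenticated, and any name that does not resolve is silently remapped to `lp_workgroup()`. It looks worth handling an empty `client_domain` explicitly and logging the remap at a debug level so that domain confusion is visible in the logs; this is inferred from the comment in the hunk rather than from code shown here. The body of make_user_info_map starts and ends outside the hunk.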