[Freeipa-devel] [PATCH] 0056 Support requests for DOMAIN$ account for trusted domain in ipasam module

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 27 14:36:51 UTC 2012


Hi,

Windows 2008R2 attempts to authenticate as DOMAIN$ with the trust password
when a trust is established. Change the ipasam module to also consider DOMAIN$
when checking for trusted domain accounts, because the current code only
recognises DOMAIN. (i.e. names ending with a dot).

https://fedorahosted.org/freeipa/ticket/2870
-- 
/ Alexander Bokovoy
>From ae96260a95f7dadba400e2051455ed3f92d6627d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 26 Jun 2012 12:51:17 +0300
Subject: [PATCH 11/13] Support requests for DOMAIN$ account for trusted
 domains in ipasam module

https://fedorahosted.org/freeipa/ticket/2870
---
 daemons/ipa-sam/ipa_sam.c |   33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 851df8c62f0ffb159610ce0ac311463233eea497..f63ea1899e6eb994c1ef03487e0477dac6c7e504 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2545,22 +2545,18 @@ fn_exit:
 
 static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods,
 					      struct samu *user,
-					      const char *sname)
+					      const char *sname, int lastidx)
 {
 	char *dom_name;
 	struct ldapsam_privates *ldap_state =
 			(struct ldapsam_privates *) methods->private_data;
-	int slen;
 	TALLOC_CTX *tmp_ctx;
 	struct pdb_trusted_domain *td;
 	NTSTATUS status;
 
-	slen = strlen(sname);
-	if (sname[slen - 1] != '.') {
-		DEBUG(5, ("Requested account [%s] is not a inter domain "
-			  "trust account.\n", sname));
-		return NT_STATUS_NO_SUCH_USER;
-	}
+	/* The caller must check that (sname[lastidx] == '.') || (sname[lastidx] == '$'))
+	 * before calling this function.
+	 */
 
 	tmp_ctx = talloc_new(NULL);
 	if (tmp_ctx == NULL) {
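Review bot: With the `sname[slen - 1] != '.'` guard removed, `dom_name[lastidx] = '\0'` in the following hunk writes at an offset this function no longer validates, and the precondition now lives only in the new comment; since the function is `static` and its only caller in view is ldapsam_getsampwnam, a cheap re-check is still worth keeping: `if (lastidx < 0 || (sname[lastidx] != '.' && sname[lastidx] != '$')) return NT_STATUS_NO_SUCH_USER;`. The new comment also has an unbalanced parenthesis, `... || (sname[lastidx] == '$'))`, which reads as a typo. `lastidx` is an `int` while the caller derives it from `strlen()`; `size_t` would avoid the implicit narrowing, though names long enough for it to matter are unlikely here. getsam_interdom_trust_account's body continues outside this hunk.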
@@ -2572,7 +2568,7 @@ static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods,
 		status = NT_STATUS_NO_MEMORY;
 		goto done;
 	}
-	dom_name[slen - 1] = '\0';
+	dom_name[lastidx] = '\0';
 
 	status = ipasam_get_trusted_domain(methods, tmp_ctx, dom_name, &td);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2598,7 +2594,7 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods,
 {
 	struct ldapsam_privates *ldap_state =
 			(struct ldapsam_privates *) methods->private_data;
-	int slen;
+	int lastidx;
 	TALLOC_CTX *tmp_ctx;
 	NTSTATUS status;
 	char *filter;
@@ -2608,9 +2604,20 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods,
 	int ret;
 	int count;
 
-	slen = strlen(sname);
-	if (sname[slen - 1] == '.') {
-		return getsam_interdom_trust_account(methods, user, sname);
+	lastidx = strlen(sname);
+	if (lastidx > 0) {
+		lastidx--;
+	} else {
+		/* strlen() must return >= 0 so it means we've got an empty name */
+		return NT_STATUS_NO_SUCH_USER;
+	}
+	if ((sname[lastidx] == '.') || (sname[lastidx] == '$')) {
+		status = getsam_interdom_trust_account(methods, user, sname, lastidx);
+		/* If last character was '$', we should ignore failure and continue 
+		 * as this could still be a machine account */
+		if ((sname[lastidx] == '.') || NT_STATUS_IS_OK(status)) {
+			return status;
+		}
 	}
 
 	tmp_ctx = talloc_new(NULL);
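Review bot: When the name ends in '$' and getsam_interdom_trust_account fails, the fall-through to the regular lookup is silent, and a trusted domain whose NetBIOS name matches an existing host now takes precedence over that host's machine account, so a debug line before continuing would make the chosen path traceable: `DEBUG(10, ("[%s] is not an inter-domain trust account, trying as machine account\n", sname));`. Every `*$` lookup also now pays an extra ipasam_get_trusted_domain call before the normal path; whether that lookup is cached is not visible here. The empty-name guard handles `""`, but a one-character name `"."` or `"$"` still reaches the helper with `lastidx == 0`, i.e. an empty domain name — presumably ipasam_get_trusted_domain rejects that, but it is worth confirming. The comment `strlen() must return >= 0 ...` would read better as `/* an empty name cannot be a valid account */`. ldapsam_getsampwnam's body continues outside this hunk.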
-- 
1.7.10.4


