[Freeipa-devel] [PATCH] 0056 Support requests for DOMAIN$ account for trusted domain in ipasam module
Alexander Bokovoy
abokovoy at redhat.com
Wed Jun 27 14:36:51 UTC 2012
Hi,
Windows 2008R2 attempts to authenticate as DOMAIN$ with trust password
when trust is established. Change ipasam module to consider DOMAIN$ when
checking for trusted domain accounts as current code only checks for
DOMAIN. (ending with dot).
https://fedorahosted.org/freeipa/ticket/2870
--
/ Alexander Bokovoy
-------------- next part --------------
>From ae96260a95f7dadba400e2051455ed3f92d6627d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 26 Jun 2012 12:51:17 +0300
Subject: [PATCH 11/13] Support requests for DOMAIN$ account for trusted
domains in ipasam module
https://fedorahosted.org/freeipa/ticket/2870
---
daemons/ipa-sam/ipa_sam.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 851df8c62f0ffb159610ce0ac311463233eea497..f63ea1899e6eb994c1ef03487e0477dac6c7e504 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2545,22 +2545,18 @@ fn_exit:
static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods,
struct samu *user,
- const char *sname)
+ const char *sname, int lastidx)
{
char *dom_name;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *) methods->private_data;
- int slen;
TALLOC_CTX *tmp_ctx;
struct pdb_trusted_domain *td;
NTSTATUS status;
- slen = strlen(sname);
- if (sname[slen - 1] != '.') {
- DEBUG(5, ("Requested account [%s] is not a inter domain "
- "trust account.\n", sname));
- return NT_STATUS_NO_SUCH_USER;
- }
+ /* The caller must check that (sname[lastidx] == '.') || (sname[lastidx] == '$'))
+ * before calling this function.
+ */
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -2572,7 +2568,7 @@ static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods,
status = NT_STATUS_NO_MEMORY;
goto done;
}
- dom_name[slen - 1] = '\0';
+ dom_name[lastidx] = '\0';
status = ipasam_get_trusted_domain(methods, tmp_ctx, dom_name, &td);
if (!NT_STATUS_IS_OK(status)) {
@@ -2598,7 +2594,7 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods,
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *) methods->private_data;
- int slen;
+ int lastidx;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
char *filter;
@@ -2608,9 +2604,20 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods,
int ret;
int count;
- slen = strlen(sname);
- if (sname[slen - 1] == '.') {
- return getsam_interdom_trust_account(methods, user, sname);
+ lastidx = strlen(sname);
+ if (lastidx > 0) {
+ lastidx--;
+ } else {
+ /* strlen() must return >= 0 so it means we've got an empty name */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ if ((sname[lastidx] == '.') || (sname[lastidx] == '$')) {
+ status = getsam_interdom_trust_account(methods, user, sname, lastidx);
+ /* If last character was '$', we should ignore failure and continue
+ * as this could still be a machine account */
+ if ((sname[lastidx] == '.') || NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
tmp_ctx = talloc_new(NULL);
--
1.7.10.4
More information about the Freeipa-devel
mailing list