Use workaround for winbind default domain only when set.

Andreas Schneider 2012-11-13 13:03:37 +01:00
parent b9c801614f
commit 2c6f626ea7
2 changed files with 54 additions and 1 deletions


@ -0,0 +1,48 @@
commit 3bbe690c50a5d4e2ff81ff1eeeaa728990b73637
Author: Sumit Bose <sbose@redhat.com>
AuthorDate: Mon Oct 29 12:09:22 2012 +0100
Commit: Andreas Schneider <asn@cryptomilk.org>
CommitDate: Mon Nov 12 15:54:15 2012 +0100
Use work around for 'winbind use default domain' only if it is set
Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator
character is always added to the user name returned by Get_Pwnam_alloc() if it
does not contain the winbind separator character. As comments in the code
indicates this is done as a work around if 'winbind use default domain' is set
to yes in the samba configuration.
This make sense if the option is set because otherwise the domain information is
lost from the user name. But it causes errors if other services than winbind are
used for user lookup, e.g. sssd. sssd can handle different kind of fully
qualified user names as input, e.g. user@domain.name or DOM\user, but returns a
canonical name, by default user@domain.name.
While it would be possible to get around this issue with a special configuration
either on the sssd or samba side I think the cleaner solution is to use the work
around only if 'winbind use default domain' is set to yes which is what this
patch does.
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
---
source3/auth/auth_util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index a08d094..83c95a9 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1331,7 +1331,8 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
/* make sure we get the case of the username correct */
/* work around 'winbind use default domain = yes' */
- if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
+ if ( lp_winbind_use_default_domain() &&
+ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
char *domain;
/* split the domain and username into 2 strings */
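Review bot: In the changed condition in smb_getpwnam(), once lp_winbind_use_default_domain() returns false a pw->pw_name without the winbind separator skips the domain-qualifying block entirely, so the name passes through in whatever form the lookup service returned (the commit message gives sssd's user@domain.name as the case). Since this sits in source3/auth/auth_util.c, please extend the comment above the condition, which still reads only "work around 'winbind use default domain = yes'", to state what name form callers should expect when the option is off, and add a test that covers both settings of the option.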


@ -1,4 +1,4 @@
%define main_release 166
%define main_release 167
%define samba_version 4.0.0
%define talloc_version 2.0.7
@ -62,6 +62,7 @@ Source200: README.dc
Source201: README.downgrade
Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch
Patch1: samba-4.0.0rc6-winbind_default_domain_workaround.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
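Review bot: Patch1 is named samba-4.0.0rc6-winbind_default_domain_workaround.patch, while the changelog entry added in this same commit versions the package as 4.0.0-167.rc5. It follows the naming of Patch0, but the file name then suggests a different source base than the one being built; naming the patch for rc5, or leaving the release candidate out of the file name, would avoid that.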
@ -405,6 +406,7 @@ the local kerberos library to use the same KDC as samba and winbind use
%setup -q -n samba-%{version}%{pre_release}
%patch0 -p1 -b .samlogon_failover
%patch1 -p1 -b .winbind_default_domain_workaround
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@ -1298,6 +1300,9 @@ rm -rf %{buildroot}
%{_mandir}/man7/winbind_krb5_locator.7*
%changelog
* Tue Nov 13 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-167.rc5
- Use workaround for winbind default domain only when set.
* Tue Nov 13 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-166.rc5
- Update to Samba 4.0.0rc5.
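Review bot: The new 167.rc5 changelog entry does not say where the fix comes from. The patch file added in this commit carries upstream commit 3bbe690c50a5d4e2ff81ff1eeeaa728990b73637; citing that id in the entry would show that the package carries the upstream change rather than a local one, and make it clear when Patch1 can be dropped.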