From 2c6f626ea7824a2b9907bcbaea80945690afe73c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 13 Nov 2012 13:03:37 +0100 Subject: [PATCH] Use workaround for winbind default domain only when set. --- ...c6-winbind_default_domain_workaround.patch | 48 +++++++++++++++++++ samba.spec | 7 ++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 samba-4.0.0rc6-winbind_default_domain_workaround.patch diff --git a/samba-4.0.0rc6-winbind_default_domain_workaround.patch b/samba-4.0.0rc6-winbind_default_domain_workaround.patch new file mode 100644 index 0000000..68ea6c7 --- /dev/null +++ b/samba-4.0.0rc6-winbind_default_domain_workaround.patch @@ -0,0 +1,48 @@ +commit 3bbe690c50a5d4e2ff81ff1eeeaa728990b73637 +Author: Sumit Bose +AuthorDate: Mon Oct 29 12:09:22 2012 +0100 +Commit: Andreas Schneider +CommitDate: Mon Nov 12 15:54:15 2012 +0100 + + Use work around for 'winbind use default domain' only if it is set + + Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator + character is always added to the user name returned by Get_Pwnam_alloc() if it + does not contain the winbind separator character. As comments in the code + indicates this is done as a work around if 'winbind use default domain' is set + to yes in the samba configuration. + + This make sense if the option is set because otherwise the domain information is + lost from the user name. But it causes errors if other services than winbind are + used for user lookup, e.g. sssd. sssd can handle different kind of fully + qualified user names as input, e.g. user@domain.name or DOM\user, but returns a + canonical name, by default user@domain.name. + + While it would be possible to get around this issue with a special configuration + either on the sssd or samba side I think the cleaner solution is to use the work + around only if 'winbind use default domain' is set to yes which is what this + patch does. + + Reviewed-by: Andreas Schneider + Reviewed-by: Alexander Bokovoy + + Autobuild-User(master): Andreas Schneider + Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104 +--- + source3/auth/auth_util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index a08d094..83c95a9 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1331,7 +1331,8 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, + /* make sure we get the case of the username correct */ + /* work around 'winbind use default domain = yes' */ + +- if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { ++ if ( lp_winbind_use_default_domain() && ++ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { + char *domain; + + /* split the domain and username into 2 strings */ diff --git a/samba.spec b/samba.spec index 9afc3fd..c88e828 100644 --- a/samba.spec +++ b/samba.spec @@ -1,4 +1,4 @@ -%define main_release 166 +%define main_release 167 %define samba_version 4.0.0 %define talloc_version 2.0.7 @@ -62,6 +62,7 @@ Source200: README.dc Source201: README.downgrade Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch +Patch1: samba-4.0.0rc6-winbind_default_domain_workaround.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -405,6 +406,7 @@ the local kerberos library to use the same KDC as samba and winbind use %setup -q -n samba-%{version}%{pre_release} %patch0 -p1 -b .samlogon_failover +%patch1 -p1 -b .winbind_default_domain_workaround %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util @@ -1298,6 +1300,9 @@ rm -rf %{buildroot} %{_mandir}/man7/winbind_krb5_locator.7* %changelog +* Tue Nov 13 2012 - Andreas Schneider - 2:4.0.0-167.rc5 +- Use workaround for winbind default domain only when set. + * Tue Nov 13 2012 - Andreas Schneider - 2:4.0.0-166.rc5 - Update to Samba 4.0.0rc5.