From: Günther Deschner <gd@samba.org>
Date: Tue, 24 Jun 2008 10:11:06 +0000 (+0200)
Subject: libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames.
X-Git-Tag: samba-3.3.0pre1~788
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b5aaf5aa0f280f69e05b613271c96473a79b812e;p=thirdparty%2Fsamba.git

libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames.

Guenther
---

diff --git a/source/include/ads.h b/source/include/ads.h
index d5ce88babe5..d4551765aa0 100644
--- a/source/include/ads.h
+++ b/source/include/ads.h
@@ -320,14 +320,15 @@ typedef void **ADS_MODLIST;
 #define ADS_DNS_FOREST     0x80000000  /* DnsForestName is a DNS name */
 
 /* ads auth control flags */
-#define ADS_AUTH_DISABLE_KERBEROS 0x01
-#define ADS_AUTH_NO_BIND          0x02
-#define ADS_AUTH_ANON_BIND        0x04
-#define ADS_AUTH_SIMPLE_BIND      0x08
-#define ADS_AUTH_ALLOW_NTLMSSP    0x10
-#define ADS_AUTH_SASL_SIGN        0x20
-#define ADS_AUTH_SASL_SEAL        0x40
-#define ADS_AUTH_SASL_FORCE       0x80
+#define ADS_AUTH_DISABLE_KERBEROS 0x0001
+#define ADS_AUTH_NO_BIND          0x0002
+#define ADS_AUTH_ANON_BIND        0x0004
+#define ADS_AUTH_SIMPLE_BIND      0x0008
+#define ADS_AUTH_ALLOW_NTLMSSP    0x0010
+#define ADS_AUTH_SASL_SIGN        0x0020
+#define ADS_AUTH_SASL_SEAL        0x0040
+#define ADS_AUTH_SASL_FORCE       0x0080
+#define ADS_AUTH_USER_CREDS       0x0100
 
 /* Kerberos environment variable names */
 #define KRB5_ENV_CCNAME "KRB5CCNAME"
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index c4135f24a1c..31e5af4224f 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -323,6 +323,11 @@ int ads_kinit_password(ADS_STRUCT *ads)
 	const char *account_name;
 	fstring acct_name;
 
+	if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
+		account_name = ads->auth.user_name;
+		goto got_accountname;
+	}
+
 	if ( IS_DC ) {
 		/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
 		account_name = lp_workgroup();
@@ -338,6 +343,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
 			account_name = ads->auth.user_name;
 	}
 
+ got_accountname:
 	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
 		return KRB5_CC_NOMEM;
 	}