124-sesssetup.c.diff [plain text]
Index: samba/source/smbd/sesssetup.c
===================================================================
--- samba/source/smbd/sesssetup.c.orig
+++ samba/source/smbd/sesssetup.c
@@ -247,6 +247,7 @@ static int reply_spnego_kerberos(connect
BOOL map_domainuser_to_guest = False;
BOOL username_was_mapped;
PAC_LOGON_INFO *logon_info = NULL;
+ BOOL trustaccount = False;
ZERO_STRUCT(ticket);
ZERO_STRUCT(pac_data);
@@ -407,6 +408,28 @@ static int reply_spnego_kerberos(connect
pw = smb_getpwnam( mem_ctx, user, real_username, True );
+ if (!pw && lp_opendirectory() && strchr_m(client, '$')) {
+ struct samu *sam_pass = NULL;
+ char *fullname = NULL;
+
+ DEBUG(1,("Lookup trust account via passdb (%s)\n",user));
+
+ sam_pass = samu_new(NULL);
+ trustaccount = pdb_getsampwnam(sam_pass, client);
+
+ /* If this is a trust account, map it to guest because OD
+ * doesn't have a corresponding user account.
+ */
+ if (trustaccount == True) {
+ fullname = pdb_get_fullname (sam_pass);
+ map_domainuser_to_guest = True;
+ fstrcpy(real_username, fullname);
+ DEBUG(1,("trust account found via passdb fullname(%s)\n",fullname));
+ }
+
+ TALLOC_FREE(sam_pass);
+ }
+
if (pw) {
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
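Review bot: The added test `strchr_m(client, '$')` accepts a `$` anywhere in the principal, and once `pdb_getsampwnam` succeeds the block sets `map_domainuser_to_guest`, which the rewritten condition in the third hunk then treats as sufficient for guest mapping whatever `lp_map_to_guest()` returns. If overriding the configured guest policy is intended for Open Directory trust accounts, the comment should say so explicitly, and the test should be narrowed to a machine-account name (a trailing `$` on the account part) rather than any occurrence. Separately, `samu_new(NULL)` is not checked before `pdb_getsampwnam(sam_pass, client)`, and the result of `pdb_get_fullname` is copied into `real_username` and logged without a NULL or empty check; guards such as `if (sam_pass != NULL)` around the lookup and `if (fullname != NULL && *fullname != '\0')` before the `fstrcpy` would cover both. The first DEBUG line prints `user` while the lookup is done on `client`, so the log does not show the name that was actually queried. reply_spnego_kerberos begins and ends outside this hunk, so how `real_username` is consumed afterwards cannot be confirmed from here.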
@@ -427,7 +450,8 @@ static int reply_spnego_kerberos(connect
did not have a local uid but has been authenticated, then
map them to a guest account */
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
+ if (map_domainuser_to_guest ||
+ lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
map_domainuser_to_guest = True;
fstrcpy(user,lp_guestaccount());
pw = smb_getpwnam( mem_ctx, user, real_username, True );