summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-06-17 19:23:32 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:23:26 -0500
commita4354d399d65e0b0e660b0e41647c0116d51bd37 (patch)
tree80cf28285c6cb9b990cc837ac32db41b0a9063b1
parent5e8a4c12f9617d7e7b2c392eddc1ced613a561fe (diff)
downloadsamba-a4354d399d65e0b0e660b0e41647c0116d51bd37.tar.gz
samba-a4354d399d65e0b0e660b0e41647c0116d51bd37.tar.bz2
samba-a4354d399d65e0b0e660b0e41647c0116d51bd37.zip
r23530: Fix bugs #4678 and #4697 which had the same root cause.
In make_server_info_pw() we assign a user SID in our authoritative SAM, even though this may be from a pure "Unix User" that doesn't exist in the SAM. This causes lookups on "[in]valid users" to fail as they will lookup this name as a "Unix User" SID to check against the user token. Fix this by adding the "Unix User"\unix_username SID to the sid array. The correct fix should probably be changing the server_info->sam_account user SID to be a S-1-22 Unix SID, but this might break old configs where plaintext passwords were used with no SAM backend. Jeremy (This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db)
-rw-r--r--source3/auth/auth_util.c54
1 files changed, 54 insertions, 0 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f66c500943..7509b5ad1c 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -966,6 +966,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
NTSTATUS status;
struct samu *sampass = NULL;
gid_t *gids;
+ char *qualified_name = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ DOM_SID u_sid;
+ enum lsa_SidType type;
auth_serversupplied_info *result;
if ( !(sampass = samu_new( NULL )) ) {
@@ -999,6 +1003,56 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
return status;
}
+ /*
+ * The SID returned in server_info->sam_account is based
+ * on our SAM sid even though for a pure UNIX account this should
+ * not be the case as it doesn't really exist in the SAM db.
+ * This causes lookups on "[in]valid users" to fail as they
+ * will lookup this name as a "Unix User" SID to check against
+ * the user token. Fix this by adding the "Unix User"\unix_username
+ * SID to the sid array. The correct fix should probably be
+ * changing the server_info->sam_account user SID to be a
+ * S-1-22 Unix SID, but this might break old configs where
+ * plaintext passwords were used with no SAM backend.
+ */
+
+ mem_ctx = talloc_init("make_server_info_pw_tmp");
+ if (!mem_ctx) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+ unix_users_domain_name(),
+ unix_username );
+ if (!qualified_name) {
+ TALLOC_FREE(result);
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+ NULL, NULL,
+ &u_sid, &type)) {
+ TALLOC_FREE(result);
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ if (type != SID_NAME_USER) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (!add_sid_to_array_unique(result, &u_sid,
+ &result->sids,
+ &result->num_sids)) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* For now we throw away the gids and convert via sid_to_gid
* later. This needs fixing, but I'd like to get the code straight and
* simple first. */