author | Jeremy Allison <jra@samba.org> | 2007-06-17 19:23:32 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:23:26 -0500 |
commit | a4354d399d65e0b0e660b0e41647c0116d51bd37 (patch) | |
tree | 80cf28285c6cb9b990cc837ac32db41b0a9063b1 | |
parent | 5e8a4c12f9617d7e7b2c392eddc1ced613a561fe (diff) | |
download | samba-a4354d399d65e0b0e660b0e41647c0116d51bd37.tar.gz samba-a4354d399d65e0b0e660b0e41647c0116d51bd37.tar.bz2 samba-a4354d399d65e0b0e660b0e41647c0116d51bd37.zip |
r23530: Fix bugs #4678 and #4697 which had the same root cause.
In make_server_info_pw() we assign a user SID in our
authoritative SAM, even though this may be from a
pure "Unix User" that doesn't exist in the SAM.
This causes lookups on "[in]valid users" to fail as they
will lookup this name as a "Unix User" SID to check against
the user token. Fix this by adding the "Unix User"\unix_username
SID to the sid array. The correct fix should probably be
changing the server_info->sam_account user SID to be a
S-1-22 Unix SID, but this might break old configs where
plaintext passwords were used with no SAM backend.
Jeremy
(This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db)
-rw-r--r-- | source3/auth/auth_util.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f66c500943..7509b5ad1c 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -966,6 +966,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
 NTSTATUS status;
 struct samu *sampass = NULL;
 gid_t *gids;
+ char *qualified_name = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ DOM_SID u_sid;
+ enum lsa_SidType type;
 auth_serversupplied_info *result;
 if ( !(sampass = samu_new( NULL )) ) {
@@ -999,6 +1003,56 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
 return status;
 }
+ /*
+ * The SID returned in server_info->sam_account is based
+ * on our SAM sid even though for a pure UNIX account this should
+ * not be the case as it doesn't really exist in the SAM db.
+ * This causes lookups on "[in]valid users" to fail as they
+ * will lookup this name as a "Unix User" SID to check against
+ * the user token. Fix this by adding the "Unix User"\unix_username
+ * SID to the sid array. The correct fix should probably be
+ * changing the server_info->sam_account user SID to be a
+ * S-1-22 Unix SID, but this might break old configs where
+ * plaintext passwords were used with no SAM backend.
+ */
+
+ mem_ctx = talloc_init("make_server_info_pw_tmp");
+ if (!mem_ctx) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+ unix_users_domain_name(),
+ unix_username );
+ if (!qualified_name) {
+ TALLOC_FREE(result);
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+ NULL, NULL,
+ &u_sid, &type)) {
+ TALLOC_FREE(result);
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ if (type != SID_NAME_USER) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (!add_sid_to_array_unique(result, &u_sid,
+ &result->sids,
+ &result->num_sids)) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+
 /* For now we throw away the gids and convert via sid_to_gid
 * later. This needs fixing, but I'd like to get the code straight and
 * simple first. */ |
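Review bot: Each of the four new error paths repeats the TALLOC_FREE(result) / TALLOC_FREE(mem_ctx) pair by hand, and the separate talloc_init("make_server_info_pw_tmp") context exists only to hold qualified_name; allocating the name under `result` (`qualified_name = talloc_asprintf(result, "%s\\%s", unix_users_domain_name(), unix_username);`) lets the existing TALLOC_FREE(result) release it and removes mem_ctx, its three extra frees, and the `TALLOC_CTX *mem_ctx = NULL;` declaration added in the first hunk. A failed lookup_name, or a result whose type is not SID_NAME_USER, now fails make_server_info_pw with NT_STATUS_NO_SUCH_USER where the function previously succeeded without the S-1-22 SID; that is fail-closed and looks acceptable, but it applies to every caller, not only the "[in]valid users" check the commit message describes, so a short comment stating that this is intentional would help the next reader. Whether `sampass` or `gids` also need releasing on these new error paths cannot be judged here, since make_server_info_pw begins and ends outside the hunk.
```c
	/* … unchanged: explanatory comment about the "Unix User" SID … */

	qualified_name = talloc_asprintf(result, "%s\\%s",
					 unix_users_domain_name(),
					 unix_username);
	if (!qualified_name) {
		TALLOC_FREE(result);
		return NT_STATUS_NO_MEMORY;
	}

	/* Fail closed: a Unix user that cannot be mapped to an S-1-22 user
	 * SID gets no server_info at all, rather than one missing that SID. */
	if (!lookup_name(result, qualified_name, LOOKUP_NAME_ALL,
			 NULL, NULL, &u_sid, &type)
	    || type != SID_NAME_USER) {
		TALLOC_FREE(result);
		return NT_STATUS_NO_SUCH_USER;
	}

	/* … unchanged: add_sid_to_array_unique call and its error path … */
```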