diff options
| author | Tim Potter <tpot@samba.org> | 2001-10-31 06:20:58 +0000 |
|---|---|---|
| committer | Tim Potter <tpot@samba.org> | 2001-10-31 06:20:58 +0000 |
| commit | 6f0b8a38ec036a0027e9f938834e241b41db40c5 (patch) | |
| tree | 3ed3e06329649d6843ed9b3f43f18e4cdf1d60f2 | |
| parent | eab05eac3998eeb9fb6fb635771370d645b5ff06 (diff) | |
| download | samba-6f0b8a38ec036a0027e9f938834e241b41db40c5.tar.gz samba-6f0b8a38ec036a0027e9f938834e241b41db40c5.tar.bz2 samba-6f0b8a38ec036a0027e9f938834e241b41db40c5.zip | |
Added some extra fields to the auth_serversupplied_info structure.
To obtain the full group membership of a user (i.e nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.
This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
(This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
| -rw-r--r-- | source3/auth/auth.c | 14 | ||||
| -rw-r--r-- | source3/include/auth.h | 5 | ||||
| -rw-r--r-- | source3/libsmb/domain_client_validate.c | 25 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_group.c | 4 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 4 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_util.c | 10 | ||||
| -rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 2 | ||||
| -rw-r--r-- | source3/smbd/auth.c | 14 |
8 files changed, 70 insertions, 8 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e76324213e..4bdbdf5555 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, auth_serversupplied_info server_info; AUTH_STR ourdomain, theirdomain, unix_username, smb_username, wksta_name; + NTSTATUS result; ZERO_STRUCT(user_info); ZERO_STRUCT(ourdomain); @@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, } - return check_password(&user_info, &server_info); + result = check_password(&user_info, &server_info); + + free_serversupplied_info(&server_info); /* No info needed */ + + return result; } NTSTATUS pass_check_smb(char *smb_user, char *unix_user, @@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } + +/* Free a auth_serversupplied_info structure */ + +void free_serversupplied_info(auth_serversupplied_info *server_info) +{ + SAFE_FREE(server_info->group_rids); +} diff --git a/source3/include/auth.h b/source3/include/auth.h index 91230e4b6e..9e99600e98 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -90,6 +90,11 @@ typedef struct serversupplied_info /* This groups info is needed for when we become_user() for this uid */ int n_groups; gid_t *groups; + + /* NT group information taken from the info3 structure */ + + int n_rids; + uint32 *group_rids; uchar session_key[16]; diff --git a/source3/libsmb/domain_client_validate.c b/source3/libsmb/domain_client_validate.c index 26f53f0297..26a727b1f1 100644 --- a/source3/libsmb/domain_client_validate.c +++ b/source3/libsmb/domain_client_validate.c @@ -326,6 +326,7 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, status = cli_nt_login_network(&cli, user_info, smb_uid_low, &ctr, &info3); + if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " @@ -335,8 +336,28 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, } /* - * Here, if we really want it, we have lots of info about the user in info3. - */ + * Here, if we really want it, we have lots of info about the user + * in info3. + */ + + /* Store the user group information in the server_info returned to + the caller. */ + + if ((server_info->group_rids = malloc(info3.num_groups2 * + sizeof(uint32))) == NULL) { + DEBUG(1, ("out of memory allocating rid group membership\n")); + status = NT_STATUS_NO_MEMORY; + } else { + int i; + + server_info->n_rids = info3.num_groups2; + + for (i = 0; i < server_info->n_rids; i++) { + server_info->group_rids[i] = info3.gids[i].g_rid; + DEBUG(5, ("** adding group rid 0x%x\n", + info3.gids[i].g_rid)); + } + } #if 0 /* diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 092651c9a7..e1e4443442 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -107,7 +107,9 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain, DEBUG(10, ("fill_grent_mem(): processing name %s\n", the_name)); - /* Only add domain users */ + /* FIXME: need to cope with groups within groups. These + occur in Universal groups on a Windows 2000 native mode + server. */ if (name_types[i] != SID_NAME_USER) { DEBUG(3, ("fill_grent_mem(): name %s isn't a domain " diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 406b12c9f6..5cf819a19d 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -141,6 +141,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) auth_dc, trust_passwd, last_change_time); + free_serversupplied_info(&server_info); /* No info needed */ + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } @@ -218,6 +220,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) auth_dc, trust_passwd, last_change_time); + free_serversupplied_info(&server_info); /* No info needed */ + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 614198673b..6a0a5389ef 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -344,6 +344,9 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; uint32 i, total_names = 0; + /* Step #1: Get a list of user rids that are the members of the + group. */ + if (!(group_hnd = cm_get_sam_group_handle(domain->name, &domain->sid, group_rid))) goto done; @@ -357,9 +360,10 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(result)) goto done; - /* Convert list of rids into list of names. Do this in bunches of - ~1000 to avoid crashing NT4. It looks like there is a buffer - overflow or something like that lurking around somewhere. */ + /* Step #2: Convert list of rids into list of usernames. Do this + in bunches of ~1000 to avoid crashing NT4. It looks like there + is a buffer overflow or something like that lurking around + somewhere. */ if (!(dom_hnd = cm_get_sam_dom_handle(domain->name, &domain->sid))) goto done; diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index cb54d726b3..0f2b672d38 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -595,6 +595,8 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c DEBUG(5, ("_net_logon_any: exited with status %s\n", get_nt_error_msg(nt_status))); + free_serversupplied_info(&server_info); /* No info needed */ + return nt_status; } diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c index e76324213e..4bdbdf5555 100644 --- a/source3/smbd/auth.c +++ b/source3/smbd/auth.c @@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, auth_serversupplied_info server_info; AUTH_STR ourdomain, theirdomain, unix_username, smb_username, wksta_name; + NTSTATUS result; ZERO_STRUCT(user_info); ZERO_STRUCT(ourdomain); @@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, } - return check_password(&user_info, &server_info); + result = check_password(&user_info, &server_info); + + free_serversupplied_info(&server_info); /* No info needed */ + + return result; } NTSTATUS pass_check_smb(char *smb_user, char *unix_user, @@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } + +/* Free a auth_serversupplied_info structure */ + +void free_serversupplied_info(auth_serversupplied_info *server_info) +{ + SAFE_FREE(server_info->group_rids); +} |