author | Volker Lendecke <vlendec@samba.org> | 2004-06-03 08:31:57 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:51:52 -0500 |
commit | b24835c155d90fe9871cfa5d77f9883c8b0de540 (patch) | |
tree | 0d7088001e52baba5b7ca814ccdd1e0c203435e7 | |
parent | ac5f0785c83d971a043cc99369dd491bee2be302 (diff) | |
r988: When adding local aliases' gids to the user token, don't do an idmap_sid_to_gid
on the user sid. This might lead to a user SID being entered as a GID in the idmap.
Volker
(This used to be commit 98e10d149710d9b70404e77a4bc0560c2e48aeaf)
-rw-r--r-- | source3/nsswitch/winbindd_group.c | 42 |
1 files changed, 31 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 7b4529144e..0e6c98e5d3 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -942,16 +942,14 @@ static void add_gid_to_array_unique(gid_t gid, gid_t **gids, int *num) *num += 1; } -static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num) +static void add_local_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num) { gid_t gid; DOM_SID *aliases; int j, num_aliases; - DEBUG(10, ("Adding gids from SID: %s\n", sid_string_static(sid))); - - if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0))) - add_gid_to_array_unique(gid, gids, num); + DEBUG(10, ("Adding local gids from SID: %s\n", + sid_string_static(sid))); /* Don't expand aliases if not explicitly activated -- for now -- jerry */ @@ -974,6 +972,27 @@ static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num) SAFE_FREE(aliases); } +static void add_gids_from_user_sid(DOM_SID *sid, gid_t **gids, int *num) +{ + DEBUG(10, ("Adding gids from user SID: %s\n", + sid_string_static(sid))); + + add_local_gids_from_sid(sid, gids, num); +} + +static void add_gids_from_group_sid(DOM_SID *sid, gid_t **gids, int *num) +{ + gid_t gid; + + DEBUG(10, ("Adding gids from group SID: %s\n", + sid_string_static(sid))); + + if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0))) + add_gid_to_array_unique(gid, gids, num); + + add_local_gids_from_sid(sid, gids, num); +} + /* Get user supplementary groups. This is much quicker than trying to invert the groups database. We merge the groups from the gids and other_sids info3 fields as trusted domain, universal group @@ -1039,7 +1058,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) goto done; } - add_gids_from_sid(&user_sid, &gid_list, &num_gids); + add_gids_from_user_sid(&user_sid, &gid_list, &num_gids); /* Treat the info3 cache as authoritative as the lookup_usergroups() function may return cached data. */ 
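Review bot: add_local_gids_from_sid carries no comment recording why the idmap_sid_to_gid call on `sid` itself was removed, so a later cleanup could put it back without noticing. A header comment such as `/* Adds only the gids of local aliases that contain sid; sid itself is never mapped here because it may be a user SID, which idmap_sid_to_gid() might then enter as a GID. */` would keep the invariant next to the code. The function body continues past the end of this hunk, so whether the local `gid` is still used there cannot be seen from here.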
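Review bot: add_gids_from_group_sid hands `sid` to idmap_sid_to_gid without checking that it is a group SID, so the protection this commit adds depends on every caller picking the right wrapper. The call in the `@@ -1083` hunk feeds it `info3->other_sids[i].sid`; whether the check ending in `continue` just above that call rules out non-group SIDs is not visible here and is worth confirming. At minimum the precondition should be stated on the function, e.g. `/* sid must be known to be a group SID: a user SID passed here may be entered into the idmap as a GID. */`. A failed mapping is also dropped without a trace, and a DEBUG line in an else branch would make a token that is missing a group diagnosable.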
@@ -1083,8 +1102,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) continue; } - add_gids_from_sid(&info3->other_sids[i].sid, - &gid_list, &num_gids); + add_gids_from_group_sid(&info3->other_sids[i].sid, + &gid_list, &num_gids); if (gid_list == NULL) goto done; @@ -1097,7 +1116,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) sid_copy( &group_sid, &domain->sid ); sid_append_rid( &group_sid, info3->gids[i].g_rid ); - add_gids_from_sid(&group_sid, &gid_list, &num_gids); + add_gids_from_group_sid(&group_sid, &gid_list, + &num_gids); if (gid_list == NULL) goto done; @@ -1116,8 +1136,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) goto done; for (i = 0; i < num_groups; i++) { - add_gids_from_sid(user_grpsids[i], - &gid_list, &num_gids); + add_gids_from_group_sid(user_grpsids[i], + &gid_list, &num_gids); if (gid_list == NULL) goto done; |
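Review bot: The `if (gid_list == NULL) goto done;` test that follows add_gids_from_group_sid cannot tell an allocation failure from a list that is simply still empty. Because the user-SID call now contributes only alias gids, the list looks more likely than before to be empty when this loop starts, so a first SID that fails to map and has no alias gids would make the loop bail out and skip the remaining groups; this assumes gid_list starts out as NULL, which is outside the visible lines. The same test follows the calls in the `@@ -1097` and `@@ -1116` hunks. Consider having the helpers return a status for allocation failure and testing that instead of the pointer.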