authorLuke Leighton <lkcl@samba.org>1998-11-24 16:47:49 +0000
committerLuke Leighton <lkcl@samba.org>1998-11-24 16:47:49 +0000
commitced486c8415c7ece457edecb3246f7277a57d60b (patch)
tree578a345157409d97841c8c2c6fe2539226377c43
parent0c9df3c61007eb170ae17282d7b31bea6899a656 (diff)
downloadsamba-ced486c8415c7ece457edecb3246f7277a57d60b.tar.gz
samba-ced486c8415c7ece457edecb3246f7277a57d60b.tar.bz2
samba-ced486c8415c7ece457edecb3246f7277a57d60b.zip
sorting out the difference between aliases and groups in the cases where
unix groups are not explicitly mapped. i.e. as a PDC or BDC you can have domain groups; as a member of a domain you cannot. As a member of a domain, unmapped unix groups are assumed to be aliases, and as a PDC or BDC, unmapped unix groups are assumed to be domain groups. There is _one_ other check still to be added for aliases: unmapped unix groups that have the same name as an NT group on the PDC (for which I will need to write an LsaLookupNames call) should be assumed to be domain groups on the PDC. (This used to be commit 53b49b44e13a4ca9818ebc947372b1374831b568)
-rw-r--r--source3/groupdb/aliasunix.c47
-rw-r--r--source3/groupdb/groupunix.c24
-rw-r--r--source3/lib/util_sid.c5
3 files changed, 55 insertions, 21 deletions
diff --git a/source3/groupdb/aliasunix.c b/source3/groupdb/aliasunix.c
index cda53570f5..7d6cafd386 100644
--- a/source3/groupdb/aliasunix.c
+++ b/source3/groupdb/aliasunix.c
@@ -66,7 +66,7 @@ static BOOL setalsunixpwpos(void *vp, SMB_BIG_UINT tok)
}
/*************************************************************************
- maps a unix alias to a rid, domain sid and an nt alias name.
+ maps a unix group to a rid, domain sid and an nt alias name.
*************************************************************************/
static void map_unix_als_to_nt_als(struct group *unix_als, char *nt_name, DOM_SID *sid, uint32 *rid)
{
@@ -74,7 +74,7 @@ static void map_unix_als_to_nt_als(struct group *unix_als, char *nt_name, DOM_SI
{
/*
* find the NT name represented by this UNIX gid.
- * then, only accept NT aliass that are in our domain
+ * then, only accept NT aliases that are in our domain
*/
sid_split_rid(sid, rid);
@@ -150,6 +150,18 @@ BOOL get_unixalias_members(struct group *als,
/*************************************************************************
Routine to return the next entry in the domain alias list.
+
+ when we are a PDC or BDC, then unix groups that are explicitly NOT mapped
+ to aliases (map_alias_gid) are treated as DOMAIN groups (see groupunix.c).
+
+ when we are a member of a domain (not a PDC or BDC) then unix groups
+ that are explicitly NOT mapped to aliases (map_alias_gid) are treated
+ as LOCAL groups.
+
+ the reasoning behind this is to make it as simple as possible (not an easy
+ task) for people to set up a domain-aware samba server, in each role that
+ the server can take.
+
*************************************************************************/
static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem)
{
@@ -157,13 +169,11 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
static LOCAL_GRP gp_buf;
struct group *unix_grp;
- if (lp_server_role() == ROLE_DOMAIN_NONE ||
- lp_server_role() == ROLE_DOMAIN_MEMBER)
+ if (lp_server_role() == ROLE_DOMAIN_NONE)
{
/*
- * only PDC and BDC have domain aliass in the SAM.
- * (however as member of domain you can have LOCAL aliass,
- * but that's dealt with in the aliasdb...)
+ * no domain role, no domain aliases (or domain groups,
+ * but that's dealt with by groupdb...).
*/
return NULL;
@@ -173,7 +183,7 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
fstrcpy(gp_buf.comment, "");
- /* cycle through unix aliass */
+ /* cycle through unix groups */
while ((unix_grp = getgrent()) != NULL)
{
DOM_SID sid;
@@ -181,7 +191,7 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
{
/*
* find the NT name represented by this UNIX gid.
- * then, only accept NT aliass that are in our domain
+ * then, only accept NT aliases that are in our domain
*/
sid_split_rid(&sid, &gp_buf.rid);
@@ -190,9 +200,10 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
break; /* hooray. */
}
}
- else
+ else if (lp_server_role() == ROLE_DOMAIN_MEMBER)
{
/*
+ * if we are a member of a domain,
* assume that the UNIX alias is an NT alias with
* the same name. convert gid to a alias rid.
*/
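Review bot: With the `else` narrowed to `else if (lp_server_role() == ROLE_DOMAIN_MEMBER)`, a PDC or BDC whose unix group is not mapped by map_alias_gid now matches neither branch, and the loop appears to simply move on to the next getgrent() entry. That is what the commit message intends, but nothing at the branch says so, and read on its own the construct looks like a missing case. I would add a trailing `else` carrying only a comment, `/* PDC/BDC: an unmapped unix group is a domain group (see groupunix.c), not an alias */`. The hunk ends inside the member branch's comment, so the rest of getalsunixpwent's loop body is outside it.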
@@ -207,7 +218,7 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
return NULL;
}
- /* get the user's domain aliass. there are a maximum of 32 */
+ /* get the user's domain aliases. there are a maximum of 32 */
if (mem != NULL && num_mem != NULL)
{
@@ -217,13 +228,11 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
get_unixalias_members(unix_grp, num_mem, mem);
}
-#if 0
{
pstring linebuf;
make_alias_line(linebuf, sizeof(linebuf), &gp_buf, mem, num_mem);
DEBUG(10,("line: '%s'\n", linebuf));
}
-#endif
return &gp_buf;
}
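Review bot: Dropping the `#if 0` makes `make_alias_line` run on every call, formatting the full alias entry into a pstring even when the debug level is below 10, and it is handed `mem` and `num_mem` unconditionally although the check just above (`if (mem != NULL && num_mem != NULL)`) shows both may be NULL. Unless make_alias_line is known to tolerate NULL there (its definition is not in this diff), I would guard the block, e.g. `if (mem != NULL && num_mem != NULL && DEBUGLVL(10))`, assuming the DEBUGLVL level-test macro is available in this tree; failing that, move the block inside the existing NULL check so the two conditions stay in step.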
@@ -232,9 +241,9 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
Routine to add an entry to the alspasswd file.
*************************************************************************/
-static BOOL add_alsunixals_entry(LOCAL_GRP *newals)
+static BOOL add_alsunixgrp_entry(LOCAL_GRP *newals)
{
- DEBUG(0, ("add_alsunixals_entry: NOT IMPLEMENTED\n"));
+ DEBUG(0, ("add_alsunixgrp_entry: NOT IMPLEMENTED\n"));
return False;
}
@@ -247,9 +256,9 @@ static BOOL add_alsunixals_entry(LOCAL_GRP *newals)
override = True, override XXXXXXXX'd out alias or NO PASS
************************************************************************/
-static BOOL mod_alsunixals_entry(LOCAL_GRP* als)
+static BOOL mod_alsunixgrp_entry(LOCAL_GRP* als)
{
- DEBUG(0, ("mod_alsunixals_entry: NOT IMPLEMENTED\n"));
+ DEBUG(0, ("mod_alsunixgrp_entry: NOT IMPLEMENTED\n"));
return False;
}
@@ -266,8 +275,8 @@ static struct aliasdb_ops unix_ops =
iterate_getaliasrid, /* In aliasdb.c */
getalsunixpwent,
- add_alsunixals_entry,
- mod_alsunixals_entry,
+ add_alsunixgrp_entry,
+ mod_alsunixgrp_entry,
iterate_getuseraliasnam /* in aliasdb.c */
};
diff --git a/source3/groupdb/groupunix.c b/source3/groupdb/groupunix.c
index 0f850f347c..89406fe139 100644
--- a/source3/groupdb/groupunix.c
+++ b/source3/groupdb/groupunix.c
@@ -154,6 +154,14 @@ BOOL get_unixgroup_members(struct group *grp,
/*************************************************************************
Routine to return the next entry in the domain group list.
+
+ if we are not a PDC or BDC, then we do NOT support Domain groups, only
+ aliases. try running MUSRMGR.EXE or running USRMGR.EXE selected on a
+ workstation, you will find that no Domain groups are listed: only aliases.
+
+ so, as a PDC or BDC, all unix groups not explicitly mapped using
+ map_group_gid() are treated as Domain groups.
+
*************************************************************************/
static DOMAIN_GRP *getgrpunixpwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_mem)
{
@@ -182,8 +190,17 @@ static DOMAIN_GRP *getgrpunixpwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_m
while ((unix_grp = getgrent()) != NULL)
{
DOM_SID sid;
+ BOOL is_alias;
+
DEBUG(10,("getgrpunixpwent: enum unix group entry %s\n",
unix_grp->gr_name));
+ is_alias = map_alias_gid(unix_grp->gr_gid, &sid, NULL, NULL);
+ if (is_alias)
+ {
+ sid_split_rid(&sid, NULL);
+ is_alias = sid_equal(&sid, &global_sam_sid);
+ }
+
if (map_group_gid(unix_grp->gr_gid, &sid, gp_buf.name, NULL))
{
/*
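Review bot: `is_alias` is cleared again when the alias SID is not in `global_sam_sid`, so a gid that is mapped to an alias in a foreign domain is treated as not-an-alias here and can still be exported as a domain group if map_group_gid also maps it; that is presumably deliberate but deserves a word at the assignment, e.g. `/* is this gid also an alias in OUR domain? a foreign-domain alias does not count */`. The same `sid` local is then overwritten by the map_group_gid call, which is fine but worth knowing when reading the later comparison. The hunk ends inside a comment, so the remainder of getgrpunixpwent's loop is outside it.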
@@ -194,7 +211,12 @@ static DOMAIN_GRP *getgrpunixpwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_m
sid_split_rid(&sid, &gp_buf.rid);
if (sid_equal(&sid, &global_sam_sid))
{
- break; /* hooray. */
+ if (!is_alias)
+ {
+ break; /* hooray. */
+ }
+ DEBUG(0,("configuration mistake: unix group %s is mapped to both an NT alias and an NT group\n",
+ gp_buf.name));
}
}
else
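Review bot: When a gid is mapped to both an alias and a group in our domain, the new branch logs at level 0 and then falls out of the `if` without `break`, so the entry is dropped from this enumeration and, as far as this hunk shows, the message is repeated on every pass over the group file. The skip is easy to misread as an accidental fall-through, so I would state it: `/* ambiguous mapping: skip this group rather than export it as both; the admin must fix the alias/group maps */`. Since the condition is a static misconfiguration re-detected on every enumeration, a lower debug level than 0 would also keep it from flooding the log. The `else` that handles unmapped groups and the rest of the function lie outside the hunk.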
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index cce360f4c1..a483f85b84 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -134,7 +134,10 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
if (sid->num_auths > 0)
{
sid->num_auths--;
- (*rid) = sid->sub_auths[sid->num_auths];
+ if (rid != NULL)
+ {
+ (*rid) = sid->sub_auths[sid->num_auths];
+ }
return True;
}
return False;
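Review bot: sid_split_rid now accepts a NULL `rid`, but that is only discoverable from the body; the function's header comment (above the hunk) should state it, e.g. `rid may be NULL when the caller only wants the domain part; the trailing sub-authority is still removed from *sid either way`, since the in-place truncation of `sid` is the effect callers such as groupunix.c now rely on. `sid` itself is still dereferenced unconditionally, which is fine for the in-tree callers passing stack addresses but worth saying in the same comment. The function's signature and opening brace are outside the hunk.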