authorSimo Sorce <ssorce@redhat.com>2010-05-28 11:14:01 -0400
committerAndrew Bartlett <abartlet@samba.org>2010-06-07 22:53:06 +1000
commitef942172b9dfe3c30b86161445c7d6290579b6f2 (patch)
tree8b47cd9858871e7f58df0cb61dded5e83f61669b
parent1bb0afa662cb65ad8eeec59d40008c6604b791bc (diff)
s3:auth check the user is valid first
It makes no sense to go through all the hoops of building the samu and converting it to info3, only to discard them later if the user was not valid.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source3/auth/auth_util.c82
1 files changed, 39 insertions, 43 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 8ea1f410f1..f937a9bb60 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -581,6 +581,45 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
enum lsa_SidType type;
struct auth_serversupplied_info *result;
+ /*
+ * The SID returned in server_info->sam_account is based
+ * on our SAM sid even though for a pure UNIX account this should
+ * not be the case as it doesn't really exist in the SAM db.
+ * This causes lookups on "[in]valid users" to fail as they
+ * will lookup this name as a "Unix User" SID to check against
+ * the user token. Fix this by adding the "Unix User"\unix_username
+ * SID to the sid array. The correct fix should probably be
+ * changing the server_info->sam_account user SID to be a
+ * S-1-22 Unix SID, but this might break old configs where
+ * plaintext passwords were used with no SAM backend.
+ */
+
+ mem_ctx = talloc_init("make_server_info_pw_tmp");
+ if (!mem_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+ unix_users_domain_name(),
+ unix_username );
+ if (!qualified_name) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+ NULL, NULL,
+ &u_sid, &type)) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ if (type != SID_NAME_USER) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
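Review bot: The two early-rejection paths added in this hunk (the `lookup_name` failure and the `type != SID_NAME_USER` case) return NT_STATUS_NO_SUCH_USER with no diagnostic, so a name that does not resolve or that resolves to a non-user SID (a group, for instance) is indistinguishable in the logs from any other lookup miss; a message before mem_ctx is freed, e.g. `DEBUG(3, ("make_server_info_pw: %s did not resolve to a user SID\n", qualified_name));`, would make these rejections visible to whoever is auditing failed logons. The moved comment block still describes the fix only as adding the "Unix User" SID to the sid array, but after this change the lookup also gates whether samu/info3 are built at all; a sentence such as `/* Resolve the SID up front so an unknown or non-user name is rejected before samu/info3 are built; u_sid is added to the token further down. */` would keep the comment in step with the code. mem_ctx is released on every return path and `result` does not exist yet at this point, so the reordering introduces no leak. make_server_info_pw starts before this hunk and continues past it.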
@@ -639,49 +678,6 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
TALLOC_FREE(sampass);
- /*
- * The SID returned in server_info->sam_account is based
- * on our SAM sid even though for a pure UNIX account this should
- * not be the case as it doesn't really exist in the SAM db.
- * This causes lookups on "[in]valid users" to fail as they
- * will lookup this name as a "Unix User" SID to check against
- * the user token. Fix this by adding the "Unix User"\unix_username
- * SID to the sid array. The correct fix should probably be
- * changing the server_info->sam_account user SID to be a
- * S-1-22 Unix SID, but this might break old configs where
- * plaintext passwords were used with no SAM backend.
- */
-
- mem_ctx = talloc_init("make_server_info_pw_tmp");
- if (!mem_ctx) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
- unix_users_domain_name(),
- unix_username );
- if (!qualified_name) {
- TALLOC_FREE(result);
- TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
- NULL, NULL,
- &u_sid, &type)) {
- TALLOC_FREE(result);
- TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- TALLOC_FREE(mem_ctx);
-
- if (type != SID_NAME_USER) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_SUCH_USER;
- }
-
/* FIXME: add to info3 too ? */
status = add_sid_to_array_unique(result, &u_sid,
&result->sids,