authorGerald Carter <jerry@samba.org>2006-04-02 06:25:11 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:15:51 -0500
commit6c9eaa6880897aabbc56ad3d7bd73dfc69f926f9 (patch)
treed2c7e1efb628d346284f0777b461e32f54607029
parent872d3cea871264eed0159f49fba8621dd357ef1d (diff)
r14855: Various fixes:
* deprecate 'acl group control' after discussion with Jeremy and implement functionality as part of 'dos filemode' * fix winbindd on a non-member server to expand local groups * prevent code previously only used by smbd from blindly turning _NO_WINBINDD back on (This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)
-rw-r--r--source3/VERSION2
-rw-r--r--source3/lib/system_smbd.c10
-rw-r--r--source3/nsswitch/wb_common.c15
-rw-r--r--source3/nsswitch/winbindd.c5
-rw-r--r--source3/nsswitch/winbindd_passdb.c23
-rw-r--r--source3/nsswitch/winbindd_util.c27
-rw-r--r--source3/param/loadparm.c2
-rw-r--r--source3/passdb/pdb_interface.c18
-rw-r--r--source3/smbd/posix_acls.c16
9 files changed, 72 insertions, 46 deletions
diff --git a/source3/VERSION b/source3/VERSION
index 5119a95401..e083b5d930 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=22
+SAMBA_VERSION_RELEASE=23
########################################################
# If a official release has a serious bug #
diff --git a/source3/lib/system_smbd.c b/source3/lib/system_smbd.c
index c627ae6270..ac7a096295 100644
--- a/source3/lib/system_smbd.c
+++ b/source3/lib/system_smbd.c
@@ -120,14 +120,19 @@ static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups,
static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
{
int retval;
+ char *winbindd_env;
DEBUG(10,("sys_getgrouplist: user [%s]\n", user));
+
+ /* Save the winbindd state and not just blindly turn it back on */
+
+ winbindd_env = getenv(WINBINDD_DONT_ENV);
/* This is only ever called for Unix users, remote memberships are
* always determined by the info3 coming back from auth3 or the
* PAC. */
- if ( !winbind_off() ) {
+ if ( !winbind_putenv("0") ) {
DEBUG(0,("sys_getgroup_list: Insufficient environment space "
"for %s\n", WINBINDD_DONT_ENV));
} else {
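Review bot: The value written by `if ( !winbind_putenv("0") )` is the opposite of what the helper it replaces wrote: the removed winbind_off() set `WINBINDD_DONT_ENV=1` and winbind_on() set `=0`, yet the block that is meant to keep this Unix lookup away from winbindd now writes "0", and the restore in the next hunk defaults to "1". The same flip appears in winbindd.c main (`setenv(WINBINDD_DONT_ENV, "1", 1)` becomes `winbind_putenv("0")`) and in get_memberuids in pdb_interface.c. Unless the code that reads the variable (not in this diff) now treats "0" as the disabled value, these calls enable winbindd exactly where the old code disabled it, and winbindd loses its own recursion guard; please confirm against the checker in wb_common.c. If "1" is still the disabled value, this line should read `if ( !winbind_putenv("1") )` and the restore `winbind_putenv( winbindd_env ? winbindd_env : "0" );`. sys_getgrouplist continues past this hunk.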
@@ -144,7 +149,8 @@ static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grp
#endif
/* allow winbindd lookups */
- winbind_on();
+
+ winbind_putenv( winbindd_env ? winbindd_env : "1" );
return retval;
}
diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c
index dfefeb9f75..05f080e73a 100644
--- a/source3/nsswitch/wb_common.c
+++ b/source3/nsswitch/wb_common.c
@@ -618,16 +618,15 @@ NSS_STATUS winbindd_request_response(int req_type,
/* Use putenv() instead of setenv() in these functions as not all
environments have the latter. */
-BOOL winbind_off( void )
+BOOL winbind_putenv( const char *s )
{
- static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=1");
+ fstring env;
- return putenv(s) != -1;
-}
+ if ( !s ) {
+ return False;
+ }
-BOOL winbind_on( void )
-{
- static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=0");
+ snprintf( env, sizeof(env), "%s=%s", WINBINDD_DONT_ENV, s );
- return putenv(s) != -1;
+ return putenv(env) != -1;
}
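Review bot: `fstring env` is an automatic array and `putenv(env)` on the last line stores that pointer in environ rather than copying the string, so as soon as winbind_putenv returns the environment entry refers to a dead stack frame; the removed winbind_off()/winbind_on() used `static char *s` for exactly this reason. The value callers save with getenv(WINBINDD_DONT_ENV) (system_smbd.c, pdb_interface.c) would then point at reused stack as well. Storage that outlives the call is needed: a heap string as below (one short string is orphaned each time the same name is replaced), or a pair of static strings for the "0"/"1" values as before. A single static fstring would not be enough either, because a caller's saved getenv() pointer would alias that buffer and be overwritten by the next call.
```c
BOOL winbind_putenv( const char *s )
{
	char *env = NULL;

	/* … unchanged: NULL check on s … */

	/* putenv() keeps the pointer it is given, so the string must
	   outlive this call: never an automatic buffer. */
	if ( asprintf( &env, "%s=%s", WINBINDD_DONT_ENV, s ) < 0 ) {
		return False;
	}

	return putenv(env) != -1;
}
```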
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 72dd39373b..51a7c1f6b0 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -945,7 +945,10 @@ int main(int argc, char **argv)
/* Set environment variable so we don't recursively call ourselves.
This may also be useful interactively. */
- setenv(WINBINDD_DONT_ENV, "1", 1);
+ if ( !winbind_putenv("0") ) {
+ DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n"));
+ exit(1);
+ }
/* Initialise samba/rpc client stuff */
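Review bot: The new DEBUG message after `winbind_putenv("0")` misspells recursive (`"Failed to disable recusive winbindd calls. Exiting.\n"`); since this string is what an administrator will search logs for, it should read `"Failed to disable recursive winbindd calls. Exiting.\n"`. Whether "0" is the value that actually disables the NSS client, given that the replaced setenv wrote "1", is raised on the system_smbd.c hunk. main continues outside this hunk.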
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
index 6c8dafa118..64d811464b 100644
--- a/source3/nsswitch/winbindd_passdb.c
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -301,7 +301,28 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
const DOM_SID *user_sid,
uint32 *num_groups, DOM_SID **user_gids)
{
- return NT_STATUS_NO_SUCH_USER;
+ NTSTATUS result;
+ DOM_SID *groups = NULL;
+ gid_t *gids = NULL;
+ size_t ngroups = 0;
+ struct samu *user;
+
+ if ( (user = samu_new(mem_ctx)) == NULL ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !pdb_getsampwsid( user, user_sid ) ) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups );
+
+ TALLOC_FREE( user );
+
+ *num_groups = (uint32)ngroups;
+ *user_gids = groups;
+
+ return result;
}
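Review bot: When `pdb_getsampwsid( user, user_sid )` fails the function returns NT_STATUS_NO_SUCH_USER without releasing `user`, while the success path does `TALLOC_FREE( user )`; the samu stays attached to mem_ctx until the caller frees that context, so add `TALLOC_FREE( user );` before that return. The `gids` array filled by pdb_enum_group_memberships is never used here and is likewise left on mem_ctx; a `TALLOC_FREE( gids );` next to the existing free keeps the context small. The cast `(uint32)ngroups` silently narrows a size_t, harmless for realistic membership counts but worth a one-line comment. mem_ctx is presumably a parameter declared above this hunk.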
static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 367f319987..16fab6d7e5 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -504,18 +504,14 @@ BOOL init_domain_list(void)
extern struct winbindd_methods cache_methods;
extern struct winbindd_methods passdb_methods;
struct winbindd_domain *domain;
+ int role = lp_server_role();
/* Free existing list */
free_domain_list();
/* Add ourselves as the first entry. */
- if (IS_DC) {
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &passdb_methods,
- get_global_sam_sid());
- } else {
-
+ if ( role == ROLE_DOMAIN_MEMBER ) {
DOM_SID our_sid;
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
@@ -525,24 +521,25 @@ BOOL init_domain_list(void)
domain = add_trusted_domain( lp_workgroup(), lp_realm(),
&cache_methods, &our_sid);
+ domain->primary = True;
+ setup_domain_child(domain, &domain->child, NULL);
}
- domain->primary = True;
+ /* Local SAM */
+
+ domain = add_trusted_domain(get_global_sam_name(), NULL,
+ &passdb_methods, get_global_sam_sid());
+ if ( role != ROLE_DOMAIN_MEMBER ) {
+ domain->primary = True;
+ }
setup_domain_child(domain, &domain->child, NULL);
- /* Add our local SAM domains */
+ /* BUILTIN domain */
domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
&global_sid_Builtin);
setup_domain_child(domain, &domain->child, NULL);
- if (!IS_DC) {
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &passdb_methods,
- get_global_sam_sid());
- setup_domain_child(domain, &domain->child, NULL);
- }
-
return True;
}
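Review bot: The new `domain = add_trusted_domain(get_global_sam_name(), NULL, &passdb_methods, get_global_sam_sid());` is immediately dereferenced (`domain->primary`, `&domain->child`) with no NULL check, as is the member-only `domain` a few lines up; whether add_trusted_domain can return NULL is not visible here and the removed code had the same shape, but this restructuring is the moment to add `if ( !domain ) { return False; }` after each call, since the function already returns BOOL. The `/* Local SAM */` block also deserves a line explaining the role split, e.g. `/* On a member the workgroup domain above is primary; on a DC or standalone server our own SAM is. */`. init_domain_list begins before the first hunk.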
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a80eda7a4e..7644843fc5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -916,7 +916,7 @@ static struct parm_struct parm_table[] = {
{"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE},
{"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
- {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
+ {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED },
{"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
{"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
{"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE},
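Review bot: Adding FLAG_DEPRECATED to `{"acl group control", ...}` marks the parameter but nothing in this table says what replaces it, and the option is still read by posix_acls.c, so it remains fully functional; a trailing comment such as `/* deprecated: behaviour now implied by 'dos filemode' */` would save the next reader a search. The administrator-facing documentation for the parameter is not part of this commit, so the deprecation is presumably only visible through the flag until that is updated.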
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index bd58dba702..88cf387838 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -1501,16 +1501,20 @@ static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size
struct group *grp;
char **gr;
struct passwd *pwd;
+ char *winbindd_env;
*pp_uids = NULL;
*p_num = 0;
/* We only look at our own sam, so don't care about imported stuff */
- winbind_off();
+ winbindd_env = getenv(WINBINDD_DONT_ENV);
+ winbind_putenv("0");
if ((grp = getgrgid(gid)) == NULL) {
- winbind_on();
+ /* allow winbindd lookups */
+ winbind_putenv( winbindd_env ? winbindd_env : "1" );
+
return False;
}
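Review bot: The result of `winbind_putenv("0")` after the getenv is discarded, so if putenv fails the getgrgid lookup silently proceeds with winbindd still reachable, whereas sys_getgrouplist in system_smbd.c tests the same call and logs; for consistency check it here too, `if ( !winbind_putenv("0") ) { DEBUG(0,("get_memberuids: cannot set %s\n", WINBINDD_DONT_ENV)); }`. Whether "0" is the right value, given the removed winbind_off() wrote "1", is raised on the system_smbd.c hunk. The save/restore pair is now duplicated on both exit paths (here and in the next hunk); a single exit label would keep the two copies from drifting apart. get_memberuids continues into the next hunk.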
@@ -1535,7 +1539,8 @@ static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size
add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num);
}
- winbind_on();
+ /* allow winbindd lookups */
+ winbind_putenv( winbindd_env ? winbindd_env : "1" );
return True;
}
@@ -1595,15 +1600,9 @@ NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
const char *username = pdb_get_username(user);
-#if 0
/* Ignore the primary group SID. Honor the real Unix primary group.
The primary group SID is only of real use to Windows clients */
- if (!sid_to_gid(pdb_get_group_sid(user), &gid)) {
- DEBUG(10, ("sid_to_gid failed\n"));
- return NT_STATUS_NO_SUCH_USER;
- }
-#else
if ( !(pw = getpwnam_alloc(mem_ctx, username)) ) {
return NT_STATUS_NO_SUCH_USER;
}
@@ -1611,7 +1610,6 @@ NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
gid = pw->pw_gid;
TALLOC_FREE( pw );
-#endif
if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
return NT_STATUS_NO_SUCH_USER;
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index ca0c51b1ea..40cb6698a0 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2250,18 +2250,20 @@ static BOOL current_user_in_group(gid_t gid)
}
/****************************************************************************
- Should we override a deny ?
+ Should we override a deny ? Check deprecated 'acl group control'
+ and 'dos filemode'
****************************************************************************/
static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
{
- if ((errno == EACCES || errno == EPERM) &&
- lp_acl_group_control(SNUM(conn)) &&
- current_user_in_group(prim_gid)) {
+ if ( (errno == EACCES || errno == EPERM)
+ && (lp_acl_group_control(SNUM(conn) || lp_dos_filemode(SNUM(conn))))
+ && current_user_in_group(prim_gid) )
+ {
return True;
- } else {
- return False;
- }
+ }
+
+ return False;
}
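Review bot: The parenthesis in `&& (lp_acl_group_control(SNUM(conn) || lp_dos_filemode(SNUM(conn))))` is misplaced: as written, lp_acl_group_control receives the boolean `SNUM(conn) || lp_dos_filemode(SNUM(conn))` as its share number — share 0 or 1, not the connection's share — and lp_dos_filemode is never ORed into the decision at all. Since this function decides whether a permission denial on an ACL change is overridden, consulting another share's 'acl group control' setting is an access-control defect, not just a logic slip. The line should read `&& (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))`. The header comment could also state the intended relation, e.g. `'dos filemode' alone now permits the override; 'acl group control' is honoured only for compatibility.`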
/****************************************************************************