diff options
author | Gerald Carter <jerry@samba.org> | 2006-04-02 06:25:11 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:15:51 -0500 |
commit | 6c9eaa6880897aabbc56ad3d7bd73dfc69f926f9 (patch) | |
tree | d2c7e1efb628d346284f0777b461e32f54607029 | |
parent | 872d3cea871264eed0159f49fba8621dd357ef1d (diff) | |
download | samba-6c9eaa6880897aabbc56ad3d7bd73dfc69f926f9.tar.gz samba-6c9eaa6880897aabbc56ad3d7bd73dfc69f926f9.tar.bz2 samba-6c9eaa6880897aabbc56ad3d7bd73dfc69f926f9.zip |
r14855: Various fixes:
* depreacte 'acl group control' after discussion with Jeremy
and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly
turning _NO_WINBINDD back on
(This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)
-rw-r--r-- | source3/VERSION | 2 | ||||
-rw-r--r-- | source3/lib/system_smbd.c | 10 | ||||
-rw-r--r-- | source3/nsswitch/wb_common.c | 15 | ||||
-rw-r--r-- | source3/nsswitch/winbindd.c | 5 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_passdb.c | 23 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 27 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 18 | ||||
-rw-r--r-- | source3/smbd/posix_acls.c | 16 |
9 files changed, 72 insertions, 46 deletions
diff --git a/source3/VERSION b/source3/VERSION index 5119a95401..e083b5d930 100644 --- a/source3/VERSION +++ b/source3/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=22 +SAMBA_VERSION_RELEASE=23 ######################################################## # If a official release has a serious bug # diff --git a/source3/lib/system_smbd.c b/source3/lib/system_smbd.c index c627ae6270..ac7a096295 100644 --- a/source3/lib/system_smbd.c +++ b/source3/lib/system_smbd.c @@ -120,14 +120,19 @@ static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups, static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grpcnt) { int retval; + char *winbindd_env; DEBUG(10,("sys_getgrouplist: user [%s]\n", user)); + + /* Save the winbindd state and not just blindly turn it back on */ + + winbindd_env = getenv(WINBINDD_DONT_ENV); /* This is only ever called for Unix users, remote memberships are * always determined by the info3 coming back from auth3 or the * PAC. */ - if ( !winbind_off() ) { + if ( !winbind_putenv("0") ) { DEBUG(0,("sys_getgroup_list: Insufficient environment space " "for %s\n", WINBINDD_DONT_ENV)); } else { @@ -144,7 +149,8 @@ static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grp #endif /* allow winbindd lookups */ - winbind_on(); + + winbind_putenv( winbindd_env ? winbindd_env : "1" ); return retval; } diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c index dfefeb9f75..05f080e73a 100644 --- a/source3/nsswitch/wb_common.c +++ b/source3/nsswitch/wb_common.c @@ -618,16 +618,15 @@ NSS_STATUS winbindd_request_response(int req_type, /* Use putenv() instead of setenv() in these functions as not all environments have the latter. */ -BOOL winbind_off( void ) +BOOL winbind_putenv( const char *s ) { - static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=1"); + fstring env; - return putenv(s) != -1; -} + if ( !s ) { + return False; + } -BOOL winbind_on( void ) -{ - static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=0"); + snprintf( env, sizeof(env), "%s=%s", WINBINDD_DONT_ENV, s ); - return putenv(s) != -1; + return putenv(env) != -1; } diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 72dd39373b..51a7c1f6b0 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -945,7 +945,10 @@ int main(int argc, char **argv) /* Set environment variable so we don't recursively call ourselves. This may also be useful interactively. */ - setenv(WINBINDD_DONT_ENV, "1", 1); + if ( !winbind_putenv("0") ) { + DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n")); + exit(1); + } /* Initialise samba/rpc client stuff */ diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c index 6c8dafa118..64d811464b 100644 --- a/source3/nsswitch/winbindd_passdb.c +++ b/source3/nsswitch/winbindd_passdb.c @@ -301,7 +301,28 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, const DOM_SID *user_sid, uint32 *num_groups, DOM_SID **user_gids) { - return NT_STATUS_NO_SUCH_USER; + NTSTATUS result; + DOM_SID *groups = NULL; + gid_t *gids = NULL; + size_t ngroups = 0; + struct samu *user; + + if ( (user = samu_new(mem_ctx)) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + + if ( !pdb_getsampwsid( user, user_sid ) ) { + return NT_STATUS_NO_SUCH_USER; + } + + result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups ); + + TALLOC_FREE( user ); + + *num_groups = (uint32)ngroups; + *user_gids = groups; + + return result; } static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 367f319987..16fab6d7e5 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -504,18 +504,14 @@ BOOL init_domain_list(void) extern struct winbindd_methods cache_methods; extern struct winbindd_methods passdb_methods; struct winbindd_domain *domain; + int role = lp_server_role(); /* Free existing list */ free_domain_list(); /* Add ourselves as the first entry. */ - if (IS_DC) { - domain = add_trusted_domain(get_global_sam_name(), NULL, - &passdb_methods, - get_global_sam_sid()); - } else { - + if ( role == ROLE_DOMAIN_MEMBER ) { DOM_SID our_sid; if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) { @@ -525,24 +521,25 @@ BOOL init_domain_list(void) domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, &our_sid); + domain->primary = True; + setup_domain_child(domain, &domain->child, NULL); } - domain->primary = True; + /* Local SAM */ + + domain = add_trusted_domain(get_global_sam_name(), NULL, + &passdb_methods, get_global_sam_sid()); + if ( role != ROLE_DOMAIN_MEMBER ) { + domain->primary = True; + } setup_domain_child(domain, &domain->child, NULL); - /* Add our local SAM domains */ + /* BUILTIN domain */ domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods, &global_sid_Builtin); setup_domain_child(domain, &domain->child, NULL); - if (!IS_DC) { - domain = add_trusted_domain(get_global_sam_name(), NULL, - &passdb_methods, - get_global_sam_sid()); - setup_domain_child(domain, &domain->child, NULL); - } - return True; } diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index a80eda7a4e..7644843fc5 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -916,7 +916,7 @@ static struct parm_struct parm_table[] = { {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE}, {"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, - {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, + {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED }, {"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE}, diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index bd58dba702..88cf387838 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -1501,16 +1501,20 @@ static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size struct group *grp; char **gr; struct passwd *pwd; + char *winbindd_env; *pp_uids = NULL; *p_num = 0; /* We only look at our own sam, so don't care about imported stuff */ - winbind_off(); + winbindd_env = getenv(WINBINDD_DONT_ENV); + winbind_putenv("0"); if ((grp = getgrgid(gid)) == NULL) { - winbind_on(); + /* allow winbindd lookups */ + winbind_putenv( winbindd_env ? winbindd_env : "1" ); + return False; } @@ -1535,7 +1539,8 @@ static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num); } - winbind_on(); + /* allow winbindd lookups */ + winbind_putenv( winbindd_env ? winbindd_env : "1" ); return True; } @@ -1595,15 +1600,9 @@ NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods, const char *username = pdb_get_username(user); -#if 0 /* Ignore the primary group SID. Honor the real Unix primary group. The primary group SID is only of real use to Windows clients */ - if (!sid_to_gid(pdb_get_group_sid(user), &gid)) { - DEBUG(10, ("sid_to_gid failed\n")); - return NT_STATUS_NO_SUCH_USER; - } -#else if ( !(pw = getpwnam_alloc(mem_ctx, username)) ) { return NT_STATUS_NO_SUCH_USER; } @@ -1611,7 +1610,6 @@ NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods, gid = pw->pw_gid; TALLOC_FREE( pw ); -#endif if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) { return NT_STATUS_NO_SUCH_USER; diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index ca0c51b1ea..40cb6698a0 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -2250,18 +2250,20 @@ static BOOL current_user_in_group(gid_t gid) } /**************************************************************************** - Should we override a deny ? + Should we override a deny ? Check deprecated 'acl group control' + and 'dos filemode' ****************************************************************************/ static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid) { - if ((errno == EACCES || errno == EPERM) && - lp_acl_group_control(SNUM(conn)) && - current_user_in_group(prim_gid)) { + if ( (errno == EACCES || errno == EPERM) + && (lp_acl_group_control(SNUM(conn) || lp_dos_filemode(SNUM(conn)))) + && current_user_in_group(prim_gid) ) + { return True; - } else { - return False; - } + } + + return False; } /**************************************************************************** |