summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2007-05-07 13:56:57 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:21:54 -0500
commitb1e866c3b7c2ef92599b5801ac8c174cfd404319 (patch)
treeb56f6061038c0211a07e8c1a79cc8fdf64d0735b
parentf50ff7345d59743669a3a84f6fdd42d4f2f43a43 (diff)
downloadsamba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.tar.gz
samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.tar.bz2
samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.zip
r22745: Add local groups to the --required-membership-sid test. This needs
merging to 3_0_26 once Michael's net conf changes have been merged. It depends on token_utils.c. (This used to be commit a99ab3a2ed44522054175f03b60e63fa05a0378a)
-rw-r--r--source3/Makefile.in3
-rw-r--r--source3/nsswitch/winbindd_pam.c152
2 files changed, 64 insertions, 91 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index aa6dbbf1d3..5ddcaa1401 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -829,7 +829,8 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd_async.o \
nsswitch/winbindd_creds.o \
nsswitch/winbindd_cred_cache.o \
- nsswitch/winbindd_ccache_access.o
+ nsswitch/winbindd_ccache_access.o \
+ auth/token_util.o
WINBINDD_OBJ = \
$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 5114b37315..e4acb051b3 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -127,17 +127,12 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
{
DOM_SID *require_membership_of_sid;
size_t num_require_membership_of_sid;
- DOM_SID *all_sids;
- /* UserSID, GroupSID, Grooup2SIDs, OtherSIDs, WellKnownSIDs */
- size_t num_all_sids = (2 +
- info3->num_groups2 +
- info3->num_other_sids +
- 2 );
- size_t i, j = 0, k;
- size_t group_sid_length;
- const char *search_location;
- char *single_group_sid;
- const char *comma;
+ fstring req_sid;
+ const char *p;
+ DOM_SID sid;
+ size_t i;
+ struct nt_user_token *token;
+ NTSTATUS status;
/* Parse the 'required group' SID */
@@ -146,93 +141,59 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
- num_require_membership_of_sid = 1;
- group_sid_length = strlen(group_sid);
- for (i = 0; i < group_sid_length; i++) {
- if (',' == group_sid[i]) {
- num_require_membership_of_sid++;
- }
+ if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
+ DEBUG(0, ("talloc failed\n"));
+ return NT_STATUS_NO_MEMORY;
}
- require_membership_of_sid = TALLOC_ARRAY(mem_ctx, DOM_SID, num_require_membership_of_sid);
- if (!require_membership_of_sid)
- return NT_STATUS_NO_MEMORY;
+ num_require_membership_of_sid = 0;
+ require_membership_of_sid = NULL;
- i = 0;
- search_location = group_sid;
+ p = group_sid;
- if (num_require_membership_of_sid > 1) {
+ while (next_token(&p, req_sid, ",", sizeof(req_sid))) {
+ if (!string_to_sid(&sid, req_sid)) {
+ DEBUG(0, ("check_info3_in_group: could not parse %s "
+ "as a SID!", req_sid));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- /* Allocate the maximum possible size */
- single_group_sid = TALLOC(mem_ctx, group_sid_length);
- if (!single_group_sid)
+ if (!add_sid_to_array(mem_ctx, &sid,
+ &require_membership_of_sid,
+ &num_require_membership_of_sid)) {
+ DEBUG(0, ("add_sid_to_array failed\n"));
return NT_STATUS_NO_MEMORY;
-
- while ( (comma = strstr(search_location, ",")) != NULL ) {
-
- strncpy(single_group_sid, search_location, comma - search_location);
- single_group_sid[comma - search_location] = 0;
-
- if (!string_to_sid(&require_membership_of_sid[i++], single_group_sid)) {
- DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
- single_group_sid));
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- search_location = comma + 1;
}
}
- if (!string_to_sid(&require_membership_of_sid[i++], search_location)) {
- DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
- search_location));
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
- if (!all_sids)
- return NT_STATUS_NO_MEMORY;
-
- /* and create (by appending rids) the 'domain' sids */
-
- sid_copy(&all_sids[0], &(info3->dom_sid.sid));
-
- if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
- DEBUG(3,("could not append user's primary RID 0x%x\n",
+ if (!sid_compose(&sid, &(info3->dom_sid.sid),
+ info3->user_rid)
+ || !add_sid_to_array(mem_ctx, &sid,
+ &token->user_sids, &token->num_sids)) {
+ DEBUG(3,("could not add user SID from rid 0x%x\n",
info3->user_rid));
-
return NT_STATUS_INVALID_PARAMETER;
}
- j++;
- sid_copy(&all_sids[1], &(info3->dom_sid.sid));
-
- if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
+ if (!sid_compose(&sid, &(info3->dom_sid.sid),
+ info3->group_rid)
+ || !add_sid_to_array(mem_ctx, &sid,
+ &token->user_sids, &token->num_sids)) {
DEBUG(3,("could not append additional group rid 0x%x\n",
info3->group_rid));
return NT_STATUS_INVALID_PARAMETER;
}
- j++;
- /* Well-Known SIDs */
-
- sid_copy( &all_sids[j++], &global_sid_World );
- sid_copy( &all_sids[j++], &global_sid_Authenticated_Users );
-
for (i = 0; i < info3->num_groups2; i++) {
-
- sid_copy(&all_sids[j], &(info3->dom_sid.sid));
-
- if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
+ if (!sid_compose(&sid, &(info3->dom_sid.sid),
+ info3->gids[i].g_rid)
+ || !add_sid_to_array(mem_ctx, &sid,
+ &token->user_sids, &token->num_sids)) {
DEBUG(3,("could not append additional group rid 0x%x\n",
- info3->gids[i].g_rid));
-
+ info3->gids[i].g_rid));
return NT_STATUS_INVALID_PARAMETER;
}
- j++;
}
/* Copy 'other' sids. We need to do sid filtering here to
@@ -242,21 +203,32 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
*/
for (i = 0; i < info3->num_other_sids; i++) {
- sid_copy(&all_sids[info3->num_groups2 + i + 2],
- &info3->other_sids[i].sid);
- j++;
- }
-
- for (i = 0; i < j; i++) {
- fstring sid1, sid2;
- DEBUG(10, ("User has SID: %s\n",
- sid_to_string(sid1, &all_sids[i])));
- for (k = 0; k < num_require_membership_of_sid; k++) {
- if (sid_equal(&require_membership_of_sid[k], &all_sids[i])) {
- DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
- sid_to_string(sid1, &require_membership_of_sid[k]), sid_to_string(sid2, &all_sids[i])));
- return NT_STATUS_OK;
- }
+ if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
+ &token->user_sids, &token->num_sids)) {
+ DEBUG(3, ("could not add SID to array: %s\n",
+ sid_string_static(&info3->other_sids[i].sid)));
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
+ token))
+ || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
+ token))) {
+ DEBUG(3, ("could not add aliases: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ debug_nt_user_token(DBGC_CLASS, 10, token);
+
+ for (i=0; i<num_require_membership_of_sid; i++) {
+ DEBUG(10, ("Checking SID %s\n", sid_string_static(
+ &require_membership_of_sid[i])));
+ if (nt_token_check_sid(&require_membership_of_sid[i],
+ token)) {
+ DEBUG(10, ("Access ok\n"));
+ return NT_STATUS_OK;
}
}