author | Simo Sorce <ssorce@redhat.com> | 2010-05-28 11:14:01 -0400 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-06-07 22:53:06 +1000 |
commit | ef942172b9dfe3c30b86161445c7d6290579b6f2 (patch) | |
tree | 8b47cd9858871e7f58df0cb61dded5e83f61669b | |
parent | 1bb0afa662cb65ad8eeec59d40008c6604b791bc (diff) | |
s3:auth check the user is valid first
It makes no sense to go through all the hoops to build samu and
convert it to info3, just to discard them later if the user was
not valid.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source3/auth/auth_util.c | 82 |
1 files changed, 39 insertions, 43 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 8ea1f410f1..f937a9bb60 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -581,6 +581,45 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
 enum lsa_SidType type;
 struct auth_serversupplied_info *result;
+ /*
+ * The SID returned in server_info->sam_account is based
+ * on our SAM sid even though for a pure UNIX account this should
+ * not be the case as it doesn't really exist in the SAM db.
+ * This causes lookups on "[in]valid users" to fail as they
+ * will lookup this name as a "Unix User" SID to check against
+ * the user token. Fix this by adding the "Unix User"\unix_username
+ * SID to the sid array. The correct fix should probably be
+ * changing the server_info->sam_account user SID to be a
+ * S-1-22 Unix SID, but this might break old configs where
+ * plaintext passwords were used with no SAM backend.
+ */
+
+ mem_ctx = talloc_init("make_server_info_pw_tmp");
+ if (!mem_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+ unix_users_domain_name(),
+ unix_username );
+ if (!qualified_name) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+ NULL, NULL,
+ &u_sid, &type)) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ if (type != SID_NAME_USER) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
 if ( !(sampass = samu_new( NULL )) ) {
 return NT_STATUS_NO_MEMORY;
 }
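Review bot: The relocated comment block still explains the fix as "adding the ... SID to the sid array", but at its new position in make_server_info_pw the code only resolves the name into u_sid; the add_sid_to_array_unique call that consumes u_sid remains roughly a hundred lines further down (new-side line 678 per the second hunk header), so a reader of this block gets no hint that u_sid is deliberately kept until then. Add a closing sentence to the comment, e.g. `* The lookup is done up front so an unknown name is rejected before samu/info3 are built; u_sid is added to result->sids further down.`, and a matching one-liner at the add site such as `/* u_sid was resolved at the top of this function */`. The early return on `type != SID_NAME_USER` also means a name that resolves to something other than a user is now refused before any SAM work is done, which is the intent of the commit but is worth stating in the comment rather than leaving implicit. The body of make_server_info_pw continues past this hunk.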
@@ -639,49 +678,6 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
 TALLOC_FREE(sampass);
- /*
- * The SID returned in server_info->sam_account is based
- * on our SAM sid even though for a pure UNIX account this should
- * not be the case as it doesn't really exist in the SAM db.
- * This causes lookups on "[in]valid users" to fail as they
- * will lookup this name as a "Unix User" SID to check against
- * the user token. Fix this by adding the "Unix User"\unix_username
- * SID to the sid array. The correct fix should probably be
- * changing the server_info->sam_account user SID to be a
- * S-1-22 Unix SID, but this might break old configs where
- * plaintext passwords were used with no SAM backend.
- */
-
- mem_ctx = talloc_init("make_server_info_pw_tmp");
- if (!mem_ctx) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
-
- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
- unix_users_domain_name(),
- unix_username );
- if (!qualified_name) {
- TALLOC_FREE(result);
- TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
- NULL, NULL,
- &u_sid, &type)) {
- TALLOC_FREE(result);
- TALLOC_FREE(mem_ctx);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- TALLOC_FREE(mem_ctx);
-
- if (type != SID_NAME_USER) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_SUCH_USER;
- }
-
 /* FIXME: add to info3 too ? */
 status = add_sid_to_array_unique(result, &u_sid, &result->sids,