author | Volker Lendecke <vlendec@samba.org> | 2003-06-11 16:36:04 +0000 |
committer | Volker Lendecke <vlendec@samba.org> | 2003-06-11 16:36:04 +0000 |
commit | a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6 (patch) | |
tree | 9da60be10e95849d9b6c8533ffdd5a943e4a67bf | |
parent | 97ef504fd0137bed488641c331633fd59319dd28 (diff) | |
download | samba-a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6.tar.gz samba-a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6.tar.bz2 samba-a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6.zip |
Fix 'security = domain' without winbind. This stores the sid we got
from the PDC as a mapping to the uid we got from getpwnam in the
local idmap.
This should not be worse than the current state, so I decided to
commit it. It is different from abartlet's preliminary patch, but I
believe this is the better solution. Feel free to comment and/or
revert it.
Volker
(This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59)
-rw-r--r-- | source3/auth/auth_util.c | 92 |
1 files changed, 60 insertions, 32 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d57619942c..ed3ebdbabc 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -842,6 +842,52 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
 return nt_status;
 }
+static NTSTATUS fill_sam_account(const char *domain,
+ const char *username,
+ const DOM_SID *user_sid,
+ const DOM_SID *group_sid,
+ SAM_ACCOUNT **sam_account)
+{
+ fstring dom_user;
+ struct passwd *passwd;
+ NTSTATUS result;
+ unid_t id;
+
+ fstr_sprintf(dom_user, "%s%s%s",
+ domain, lp_winbind_separator(), username);
+
+ passwd = Get_Pwnam(dom_user);
+
+ if ( (passwd == NULL) && is_myworkgroup(domain) ) {
+ /* For our own domain also try unqualified */
+ passwd = Get_Pwnam(username);
+ }
+
+ if (passwd == NULL)
+ return NT_STATUS_NO_SUCH_USER;
+
+ result = pdb_init_sam_pw(sam_account, passwd);
+
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ id.uid = passwd->pw_uid;
+ result = idmap_set_mapping(user_sid, id, ID_USERID);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ /* This is currently broken. We have two different sources of
+ information for the primary group: The info3 and
+ /etc/passwd. To make this work at all, the info3 sid is
+ mapped to the user's primary group from /etc/passwd.
+ This is broken, but it basically works. */
+
+ id.gid = passwd->pw_gid;
+ result = idmap_set_mapping(group_sid, id, ID_GROUPID);
+
+ return result;
+}
+
 /***************************************************************************
 Make a server_info struct from the info3 returned by a domain logon
 ***************************************************************************/
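Review bot: fill_sam_account leaves `*sam_account` allocated when `pdb_init_sam_pw` has succeeded but one of the two `idmap_set_mapping` calls then fails, so the caller gets a non-OK status together with an initialised SAM_ACCOUNT and no indication that it must free it. Either release it on that path (`pdb_free_sam(sam_account);` in front of the early `return result;`, if that is the matching destructor) or state in a header comment that the caller owns `*sam_account` on every return, OK or not. The group mapping below the "currently broken" comment is also written from whichever local `pw_gid` the current user happens to have, so a domain group SID is bound to the first logging-in user's primary group and re-set on every later logon; if `idmap_set_mapping` does not itself refuse to overwrite an existing entry, checking for one first would keep that admitted approximation from drifting between logons. The function is new and has no header comment; one saying that it resolves `domain<separator>username` (and, for the local workgroup, the bare username) through Get_Pwnam, records the user and group SID-to-id mappings as a side effect, and returns NT_STATUS_NO_SUCH_USER when no account matches would help the caller in make_server_info_info3.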
@@ -910,38 +956,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 nt_status = pdb_init_sam_pw(&sam_account, passwd);
 passwd_free(&passwd);
 } else {
- int try = 0;
- while (try < 2) {
- char *dom_user;
- dom_user = talloc_asprintf(mem_ctx, "%s%s%s",
- nt_domain,
- lp_winbind_separator(),
- internal_username);
-
- if (!dom_user) {
- DEBUG(0, ("talloc_asprintf failed!\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- } else {
-
- if (!(passwd = Get_Pwnam(dom_user))
- /* Only lookup local for the local
- domain, we don't want this for
- trusted domains */
- && strequal(nt_domain, lp_workgroup())) {
- passwd = Get_Pwnam(internal_username);
- }
-
- if (!passwd) {
- nt_status = NT_STATUS_NO_SUCH_USER;
- } else {
- nt_status = pdb_init_sam_pw(&sam_account, passwd);
- break;
- }
- }
- if (try == 0) {
- auth_add_user_script(nt_domain, internal_username);
- }
- try++;
+
+ nt_status = fill_sam_account(nt_domain,
+ internal_username,
+ &user_sid, &group_sid,
+ &sam_account);
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+ DEBUG(3,("User %s does not exist, trying to add it\n",
+ internal_username));
+ auth_add_user_script(nt_domain, internal_username);
+ nt_status = fill_sam_account(nt_domain,
+ internal_username,
+ &user_sid, &group_sid,
+ &sam_account);
+ }
 } |