author | Volker Lendecke <vlendec@samba.org> | 2005-02-11 10:32:46 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:55:37 -0500 |
commit | aa9132cc55d43d9d197e3196fc7098eec6e8615a (patch) | |
tree | 265f77ad172f521c464011b60232aee5a02e7b68 | |
parent | fbd9e4098333e7d121207ae6991e525768d411e0 (diff) | |
r5331: Support SIDs as %s replacements in the afs username map parameter.
Add 'log nt token command' parameter. If set, %s is replaced with the user
sid, and %t takes all the group sids.
Volker
(This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54)
-rw-r--r-- | source3/auth/auth_util.c | 33 | ||||
-rw-r--r-- | source3/lib/afs.c | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 12 | ||||
-rw-r--r-- | source3/param/loadparm.c | 3 |
4 files changed, 52 insertions, 0 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 30902a8dad..5c933e90c9 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -592,6 +592,39 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 	debug_nt_user_token(DBGC_AUTH, 10, ptoken);
+	if ((lp_log_nt_token_command() != NULL) &&
+	    (strlen(lp_log_nt_token_command()) > 0)) {
+		TALLOC_CTX *mem_ctx;
+		char *command;
+		fstring sidstr;
+		char *user_sidstr, *group_sidstr;
+
+		mem_ctx = talloc_init("setnttoken");
+		if (mem_ctx == NULL)
+			return NT_STATUS_NO_MEMORY;
+
+		sid_to_string(sidstr, &ptoken->user_sids[0]);
+		user_sidstr = talloc_strdup(mem_ctx, sidstr);
+
+		group_sidstr = talloc_strdup(mem_ctx, "");
+		for (i=1; i<ptoken->num_sids; i++) {
+			sid_to_string(sidstr, &ptoken->user_sids[i]);
+			group_sidstr = talloc_asprintf(mem_ctx, "%s %s",
+						       group_sidstr, sidstr);
+		}
+
+		command = strdup(lp_log_nt_token_command());
+		command = realloc_string_sub(command, "%s", user_sidstr);
+		command = realloc_string_sub(command, "%t", group_sidstr);
+		DEBUG(8, ("running command: [%s]\n", command));
+		if (smbrun(command, NULL) != 0) {
+			DEBUG(0, ("Could not log NT token\n"));
+			nt_status = NT_STATUS_ACCESS_DENIED;
+		}
+		talloc_destroy(mem_ctx);
+		SAFE_FREE(command);
+	}
+
 	*token = ptoken;
 	return nt_status;
diff --git a/source3/lib/afs.c b/source3/lib/afs.c
index 5ff027ee01..7f79429b9e 100644
--- a/source3/lib/afs.c
+++ b/source3/lib/afs.c
@@ -214,12 +214,16 @@ BOOL afs_login(connection_struct *conn)
 	char *cell;
 	BOOL result;
 	char *ticket_str;
+	DOM_SID user_sid;
 	struct ClearToken ct;
 	pstrcpy(afs_username, lp_afs_username_map());
 	standard_sub_conn(conn, afs_username, sizeof(afs_username));
+	if (NT_STATUS_IS_OK(uid_to_sid(&user_sid, conn->uid)))
+		pstring_sub(afs_username, "%s", sid_string_static(&user_sid));
+
 	/* The pts command always generates completely lower-case user
 	 * names. */
 	strlower_m(afs_username);
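Review bot: `command` can be NULL by the time it reaches `DEBUG(8, ...)` and `smbrun()`: `strdup` and each of the two `realloc_string_sub` calls can fail, and none of their results is checked before the command is executed — add `if (command == NULL) { talloc_destroy(mem_ctx); return NT_STATUS_NO_MEMORY; }` right after the `%t` substitution. The `talloc_strdup`/`talloc_asprintf` results that feed those substitutions are likewise unchecked, and a NULL `insert` argument presumably makes `realloc_string_sub` return NULL rather than substitute. The early `return NT_STATUS_NO_MEMORY` when `talloc_init` fails also appears to leave `ptoken` unreleased, if it was allocated earlier in create_nt_user_token as the trailing `*token = ptoken` suggests; the function starts outside the hunk. The values spliced into the command are SID strings produced by `sid_to_string` from the token just built, not client-supplied text, which is what makes handing the result to the shell via `smbrun` acceptable here — a comment stating that invariant would help, e.g. `/* %s and %t expand to SID strings we generated, never to client-supplied text */`.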
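Review bot: When `uid_to_sid()` fails, the literal `%s` stays in `afs_username`, is lower-cased a few lines later and is then used as the AFS user name, so the failure is completely silent; at minimum log it, e.g. `else DEBUG(1, ("afs_login: uid_to_sid failed, %%s left unexpanded\n"));`, and consider returning False when the map actually contains `%s`. The substitution also relies on `standard_sub_conn()` having left `%s` untouched in the preceding line, which is worth a one-line comment since that routine's substitution set is not visible here. afs_login's body continues outside the hunk, so what a malformed name does downstream cannot be checked from this view.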
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index cb44ec98d7..9061391118 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -372,10 +372,22 @@ done:
 	afsname = realloc_string_sub(afsname, "%u", name_user);
 	afsname = realloc_string_sub(afsname, "%U", name_user);
+	{
+		DOM_SID user_sid;
+		fstring sidstr;
+
+		sid_copy(&user_sid, &info3.dom_sid.sid);
+		sid_append_rid(&user_sid, info3.user_rid);
+		sid_to_string(sidstr, &user_sid);
+		afsname = realloc_string_sub(afsname, "%s", sidstr);
+	}
+
 	if (afsname == NULL) goto no_token;
 	strlower_m(afsname);
+	DEBUG(10, ("Generating token for user %s\n", afsname));
+
 	cell = strchr(afsname, '@');
 	if (cell == NULL) goto no_token;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 01213a8fb3..45245e2cfe 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -128,6 +128,7 @@ typedef struct
 	char *szRealm;
 	char *szAfsUsernameMap;
 	int iAfsTokenLifetime;
+	char *szLogNtTokenCommand;
 	char *szUsernameMap;
 	char *szLogonScript;
 	char *szLogonPath;
@@ -1130,6 +1131,7 @@ static struct parm_struct parm_table[] = {
 	{"homedir map", P_STRING, P_GLOBAL, &Globals.szNISHomeMapName, NULL, NULL, FLAG_ADVANCED},
 	{"afs username map", P_STRING, P_GLOBAL, &Globals.szAfsUsernameMap, NULL, NULL, FLAG_ADVANCED},
 	{"afs token lifetime", P_INTEGER, P_GLOBAL, &Globals.iAfsTokenLifetime, NULL, NULL, FLAG_ADVANCED},
+	{"log nt token command", P_STRING, P_GLOBAL, &Globals.szLogNtTokenCommand, NULL, NULL, FLAG_ADVANCED},
 	{"time offset", P_INTEGER, P_GLOBAL, &extra_time_offset, NULL, NULL, FLAG_ADVANCED},
 	{"NIS homedir", P_BOOL, P_GLOBAL, &Globals.bNISHomeMap, NULL, NULL, FLAG_ADVANCED},
 	{"-valid", P_BOOL, P_LOCAL, &sDefault.valid, NULL, NULL, FLAG_HIDE},
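Review bot: The new `%s` substitution runs after `%u`/`%U` have already spliced `name_user` into `afsname`, so it also rewrites any `%s` that the client-supplied name happens to contain; moving the new block above the two `realloc_string_sub(afsname, "%u"/"%U", name_user)` lines would expand the code-generated SID first and keep later substitutions from re-scanning client data. The existing `if (afsname == NULL) goto no_token;` still covers failure of the added call, assuming `realloc_string_sub` tolerates a NULL `s` as the pre-existing chain already relies on. The enclosing function starts outside the hunk (the visible context begins at the `done:` label).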
@@ -1664,6 +1666,7 @@ FN_GLOBAL_STRING(lp_name_resolve_order, &Globals.szNameResolveOrder)
 FN_GLOBAL_STRING(lp_realm, &Globals.szRealm)
 FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
 FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
+FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
 FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
 FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
 FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)