summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Prouty <tprouty@samba.org>2009-02-21 13:57:10 -0800
committerTim Prouty <tprouty@samba.org>2009-02-21 14:00:14 -0800
commit1ff9696306894c136015f83456e4c6e039e31e26 (patch)
tree9acd2bcd41b4f13360de9fc79e5a7ae1cac81901
parent39b508e38e831f826be254391f7f341bc935f792 (diff)
downloadsamba-1ff9696306894c136015f83456e4c6e039e31e26.tar.gz
samba-1ff9696306894c136015f83456e4c6e039e31e26.tar.bz2
samba-1ff9696306894c136015f83456e4c6e039e31e26.zip
Revert "s3 auth: Add parameter that forces every user through an NSS lookup"
After the discussion on samba-technical, it was decided that the best answer for now was to revert this change. The right way to do this is to rewrite the token api to use opaque tokens with pluggable modules. This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b.
-rw-r--r--source3/auth/auth_util.c26
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/param/loadparm.c11
3 files changed, 4 insertions, 35 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 0dab05b97c..1f00e22a3c 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -710,8 +710,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
- const char *name_to_use;
- bool force_nss;
/*
* If winbind is not around, we can not make much use of the SIDs the
@@ -719,22 +717,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
* mapped to some local unix user.
*/
- DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name,
- server_info->sam_account->username));
-
- force_nss = lp_force_username_map() && !server_info->nss_token;
if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
- server_info->nss_token || force_nss) {
- if (force_nss)
- name_to_use =
- pdb_get_username(server_info->sam_account);
- else
- name_to_use = server_info->unix_name;
-
+ (server_info->nss_token)) {
status = create_token_from_username(server_info,
- name_to_use,
+ server_info->unix_name,
server_info->guest,
- force_nss,
&server_info->utok.uid,
&server_info->utok.gid,
&server_info->unix_name,
@@ -839,7 +826,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
- bool force_nss,
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token)
@@ -855,9 +841,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
size_t num_gids;
size_t i;
- DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n",
- username, is_guest ? "" : " not", force_nss ? "" : " not"));
-
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
@@ -882,7 +865,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto done;
}
- if (sid_check_is_in_our_domain(&user_sid) && !force_nss) {
+ if (sid_check_is_in_our_domain(&user_sid)) {
bool ret;
/* This is a passdb user, so ask passdb */
@@ -924,7 +907,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
*found_username = talloc_strdup(mem_ctx,
pdb_get_username(sam_acct));
- } else if (force_nss || sid_check_is_in_unix_users(&user_sid)) {
+ } else if (sid_check_is_in_unix_users(&user_sid)) {
/* This is a unix user not in passdb. We need to ask nss
* directly, without consulting passdb */
@@ -1080,7 +1063,6 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
}
status = create_token_from_username(mem_ctx, username, False,
- lp_force_username_map(),
&uid, &gid, &found_username,
&token);
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 587bb29042..9dc9719e48 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -110,7 +110,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
NTSTATUS create_local_token(auth_serversupplied_info *server_info);
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
- bool force_nss,
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token);
@@ -3971,7 +3970,6 @@ const char *lp_afs_username_map(void);
int lp_afs_token_lifetime(void);
char *lp_log_nt_token_command(void);
char *lp_username_map(void);
-bool lp_force_username_map(void);
const char *lp_logon_script(void);
const char *lp_logon_path(void);
const char *lp_logon_drive(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 3d29f3afd9..e50ab929ad 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -144,7 +144,6 @@ struct global {
int iAfsTokenLifetime;
char *szLogNtTokenCommand;
char *szUsernameMap;
- bool bForceUsernameMap;
char *szLogonScript;
char *szLogonPath;
char *szLogonDrive;
@@ -1283,15 +1282,6 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
- .label = "force username map",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
- .ptr = &Globals.bForceUsernameMap,
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
- {
.label = "password level",
.type = P_INTEGER,
.p_class = P_GLOBAL,
@@ -5246,7 +5236,6 @@ FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
-FN_GLOBAL_BOOL(lp_force_username_map, &Globals.bForceUsernameMap)
FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive)