r16865: This is a proposal to fix bug 3915. Before sending patches around, this is

what svn is for.

The idea is that we fall back to a pure unix user with S-1-22 SIDs in the
token in case anything weird is going on with the 'force user'.

Volker
(This used to be commit 9ec5ccfe851ac8a1f88b88c8c8461a5cf75b4c57)

3 files changed, 24 insertions, 8 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1c629bca82..493d7393d0 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1081,14 +1081,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		if (!pdb_getsampwsid(sam_acct, &user_sid)) {
 			DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
 				  sid_string_static(&user_sid), username));
-			result = NT_STATUS_NO_SUCH_USER;
-			goto done;
+			DEBUGADD(1, ("Fall back to unix user %s\n", username));
+			goto unix_user;
 		}
 
 		gr_sid = pdb_get_group_sid(sam_acct);
 		if (!gr_sid) {
-			result = NT_STATUS_NO_MEMORY;
-			goto done;
+			goto unix_user;
 		}
 
 		sid_copy(&primary_group_sid, gr_sid);
@@ -1096,7 +1095,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		if (!sid_to_gid(&primary_group_sid, gid)) {
 			DEBUG(1, ("sid_to_gid(%s) failed\n",
 				  sid_string_static(&primary_group_sid)));
-			goto done;
+			DEBUGADD(1, ("Fall back to unix user %s\n", username));
+			goto unix_user;
 		}
 
 		result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
@@ -1105,7 +1105,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		if (!NT_STATUS_IS_OK(result)) {
 			DEBUG(10, ("enum_group_memberships failed for %s\n",
 				   username));
-			goto done;
+			DEBUGADD(1, ("Fall back to unix user %s\n", username));
+			goto unix_user;
 		}
 
 		*found_username = talloc_strdup(mem_ctx,
@@ -1119,6 +1120,16 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		struct passwd *pass;
 		size_t i;
 
+		/*
+		 * This goto target is used as a fallback for the passdb
+		 * case. The concrete bug report is when passdb gave us an
+		 * unmapped gid.
+		 */
+
+	unix_user:
+
+		uid_to_unix_users_sid(*uid, &user_sid);
+
 		pass = getpwuid_alloc(tmp_ctx, *uid);
 		if (pass == NULL) {
 			DEBUG(1, ("getpwuid(%d) for user %s failed\n",
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 38ca51eaa8..29b83e4faa 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1074,8 +1074,7 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
 		sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid));
 		goto done;
 	} else {
-		sid_copy(psid, &global_sid_Unix_Users);
-		sid_append_rid(psid, uid);
+		uid_to_unix_users_sid(psid, uid);
 		goto done;
 	}
 
diff --git a/source3/passdb/util_unixsids.c b/source3/passdb/util_unixsids.c
index 2a4818e3ae..d3f0999d6a 100644
--- a/source3/passdb/util_unixsids.c
+++ b/source3/passdb/util_unixsids.c
@@ -36,6 +36,12 @@ BOOL sid_check_is_in_unix_users(const DOM_SID *sid)
 	return sid_check_is_unix_users(&dom_sid);
 }
 
+BOOL uid_to_unix_users_sid(uid_t uid, DOM_SID *sid)
+{
+	sid_copy(sid, &global_sid_Unix_Users);
+	return sid_append_rid(sid, uid);
+}
+
 const char *unix_users_domain_name(void)
 {
 	return "Unix User";