authorZach Loafman <zach.loafman@isilon.com>2009-02-14 18:20:33 +0000
committerTim Prouty <tprouty@samba.org>2009-02-16 00:29:21 -0800
commit8e19a288052bca5efdb0277a40c1e0fdd099cc2b (patch)
treea4ce6f232c5b2059a4bcf5dc08757b7aabdf956f /source3/auth
parent57a31ef2030d3146ec1c099c1c4036efa01a3dfa (diff)
s3 auth: Add parameter that forces every user through an NSS lookup
When set to yes, "force username map" forces every user, even AD users, through an NSS lookup. This allows the token to be overridden with information from NSS in certain broken environments.
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_util.c26
1 files changed, 22 insertions, 4 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1f00e22a3c..0dab05b97c 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -710,6 +710,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
+ const char *name_to_use;
+ bool force_nss;
/*
* If winbind is not around, we can not make much use of the SIDs the
@@ -717,11 +719,22 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
* mapped to some local unix user.
*/
+ DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name,
+ server_info->sam_account->username));
+
+ force_nss = lp_force_username_map() && !server_info->nss_token;
if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
- (server_info->nss_token)) {
+ server_info->nss_token || force_nss) {
+ if (force_nss)
+ name_to_use =
+ pdb_get_username(server_info->sam_account);
+ else
+ name_to_use = server_info->unix_name;
+
status = create_token_from_username(server_info,
- server_info->unix_name,
+ name_to_use,
server_info->guest,
+ force_nss,
&server_info->utok.uid,
&server_info->utok.gid,
&server_info->unix_name,
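Review bot: The `force_nss` branch feeds the raw passdb name (`pdb_get_username(server_info->sam_account)`) into create_token_from_username instead of the already-established `server_info->unix_name`, and the same call then overwrites `&server_info->unix_name` and `utok` with whatever NSS returns, so the identity used for the rest of the session is silently swapped here; that is the whole point of the option but nothing at the call site says so. I would put a comment above the `if (force_nss)` such as `/* force_nss: hand the SAM name to NSS so uid/gid/groups (and unix_name) come from NSS, overriding what passdb/winbind produced */`. Whether a username map is applied on that path happens inside create_token_from_username and is not visible in this hunk. As a matter of style the unbraced `if/else` pair could be the single assignment `name_to_use = force_nss ? pdb_get_username(server_info->sam_account) : server_info->unix_name;`, which also avoids an unbraced multi-line `if` body. create_local_token continues outside the hunk.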
@@ -826,6 +839,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
+ bool force_nss,
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token)
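Review bot: The new `bool force_nss` parameter changes the public signature of create_token_from_username, but this view is limited to `source3/auth`, so the shared prototype and any callers outside that directory are not visible here; if they exist they need the extra argument too, otherwise this will not link or will pass garbage as `force_nss`. Since the parameter decides whether passdb is consulted at all, the header comment on the prototype should document it, e.g. `@param force_nss skip passdb even for users in our domain and resolve uid/gid/groups via NSS by name`.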
@@ -841,6 +855,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
size_t num_gids;
size_t i;
+ DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n",
+ username, is_guest ? "" : " not", force_nss ? "" : " not"));
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
@@ -865,7 +882,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto done;
}
- if (sid_check_is_in_our_domain(&user_sid)) {
+ if (sid_check_is_in_our_domain(&user_sid) && !force_nss) {
bool ret;
/* This is a passdb user, so ask passdb */
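Review bot: With `&& !force_nss` added to this condition, a SID that sid_check_is_in_our_domain() accepts (a genuine passdb user) no longer takes the passdb branch and instead falls through to the `force_nss || sid_check_is_in_unix_users(&user_sid)` test in the next hunk, so its uid, gid and group list are decided purely by an NSS lookup on the name; any passdb-side group membership is discarded for that user. That is the intended override, but the branch reads as if `force_nss` only affects unknown users, so a comment is warranted: `/* force_nss: treat even our own passdb users as plain unix users and let NSS define the token */`. What happens when NSS has no entry for the name is decided by code after the hunk and should be checked so a domain user cannot end up with a token built from neither source. The enclosing function starts and ends outside this hunk.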
@@ -907,7 +924,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
*found_username = talloc_strdup(mem_ctx,
pdb_get_username(sam_acct));
- } else if (sid_check_is_in_unix_users(&user_sid)) {
+ } else if (force_nss || sid_check_is_in_unix_users(&user_sid)) {
/* This is a unix user not in passdb. We need to ask nss
* directly, without consulting passdb */
@@ -1063,6 +1080,7 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
}
status = create_token_from_username(mem_ctx, username, False,
+ lp_force_username_map(),
&uid, &gid, &found_username,
&token);