Started to canonicalize our handling of uid -> sid code in order to

get ready and fix se_access_check().
Added cannonical lookup_name(), lookup_sid(), uid_to_sid(), gid_to_sid()
functions that look via winbind first the fall back on local lookup.

All Samba should use these rather than trying to call winbindd code
directly.

Added NT_USER_TOKEN struct in user_struct, contains list of NT sids
associated with this user.

se_access_check() should use this (cached) value rather than attempting
to do the same thing itself when given a uid/gid pair.

More work needs to be done to preserve these things accross security
context changes (especially with the tricky pipe problem) but I'm
beginning to see how this will be done..... probably by registering
a new vuid for an authenticated RPC pipe and not treating the
pipe calls specially.

More thoughts needed - but we're almost there...

Jeremy.
(This used to be commit 5e5cc6efe2e4687be59085f562caea1e2e05d0a8)

2 files changed, 25 insertions, 15 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 85ea676736..321f3098e9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1278,8 +1278,12 @@ void expire_workgroups_and_servers(time_t t);
 BOOL winbind_lookup_name(char *name, DOM_SID *sid, uint8 *name_type);
 BOOL winbind_lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, 
 			uint8 *name_type);
-BOOL winbind_uid_to_sid(uid_t uid, DOM_SID *sid);
-BOOL winbind_gid_to_sid(gid_t gid, DOM_SID *sid);
+BOOL winbind_uid_to_sid(DOM_SID *sid, uid_t uid);
+BOOL winbind_gid_to_sid(DOM_SID *sid, gid_t gid);
+BOOL lookup_name(char *name, DOM_SID *psid, uint8 *name_type);
+BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, uint8 *name_type);
+DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid);
+DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid);
 
 /*The following definitions come from  nsswitch/wb_common.c  */
 
@@ -1622,9 +1626,10 @@ gid_t pdb_user_rid_to_gid(uint32 user_rid);
 uint32 pdb_uid_to_user_rid(uid_t uid);
 uint32 pdb_gid_to_group_rid(gid_t gid);
 BOOL pdb_rid_is_user(uint32 rid);
-BOOL lookup_local_rid(uint32 rid, char *name, uint8 *psid_name_use);
-BOOL lookup_local_name(char *domain, char *user, DOM_SID *psid, uint8 *psid_name_use);
-BOOL setup_user_sids(user_struct *vuser);
+BOOL local_lookup_rid(uint32 rid, char *name, uint8 *psid_name_use);
+BOOL local_lookup_name(char *domain, char *user, DOM_SID *psid, uint8 *psid_name_use);
+DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid);
+DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid);
 
 /*The following definitions come from  passdb/secrets.c  */
 
@@ -3540,8 +3545,8 @@ user_struct *get_valid_user_struct(uint16 vuid);
 void invalidate_vuid(uint16 vuid);
 char *validated_username(uint16 vuid);
 char *validated_domain(uint16 vuid);
-int setup_groups(char *user, char *domain, 
-		 uid_t uid, gid_t gid, int *p_ngroups, gid_t **p_groups);
+int initialize_groups(char *user, uid_t uid, gid_t gid);
+void setup_nt_token(NT_USER_TOKEN *token, uid_t uid, gid_t gid, int ngroups, gid_t *groups);
 uint16 register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name, 
 		     char *domain,BOOL guest);
 void add_session_user(char *user);
@@ -3667,6 +3672,7 @@ int reply_getattrE(connection_struct *conn, char *inbuf,char *outbuf, int size,
 
 /*The following definitions come from  smbd/sec_ctx.c  */
 
+int get_current_groups(int *p_ngroups, gid_t **p_groups);
 BOOL push_sec_ctx(void);
 void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups);
 void set_root_sec_ctx(void);
diff --git a/source3/include/smb.h b/source3/include/smb.h
index bc9f17544c..aaebe56f33 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -399,6 +399,15 @@ typedef struct sid_info
 
 } DOM_SID;
 
+/*
+ * The complete list of SIDS belonging to this user.
+ * Created when a vuid is registered.
+ */
+
+typedef struct _nt_user_token {
+	size_t num_sids;
+	DOM_SID *user_sids;
+} NT_USER_TOKEN;
 
 /*** query a local group, get a list of these: shows who is in that group ***/
 
@@ -556,8 +565,8 @@ typedef struct connection_struct
 	char *connectpath;
 	char *origpath;
 
-        struct vfs_ops vfs_ops;                   /* Filesystem operations */
-        struct vfs_connection_struct *vfs_conn;   /* VFS specific connection stuff */
+	struct vfs_ops vfs_ops;                   /* Filesystem operations */
+	struct vfs_connection_struct *vfs_conn;   /* VFS specific connection stuff */
 
 	char *user; /* name of user who *opened* this connection */
 	uid_t uid; /* uid of user who *opened* this connection */
@@ -1663,12 +1672,7 @@ typedef struct
 	int n_groups;
 	gid_t *groups;
 
-#if 0
-	NET_USER_INFO_3 usr; /* This should not be here. */
-#else
-	DOM_SID user_sid;
-	DOM_SID *group_sids;
-#endif
+	NT_USER_TOKEN nt_user_token;
 
 	/* per-user authentication information on NT RPCs */
 	/* lkclXXXX - THIS SHOULD NOT BE HERE! */