diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-01-07 23:46:47 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2004-01-07 23:46:47 +0000 |
| commit | 125e7e8e25d306fcba1f56692bf549337792d017 (patch) | |
| tree | 2b0b1e219c896b1089c15f9b831c57daaad60cab /source3/nsswitch/winbindd_user.c | |
| parent | e82bfa5cf6aa61b3b51db4ff2b683657635038f4 (diff) | |
| download | samba-125e7e8e25d306fcba1f56692bf549337792d017.tar.gz samba-125e7e8e25d306fcba1f56692bf549337792d017.tar.bz2 samba-125e7e8e25d306fcba1f56692bf549337792d017.zip | |
Machines are people too!
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
Diffstat (limited to 'source3/nsswitch/winbindd_user.c')
| -rw-r--r-- | source3/nsswitch/winbindd_user.c | 38 |
1 files changed, 18 insertions, 20 deletions
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c index 903a2a8bfa..29d4ba4c75 100644 --- a/source3/nsswitch/winbindd_user.c +++ b/source3/nsswitch/winbindd_user.c @@ -37,7 +37,8 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name, char *full_name, struct winbindd_pw *pw) { fstring output_username; - pstring homedir; + char *homedir; + char *shell; fstring sid_string; if (!pw || !dom_name || !user_name) @@ -72,24 +73,32 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name, shell. */ /* The substitution of %U and %D in the 'template homedir' is done - by lp_string() calling standard_sub_basic(). */ + by alloc_sub_specified() below. */ - fstrcpy(current_user_info.smb_name, user_name); - sub_set_smb_name(user_name); fstrcpy(current_user_info.domain, dom_name); - pstrcpy(homedir, lp_template_homedir()); + homedir = alloc_sub_specified(lp_template_homedir(), user_name, dom_name, pw->pw_uid, pw->pw_gid); + + if (!homedir) + return False; safe_strcpy(pw->pw_dir, homedir, sizeof(pw->pw_dir) - 1); - safe_strcpy(pw->pw_shell, lp_template_shell(), + SAFE_FREE(homedir); + + shell = alloc_sub_specified(lp_template_shell(), user_name, dom_name, pw->pw_uid, pw->pw_gid); + + if (!shell) + return False; + + safe_strcpy(pw->pw_shell, shell, sizeof(pw->pw_shell) - 1); /* Password - set to "x" as we can't generate anything useful here. Authentication can be done using the pam_winbind module. */ safe_strcpy(pw->pw_passwd, "x", sizeof(pw->pw_passwd) - 1); - + return True; } @@ -149,15 +158,13 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state) return WINBINDD_ERROR; } - if (name_type != SID_NAME_USER) { + if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) { DEBUG(1, ("name '%s' is not a user name: %d\n", name_user, name_type)); return WINBINDD_ERROR; } - /* Get some user info. Split the user rid from the sid obtained - from the winbind_lookup_by_name() call and use it in a - winbind_lookup_userinfo() */ + /* Get some user info. */ if (!(mem_ctx = talloc_init("winbindd_getpwnam([%s]\\[%s])", name_domain, name_user))) { @@ -530,15 +537,6 @@ enum winbindd_result winbindd_getpwent(struct winbindd_cli_state *state) name_list = ent->sam_entries; - /* Skip machine accounts */ - - if (name_list[ent->sam_entry_index]. - name[strlen(name_list[ent->sam_entry_index].name) - 1] - == '$') { - ent->sam_entry_index++; - continue; - } - /* Lookup user info */ result = winbindd_fill_pwent( |