Machines are people too!

While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.

This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.

This particular issue (bug 722) has started to come up a lot on the lists.

I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.

Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)

4 files changed, 23 insertions, 34 deletions

diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 90b83bccd0..2f47a6b056 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -112,7 +112,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
 		goto done;
 	}
 
-	rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
+	rc = ads_search_retry(ads, &res, "(objectClass=user)", attrs);
 	if (!ADS_ERR_OK(rc) || !res) {
 		DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
 		goto done;
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 180a3db8e2..5352411a6a 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -152,15 +152,10 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
                    occur in Universal groups on a Windows 2000 native mode
                    server. */
 
-		if (name_types[i] != SID_NAME_USER) {
-			DEBUG(3, ("name %s isn't a domain user\n", the_name));
-			continue;
-		}
+		/* make sure to allow machine accounts */
 
-		/* Don't bother with machine accounts */
-		
-		if (the_name[strlen(the_name) - 1] == '$') {
-			DEBUG(10, ("%s is machine account\n", the_name));
+		if (name_types[i] != SID_NAME_USER && name_types[i] != SID_NAME_COMPUTER) {
+			DEBUG(3, ("name %s isn't a domain user\n", the_name));
 			continue;
 		}
 
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index 903a2a8bfa..29d4ba4c75 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -37,7 +37,8 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
 				char *full_name, struct winbindd_pw *pw)
 {
 	fstring output_username;
-	pstring homedir;
+	char *homedir;
+	char *shell;
 	fstring sid_string;
 	
 	if (!pw || !dom_name || !user_name)
@@ -72,24 +73,32 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
 	   shell. */
 	
 	/* The substitution of %U and %D in the 'template homedir' is done
-	   by lp_string() calling standard_sub_basic(). */
+	   by alloc_sub_specified() below. */
 
-	fstrcpy(current_user_info.smb_name, user_name);
-	sub_set_smb_name(user_name);
 	fstrcpy(current_user_info.domain, dom_name);
 
-	pstrcpy(homedir, lp_template_homedir());
+	homedir = alloc_sub_specified(lp_template_homedir(), user_name, dom_name, pw->pw_uid, pw->pw_gid);
+
+	if (!homedir)
+		return False;
 	
 	safe_strcpy(pw->pw_dir, homedir, sizeof(pw->pw_dir) - 1);
 	
-	safe_strcpy(pw->pw_shell, lp_template_shell(), 
+	SAFE_FREE(homedir);
+	
+	shell = alloc_sub_specified(lp_template_shell(), user_name, dom_name, pw->pw_uid, pw->pw_gid);
+
+	if (!shell)
+		return False;
+
+	safe_strcpy(pw->pw_shell, shell, 
 		    sizeof(pw->pw_shell) - 1);
 	
 	/* Password - set to "x" as we can't generate anything useful here.
 	   Authentication can be done using the pam_winbind module. */
 
 	safe_strcpy(pw->pw_passwd, "x", sizeof(pw->pw_passwd) - 1);
-	
+
 	return True;
 }
 
@@ -149,15 +158,13 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
 		return WINBINDD_ERROR;
 	}
 
-	if (name_type != SID_NAME_USER) {
+	if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) {
 		DEBUG(1, ("name '%s' is not a user name: %d\n", name_user, 
 			  name_type));
 		return WINBINDD_ERROR;
 	}
 	
-	/* Get some user info.  Split the user rid from the sid obtained
-	   from the winbind_lookup_by_name() call and use it in a
-	   winbind_lookup_userinfo() */
+	/* Get some user info. */
     
 	if (!(mem_ctx = talloc_init("winbindd_getpwnam([%s]\\[%s])", 
 					  name_domain, name_user))) {
@@ -530,15 +537,6 @@ enum winbindd_result winbindd_getpwent(struct winbindd_cli_state *state)
 
 		name_list = ent->sam_entries;
 
-		/* Skip machine accounts */
-
-		if (name_list[ent->sam_entry_index].
-		    name[strlen(name_list[ent->sam_entry_index].name) - 1] 
-		    == '$') {
-			ent->sam_entry_index++;
-			continue;
-		}
-
 		/* Lookup user info */
 		
 		result = winbindd_fill_pwent(
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index f29ed37650..18946652e2 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -201,7 +201,7 @@ void add_trusted_domains( struct winbindd_domain *domain )
 		return;
 	}
 
-	DEBUG(1, ("scanning trusted domain list\n"));
+	DEBUG(5, ("scanning trusted domain list\n"));
 
 	if (!(mem_ctx = talloc_init("init_domain_list")))
 		return;
@@ -365,10 +365,6 @@ BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
 {
 	NTSTATUS result;
         TALLOC_CTX *mem_ctx;
-	/* Don't bother with machine accounts */
-
-	if (name[strlen(name) - 1] == '$')
-		return False;
 
 	mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
 	if (!mem_ctx)