authorVolker Lendecke <vlendec@samba.org>2004-11-12 15:49:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:15 -0500
commitf9e87b9ba65f37bafa45eacb1a6c9b8c5483d46b (patch)
tree226655c957de8578b3c3e0c854930b03e90d37a1 /source3/rpc_server/srv_samr_nt.c
parent69ddbbf97b4c37cba879f7dd9ce8cb5f4d336857 (diff)
r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
Diffstat (limited to 'source3/rpc_server/srv_samr_nt.c')
-rw-r--r--source3/rpc_server/srv_samr_nt.c49
1 files changed, 44 insertions, 5 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index f4348fc83e..0c52e859ca 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -1943,11 +1943,16 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_
NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
{
SAM_ACCOUNT *sam_pass=NULL;
+ struct passwd *passwd;
DOM_SID sid;
+ DOM_SID *sids;
DOM_GID *gids = NULL;
int num_groups = 0;
+ gid_t *unix_gids;
+ int i, num_gids, num_sids;
uint32 acc_granted;
BOOL ret;
+ NTSTATUS result;
/*
* from the SID in the request:
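Review bot: `num_sids` in the added `int i, num_gids, num_sids;` is never read in the visible lines; the second hunk only sets it to 0, and the SID count comes back through `&num_groups` instead. Either drop it, or pass `&num_sids` to pdb_enum_group_memberships and index the loop with it, so that `num_groups` keeps its old meaning of "entries in the reply". `unix_gids` is also declared without an initialiser, unlike `gids`; `gid_t *unix_gids = NULL;` would keep any later cleanup path safe. The function body between the two hunks is not shown, so a use there cannot be ruled out.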
@@ -1986,19 +1991,53 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S
pdb_free_sam(&sam_pass);
return NT_STATUS_NO_SUCH_USER;
}
-
- if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) {
+
+ passwd = getpwnam_alloc(pdb_get_username(sam_pass));
+ if (passwd == NULL) {
pdb_free_sam(&sam_pass);
- return NT_STATUS_NO_SUCH_GROUP;
+ return NT_STATUS_NO_SUCH_USER;
}
+
+ sids = NULL;
+ num_sids = 0;
+
+ become_root();
+ result = pdb_enum_group_memberships(pdb_get_username(sam_pass),
+ passwd->pw_gid,
+ &sids, &unix_gids, &num_groups);
+ unbecome_root();
+
+ pdb_free_sam(&sam_pass);
+ passwd_free(&passwd);
+
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ SAFE_FREE(unix_gids);
+
+ gids = NULL;
+ num_gids = 0;
+
+ for (i=0; i<num_groups; i++) {
+ uint32 rid;
+
+ if (!sid_peek_check_rid(get_global_sam_sid(),
+ &(sids[i]), &rid))
+ continue;
+
+ gids = talloc_realloc(p->mem_ctx, gids,
+ sizeof(*gids) * (num_gids+1));
+ gids[num_gids].attr=7;
+ gids[num_gids].g_rid = rid;
+ num_gids += 1;
+ }
+ SAFE_FREE(sids);
/* construct the response. lkclXXXX: gids are not copied! */
init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
- pdb_free_sam(&sam_pass);
-
return r_u->status;
}
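Review bot: The unchanged call `init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);` now receives the wrong count. After this change `num_groups` is the number of SIDs returned by pdb_enum_group_memberships, while `gids` holds only `num_gids` entries, because the loop skips every SID for which `sid_peek_check_rid` fails. Whenever a SID is skipped the count exceeds the array length (and `gids` may still be NULL with a non-zero count), so building the reply presumably reads past the allocation; pass `num_gids` instead. The `talloc_realloc` result is also dereferenced unchecked on the following line; add `if (gids == NULL) { SAFE_FREE(sids); return NT_STATUS_NO_MEMORY; }` before `gids[num_gids].attr=7;`. The part of the function between the two hunks is not shown.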