summaryrefslogtreecommitdiff
path: root/source3/rpc_server
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-02-17 12:27:34 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-02-17 12:27:34 +0000
commitcc0202884b1023059769450a4a052431ab362e78 (patch)
tree38df576fcbb01e20dfff0fac3e11bd9b399d3131 /source3/rpc_server
parentaf249535bd8c17e38d5de05352d36747da67e551 (diff)
downloadsamba-cc0202884b1023059769450a4a052431ab362e78.tar.gz
samba-cc0202884b1023059769450a4a052431ab362e78.tar.bz2
samba-cc0202884b1023059769450a4a052431ab362e78.zip
This patch fixes one of my longest-standing pet hates with Samba :-).
When we look see if a user is in a list, and we try to 'expand' an @group, we should lookup the user's own list of groups, rather than looking for all the members of a group. I'm sure this will fix some nasty performance issues, particularly on large domains etc. In particular, this avoids contacting winbind at all, if the group is not a winbind group. (This caused a deadlock on my winbind-on-PDC setup). The groups list always includes the user's primary group, as per the getgrouplist manpage, and my recent changes to our implementation. Andrew Bartlett (This used to be commit 9be21976f7662ebe6eb92fff7cecbdb352eca334)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_samr_nt.c20
-rw-r--r--source3/rpc_server/srv_spoolss_nt.c4
2 files changed, 12 insertions, 12 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 2896fd79e4..d766e9c19e 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -3427,7 +3427,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
fstrcpy(grp_name, grp->gr_name);
/* if the user is already in the group */
- if(user_in_group_list(pwd->pw_name, grp_name)) {
+ if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_IN_ALIAS;
}
@@ -3439,7 +3439,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
smb_add_user_group(grp_name, pwd->pw_name);
/* check if the user has been added then ... */
- if(!user_in_group_list(pwd->pw_name, grp_name)) {
+ if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
}
@@ -3485,7 +3485,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE
if ((grp=getgrgid(map.gid)) == NULL)
return NT_STATUS_NO_SUCH_ALIAS;
- /* we need to copy the name otherwise it's overloaded in user_in_group_list */
+ /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
fstrcpy(grp_name, grp->gr_name);
/* check if the user exists before trying to remove it from the group */
@@ -3497,7 +3497,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE
}
/* if the user is not in the group */
- if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_MEMBER_IN_ALIAS;
}
@@ -3505,7 +3505,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE
smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
/* check if the user has been removed then ... */
- if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
}
@@ -3583,11 +3583,11 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
return NT_STATUS_NO_SUCH_GROUP;
}
- /* we need to copy the name otherwise it's overloaded in user_in_group_list */
+ /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
fstrcpy(grp_name, grp->gr_name);
/* if the user is already in the group */
- if(user_in_group_list(pwd->pw_name, grp_name)) {
+ if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_IN_GROUP;
}
@@ -3601,7 +3601,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
smb_add_user_group(grp_name, pwd->pw_name);
/* check if the user has been added then ... */
- if(!user_in_group_list(pwd->pw_name, grp_name)) {
+ if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
}
@@ -3662,7 +3662,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE
}
/* if the user is not in the group */
- if (!user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_MEMBER_NOT_IN_GROUP;
}
@@ -3670,7 +3670,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE
smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
/* check if the user has been removed then ... */
- if (user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
}
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 0bcc3c5a30..3a7ced7725 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1606,7 +1606,7 @@ Can't find printer handle we created for printer %s\n", name ));
/* if the user is not root and not a printer admin, then fail */
if ( user.uid != 0
- && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum)) )
+ && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
{
close_printer_handle(p, handle);
return WERR_ACCESS_DENIED;
@@ -1653,7 +1653,7 @@ Can't find printer handle we created for printer %s\n", name ));
/* check smb.conf parameters and the the sec_desc */
- if (!user_ok(uidtoname(user.uid), snum) || !print_access_check(&user, snum, printer_default->access_required)) {
+ if (!user_ok(uidtoname(user.uid), snum, user.groups, user.ngroups) || !print_access_check(&user, snum, printer_default->access_required)) {
DEBUG(3, ("access DENIED for printer open\n"));
close_printer_handle(p, handle);
return WERR_ACCESS_DENIED;