r22745: Add local groups to the --required-membership-sid test. This needs

merging to 3_0_26 once Michael's net conf changes have been merged. It depends on token_utils.c. (This used to be commit a99ab3a2ed44522054175f03b60e63fa05a0378a)
author: Volker Lendecke <vlendec@samba.org> 2007-05-07 13:56:57 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:21:54 -0500
commit: b1e866c3b7c2ef92599b5801ac8c174cfd404319 (patch)
tree: b56f6061038c0211a07e8c1a79cc8fdf64d0735b /source3
parent: f50ff7345d59743669a3a84f6fdd42d4f2f43a43 (diff)
download: samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.tar.gz
samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.tar.bz2
samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.zip
2 files changed, 64 insertions, 91 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index aa6dbbf1d3..5ddcaa1401 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -829,7 +829,8 @@ WINBINDD_OBJ1 = \
 		nsswitch/winbindd_async.o \
 		nsswitch/winbindd_creds.o \
 		nsswitch/winbindd_cred_cache.o \
-		nsswitch/winbindd_ccache_access.o
+		nsswitch/winbindd_ccache_access.o \
+		auth/token_util.o
 
 WINBINDD_OBJ = \
 		$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 5114b37315..e4acb051b3 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -127,17 +127,12 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
 {
 	DOM_SID *require_membership_of_sid;
 	size_t num_require_membership_of_sid;
-	DOM_SID *all_sids;
-	/* UserSID, GroupSID, Grooup2SIDs, OtherSIDs, WellKnownSIDs */
-	size_t num_all_sids = (2 + 
-			       info3->num_groups2 + 
-			       info3->num_other_sids + 
-			       2 );
-	size_t i, j = 0, k;
-	size_t group_sid_length;
-	const char *search_location;
-	char *single_group_sid;
-	const char *comma;
+	fstring req_sid;
+	const char *p;
+	DOM_SID sid;
+	size_t i;
+	struct nt_user_token *token;
+	NTSTATUS status;
 
 	/* Parse the 'required group' SID */
 	
@@ -146,93 +141,59 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_OK;
 	}
 
-	num_require_membership_of_sid = 1;
-	group_sid_length = strlen(group_sid);
-	for (i = 0; i < group_sid_length; i++) {
-		if (',' == group_sid[i]) {
-			num_require_membership_of_sid++;
-		}
+	if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
 	}
 
-	require_membership_of_sid = TALLOC_ARRAY(mem_ctx, DOM_SID, num_require_membership_of_sid);
-	if (!require_membership_of_sid)
-		return NT_STATUS_NO_MEMORY;
+	num_require_membership_of_sid = 0;
+	require_membership_of_sid = NULL;
 
-	i = 0;
-	search_location = group_sid;
+	p = group_sid;
 
-	if (num_require_membership_of_sid > 1) {
+	while (next_token(&p, req_sid, ",", sizeof(req_sid))) {
+		if (!string_to_sid(&sid, req_sid)) {
+			DEBUG(0, ("check_info3_in_group: could not parse %s "
+				  "as a SID!", req_sid));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
 
-		/* Allocate the maximum possible size */
-		single_group_sid = TALLOC(mem_ctx, group_sid_length);
-		if (!single_group_sid)
+		if (!add_sid_to_array(mem_ctx, &sid,
+				      &require_membership_of_sid,
+				      &num_require_membership_of_sid)) {
+			DEBUG(0, ("add_sid_to_array failed\n"));
 			return NT_STATUS_NO_MEMORY;
-
-		while ( (comma = strstr(search_location, ",")) != NULL ) {
-
-			strncpy(single_group_sid, search_location, comma - search_location);
-			single_group_sid[comma - search_location] = 0;
-
-			if (!string_to_sid(&require_membership_of_sid[i++], single_group_sid)) {
-				DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!", 
-					  single_group_sid));
-			
-				return NT_STATUS_INVALID_PARAMETER;
-			}
-
-			search_location = comma + 1;
 		}
 	}
 
-	if (!string_to_sid(&require_membership_of_sid[i++], search_location)) {
-		DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!", 
-			  search_location));
-
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
-	if (!all_sids)
-		return NT_STATUS_NO_MEMORY;
-
-	/* and create (by appending rids) the 'domain' sids */
-	
-	sid_copy(&all_sids[0], &(info3->dom_sid.sid));
-	
-	if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
-		DEBUG(3,("could not append user's primary RID 0x%x\n",
+	if (!sid_compose(&sid, &(info3->dom_sid.sid),
+			 info3->user_rid)
+	    || !add_sid_to_array(mem_ctx, &sid,
+				 &token->user_sids, &token->num_sids)) {
+		DEBUG(3,("could not add user SID from rid 0x%x\n",
 			 info3->user_rid));			
-		
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-	j++;
 
-	sid_copy(&all_sids[1], &(info3->dom_sid.sid));
-		
-	if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
+	if (!sid_compose(&sid, &(info3->dom_sid.sid),
+			 info3->group_rid)
+	    || !add_sid_to_array(mem_ctx, &sid, 
+				 &token->user_sids, &token->num_sids)) {
 		DEBUG(3,("could not append additional group rid 0x%x\n",
 			 info3->group_rid));			
 		
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-	j++;	
 
-	/* Well-Known SIDs */
-
-	sid_copy( &all_sids[j++], &global_sid_World );
-	sid_copy( &all_sids[j++], &global_sid_Authenticated_Users );
-	
 	for (i = 0; i < info3->num_groups2; i++) {
-	
-		sid_copy(&all_sids[j], &(info3->dom_sid.sid));
-		
-		if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
+		if (!sid_compose(&sid, &(info3->dom_sid.sid),
+				 info3->gids[i].g_rid)
+		    || !add_sid_to_array(mem_ctx, &sid,
+					 &token->user_sids, &token->num_sids)) {
 			DEBUG(3,("could not append additional group rid 0x%x\n",
-				info3->gids[i].g_rid));			
-				
+				 info3->gids[i].g_rid));	
 			return NT_STATUS_INVALID_PARAMETER;
 		}
-		j++;
 	}
 
 	/* Copy 'other' sids.  We need to do sid filtering here to
@@ -242,21 +203,32 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
          */
 
 	for (i = 0; i < info3->num_other_sids; i++) {
-		sid_copy(&all_sids[info3->num_groups2 + i + 2],
-			 &info3->other_sids[i].sid);
-		j++;
-	}
-
-	for (i = 0; i < j; i++) {
-		fstring sid1, sid2;
-		DEBUG(10, ("User has SID: %s\n", 
-			   sid_to_string(sid1, &all_sids[i])));
-		for (k = 0; k < num_require_membership_of_sid; k++) {
-			if (sid_equal(&require_membership_of_sid[k], &all_sids[i])) {
-				DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n", 
-					   sid_to_string(sid1, &require_membership_of_sid[k]), sid_to_string(sid2, &all_sids[i])));
-				return NT_STATUS_OK;
-			}
+		if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
+				      &token->user_sids, &token->num_sids)) {
+			DEBUG(3, ("could not add SID to array: %s\n",
+				  sid_string_static(&info3->other_sids[i].sid)));
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
+						  token))
+	    || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
+						     token))) {
+		DEBUG(3, ("could not add aliases: %s\n",
+			  nt_errstr(status)));
+		return status;
+	}
+
+	debug_nt_user_token(DBGC_CLASS, 10, token);
+
+	for (i=0; i<num_require_membership_of_sid; i++) {
+		DEBUG(10, ("Checking SID %s\n", sid_string_static(
+				   &require_membership_of_sid[i])));
+		if (nt_token_check_sid(&require_membership_of_sid[i],
+				       token)) {
+			DEBUG(10, ("Access ok\n"));
+			return NT_STATUS_OK;
 		}
 	}
author	Volker Lendecke <vlendec@samba.org>	2007-05-07 13:56:57 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:21:54 -0500
commit	b1e866c3b7c2ef92599b5801ac8c174cfd404319 (patch)
tree	b56f6061038c0211a07e8c1a79cc8fdf64d0735b /source3
parent	f50ff7345d59743669a3a84f6fdd42d4f2f43a43 (diff)
download	samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.tar.gz samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.tar.bz2 samba-b1e866c3b7c2ef92599b5801ac8c174cfd404319.zip