Revert "s3 auth: Add parameter that forces every user through an NSS lookup"

After the discussion on samba-technical, it was decided that the best
answer for now was to revert this change.  The right way to do this is
to rewrite the token api to use opaque tokens with pluggable modules.

This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b.

3 files changed, 4 insertions, 35 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 0dab05b97c..1f00e22a3c 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -710,8 +710,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 	NTSTATUS status;
 	size_t i;
 	struct dom_sid tmp_sid;
-	const char *name_to_use;
-	bool force_nss;
 
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
@@ -719,22 +717,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 	 * mapped to some local unix user.
 	 */
 
-	DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name,
-		server_info->sam_account->username));
-
-	force_nss = lp_force_username_map() && !server_info->nss_token;
 	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
-	    server_info->nss_token || force_nss) {
-		if (force_nss)
-			name_to_use =
-			    pdb_get_username(server_info->sam_account);
-		else
-			name_to_use = server_info->unix_name;
-
+	    (server_info->nss_token)) {
 		status = create_token_from_username(server_info,
-						    name_to_use,
+						    server_info->unix_name,
 						    server_info->guest,
-						    force_nss,
 						    &server_info->utok.uid,
 						    &server_info->utok.gid,
 						    &server_info->unix_name,
@@ -839,7 +826,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 				    bool is_guest,
-				    bool force_nss,
 				    uid_t *uid, gid_t *gid,
 				    char **found_username,
 				    struct nt_user_token **token)
@@ -855,9 +841,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 	size_t num_gids;
 	size_t i;
 
-	DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n",
-		username, is_guest ? "" : " not", force_nss ? "" : " not"));
-
 	tmp_ctx = talloc_new(NULL);
 	if (tmp_ctx == NULL) {
 		DEBUG(0, ("talloc_new failed\n"));
@@ -882,7 +865,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		goto done;
 	}
 
-	if (sid_check_is_in_our_domain(&user_sid) && !force_nss) {
+	if (sid_check_is_in_our_domain(&user_sid)) {
 		bool ret;
 
 		/* This is a passdb user, so ask passdb */
@@ -924,7 +907,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		*found_username = talloc_strdup(mem_ctx,
 						pdb_get_username(sam_acct));
 
-	} else 	if (force_nss || sid_check_is_in_unix_users(&user_sid)) {
+	} else 	if (sid_check_is_in_unix_users(&user_sid)) {
 
 		/* This is a unix user not in passdb. We need to ask nss
 		 * directly, without consulting passdb */
@@ -1080,7 +1063,6 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
 	}
 
 	status = create_token_from_username(mem_ctx, username, False,
-					    lp_force_username_map(),
 					    &uid, &gid, &found_username,
 					    &token);
 
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 587bb29042..9dc9719e48 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -110,7 +110,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 NTSTATUS create_local_token(auth_serversupplied_info *server_info);
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 				    bool is_guest,
-				    bool force_nss,
 				    uid_t *uid, gid_t *gid,
 				    char **found_username,
 				    struct nt_user_token **token);
@@ -3971,7 +3970,6 @@ const char *lp_afs_username_map(void);
 int lp_afs_token_lifetime(void);
 char *lp_log_nt_token_command(void);
 char *lp_username_map(void);
-bool lp_force_username_map(void);
 const char *lp_logon_script(void);
 const char *lp_logon_path(void);
 const char *lp_logon_drive(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 3d29f3afd9..e50ab929ad 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -144,7 +144,6 @@ struct global {
 	int iAfsTokenLifetime;
 	char *szLogNtTokenCommand;
 	char *szUsernameMap;
-	bool bForceUsernameMap;
 	char *szLogonScript;
 	char *szLogonPath;
 	char *szLogonDrive;
@@ -1283,15 +1282,6 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
-		.label		= "force username map",
-		.type		= P_BOOL,
-		.p_class	= P_GLOBAL,
-		.ptr		= &Globals.bForceUsernameMap,
-		.special	= NULL,
-		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED,
-	},
-	{
 		.label		= "password level",
 		.type		= P_INTEGER,
 		.p_class	= P_GLOBAL,
@@ -5246,7 +5236,6 @@ FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
 FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
 FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
 FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
-FN_GLOBAL_BOOL(lp_force_username_map, &Globals.bForceUsernameMap)
 FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
 FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
 FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive)