Andrew's change to make 'security = domain' work again. Leave the user and group

that has been authenticated unmapped.

We need to make sure that every caller of idmap handles failure gracefully.

Volker
(This used to be commit 902d607b668b2e997778a0ca676ea689943c2817)

1 files changed, 88 insertions, 38 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 789193c610..f7b46465f7 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -650,29 +650,22 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
  * of groups.
  ******************************************************************************/
 
-static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
+static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid,
 					       int *n_groups, DOM_SID **groups,	gid_t **unix_groups)
 {
-	uid_t             uid;
-	gid_t             gid;
 	int               n_unix_groups;
 	int               i;
 
 	*n_groups = 0;
 	*groups   = NULL;
 
-	if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) {
-		DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n"));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-	
 	n_unix_groups = groups_max();
 	if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
 		DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
 	
-	if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
+	if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
 		gid_t *groups_tmp;
 		groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
 		if (!groups_tmp) {
@@ -681,7 +674,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
 		}
 		*unix_groups = groups_tmp;
 
-		if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
+		if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
 			DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
 			SAFE_FREE(*unix_groups);
 			return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
@@ -717,35 +710,26 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
  Make a user_info struct
 ***************************************************************************/
 
-static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
+static NTSTATUS make_server_info(auth_serversupplied_info **server_info)
 {
-	NTSTATUS ret;
-
 	*server_info = malloc(sizeof(**server_info));
 	if (!*server_info) {
 		DEBUG(0,("make_server_info: malloc failed!\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
 	ZERO_STRUCTP(*server_info);
-
-	(*server_info)->sam_fill_level = SAM_FILL_ALL;
-	(*server_info)->sam_account    = sampass;
-	if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
-		return ret;
-	if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
-		return ret;
-
 	return NT_STATUS_OK;
 }
 
 /***************************************************************************
- Make (and fill) a user_info struct from a SAM_ACCOUNT
+Fill a server_info struct from a SAM_ACCOUNT with their groups
 ***************************************************************************/
 
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
-			      SAM_ACCOUNT *sampass)
+static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, 
+				SAM_ACCOUNT *sampass,
+				uid_t uid, gid_t gid)
 {
-	NTSTATUS nt_status = NT_STATUS_OK;
+	NTSTATUS nt_status;
 	const DOM_SID *user_sid = pdb_get_user_sid(sampass);
 	const DOM_SID *group_sid = pdb_get_group_sid(sampass);
 	int       n_groupSIDs = 0;
@@ -755,14 +739,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 	BOOL is_guest;
 	uint32 rid;
 
-	if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) {
-		return nt_status;
-	}
-	
-	if (!NT_STATUS_IS_OK(nt_status 
-			     = get_user_groups_from_local_sam(sampass, 
-		&n_groupSIDs, &groupSIDs, &unix_groups)))
-	{
+	nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass),
+						   uid, gid, 
+						   &n_groupSIDs, &groupSIDs,
+						   &unix_groups);
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(4,("get_user_groups_from_local_sam failed\n"));
 		free_server_info(server_info);
 		return nt_status;
@@ -785,9 +766,36 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 
 	(*server_info)->n_groups = n_groupSIDs;
 	(*server_info)->groups = unix_groups;
-
 	(*server_info)->ptok = token;
-	
+
+	return nt_status;
+}
+
+/***************************************************************************
+ Make (and fill) a user_info struct from a SAM_ACCOUNT
+***************************************************************************/
+
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
+			      SAM_ACCOUNT *sampass)
+{
+	NTSTATUS nt_status;
+
+	if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info)))
+		return nt_status;
+
+	(*server_info)->sam_account    = sampass;
+
+	if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
+		return nt_status;
+
+	if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
+		return nt_status;
+
+	if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, 
+							 (*server_info)->uid, (*server_info)->gid)))
+		return nt_status;
+
+	(*server_info)->sam_fill_level = SAM_FILL_ALL;
 	DEBUG(5,("make_server_info_sam: made server info for user %s\n",
 		 pdb_get_username((*server_info)->sam_account)));
 
@@ -806,7 +814,20 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc
 	if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {		
 		return nt_status;
 	}
-	return make_server_info_sam(server_info, sampass);
+	if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
+		return nt_status;
+	}
+
+	(*server_info)->sam_account    = sampass;
+
+	if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) {
+		return nt_status;
+	}
+
+	(*server_info)->sam_fill_level = SAM_FILL_ALL;
+	(*server_info)->uid = pwd->pw_uid;
+	(*server_info)->gid = pwd->pw_gid;
+	return nt_status;
 }
 
 /***************************************************************************
@@ -848,6 +869,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
 ***************************************************************************/
 static NTSTATUS fill_sam_account(const char *domain,
 				 const char *username,
+				 uid_t *uid, gid_t *gid,
 				 SAM_ACCOUNT **sam_account)
 {
 	fstring dom_user;
@@ -866,6 +888,9 @@ static NTSTATUS fill_sam_account(const char *domain,
 	if (passwd == NULL)
 		return NT_STATUS_NO_SUCH_USER;
 
+	*uid = passwd->pw_uid;
+	*gid = passwd->pw_gid;
+
 	return pdb_init_sam_pw(sam_account, passwd);
 }
 
@@ -892,6 +917,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	struct passwd *passwd;
 
 	unid_t u_id, g_id;
+	uid_t uid;
+	gid_t gid;
 	int u_type, g_type;
 
 	int n_lgroupSIDs;
@@ -931,15 +958,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
 	u_type = ID_USERID;
 	g_type = ID_GROUPID;
+ 
+ 	/* we are trying to check that idmap isn't stuffing us over - does this
+ 	   user actually exist? */
 	if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid))
 	    && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid))
 	    && ((passwd = getpwuid_alloc(u_id.uid)))) {
+
 		nt_status = pdb_init_sam_pw(&sam_account, passwd);
+
+ 		uid = passwd->pw_uid;
+ 		gid = passwd->pw_gid;
+ 
+ 		/* we should check this is the same name */
+
 		passwd_free(&passwd);
 	} else {
 
+ 		/* User not from winbind - try and find them by getpwnam() */
 		nt_status = fill_sam_account(nt_domain,
 					     internal_username,
+					     &uid, &gid,
 					     &sam_account);
 
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
@@ -948,6 +987,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 			auth_add_user_script(nt_domain, internal_username);
 			nt_status = fill_sam_account(nt_domain,
 						     internal_username,
+						     &uid, &gid,
 						     &sam_account);
 		}
 	}
@@ -1002,17 +1042,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) {
+	/* now that we have a SAM_ACCOUNT that looks real, make a server_info
+	   to wrap it in, and use pass it on down */
+
+	if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
 		DEBUG(4, ("make_server_info failed!\n"));
 		pdb_free_sam(&sam_account);
 		return nt_status;
 	}
 
+	/* Fill in the unix info we found on the way */
+
+	(*server_info)->sam_fill_level = SAM_FILL_ALL;
+	(*server_info)->uid = uid;
+	(*server_info)->gid = gid;
+
 	/* Store the user group information in the server_info 
 	   returned to the caller. */
 	
 	if (!NT_STATUS_IS_OK(nt_status 
-			     = get_user_groups_from_local_sam(sam_account, 
+			     = get_user_groups_from_local_sam(pdb_get_username(sam_account), 
+							      uid, gid, 
 							      &n_lgroupSIDs, 
 							      &lgroupSIDs, 
 							      &unix_groups)))