diff options
author | Gerald Carter <jerry@samba.org> | 2006-03-15 03:46:20 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:15:29 -0500 |
commit | 8723178048f3b98938476c41679d46ed1f809515 (patch) | |
tree | 622b7f5ecb2d8bc69f20156343ad141b6cb8c1eb /source3 | |
parent | a48baaa9351c42a6a9998914e172475b7d3bbf7f (diff) | |
download | samba-8723178048f3b98938476c41679d46ed1f809515.tar.gz samba-8723178048f3b98938476c41679d46ed1f809515.tar.bz2 samba-8723178048f3b98938476c41679d46ed1f809515.zip |
r14421: This does two things
* Automatically creates the BUILTIN\Users group similar to
how BUILTIN\Administrators is done. This code does need to
be cleaned up considerably. I'll continue to work on this.
* The important fix is for getusergroups() when dealing with a
local user and nested groups. Now I can run the following
successfully:
$ su - jerry -c groups
users BUILTIN\users
(This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/auth_util.c | 49 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_async.c | 27 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_group.c | 12 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_passdb.c | 7 |
4 files changed, 86 insertions, 9 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b88945284..776b2fb3d7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -688,6 +688,36 @@ static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_toke /******************************************************************* *******************************************************************/ +static NTSTATUS create_builtin_users( void ) +{ + NTSTATUS status; + DOM_SID dom_users; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_users: Failed to create Users\n")); + return status; + } + + /* add domain users */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) + { + sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); + status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + " Users\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + static NTSTATUS create_builtin_administrators( void ) { NTSTATUS status; @@ -822,6 +852,25 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } } + /* Deal with the BUILTIN\Users group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() ) { + become_root(); + status = create_builtin_users( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + } + /* Deal with local groups */ if (lp_winbind_nested_groups()) { diff --git a/source3/nsswitch/winbindd_async.c b/source3/nsswitch/winbindd_async.c index 180fd651f5..1581b7c272 100644 --- a/source3/nsswitch/winbindd_async.c +++ b/source3/nsswitch/winbindd_async.c @@ -4,6 +4,7 @@ Async helpers for blocking functions Copyright (C) Volker Lendecke 2005 + Copyright (C) Volker Lendecke 2006 The helpers always consist of three functions: @@ -364,6 +365,10 @@ void idmap_sid2gid_async(TALLOC_CTX *mem_ctx, const DOM_SID *sid, BOOL alloc, ZERO_STRUCT(request); request.cmd = WINBINDD_DUAL_SID2GID; sid_to_string(request.data.dual_sid2id.sid, sid); + + DEBUG(7,("idmap_sid2gid_async: Resolving %s to a gid\n", + request.data.dual_sid2id.sid)); + request.data.dual_sid2id.alloc = alloc; do_async(mem_ctx, idmap_child(), &request, idmap_sid2gid_recv, cont, private_data); @@ -391,6 +396,15 @@ enum winbindd_result winbindd_dual_sid2gid(struct winbindd_domain *domain, state->request.data.dual_sid2id.alloc ? 0 : ID_QUERY_ONLY); + /* If the lookup failed, the perhaps we need to look + at the passdb for local groups */ + + if ( !NT_STATUS_IS_OK(result) ) { + if ( sid_to_gid( &sid, &(state->response.data.gid) ) ) { + result = NT_STATUS_OK; + } + } + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } @@ -1013,9 +1027,14 @@ static void gettoken_recvdomgroups(TALLOC_CTX *mem_ctx, BOOL success, sids_str = response->extra_data; if (sids_str == NULL) { - DEBUG(10, ("Received no domain groups\n")); - state->cont(state->private_data, True, NULL, 0); - return; + /* This could be normal if we are dealing with a + local user and local groups */ + + if ( !sid_check_is_in_our_domain( &state->user_sid ) ) { + DEBUG(10, ("Received no domain groups\n")); + state->cont(state->private_data, True, NULL, 0); + return; + } } state->sids = NULL; @@ -1024,7 +1043,7 @@ static void gettoken_recvdomgroups(TALLOC_CTX *mem_ctx, BOOL success, add_sid_to_array(mem_ctx, &state->user_sid, &state->sids, &state->num_sids); - if (!parse_sidlist(mem_ctx, sids_str, &state->sids, + if (sids_str && !parse_sidlist(mem_ctx, sids_str, &state->sids, &state->num_sids)) { DEBUG(0, ("Could not parse sids\n")); state->cont(state->private_data, False, NULL, 0); diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 6e7a242379..547f4f2ec8 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -997,8 +997,16 @@ void winbindd_getgroups(struct winbindd_cli_state *state) &s->domname, &s->username)) { DEBUG(5, ("Could not parse domain user: %s\n", state->request.data.username)); - request_error(state); - return; + + /* error out if we do not have nested group support */ + + if ( !lp_winbind_nested_groups() ) { + request_error(state); + return; + } + + s->domname = talloc_strdup( state->mem_ctx, get_global_sam_name() ); + s->username = talloc_strdup( state->mem_ctx, state->request.data.username ); } /* Get info for the domain */ diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c index 73020cd6bc..6c8dafa118 100644 --- a/source3/nsswitch/winbindd_passdb.c +++ b/source3/nsswitch/winbindd_passdb.c @@ -245,10 +245,11 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain, { DEBUG(10, ("Finding name %s\n", name)); - if (!pdb_find_alias(name, sid)) + if ( !lookup_name( mem_ctx, name, LOOKUP_NAME_ALL, + NULL, NULL, sid, type ) ) + { return NT_STATUS_NONE_MAPPED; - - *type = SID_NAME_ALIAS; + } return NT_STATUS_OK; } |