authorAndrew Bartlett <abartlet@samba.org>2004-05-09 13:42:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:51:51 -0500
commitc041077856badf5fa3f52e47267a24e6f5a11e3d (patch)
tree5972f0399bcf374e736ff46270eb9ee8357d1c3d /source4
parent5ae9bd7535140e65b6c4e0b73f7a9504db3d0e47 (diff)
r614: Clean out the POSIX assumptions from the Samba4 auth subsystem.
This removes the code that tried to lookup posix groups, as well as the code that was tied to the SAM_ACCOUNT. This should make auth_ldb much easier to write :-) Andrew Bartlett (This used to be commit e096ee2112adecaa69b6b3eb155a4e8f80dfc0f7)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.c6
-rw-r--r--source4/auth/auth.h9
-rw-r--r--source4/auth/auth_util.c158
-rw-r--r--source4/include/smb.h12
-rw-r--r--source4/smb_server/password.c74
5 files changed, 2 insertions, 257 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index 720b8149bd..83446721e6 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -231,12 +231,6 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
}
}
- /* This is one of the few places the *relies* (rather than just sets defaults
- on the value of lp_security(). This needs to change. A new paramater
- perhaps? */
- if (lp_security() >= SEC_SERVER)
- smb_user_control(user_info, *server_info, nt_status);
-
if (NT_STATUS_IS_OK(nt_status)) {
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG((*server_info)->guest ? 5 : 2,
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 22738ffc2c..bf6e1b77e1 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -66,10 +66,6 @@ typedef struct auth_serversupplied_info
{
BOOL guest;
- /* This groups info is needed for when we become_user() for this uid */
- int n_groups;
- gid_t *groups;
-
/* NT group information taken from the info3 structure */
NT_USER_TOKEN *ptok;
@@ -77,11 +73,6 @@ typedef struct auth_serversupplied_info
DATA_BLOB user_session_key;
DATA_BLOB lm_session_key;
- uint32 sam_fill_level; /* How far is this structure filled? */
-
- SAM_ACCOUNT *sam_account;
-
- void *pam_handle;
} auth_serversupplied_info;
struct auth_context {
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index db10514c7e..7bb8c8a558 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -31,54 +31,6 @@ extern DOM_SID global_sid_Network;
extern DOM_SID global_sid_Builtin_Guests;
extern DOM_SID global_sid_Authenticated_Users;
-
-/****************************************************************************
- Create a UNIX user on demand.
-****************************************************************************/
-
-static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
-{
- pstring add_script;
- int ret;
-
- pstrcpy(add_script, lp_adduser_script());
- if (! *add_script)
- return -1;
- all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
- if (domain)
- all_string_sub(add_script, "%D", domain, sizeof(pstring));
- if (homedir)
- all_string_sub(add_script, "%H", homedir, sizeof(pstring));
- ret = smbrun(add_script,NULL);
- DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
- return ret;
-}
-
-/****************************************************************************
- Add and Delete UNIX users on demand, based on NTSTATUS codes.
-****************************************************************************/
-
-void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
-{
- struct passwd *pwd=NULL;
-
- if (NT_STATUS_IS_OK(nt_status)) {
-
- if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) {
-
- /*
- * User validated ok against Domain controller.
- * If the admin wants us to try and create a UNIX
- * user on the fly, do so.
- */
-
- if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) {
- smb_create_user(user_info->domain.str, user_info->internal_username.str, NULL);
- }
- }
- }
-}
-
/****************************************************************************
Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
unix info.
@@ -623,87 +575,6 @@ struct nt_user_token *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *
return token;
}
-/******************************************************************************
- * this function returns the groups (SIDs) of the local SAM the user is in.
- * If this samba server is a DC of the domain the user belongs to, it returns
- * both domain groups and local / builtin groups. If the user is in a trusted
- * domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of.
- *
- * currently this is a hack, as there is no sam implementation that is capable
- * of groups.
- ******************************************************************************/
-
-static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
- int *n_groups, DOM_SID **groups, gid_t **unix_groups)
-{
- uid_t uid;
- gid_t gid;
- int n_unix_groups;
- int i;
- struct passwd *usr;
-
- *n_groups = 0;
- *groups = NULL;
-
- if (!IS_SAM_UNIX_USER(sampass)) {
- DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- uid = pdb_get_uid(sampass);
- gid = pdb_get_gid(sampass);
-
- n_unix_groups = groups_max();
- if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
- DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
- passwd_free(&usr);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
- gid_t *groups_tmp;
- groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
- if (!groups_tmp) {
- SAFE_FREE(*unix_groups);
- passwd_free(&usr);
- return NT_STATUS_NO_MEMORY;
- }
- *unix_groups = groups_tmp;
-
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
- DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
- SAFE_FREE(*unix_groups);
- passwd_free(&usr);
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
- }
- }
-
- debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
-
- if (n_unix_groups > 0) {
- *groups = malloc(sizeof(DOM_SID) * n_unix_groups);
- if (!*groups) {
- DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n"));
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- *n_groups = n_unix_groups;
-
- for (i = 0; i < *n_groups; i++) {
- if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
- DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1]));
- SAFE_FREE(*groups);
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_SUCH_USER;
- }
- }
-
- return NT_STATUS_OK;
-}
-
/***************************************************************************
Make a user_info struct
***************************************************************************/
@@ -717,9 +588,6 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC
}
ZERO_STRUCTP(*server_info);
- (*server_info)->sam_fill_level = SAM_FILL_ALL;
- (*server_info)->sam_account = sampass;
-
return NT_STATUS_OK;
}
@@ -733,9 +601,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
NTSTATUS nt_status = NT_STATUS_OK;
const DOM_SID *user_sid = pdb_get_user_sid(sampass);
const DOM_SID *group_sid = pdb_get_group_sid(sampass);
- int n_groupSIDs = 0;
- DOM_SID *groupSIDs = NULL;
- gid_t *unix_groups = NULL;
NT_USER_TOKEN *token;
BOOL is_guest;
uint32 rid;
@@ -744,38 +609,19 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
return nt_status;
}
- if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(sampass,
- &n_groupSIDs, &groupSIDs, &unix_groups)))
- {
- DEBUG(4,("get_user_groups_from_local_sam failed\n"));
- free_server_info(server_info);
- return nt_status;
- }
-
is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
- n_groupSIDs, groupSIDs, is_guest,
+ 0, NULL, is_guest,
&token)))
{
DEBUG(4,("create_nt_user_token failed\n"));
- SAFE_FREE(groupSIDs);
- SAFE_FREE(unix_groups);
free_server_info(server_info);
return nt_status;
}
-
- SAFE_FREE(groupSIDs);
-
- (*server_info)->n_groups = n_groupSIDs;
- (*server_info)->groups = unix_groups;
(*server_info)->ptok = token;
- DEBUG(5,("make_server_info_sam: made server info for user %s\n",
- pdb_get_username((*server_info)->sam_account)));
-
return nt_status;
}
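Review bot: The token built by the `create_nt_user_token(user_sid, group_sid, 0, NULL, is_guest, &token)` call now carries no group SIDs beyond the primary group_sid, so any later authorization decision taken on `(*server_info)->ptok` sees a user with no group membership at all; the commit message presents this as intentional, but nothing at the call site says so. Add a comment above the call such as `/* No group SIDs yet: the SAM has no group support, so ptok holds only the user SID and primary group SID; checks that depend on group membership may not behave as expected until this is filled in. */`. Dropping the `DEBUG(5, ...)` that named the user also leaves make_server_info_sam with no log line identifying which account a server_info was built for; `DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username(sampass)));` keeps that trace without the removed sam_account field. The function's signature and opening statements are outside this hunk.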
@@ -866,11 +712,9 @@ void free_server_info(auth_serversupplied_info **server_info)
{
DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
if (*server_info != NULL) {
- pdb_free_sam(&(*server_info)->sam_account);
/* call pam_end here, unless we know we are keeping it */
delete_nt_token( &(*server_info)->ptok );
- SAFE_FREE((*server_info)->groups);
ZERO_STRUCT(**server_info);
}
SAFE_FREE(*server_info);
diff --git a/source4/include/smb.h b/source4/include/smb.h
index 6982a0dae0..7988a500fa 100644
--- a/source4/include/smb.h
+++ b/source4/include/smb.h
@@ -1079,21 +1079,9 @@ typedef struct user_struct
{
struct user_struct *next, *prev;
uint16 vuid; /* Tag for this entry. */
- uid_t uid; /* uid of a validated user */
- gid_t gid; /* gid of a validated user */
- userdom_struct user;
- char *homedir;
- char *unix_homedir;
- char *logon_script;
-
BOOL guest;
- /* following groups stuff added by ih */
- /* This groups info is needed for when we become_user() for this uid */
- int n_groups;
- gid_t *groups;
-
NT_USER_TOKEN *nt_user_token;
DATA_BLOB session_key;
diff --git a/source4/smb_server/password.c b/source4/smb_server/password.c
index 196556819e..61987518b8 100644
--- a/source4/smb_server/password.c
+++ b/source4/smb_server/password.c
@@ -56,10 +56,6 @@ void invalidate_vuid(struct server_context *smb, uint16 vuid)
if (vuser == NULL)
return;
- SAFE_FREE(vuser->homedir);
- SAFE_FREE(vuser->unix_homedir);
- SAFE_FREE(vuser->logon_script);
-
data_blob_free(&vuser->session_key);
session_yield(vuser);
@@ -72,7 +68,6 @@ void invalidate_vuid(struct server_context *smb, uint16 vuid)
from the vuid 'owner' of connections */
/* REWRITE: conn_clear_vuid_cache(smb, vuid); */
- SAFE_FREE(vuser->groups);
delete_nt_token(&vuser->nt_user_token);
SAFE_FREE(vuser);
smb->users.num_validated_vuids--;
@@ -141,73 +136,17 @@ int register_vuid(struct server_context *smb,
vuser->vuid = smb->users.next_vuid;
- /* the next functions should be done by a SID mapping system (SMS) as
- * the new real sam db won't have reference to unix uids or gids
- */
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT\n"));
- free(vuser);
- free_server_info(&server_info);
- return UID_FIELD_INVALID;
- }
-
- vuser->uid = pdb_get_uid(server_info->sam_account);
- vuser->gid = pdb_get_gid(server_info->sam_account);
-
- vuser->n_groups = server_info->n_groups;
- if (vuser->n_groups) {
- if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) {
- DEBUG(0,("register_vuid: failed to memdup vuser->groups\n"));
- free(vuser);
- free_server_info(&server_info);
- return UID_FIELD_INVALID;
- }
- }
-
vuser->guest = server_info->guest;
- fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account));
-
- /* This is a potentially untrusted username */
- alpha_strcpy(vuser->user.smb_name, smb_name, ". _-$", sizeof(vuser->user.smb_name));
-
- fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account));
- fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account));
-
- {
- /* Keep the homedir handy */
- const char *homedir = pdb_get_homedir(server_info->sam_account);
- const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account);
- const char *logon_script = pdb_get_logon_script(server_info->sam_account);
- if (homedir) {
- vuser->homedir = smb_xstrdup(homedir);
- }
-
- if (unix_homedir) {
- vuser->unix_homedir = smb_xstrdup(unix_homedir);
- }
-
- if (logon_script) {
- vuser->logon_script = smb_xstrdup(logon_script);
- }
- }
vuser->session_key = *session_key;
- DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n",
- (unsigned int)vuser->uid,
- (unsigned int)vuser->gid,
- vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest ));
-
- DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));
+ DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));
if (server_info->ptok) {
vuser->nt_user_token = dup_nt_token(server_info->ptok);
} else {
DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
free_server_info(&server_info);
- SAFE_FREE(vuser->homedir);
- SAFE_FREE(vuser->unix_homedir);
- SAFE_FREE(vuser->logon_script);
SAFE_FREE(vuser);
return UID_FIELD_INVALID;
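Review bot: The replacement `DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));` is now the only trace of a new vuid being registered and it no longer says for whom, since the `vuser->user.*` copies, including the sanitized `alpha_strcpy` of the untrusted `smb_name`, are gone; the vuid-to-account link is what makes session-setup logs readable. If `smb_name` is still a parameter of register_vuid (the signature is outside the hunk), it is now passed in but never used, so either record it in the debug line or drop the parameter. The last hunk of this file also removes the only assignment to `vuser->homes_snum`; if that field still exists in user_struct and vuser is not zero-allocated, it is left uninitialized, which is worth checking at the allocation site, also outside these hunks.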
@@ -216,8 +155,6 @@ int register_vuid(struct server_context *smb,
/* use this to keep tabs on all our info from the authentication */
vuser->server_info = server_info;
- DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid));
-
smb->users.next_vuid++;
smb->users.num_validated_vuids++;
@@ -229,15 +166,6 @@ int register_vuid(struct server_context *smb,
return -1;
}
- /* Register a home dir service for this user */
- if ((!vuser->guest) && vuser->unix_homedir && *(vuser->unix_homedir)) {
- DEBUG(3, ("Adding/updating homes service for user '%s' using home direcotry: '%s'\n",
- vuser->user.unix_name, vuser->unix_homedir));
- vuser->homes_snum = add_home_service(vuser->user.unix_name, vuser->user.unix_name, vuser->unix_homedir);
- } else {
- vuser->homes_snum = -1;
- }
-
return vuser->vuid;
}