diff options
| -rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 21 | ||||
| -rw-r--r-- | source3/lib/util_sid.c | 17 | ||||
| -rw-r--r-- | source3/param/loadparm.c | 5 | ||||
| -rw-r--r-- | source3/passdb/passdb.c | 44 | ||||
| -rw-r--r-- | source3/passdb/pdb_interface.c | 2 | ||||
| -rw-r--r-- | source3/passdb/pdb_ldap.c | 26 | ||||
| -rw-r--r-- | source3/passdb/pdb_smbpasswd.c | 28 | ||||
| -rw-r--r-- | source3/passdb/pdb_tdb.c | 45 | ||||
| -rw-r--r-- | source3/smbd/uid.c | 5 |
9 files changed, 108 insertions, 85 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 1567087d9e..87f8a42895 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -596,6 +596,7 @@ <listitem><para><link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link></para></listitem> <listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem> <listitem><para><link linkend="ADDMACHINESCRIPT"><parameter>add machine script</parameter></link></para></listitem> + <listitem><para><link linkend="ALGORITHMICRIDBASE"><parameter>algorithmic rid base</parameter></link></para></listitem> <listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem> <listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem> <listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem> @@ -1136,8 +1137,28 @@ <parameter>hosts allow</parameter></link>.</para></listitem> </varlistentry> + <varlistentry> + <term><anchor id="ALGORITHMICRIDBASE">algorithmic rid base (G)</term> + <listitem><para>This determines if Samba how will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers.</para> + + <para>Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + </para> + + <para>All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. </para> + <para>Default: <command>algorithmic rid base = 1000</command></para> + <para>Example: <command>algorithmic rid base = 100000</command></para> + </varlistentry> + <varlistentry> <term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term> <listitem><para>This option only takes effect when the <link diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index cd7b64bb70..100324a047 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -197,7 +197,7 @@ void generate_wellknown_sids(void) Turns a domain SID into a name, returned in the nt_domain argument. ***************************************************************************/ -BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) +BOOL map_domain_sid_to_name(DOM_SID *sid, fstring nt_domain) { fstring sid_str; int i = 0; @@ -344,11 +344,18 @@ char *sid_to_string(fstring sidstr_out, DOM_SID *sid) { char subauth[16]; int i; + uint32 ia; + + if (!sid) { + fstrcpy(sidstr_out, "(NULL SID)"); + return sidstr_out; + } + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 462464d68f..39e7ce6e4f 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -151,6 +151,7 @@ typedef struct char *szWinbindUID; char *szWinbindGID; char *szNonUnixAccountRange; + BOOL bAlgorithmicRidBase; char *szTemplateHomedir; char *szTemplateShell; char *szWinbindSeparator; @@ -725,6 +726,7 @@ static struct parm_struct parm_table[] = { {"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0}, {"passdb backend", P_STRING, P_GLOBAL, &Globals.szPassdbBackend, NULL, NULL, 0}, {"non unix account range", P_STRING, P_GLOBAL, &Globals.szNonUnixAccountRange, handle_non_unix_account_range, NULL, 0}, + {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.bAlgorithmicRidBase, NULL, NULL, 0}, {"root directory", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0}, {"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0}, {"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0}, @@ -1277,6 +1279,8 @@ static void init_globals(void) string_set(&Globals.szNameResolveOrder, "lmhosts wins host bcast"); string_set(&Globals.szPasswordServer, "*"); + Globals.bAlgorithmicRidBase = BASE_RID; + Globals.bLoadPrinters = True; Globals.max_packet = 65535; Globals.mangled_stack = 50; @@ -1796,6 +1800,7 @@ FN_LOCAL_INTEGER(lp_write_cache_size, iWriteCacheSize) FN_LOCAL_CHAR(lp_magicchar, magic_char) FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time) FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers) +FN_GLOBAL_BOOL(lp_algorithmic_rid_base, &Globals.bAlgorithmicRidBase) /* local prototypes */ diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 17aefe1159..d34866fa63 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -436,9 +436,10 @@ BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid) Converts NT user RID to a UNIX uid. ********************************************************************/ -static uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) +uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) { - return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); + int rid_offset = lp_algorithmic_rid_base(); + return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER); } @@ -446,9 +447,10 @@ static uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) converts UNIX uid to an NT User RID. ********************************************************************/ -static uint32 fallback_pdb_uid_to_user_rid(uid_t uid) +uint32 fallback_pdb_uid_to_user_rid(uid_t uid) { - return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); + int rid_offset = lp_algorithmic_rid_base(); + return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE); } /******************************************************************* @@ -457,7 +459,8 @@ static uint32 fallback_pdb_uid_to_user_rid(uid_t uid) gid_t pdb_group_rid_to_gid(uint32 group_rid) { - return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER); + int rid_offset = lp_algorithmic_rid_base(); + return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER); } /******************************************************************* @@ -470,7 +473,8 @@ gid_t pdb_group_rid_to_gid(uint32 group_rid) uint32 pdb_gid_to_group_rid(gid_t gid) { - return (((((uint32)gid)*RID_MULTIPLIER) + 1000) | GROUP_RID_TYPE); + int rid_offset = lp_algorithmic_rid_base(); + return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE); } /******************************************************************* @@ -479,7 +483,10 @@ uint32 pdb_gid_to_group_rid(gid_t gid) static BOOL pdb_rid_is_well_known(uint32 rid) { - return (rid < 1000); + /* Not using rid_offset here, becouse this is the actual + NT fixed value (1000) */ + + return (rid < BASE_RID); } /******************************************************************* @@ -817,13 +824,14 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type) DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid), (unsigned int)*puid, pdb_get_username(sam_user))); } else { - if (pdb_rid_is_user(rid)) { + if ((pdb_rid_is_user(rid))) { *puid = fallback_pdb_user_rid_to_uid(rid); DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (non-passdb user).\n", sid_to_string( str, psid), (unsigned int)*puid)); } else { + DEBUG(5,("local_sid_to_uid: SID %s not mapped becouse RID isn't a user.\n", sid_to_string( str, psid))); pdb_free_sam(&sam_user); - return False; + return False; } } pdb_free_sam(&sam_user); @@ -846,7 +854,7 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { sid_copy(psid, &map.sid); - } + } else { sid_append_rid(psid, pdb_gid_to_group_rid(gid)); } @@ -864,7 +872,6 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) DOM_SID dom_sid; uint32 rid; fstring str; - struct group *grp; GROUP_MAP map; *name_type = SID_NAME_UNKNOWN; @@ -891,24 +898,19 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) sid_peek_rid(&map.sid, &rid); *pgid = map.gid; *name_type = map.sid_name_use; + DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid), + map.nt_name, (unsigned int)*pgid)); + } else { if (pdb_rid_is_user(rid)) return False; *pgid = pdb_group_rid_to_gid(rid); *name_type = SID_NAME_ALIAS; + DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid), + (unsigned int)*pgid)); } - /* - * Ensure this gid really does exist. - */ - - if(!(grp = getgrgid(*pgid))) - return False; - - DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u) (%s).\n", sid_to_string( str, psid), - (unsigned int)*pgid, grp->gr_name )); - return True; } diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index e454bf3c25..a19bf254e7 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -240,7 +240,7 @@ static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_c { DEBUG(5,("Found pdb backend %s (at pos %d)\n", module_name, i)); if (NT_STATUS_IS_OK(nt_status - = builtin_pdb_init_functions[i].init(context, methods, module_location))) { + = builtin_pdb_init_functions[i].init(context, methods, module_location))) { DEBUG(5,("pdb backend %s has a valid init\n", selected)); } else { DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n", selected, nt_errstr(nt_status))); diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index dc6b9f97ff..d0280269aa 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -72,24 +72,6 @@ struct ldapsam_privates { static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state); /******************************************************************* - Converts NT user RID to a UNIX uid. - ********************************************************************/ - -static uid_t pdb_user_rid_to_uid(uint32 user_rid) -{ - return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); -} - -/******************************************************************* - converts UNIX uid to an NT User RID. - ********************************************************************/ - -static uint32 pdb_uid_to_user_rid(uid_t uid) -{ - return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); -} - -/******************************************************************* find the ldap password ******************************************************************/ static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len) @@ -347,7 +329,7 @@ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, if (rc != LDAP_SUCCESS) rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct, - pdb_user_rid_to_uid(rid), + fallback_user_rid_to_uid(rid), result); return rc; @@ -754,7 +736,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if ( pdb_get_user_rid(sampass) ) { rid = pdb_get_user_rid(sampass); } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) { - rid = pdb_uid_to_user_rid(pdb_get_uid(sampass)); + rid = fallback_uid_to_user_rid(pdb_get_uid(sampass)); } else if (ldap_state->permit_non_unix_accounts) { rid = ldapsam_get_next_available_nua_rid(ldap_state); if (rid == 0) { @@ -1511,9 +1493,9 @@ NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method return NT_STATUS_UNSUCCESSFUL; } - ldap_state->low_nua_rid=pdb_uid_to_user_rid(low_nua_uid); + ldap_state->low_nua_rid=fallback_uid_to_user_rid(low_nua_uid); - ldap_state->high_nua_rid=pdb_uid_to_user_rid(high_nua_uid); + ldap_state->high_nua_rid=fallback_uid_to_user_rid(high_nua_uid); return NT_STATUS_OK; } diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index 18c949c592..9f37cadfe8 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -69,24 +69,6 @@ struct smbpasswd_privates enum pwf_access_type { PWF_READ, PWF_UPDATE, PWF_CREATE }; -/******************************************************************* - Converts NT user RID to a UNIX uid. - ********************************************************************/ - -static uid_t pdb_user_rid_to_uid(uint32 user_rid) -{ - return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); -} - -/******************************************************************* - converts UNIX uid to an NT User RID. - ********************************************************************/ - -static uint32 pdb_uid_to_user_rid(uid_t uid) -{ - return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); -} - /*************************************************************** Lock an fd. Abandon after waitsecs seconds. ****************************************************************/ @@ -1195,7 +1177,7 @@ static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampas uid = pdb_get_uid(sampass); /* If the user specified a RID, make sure its able to be both stored and retreived */ - if (rid && uid != pdb_user_rid_to_uid(rid)) { + if (rid && uid != fallback_pdb_user_rid_to_uid(rid)) { DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n")); return False; } @@ -1249,7 +1231,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) { - pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pw_buf->smb_userid)); + pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid)); /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. @@ -1269,7 +1251,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC --jerry */ pwfile = getpwnam_alloc(pw_buf->smb_name); if (pwfile == NULL) { - DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s not in unix passwd database!\n", pw_buf->smb_name)); + DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid)); return False; } @@ -1278,7 +1260,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC pdb_set_fullname(sam_pass, pwfile->pw_gecos); - pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pwfile->pw_uid)); + pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pwfile->pw_uid)); if (get_group_map_from_gid(pwfile->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &grid); @@ -1505,7 +1487,7 @@ static BOOL smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *s return False; } - while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL) && (pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) ) + while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL) && (fallback_pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) ) /* do nothing */ ; endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth)); diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 7092caa15e..3a9bc894bb 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -41,8 +41,10 @@ struct tdbsam_privates { BOOL permit_non_unix_accounts; -/* uint32 low_nua_rid; - uint32 high_nua_rid; */ + BOOL algorithmic_rids; + + uint32 low_nua_rid; + uint32 high_nua_rid; }; /********************************************************************** @@ -717,7 +719,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, const SAM_ACCOUNT* ne fstring name; BOOL ret = True; uint32 user_rid; - int32 tdb_ret; + BOOL tdb_ret; /* invalidate the existing TDB iterator if it is open */ if (tdb_state->passwd_tdb) { @@ -736,13 +738,32 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, const SAM_ACCOUNT* ne /* if flag == TDB_INSERT then make up a new RID else throw an error. */ if (!(user_rid = pdb_get_user_rid(newpwd))) { if (flag & TDB_INSERT) { - user_rid = BASE_RID; - tdb_ret = tdb_change_int32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER); - if (tdb_ret == -1) { - ret = False; - goto done; + if (IS_SAM_UNIX_USER(newpwd)) { + if (tdb_state->algorithmic_rids) { + user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd)); + } else { + user_rid = BASE_RID; + tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER); + if (!tdb_ret) { + ret = False; + goto done; + } + } + pdb_set_user_rid(newpwd, user_rid); + } else { + user_rid = tdb_state->low_nua_rid; + tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER); + if (!tdb_ret) { + ret = False; + goto done; + } + if (user_rid > tdb_state->high_nua_rid) { + DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd))); + ret = False; + goto done; + } + pdb_set_user_rid(newpwd, user_rid); } - pdb_set_user_rid(newpwd, user_rid); } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd))); ret = False; @@ -884,6 +905,8 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile); } + tdb_state->algorithmic_rids = True; + (*pdb_method)->private_data = tdb_state; (*pdb_method)->free_private_data = free_private_data; @@ -912,10 +935,10 @@ NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, return NT_STATUS_UNSUCCESSFUL; } -/* tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid); + tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid); tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid); -*/ + return NT_STATUS_OK; } diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index ac0b535c13..8b0ffbd73f 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -521,7 +521,7 @@ BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE sid_copy(&tmp_sid, sid); sid_split_rid(&tmp_sid, &rid); return map_domain_sid_to_name(&tmp_sid, dom_name) && - lookup_known_rid(&tmp_sid, rid, name, name_type); + lookup_known_rid(&tmp_sid, rid, name, name_type); } return True; } @@ -578,7 +578,8 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) } } - local_gid_to_sid(psid, gid); + /* Make sure we report failure, (when psid == NULL) */ + psid = local_gid_to_sid(psid, gid); DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, sid_to_string(sid, psid))); |