-rw-r--r-- | source3/include/includes.h | 1 | ||||
-rw-r--r-- | source3/include/proto.h | 7 | ||||
-rw-r--r-- | source3/lib/username.c | 339 | ||||
-rw-r--r-- | source3/param/loadparm.c | 3 | ||||
-rw-r--r-- | source3/rpc_server/srv_util.c | 87 | ||||
-rw-r--r-- | source3/smbd/password.c | 2 |
6 files changed, 201 insertions, 238 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h index 98854bee82..dae97b121b 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1219,6 +1219,7 @@ extern char *sys_errlist[]; #endif /* Lists, trees, caching, datbase... */ +#include "ubi_sLinkList.h" #include "ubi_dLinkList.h" #ifndef UBI_BINTREE_H #include "ubi_Cache.h" diff --git a/source3/include/proto.h b/source3/include/proto.h index 9381aacf84..6938be6367 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -200,6 +200,10 @@ void generate_random_buffer( unsigned char *out, int len, BOOL re_seed); char *getsmbpass(char *prompt) ; +/*The following definitions come from groupname.c */ + +void load_groupname_map(void); + /*The following definitions come from interface.c */ void load_interfaces(void); @@ -902,6 +906,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p, prs_struct *data); /*The following definitions come from lib/rpc/server/srv_util.c */ +BOOL lookup_wellknown_sid_from_name(char *windows_name, DOM_SID *psid); int make_dom_gids(char *gids_str, DOM_GID **ppgids); BOOL create_rpc_reply(pipes_struct *p, uint32 data_start, uint32 data_end); @@ -941,6 +946,7 @@ char *lp_passwordserver(void); char *lp_name_resolve_order(void); char *lp_workgroup(void); char *lp_username_map(void); +char *lp_groupname_map(void); char *lp_character_set(void); char *lp_logon_script(void); char *lp_logon_path(void); @@ -1942,7 +1948,6 @@ char *get_home_dir(char *user); BOOL map_username(char *user); struct passwd *Get_Pwnam(char *user,BOOL allow_change); BOOL user_in_list(char *user,char *list); -void load_groupname_map(void); /*The following definitions come from util.c */ diff --git a/source3/lib/username.c b/source3/lib/username.c index 101f2fc4eb..4237a42078 100644 --- a/source3/lib/username.c +++ b/source3/lib/username.c 
@@ -21,7 +21,6 @@ #include "includes.h" extern int DEBUGLEVEL; -extern DOM_SID global_machine_sid; /* internal functions */ static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (char *), int N); 
@@ -228,7 +227,70 @@ struct passwd *Get_Pwnam(char *user,BOOL allow_change) } /**************************************************************************** -check if a user is in a user list +check if a user is in a netgroup user list +****************************************************************************/ +static BOOL user_in_netgroup_list(char *user,char *ngname) +{ +#ifdef NETGROUP + static char *mydomain = NULL; + if (mydomain == NULL) + yp_get_default_domain(&mydomain); + + if(mydomain == NULL) + { + DEBUG(5,("Unable to get default yp domain\n")); + } + else + { + DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", + user, mydomain, ngname)); + DEBUG(5,("innetgr is %s\n", + innetgr(ngname, NULL, user, mydomain) + ? "TRUE" : "FALSE")); + + if (innetgr(ngname, NULL, user, mydomain)) + return (True); + } +#endif /* NETGROUP */ + return False; +} + +/**************************************************************************** +check if a user is in a UNIX user list +****************************************************************************/ +static BOOL user_in_group_list(char *user,char *gname) +{ +#if HAVE_GETGRNAM + struct group *gptr; + char **member; + struct passwd *pass = Get_Pwnam(user,False); + + if (pass) + { + gptr = getgrgid(pass->pw_gid); + if (gptr && strequal(gptr->gr_name,gname)) + return(True); + } + + gptr = (struct group *)getgrnam(gname); + + if (gptr) + { + member = gptr->gr_mem; + while (member && *member) + { + if (strequal(*member,user)) + return(True); + member++; + } + } +#endif /* HAVE_GETGRNAM */ + return False; +} + +/**************************************************************************** +check if a user is in a user list - can check combinations of UNIX +and netgroup lists. ****************************************************************************/ BOOL user_in_list(char *user,char *list) { 
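Review bot: In the new user_in_netgroup_list, innetgr() is called twice with identical arguments — once inside the DEBUG(5,...) to print its result and again in the `if` — so at debug level 5 every list evaluation costs two NIS round-trips, and a transient NIS answer can make the logged result disagree with the decision taken. Capture it once: `BOOL found = innetgr(ngname, NULL, user, mydomain);`, then `DEBUG(5,("innetgr is %s\n", found ? "TRUE" : "FALSE"));` and `if (found) return True;`. The header comment should also state the matching rule that is visible here, since this feeds share access lists: `/* Matches user against ngname in the default NIS domain; the host field is passed as NULL, so membership from any host counts. */`. For user_in_group_list I would add `/* True if gname is user's primary group or user appears in its member list; gname is taken as-is. */`, and note that the comparison uses strequal(), so it is only as strict as that helper is — worth confirming that is intended for UNIX group names.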
@@ -236,65 +298,72 @@ BOOL user_in_list(char *user,char *list) char *p=list; while (next_token(&p,tok,LIST_SEP)) - { - if (strequal(user,tok)) - return(True); - -#ifdef NETGROUP - if (*tok == '@') - { - static char *mydomain = NULL; - if (mydomain == 0) - yp_get_default_domain(&mydomain); - - if(mydomain == 0) - { - DEBUG(5,("Unable to get default yp domain\n")); - } - else - { - - DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", - user, mydomain, &tok[1])); - DEBUG(5,("innetgr is %s\n", - innetgr(&tok[1], (char *) 0, user, mydomain) - ? "TRUE" : "FALSE")); - - if (innetgr(&tok[1], (char *)0, user, mydomain)) - return (True); - } - } -#endif + { + /* + * Check raw username. + */ + if (strequal(user,tok)) + return(True); + /* + * Now check to see if any combination + * of UNIX and netgroups has been specified. + */ -#if HAVE_GETGRNAM - if (*tok == '@') - { - struct group *gptr; - char **member; - struct passwd *pass = Get_Pwnam(user,False); - - if (pass) { - gptr = getgrgid(pass->pw_gid); - if (gptr && strequal(gptr->gr_name,&tok[1])) - return(True); - } - - gptr = (struct group *)getgrnam(&tok[1]); - - if (gptr) - { - member = gptr->gr_mem; - while (member && *member) - { - if (strequal(*member,user)) - return(True); - member++; - } - } - } -#endif + if(*tok == '@') + { + /* + * Old behaviour. Check netgroup list + * followed by UNIX list. + */ + if(user_in_netgroup_list(user,&tok[1])) + return True; + if(user_in_group_list(user,&tok[1])) + return True; + } + else if (*tok == '+') + { + if(tok[1] == '&') + { + /* + * Search UNIX list followed by netgroup. + */ + if(user_in_group_list(user,&tok[2])) + return True; + if(user_in_netgroup_list(user,&tok[2])) + return True; + } + else + { + /* + * Just search UNIX list. + */ + if(user_in_group_list(user,&tok[1])) + return True; + } + } + else if (*tok == '&') + { + if(tok[1] == '&') + { + /* + * Search netgroup list followed by UNIX list. 
+ */ + if(user_in_netgroup_list(user,&tok[2])) + return True; + if(user_in_group_list(user,&tok[2])) + return True; + } + else + { + /* + * Just search netgroup list. + */ + if(user_in_netgroup_list(user,&tok[1])) + return True; + } } + } return(False); } 
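Review bot: The two combined-prefix spellings are not mirror images: the `+` branch recognises `+&name` (UNIX then netgroup), but the `&` branch only recognises `&&name` as its combined form, so an administrator who writes the natural counterpart `&+name` falls into the plain-netgroup else and the literal string `+name` is handed to innetgr() as a netgroup name, silently matching nobody. If `&+` is the intended spelling (the symmetric reading of `+&`), the one-line fix is `if(tok[1] == '+')` in place of `if(tok[1] == '&')`; if both are meant to be accepted, `if(tok[1] == '&' || tok[1] == '+')`. Either way the function's header comment should spell out the grammar it now parses, along the lines of `@name: netgroup then UNIX group (old behaviour); +name: UNIX group only; &name: netgroup only; +&name: UNIX group then netgroup; &+name: netgroup then UNIX group`, because these tokens end up in access-control lists like valid users. Note that a bare `+`, `&`, `+&` or `&&` token yields an empty group/netgroup name which the helpers pass through to getgrnam()/innetgr(); harmless today, but a cheap `if (tok[1] == '\0') continue;` would make the intent explicit. The signature of user_in_list is in the preceding hunk, so the function starts outside this one.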
@@ -352,157 +421,3 @@ static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(c } return(NULL); } - -#if 0 -/* JRATEST - under construction. */ -/************************************************************************** - Groupname map functionality. The code loads a groupname map file and - (currently) loads it into a linked list. This is slow and memory - hungry, but can be changed into a more efficient storage format - if the demands on it become excessive. -***************************************************************************/ - -typedef struct groupname_map { - ubi_slNode next; - - char *windows_name; - DOM_SID windows_sid; - char *unix_name; - gid_t unix_gid; -} groupname_map_entry; - -static ubi_slList groupname_map_list; - -/************************************************************************** - Delete all the entries in the groupname map list. -***************************************************************************/ - -static void delete_groupname_map_list(void) -{ - groupname_map_entry *gmep; - - while((gmep = (groupname_map_entry *)ubi_slRemHead( groupname_map_list )) != NULL) { - if(gmep->windows_name) - free(gmep->windows_name); - if(gmep->unix_name) - free(gmep->unix_name); - free((char *)gmep); - } -} - -/************************************************************************** - Load a groupname map file. Sets last accessed timestamp. -***************************************************************************/ - -void load_groupname_map(void) -{ - static time_t groupmap_file_last_modified = (time_t)0; - static BOOL initialized = False; - char *groupname_map_file = lp_groupname_map(); - struct stat st; - FILE *fp; - char *s; - pstring buf; - - if(!initialized) { - ubi_slInsert( &groupname_map_list ); - initialized = True; - } - - if (!*groupname_map_file) - return; - - if(stat(groupname_map_file, &st) != 0) { - DEBUG(0, ("load_groupname_map: Unable to stat file %s. 
Error was %s\n", - groupname_map_file, strerror(errno) )); - return; - } - - /* - * Check if file has changed. - */ - if( st.st_mtime <= groupmap_file_last_modified) - return; - - groupmap_file_last_modified = st.st_mtime; - - /* - * Load the file. - */ - - fp = fopen(groupname_map_file,"r"); - if (!fp) { - DEBUG(0,("load_groupname_map: can't open groupname map %s. Error was %s\n", - mapfile, strerror(errno))); - return; - } - - /* - * Throw away any previous list. - */ - delete_groupname_map_list(); - - DEBUG(4,("load_groupname_map: Scanning groupname map %s\n",groupname_map_file)); - - while((s=fgets_slash(buf,sizeof(buf),fp))!=NULL) { - pstring unixname; - pstring windows_name; - struct group *gptr; - DOM_SID tmp_sid; - - DEBUG(10,("load_groupname_map: Read line |%s|\n", s); - - if (!*s || strchr("#;",*s)) - continue; - - if(!next_token(&s,unixname, "\t\n\r=")) - continue; - - if(!next_token(&s,windows_name, "\t\n\r=")) - continue; - - trim_string(unixname, " ", " "); - trim_string(windows_name, " ", " "); - - if (!*dosname) - continue; - - if(!*unixname) - continue; - - /* - * Attempt to get the unix gid_t for this name. - */ - - DEBUG(5,("load_groupname_map: Attempting to find unix group %s.\n", - unixname )); - - if((gptr = (struct group *)getgrnam(unixname)) == NULL) { - DEBUG(0,("load_groupname_map: getgrnam for group %s failed.\ -Error was %s.\n", unixname, strerror(errno) )); - continue; - } - - /* - * Now map to an NT SID. - */ - - if(!lookup_wellknown_sid_from_name(windows_name, &tmp_sid)) { - /* - * It's not a well known name, convert the UNIX gid_t - * to a rid within this domain SID. - */ - tmp_sid = global_machine_sid; - tmp_sid.sub_auths[tmp_sid.num_auths++] = - pdb_gid_to_group_rid((gid_t)gptr->gr_gid); - } - - /* - * Create the list entry and add it onto the list. - */ - - } - - fclose(fp); -} -#endif /* JRATEST */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index e6065ae64b..cf41a75500 100644 --- a/source3/param/loadparm.c 
+++ b/source3/param/loadparm.c @@ -126,6 +126,7 @@ typedef struct char *szDomainHostsallow; char *szDomainHostsdeny; char *szUsernameMap; + char *szGroupnameMap; char *szCharacterSet; char *szLogonScript; char *szLogonPath; @@ -591,6 +592,7 @@ static struct parm_struct parm_table[] = {"domain guest group",P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL, NULL, 0}, {"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL, NULL, 0}, {"domain guest users",P_STRING, P_GLOBAL, &Globals.szDomainGuestUsers, NULL, NULL, 0}, + {"groupname map", P_STRING, P_GLOBAL, &Globals.szGroupnameMap, NULL, NULL, 0}, {"machine password timeout", P_INTEGER, P_GLOBAL, &Globals.machine_password_timeout, NULL, NULL, 0}, {"Logon Options", P_SEP, P_SEPARATOR}, @@ -967,6 +969,7 @@ FN_GLOBAL_STRING(lp_passwordserver,&Globals.szPasswordServer) FN_GLOBAL_STRING(lp_name_resolve_order,&Globals.szNameResolveOrder) FN_GLOBAL_STRING(lp_workgroup,&Globals.szWorkGroup) FN_GLOBAL_STRING(lp_username_map,&Globals.szUsernameMap) +FN_GLOBAL_STRING(lp_groupname_map,&Globals.szGroupnameMap) FN_GLOBAL_STRING(lp_character_set,&Globals.szCharacterSet) FN_GLOBAL_STRING(lp_logon_script,&Globals.szLogonScript) FN_GLOBAL_STRING(lp_logon_path,&Globals.szLogonPath) diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index e05a964c9f..c316661146 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c 
@@ -42,44 +42,83 @@ #include "nterr.h" extern int DEBUGLEVEL; +extern DOM_SID global_machine_sid; /* * A list of the rids of well known BUILTIN and Domain users * and groups. */ -rid_name builtin_alias_rids[] = -{ - { BUILTIN_ALIAS_RID_ADMINS , "Administrators" }, - { BUILTIN_ALIAS_RID_USERS , "Users" }, - { BUILTIN_ALIAS_RID_GUESTS , "Guests" }, - { BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" }, - - { BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" }, - { BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" }, - { BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" }, - { BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" }, - { BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" }, - { 0 , NULL } +rid_name builtin_alias_rids[] = +{ + { BUILTIN_ALIAS_RID_ADMINS , "Administrators" }, + { BUILTIN_ALIAS_RID_USERS , "Users" }, + { BUILTIN_ALIAS_RID_GUESTS , "Guests" }, + { BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" }, + + { BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" }, + { BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" }, + { BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" }, + { BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" }, + { BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" }, + { 0 , NULL } }; /* array lookup of well-known Domain RID users. */ -rid_name domain_user_rids[] = -{ - { DOMAIN_USER_RID_ADMIN , "Administrator" }, - { DOMAIN_USER_RID_GUEST , "Guest" }, - { 0 , NULL } +rid_name domain_user_rids[] = +{ + { DOMAIN_USER_RID_ADMIN , "Administrator" }, + { DOMAIN_USER_RID_GUEST , "Guest" }, + { 0 , NULL } }; /* array lookup of well-known Domain RID groups. 
*/ -rid_name domain_group_rids[] = -{ - { DOMAIN_GROUP_RID_ADMINS , "Domain Admins" }, - { DOMAIN_GROUP_RID_USERS , "Domain Users" }, - { DOMAIN_GROUP_RID_GUESTS , "Domain Guests" }, - { 0 , NULL } +rid_name domain_group_rids[] = +{ + { DOMAIN_GROUP_RID_ADMINS , "Domain Admins" }, + { DOMAIN_GROUP_RID_USERS , "Domain Users" }, + { DOMAIN_GROUP_RID_GUESTS , "Domain Guests" }, + { 0 , NULL } }; +/************************************************************************** + Check if a name matches any of the well known SID values. +***************************************************************************/ + +BOOL lookup_wellknown_sid_from_name(char *windows_name, DOM_SID *psid) +{ + rid_name *rnp; + int i; + + for( i = 0; builtin_alias_rids[i].name != NULL; i++) { + rnp = &builtin_alias_rids[i]; + if(strequal(rnp->name, windows_name)) { + string_to_sid( psid, "S-1-5-32" ); + psid->sub_auths[psid->num_auths++] = rnp->rid; + return True; + } + } + + for( i = 0; domain_user_rids[i].name != NULL; i++ ) { + rnp = &domain_user_rids[i]; + if(strequal(rnp->name, windows_name)) { + *psid = global_machine_sid; + psid->sub_auths[psid->num_auths++] = rnp->rid; + return True; + } + } + + for( i = 0; domain_group_rids[i].name != NULL; i++ ) { + rnp = &domain_group_rids[i]; + if(strequal(rnp->name, windows_name)) { + *psid = global_machine_sid; + psid->sub_auths[psid->num_auths++] = rnp->rid; + return True; + } + } + + return False; +} int make_dom_gids(char *gids_str, DOM_GID **ppgids) { diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 48fd7cbe24..277e3a592e 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -961,7 +961,7 @@ Hence we make a direct return to avoid a second chance!!! #endif #ifdef HPUX_10_TRUSTED - return(bigcrypt(password,this_salt,this_crypted)); + return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0); #endif #ifdef NO_CRYPT |
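Review bot: The corrected HPUX_10_TRUSTED line passes bigcrypt()'s result straight into strcmp(); if bigcrypt() can return NULL on failure, as the crypt() family does on some platforms (its HP-UX contract is not visible here), that is a NULL dereference on the password-verification path rather than a clean reject. Hold the result and test it first: `char *crypted = bigcrypt(password,this_salt);` then `return (crypted != NULL && strcmp(crypted,this_crypted) == 0);`. A secondary caveat worth a comment is that strcmp() stops at the first differing byte, so the comparison is not constant-time; for a salted hash compared over a network this is a low-value side channel, but a `/* NOTE: not constant-time */` marker keeps it from being copied into more sensitive comparisons. The enclosing function begins and ends outside this hunk.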