-rw-r--r-- | source3/passdb/passdb.c | 31 | ||||
-rw-r--r-- | source3/passdb/pdb_smbpasswd.c | 41 | ||||
-rw-r--r-- | source3/utils/testparm.c | 10 |
3 files changed, 58 insertions, 24 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 04786b59e5..4ce5b93abd 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -500,9 +500,32 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
 Converts NT user RID to a UNIX uid.
 ********************************************************************/
+static int algorithmic_rid_base(void)
+{
+ static int rid_offset = 0;
+
+ if (rid_offset != 0)
+ return rid_offset;
+
+ rid_offset = lp_algorithmic_rid_base();
+
+ if (rid_offset < BASE_RID) {
+ /* Try to prevent admin foot-shooting, we can't put algorithmic
+ rids below 1000, that's the 'well known RIDs' on NT */
+ DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
+ rid_offset = BASE_RID;
+ }
+ if (rid_offset & 1) {
+ DEBUG(0, ("algorithmic rid base must be even\n"));
+ rid_offset += 1;
+ }
+ return rid_offset;
+}
+
+
 uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
 {
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
 return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
 }
@@ -513,7 +536,7 @@ uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
 uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
 {
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
 return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
 }
@@ -523,7 +546,7 @@ uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
 gid_t pdb_group_rid_to_gid(uint32 group_rid)
 {
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
 return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
 }
@@ -537,7 +560,7 @@ gid_t pdb_group_rid_to_gid(uint32 group_rid)
 uint32 pdb_gid_to_group_rid(gid_t gid)
 {
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
 return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
 }
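Review bot: `algorithmic_rid_base()` caches the clamped base in a function-local `static` on first use, so if smb.conf is reloaded into the running process a changed 'algorithmic rid base' is never seen by the four conversions in this file (hunks at -500, -513, -523 and -537); if runtime reload matters here, drop the cache (both checks are cheap) or reset it from the reload path. The DEBUG in this hunk prints BASE_RID with `%ld` while the testparm hunk prints the same constant with `%lu`, so at least one specifier cannot match BASE_RID's type; use the one matching its definition or cast explicitly, e.g. `DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", (long)BASE_RID));`. Because of the cache the level-0 message is emitted only once, and it does not say which value is actually used, so consider including `rid_offset` in the message after the clamp so logs show the effective base. The unsigned subtraction in `fallback_pdb_user_rid_to_uid` and `pdb_group_rid_to_gid` still has no lower-bound check, so a RID below the base wraps to a very large uid/gid — pre-existing, but a `user_rid < rid_offset` guard would fit naturally now that the base is normalised in one place.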
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index 3ab524f488..abfe016e8a 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1200,28 +1200,29 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
 return False;
 }
- if ((smbpasswd_state->permit_non_unix_accounts)
- && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
- && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
-
- pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
-
- /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
-
- This was down the bottom for machines, but it looks pretty good as
- a general default for non-unix users. --abartlet 2002-01-08
- */
- pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
- pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
- pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
- } else {
-
- pwfile = getpwnam_alloc(pw_buf->smb_name);
- if (pwfile == NULL) {
+ pwfile = getpwnam_alloc(pw_buf->smb_name);
+ if (pwfile == NULL) {
+ if ((smbpasswd_state->permit_non_unix_accounts)
+ && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
+ && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
+
+ pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
+
+ /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
+
+ This was down the bottom for machines, but it looks pretty good as
+ a general default for non-unix users. --abartlet 2002-01-08
+ */
+ pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
+ pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
+ pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
+
+ } else {
 DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
 return False;
 }
-
+ } else {
+ if (!NT_STATUS_IS_OK(pdb_fill_sam_pw(sam_pass, pwfile))) {
 return False;
 }
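Review bot: The reordering changes which identity wins for an smbpasswd entry whose uid is in the NUA range but whose name also resolves through `getpwnam_alloc`: before, the range check ran first and the SID was always derived from `pw_buf->smb_userid`; now `pdb_fill_sam_pw(sam_pass, pwfile)` is used instead, and if that derives the SID from `pwfile->pw_uid` (not visible here) such accounts get a different SID after this commit. A disagreement between the two uids is worth surfacing rather than resolving silently, e.g. `if (pwfile->pw_uid != pw_buf->smb_userid) DEBUG(1, ("build_sam_account: uid %u for %s in smbpasswd differs from unix uid\n", pw_buf->smb_userid, pw_buf->smb_name));` placed before the `pdb_fill_sam_pw` call. The comment moved into the NUA branch should also say that the branch is only reached when no unix account exists, since that is the new precondition and the old text does not state it. `build_sam_account` continues outside the hunk, so the release of `pwfile` on the success path is not visible; the NUA branch leaves it NULL, so whatever frees it below must accept NULL.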
@@ -1386,7 +1387,7 @@ static NTSTATUS smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUN
 struct smb_passwd *smb_pw;
 void *fp = NULL;
- DEBUG(10, ("pdb_getsampwrid: search by rid: %d\n", rid));
+ DEBUG(10, ("smbpasswd_getsampwrid: search by rid: %d\n", rid));
 /* More special case 'guest account' hacks... */
 if (rid == DOMAIN_USER_RID_GUEST) {
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index c81d6e72e4..c92692fda2 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -168,6 +168,16 @@ via the %%o substitution. With encrypted passwords this is not possible.\n", lp_
 printf("'winbind separator = +' might cause problems with group membership.\n");
 }
+ if (lp_algorithmic_rid_base() < BASE_RID) {
+ /* Try to prevent admin foot-shooting, we can't put algorithmic
+ rids below 1000, that's the 'well known RIDs' on NT */
+ printf("'algorithmic rid base' must be equal to or above %lu\n", BASE_RID);
+ }
+
+ if (lp_algorithmic_rid_base() & 1) {
+ printf("'algorithmic rid base' must be even.\n");
+ }
+
 return ret;
 } |
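Review bot: In the testparm hunk these checks only warn, while `algorithmic_rid_base()` in passdb.c rounds the same setting up to BASE_RID or the next even value at runtime, so the two messages should tell the admin that smbd will adjust the value rather than reject it — otherwise testparm output and the effective base disagree silently. This hunk prints BASE_RID with `%lu` whereas passdb.c prints the same constant with `%ld`; only one can match its definition, so align them (an explicit cast in both places is the safest). `lp_algorithmic_rid_base()` is also called twice for the same value; hoist it into a local, `int rid_base = lp_algorithmic_rid_base();`, and test `rid_base` in both conditions. The `/* Try to prevent admin foot-shooting ... */` comment is duplicated verbatim from passdb.c; a one-line pointer to the runtime clamp would keep the two from drifting apart.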