-rw-r--r-- | source4/auth/auth.c | 6 | ||||
-rw-r--r-- | source4/auth/auth.h | 9 | ||||
-rw-r--r-- | source4/auth/auth_util.c | 158 | ||||
-rw-r--r-- | source4/include/smb.h | 12 | ||||
-rw-r--r-- | source4/smb_server/password.c | 74 |
5 files changed, 2 insertions, 257 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index 720b8149bd..83446721e6 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -231,12 +231,6 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 }
 }
- /* This is one of the few places the *relies* (rather than just sets defaults
- on the value of lp_security(). This needs to change. A new paramater
- perhaps? */
- if (lp_security() >= SEC_SERVER)
- smb_user_control(user_info, *server_info, nt_status);
- if (NT_STATUS_IS_OK(nt_status)) {
 if (NT_STATUS_IS_OK(nt_status)) {
 DEBUG((*server_info)->guest ? 5 : 2,
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 22738ffc2c..bf6e1b77e1 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -66,10 +66,6 @@ typedef struct auth_serversupplied_info {
 BOOL guest;
- /* This groups info is needed for when we become_user() for this uid */
- int n_groups;
- gid_t *groups;
-
 /* NT group information taken from the info3 structure */
 NT_USER_TOKEN *ptok;
@@ -77,11 +73,6 @@ typedef struct auth_serversupplied_info
 DATA_BLOB user_session_key;
 DATA_BLOB lm_session_key;
- uint32 sam_fill_level; /* How far is this structure filled? */
-
- SAM_ACCOUNT *sam_account;
-
- void *pam_handle;
 } auth_serversupplied_info;
 struct auth_context {
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index db10514c7e..7bb8c8a558 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -31,54 +31,6 @@ extern DOM_SID global_sid_Network;
 extern DOM_SID global_sid_Builtin_Guests;
 extern DOM_SID global_sid_Authenticated_Users;
-
-/****************************************************************************
- Create a UNIX user on demand.
-****************************************************************************/
-
-static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
-{
- pstring add_script;
- int ret;
-
- pstrcpy(add_script, lp_adduser_script());
- if (! *add_script)
- return -1;
- all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
- if (domain)
- all_string_sub(add_script, "%D", domain, sizeof(pstring));
- if (homedir)
- all_string_sub(add_script, "%H", homedir, sizeof(pstring));
- ret = smbrun(add_script,NULL);
- DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
- return ret;
-}
-
-/****************************************************************************
- Add and Delete UNIX users on demand, based on NTSTATUS codes.
-****************************************************************************/
-
-void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
-{
- struct passwd *pwd=NULL;
-
- if (NT_STATUS_IS_OK(nt_status)) {
-
- if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) {
-
- /*
- * User validated ok against Domain controller.
- * If the admin wants us to try and create a UNIX
- * user on the fly, do so.
- */
-
- if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) {
- smb_create_user(user_info->domain.str, user_info->internal_username.str, NULL);
- }
- }
- }
-}
-
 /****************************************************************************
 Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from unix info.
@@ -623,87 +575,6 @@ struct nt_user_token *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *
 return token;
 }
-/******************************************************************************
- * this function returns the groups (SIDs) of the local SAM the user is in.
- * If this samba server is a DC of the domain the user belongs to, it returns
- * both domain groups and local / builtin groups. If the user is in a trusted
- * domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of.
- *
- * currently this is a hack, as there is no sam implementation that is capable
- * of groups.
- ******************************************************************************/
-
-static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
- int *n_groups, DOM_SID **groups, gid_t **unix_groups)
-{
- uid_t uid;
- gid_t gid;
- int n_unix_groups;
- int i;
- struct passwd *usr;
-
- *n_groups = 0;
- *groups = NULL;
-
- if (!IS_SAM_UNIX_USER(sampass)) {
- DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- uid = pdb_get_uid(sampass);
- gid = pdb_get_gid(sampass);
-
- n_unix_groups = groups_max();
- if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
- DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
- passwd_free(&usr);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
- gid_t *groups_tmp;
- groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
- if (!groups_tmp) {
- SAFE_FREE(*unix_groups);
- passwd_free(&usr);
- return NT_STATUS_NO_MEMORY;
- }
- *unix_groups = groups_tmp;
-
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
- DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
- SAFE_FREE(*unix_groups);
- passwd_free(&usr);
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
- }
- }
-
- debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
-
- if (n_unix_groups > 0) {
- *groups = malloc(sizeof(DOM_SID) * n_unix_groups);
- if (!*groups) {
- DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n"));
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- *n_groups = n_unix_groups;
-
- for (i = 0; i < *n_groups; i++) {
- if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
- DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1]));
- SAFE_FREE(*groups);
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_SUCH_USER;
- }
- }
-
- return NT_STATUS_OK;
-}
-
 /***************************************************************************
 Make a user_info struct
 ***************************************************************************/
@@ -717,9 +588,6 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC
 }
 ZERO_STRUCTP(*server_info);
- (*server_info)->sam_fill_level = SAM_FILL_ALL;
- (*server_info)->sam_account = sampass;
-
 return NT_STATUS_OK;
 }
@@ -733,9 +601,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 NTSTATUS nt_status = NT_STATUS_OK;
 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
- int n_groupSIDs = 0;
- DOM_SID *groupSIDs = NULL;
- gid_t *unix_groups = NULL;
 NT_USER_TOKEN *token;
 BOOL is_guest;
 uint32 rid;
@@ -744,38 +609,19 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 return nt_status;
 }
- if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(sampass,
- &n_groupSIDs, &groupSIDs, &unix_groups)))
- {
- DEBUG(4,("get_user_groups_from_local_sam failed\n"));
- free_server_info(server_info);
- return nt_status;
- }
-
 is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
 if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
- n_groupSIDs, groupSIDs, is_guest,
+ 0, NULL, is_guest,
 &token))) {
 DEBUG(4,("create_nt_user_token failed\n"));
- SAFE_FREE(groupSIDs);
- SAFE_FREE(unix_groups);
 free_server_info(server_info);
 return nt_status;
 }
-
- SAFE_FREE(groupSIDs);
-
- (*server_info)->n_groups = n_groupSIDs;
- (*server_info)->groups = unix_groups;
 (*server_info)->ptok = token;
- DEBUG(5,("make_server_info_sam: made server info for user %s\n",
- pdb_get_username((*server_info)->sam_account)));
-
 return nt_status;
 }
@@ -866,11 +712,9 @@ void free_server_info(auth_serversupplied_info **server_info) {
 DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
 if (*server_info != NULL) {
- pdb_free_sam(&(*server_info)->sam_account);
 /* call pam_end here, unless we know we are keeping it */
 delete_nt_token( &(*server_info)->ptok );
- SAFE_FREE((*server_info)->groups);
 ZERO_STRUCT(**server_info);
 }
 SAFE_FREE(*server_info);
diff --git a/source4/include/smb.h b/source4/include/smb.h
index 6982a0dae0..7988a500fa 100644
--- a/source4/include/smb.h
+++ b/source4/include/smb.h
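Review bot: With `+ 0, NULL, is_guest,` every token built by make_server_info_sam now has an empty group-SID list, so any later access check keyed on group membership (including the builtin groups declared as externs at the top of this file) will treat the user as belonging to no group at all; the commit does not say whether that is intended as an interim state. Document it on the function until a SID-mapping replacement for get_user_groups_from_local_sam exists, e.g. `/* NOTE: the token is created with no group SIDs; group-based access checks cannot rely on it yet */`. Separately, free_server_info (last hunk of this file) no longer calls pdb_free_sam, and server_info no longer stores sampass, so the SAM_ACCOUNT passed to make_server_info_sam is now owned by the caller rather than by server_info; that transfer should be stated in make_server_info_sam's header (`/* sampass is borrowed; the caller remains responsible for pdb_free_sam() */`) and the call sites, which are outside this diff, checked for a resulting leak.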
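Review bot: The context comment `/* call pam_end here, unless we know we are keeping it */` in free_server_info is stale after this commit: the `pam_handle` member it refers to is removed from auth_serversupplied_info in the auth.h hunk, so there is no PAM handle left to end. Drop the comment, or reword it to describe what the function still releases, `/* the NT token is the only owned member left to release */`.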
@@ -1079,21 +1079,9 @@ typedef struct user_struct {
 struct user_struct *next, *prev;
 uint16 vuid; /* Tag for this entry. */
- uid_t uid; /* uid of a validated user */
- gid_t gid; /* gid of a validated user */
- userdom_struct user;
- char *homedir;
- char *unix_homedir;
- char *logon_script;
-
 BOOL guest;
- /* following groups stuff added by ih */
- /* This groups info is needed for when we become_user() for this uid */
- int n_groups;
- gid_t *groups;
-
 NT_USER_TOKEN *nt_user_token;
 DATA_BLOB session_key;
diff --git a/source4/smb_server/password.c b/source4/smb_server/password.c
index 196556819e..61987518b8 100644
--- a/source4/smb_server/password.c
+++ b/source4/smb_server/password.c
@@ -56,10 +56,6 @@ void invalidate_vuid(struct server_context *smb, uint16 vuid)
 if (vuser == NULL) return;
- SAFE_FREE(vuser->homedir);
- SAFE_FREE(vuser->unix_homedir);
- SAFE_FREE(vuser->logon_script);
-
 data_blob_free(&vuser->session_key);
 session_yield(vuser);
@@ -72,7 +68,6 @@ void invalidate_vuid(struct server_context *smb, uint16 vuid)
 from the vuid 'owner' of connections */
 /* REWRITE: conn_clear_vuid_cache(smb, vuid); */
- SAFE_FREE(vuser->groups);
 delete_nt_token(&vuser->nt_user_token);
 SAFE_FREE(vuser);
 smb->users.num_validated_vuids--;
@@ -141,73 +136,17 @@ int register_vuid(struct server_context *smb,
 vuser->vuid = smb->users.next_vuid;
- /* the next functions should be done by a SID mapping system (SMS) as
- * the new real sam db won't have reference to unix uids or gids
- */
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT\n"));
- free(vuser);
- free_server_info(&server_info);
- return UID_FIELD_INVALID;
- }
-
- vuser->uid = pdb_get_uid(server_info->sam_account);
- vuser->gid = pdb_get_gid(server_info->sam_account);
-
- vuser->n_groups = server_info->n_groups;
- if (vuser->n_groups) {
- if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) {
- DEBUG(0,("register_vuid: failed to memdup vuser->groups\n"));
- free(vuser);
- free_server_info(&server_info);
- return UID_FIELD_INVALID;
- }
- }
-
 vuser->guest = server_info->guest;
- fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account));
-
- /* This is a potentially untrusted username */
- alpha_strcpy(vuser->user.smb_name, smb_name, ". 
_-$", sizeof(vuser->user.smb_name));
-
- fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account));
- fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account));
-
- {
- /* Keep the homedir handy */
- const char *homedir = pdb_get_homedir(server_info->sam_account);
- const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account);
- const char *logon_script = pdb_get_logon_script(server_info->sam_account);
- if (homedir) {
- vuser->homedir = smb_xstrdup(homedir);
- }
-
- if (unix_homedir) {
- vuser->unix_homedir = smb_xstrdup(unix_homedir);
- }
-
- if (logon_script) {
- vuser->logon_script = smb_xstrdup(logon_script);
- }
- }
 vuser->session_key = *session_key;
- DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n",
- (unsigned int)vuser->uid,
- (unsigned int)vuser->gid,
- vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest ));
-
- DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));
+ DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));
 if (server_info->ptok) {
 vuser->nt_user_token = dup_nt_token(server_info->ptok);
 } else {
 DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
 free_server_info(&server_info);
- SAFE_FREE(vuser->homedir);
- SAFE_FREE(vuser->unix_homedir);
- SAFE_FREE(vuser->logon_script);
 SAFE_FREE(vuser);
 return UID_FIELD_INVALID;
@@ -216,8 +155,6 @@ int register_vuid(struct server_context *smb,
 /* use this to keep tabs on all our info from the authentication */
 vuser->server_info = server_info;
- DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid));
-
 smb->users.next_vuid++;
 smb->users.num_validated_vuids++;
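Review bot: The replacement log line `+ DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));` drops every identifying field the old message carried (uid, gid, unix, smb and domain names), and since user_struct no longer stores any name (smb.h hunk), a session-setup log entry can no longer be tied to a principal or even to the session it creates. At minimum include the vuid the function is about to hand out, so the entry can be correlated with the later invalidate_vuid: `DEBUG(10,("register_vuid: vuid=%u guest=%d\n", (unsigned int)vuser->vuid, vuser->guest ));`. After the alpha_strcpy removal nothing in this hunk reads the `smb_name` parameter any more, so it is presumably unused now; either drop it from the signature or leave a comment saying why it is kept. register_vuid's signature and the rest of its body lie outside this hunk.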
@@ -229,15 +166,6 @@ int register_vuid(struct server_context *smb,
 return -1;
 }
- /* Register a home dir service for this user */
- if ((!vuser->guest) && vuser->unix_homedir && *(vuser->unix_homedir)) {
- DEBUG(3, ("Adding/updating homes service for user '%s' using home direcotry: '%s'\n",
- vuser->user.unix_name, vuser->unix_homedir));
- vuser->homes_snum = add_home_service(vuser->user.unix_name, vuser->user.unix_name, vuser->unix_homedir);
- } else {
- vuser->homes_snum = -1;
- }
-
 return vuser->vuid;
 } |
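Review bot: Removing the `} else { vuser->homes_snum = -1; }` branch leaves nothing in register_vuid that initializes `vuser->homes_snum`, while the smb.h hunk (which shows only part of user_struct) does not remove the field. If vuser is zero-filled at allocation, which happens outside this hunk, the field now reads 0, a valid service number rather than the old "no homes share" sentinel of -1; if it is not zero-filled, it is indeterminate. Either keep the sentinel explicitly, `vuser->homes_snum = -1;`, before the return, or remove the field together with whatever still reads it.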