-rw-r--r--source3/auth/auth_util.c4
-rw-r--r--source3/passdb/lookup_sid.c50
-rw-r--r--source3/smbd/service.c4
3 files changed, 54 insertions, 4 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 90ec3ecaab..45b3bcccef 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1053,9 +1053,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
return NT_STATUS_NO_MEMORY;
}
- if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL,
+ if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
NULL, NULL, &user_sid, &type)) {
- DEBUG(1, ("lookup_name for %s failed\n", username));
+ DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
goto done;
}
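Review bot: lookup_name_smbconf is documented for names that come from smb.conf, but nothing visible in create_token_from_username guarantees that `username` has that origin at this call. If any caller can pass a client-supplied or mapped name, an unqualified value would now be retried under the workgroup and then under "Unix Users", which changes which account the token is built for. Either confirm the callers, which are outside this hunk, or record the assumption above the call, for example `/* username originates from smb.conf (e.g. force user), so unqualified names are resolved locally */`. The function body starts and ends outside the hunk.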
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 31bd4ab762..97cac87984 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -378,6 +378,56 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
return True;
}
+/************************************************************************
+ Names from smb.conf can be unqualified. eg. valid users = foo
+ These names should never map to a remote name. Try lp_workgroup()\foo,
+ and then "Unix Users"\foo (or "Unix Groups"\foo).
+************************************************************************/
+
+BOOL lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ const char *full_name, int flags,
+ const char **ret_domain, const char **ret_name,
+ DOM_SID *ret_sid, enum SID_NAME_USE *ret_type)
+{
+ char *qualified_name;
+
+ /* NB. No winbindd_separator here as lookup_name needs \\' */
+ if (strchr_m(full_name, '\\')) {
+ /* The name is already qualified with a domain. */
+ return lookup_name(mem_ctx, full_name, flags,
+ ret_domain, ret_name,
+ ret_sid, ret_type);
+ }
+
+ /* Try with our own domain name. */
+ qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+ lp_workgroup(),
+ full_name );
+ if (!qualified_name) {
+ return False;
+ }
+
+ if (lookup_name(mem_ctx, qualified_name, flags,
+ ret_domain, ret_name,
+ ret_sid, ret_type)) {
+ return True;
+ }
+
+ /* Finally try with "Unix Users" or "Unix Group" */
+ qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+ flags & LOOKUP_NAME_GROUP ?
+ unix_groups_domain_name() :
+ unix_users_domain_name(),
+ full_name );
+ if (!qualified_name) {
+ return False;
+ }
+
+ return lookup_name(mem_ctx, qualified_name, flags,
+ ret_domain, ret_name,
+ ret_sid, ret_type);
+}
+
static BOOL wb_lookup_rids(TALLOC_CTX *mem_ctx,
const DOM_SID *domain_sid,
int num_rids, uint32 *rids,
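Review bot: The header comment on lookup_name_smbconf says unqualified smb.conf names "should never map to a remote name", but the body does not enforce it: the first attempt qualifies the name with `lp_workgroup()` and passes the caller's `flags` unchanged to lookup_name(). If lp_workgroup() can name a joined domain rather than the local SAM (likely on a domain member, though not visible here), `valid users = foo` would authorize the domain account foo ahead of the local Unix user. Either qualify this step with the local SAM name, or reword the comment to state the real resolution order, so administrators know which principal an unqualified name grants access to. Separately, the first `qualified_name` stays allocated on `mem_ctx` after a failed lookup; `TALLOC_FREE(qualified_name);` before the second talloc_asprintf would keep it from accumulating on a long-lived context.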
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 395114592a..d0ad6fa7e6 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -446,10 +446,10 @@ static NTSTATUS find_forced_group(BOOL force_user,
groupname = talloc_string_sub(mem_ctx, groupname,
"%S", lp_servicename(snum));
- if (!lookup_name(mem_ctx, groupname,
+ if (!lookup_name_smbconf(mem_ctx, groupname,
LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
NULL, NULL, &group_sid, &type)) {
- DEBUG(10, ("lookup_name(%s) failed\n",
+ DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
groupname));
goto done;
}
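Review bot: `groupname` is assigned from talloc_string_sub() and passed straight to lookup_name_smbconf with no NULL check in between, and the new function's first action is `strchr_m(full_name, '\\')`. On allocation failure that dereferences NULL in smbd's share-connection path instead of returning an error. A guard after the substitution, `if (groupname == NULL)` setting the status to NT_STATUS_NO_MEMORY followed by `goto done;`, would match how the rest of the patch handles allocation failure. The body of find_forced_group starts and ends outside this hunk.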