-rw-r--r-- | source3/auth/auth.c | 14 | ||||
-rw-r--r-- | source3/include/auth.h | 5 | ||||
-rw-r--r-- | source3/libsmb/domain_client_validate.c | 25 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_group.c | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 10 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 2 | ||||
-rw-r--r-- | source3/smbd/auth.c | 14 |
8 files changed, 70 insertions, 8 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index e76324213e..4bdbdf5555 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, auth_serversupplied_info server_info; AUTH_STR ourdomain, theirdomain, unix_username, smb_username, wksta_name; + NTSTATUS result; ZERO_STRUCT(user_info); ZERO_STRUCT(ourdomain); @@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, } - return check_password(&user_info, &server_info); + result = check_password(&user_info, &server_info); + + free_serversupplied_info(&server_info); /* No info needed */ + + return result; } NTSTATUS pass_check_smb(char *smb_user, char *unix_user, @@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } + +/* Free a auth_serversupplied_info structure */ + +void free_serversupplied_info(auth_serversupplied_info *server_info) +{ + SAFE_FREE(server_info->group_rids); +} diff --git a/source3/include/auth.h b/source3/include/auth.h index 91230e4b6e..9e99600e98 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -90,6 +90,11 @@ typedef struct serversupplied_info /* This groups info is needed for when we become_user() for this uid */ int n_groups; gid_t *groups; + + /* NT group information taken from the info3 structure */ + + int n_rids; + uint32 *group_rids; uchar session_key[16]; diff --git a/source3/libsmb/domain_client_validate.c b/source3/libsmb/domain_client_validate.c index 26f53f0297..26a727b1f1 100644 --- a/source3/libsmb/domain_client_validate.c +++ b/source3/libsmb/domain_client_validate.c @@ -326,6 +326,7 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, status = cli_nt_login_network(&cli, user_info, smb_uid_low, &ctr, &info3); + if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " 
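Review bot: The new `free_serversupplied_info(&server_info)` call in `pass_check_smb_with_chal` frees `server_info.group_rids` on every return, but the visible context zeroes only `user_info` and the `AUTH_STR` locals, not `server_info`. If `check_password()` can return without assigning `group_rids` (presumably any path other than the domain client one), the free acts on an indeterminate stack pointer. Adding `ZERO_STRUCT(server_info);` beside the other `ZERO_STRUCT` calls would make the free safe whichever path ran; the same applies to the callers patched in `winbindd_pam.c`, `srv_netlog_nt.c` and `smbd/auth.c`. Most of the function body lies outside the hunk, so confirm the initialisation is not already present.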
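Review bot: `free_serversupplied_info` releases `group_rids` but leaves `n_rids` at its old value, so a structure that is reused or inspected after the call still advertises entries that no longer exist. Resetting the count alongside the free, `server_info->n_rids = 0;`, keeps the pointer and its length consistent. The header comment could also say that only the RID array is owned and freed here, since the `groups` array declared next to it in `auth.h` is not touched.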
@@ -335,8 +336,28 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, } /* - * Here, if we really want it, we have lots of info about the user in info3. - */ + * Here, if we really want it, we have lots of info about the user + * in info3. + */ + + /* Store the user group information in the server_info returned to + the caller. */ + + if ((server_info->group_rids = malloc(info3.num_groups2 * + sizeof(uint32))) == NULL) { + DEBUG(1, ("out of memory allocating rid group membership\n")); + status = NT_STATUS_NO_MEMORY; + } else { + int i; + + server_info->n_rids = info3.num_groups2; + + for (i = 0; i < server_info->n_rids; i++) { + server_info->group_rids[i] = info3.gids[i].g_rid; + DEBUG(5, ("** adding group rid 0x%x\n", + info3.gids[i].g_rid)); + } + } #if 0 /* diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 092651c9a7..e1e4443442 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -107,7 +107,9 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain, DEBUG(10, ("fill_grent_mem(): processing name %s\n", the_name)); - /* Only add domain users */ + /* FIXME: need to cope with groups within groups. These + occur in Universal groups on a Windows 2000 native mode + server. */ if (name_types[i] != SID_NAME_USER) { DEBUG(3, ("fill_grent_mem(): name %s isn't a domain " diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 406b12c9f6..5cf819a19d 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -141,6 +141,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) auth_dc, trust_passwd, last_change_time); + free_serversupplied_info(&server_info); /* No info needed */ + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } 
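Review bot: `info3.num_groups2` is taken from the domain controller's reply and is used unchecked as both the `malloc` size and the loop bound in the added block. When the count is zero, `malloc(0)` may return NULL and a successful logon is then reported as `NT_STATUS_NO_MEMORY`; when it is very large, `info3.num_groups2 * sizeof(uint32)` can wrap on a 32-bit `size_t`, and the value is also narrowed into the signed `int n_rids`. Handle the empty case explicitly, e.g. `if (info3.num_groups2 == 0) { server_info->n_rids = 0; server_info->group_rids = NULL; }`, and reject counts above a sane upper limit before multiplying. The hunk does not show whether the function returns right after `status = NT_STATUS_NO_MEMORY`, or whether `info3.gids` is guaranteed to hold `num_groups2` entries; both should be confirmed, as the rest of `domain_client_validate` is outside the hunk.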
@@ -218,6 +220,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) auth_dc, trust_passwd, last_change_time); + free_serversupplied_info(&server_info); /* No info needed */ + return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 614198673b..6a0a5389ef 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -344,6 +344,9 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; uint32 i, total_names = 0; + /* Step #1: Get a list of user rids that are the members of the + group. */ + if (!(group_hnd = cm_get_sam_group_handle(domain->name, &domain->sid, group_rid))) goto done; @@ -357,9 +360,10 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(result)) goto done; - /* Convert list of rids into list of names. Do this in bunches of - ~1000 to avoid crashing NT4. It looks like there is a buffer - overflow or something like that lurking around somewhere. */ + /* Step #2: Convert list of rids into list of usernames. Do this + in bunches of ~1000 to avoid crashing NT4. It looks like there + is a buffer overflow or something like that lurking around + somewhere. */ if (!(dom_hnd = cm_get_sam_dom_handle(domain->name, &domain->sid))) goto done; diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index cb54d726b3..0f2b672d38 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -595,6 +595,8 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c DEBUG(5, ("_net_logon_any: exited with status %s\n", get_nt_error_msg(nt_status))); + free_serversupplied_info(&server_info); /* No info needed */ + return nt_status; } diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c index e76324213e..4bdbdf5555 100644 --- a/source3/smbd/auth.c 
+++ b/source3/smbd/auth.c @@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, auth_serversupplied_info server_info; AUTH_STR ourdomain, theirdomain, unix_username, smb_username, wksta_name; + NTSTATUS result; ZERO_STRUCT(user_info); ZERO_STRUCT(ourdomain); @@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, } - return check_password(&user_info, &server_info); + result = check_password(&user_info, &server_info); + + free_serversupplied_info(&server_info); /* No info needed */ + + return result; } NTSTATUS pass_check_smb(char *smb_user, char *unix_user, @@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen) return False; } + +/* Free a auth_serversupplied_info structure */ + +void free_serversupplied_info(auth_serversupplied_info *server_info) +{ + SAFE_FREE(server_info->group_rids); +} |