summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/passdb/nispass.c15
-rw-r--r--source3/passdb/passdb.c90
-rw-r--r--source3/passdb/pdb_ldap.c15
-rw-r--r--source3/passdb/pdb_nisplus.c21
-rw-r--r--source3/passdb/pdb_smbpasswd.c31
5 files changed, 143 insertions, 29 deletions
diff --git a/source3/passdb/nispass.c b/source3/passdb/nispass.c
index 79465982ec..0f41b47549 100644
--- a/source3/passdb/nispass.c
+++ b/source3/passdb/nispass.c
@@ -302,9 +302,20 @@ static BOOL make_sam_from_nisp_object(struct sam_passwd *pw_buf, nis_object *obj
sam_logon_in_ssb = True;
get_single_attribute(obj, NPF_GROUP_RID, temp, sizeof(pstring));
- pw_buf->group_rid = (strlen(temp) > 0) ?
- strtol(temp, NULL, 16) : pdb_gid_to_group_rid (pw_buf->smb_grpid);
+ if (strlen(temp) > 0)
+ pw_buf->group_rid = strtol(temp, NULL, 16);
+ else {
+ GROUP_MAP map;
+
+ if (get_group_map_from_gid(pw_buf->smb_grpid, &map)) {
+ free_privileges(&map.priv_set);
+ pw_buf->group_rid = map.rid;
+ }
+ else
+ pw_buf->group_rid = pdb_gid_to_group_rid(pw_buf->smb_grpid);
+ }
+
get_single_attribute(obj, NPF_FULL_NAME, full_name, sizeof(pstring));
#if 1
/* It seems correct to use the global values - but in that case why
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index b07dec7c0d..8555186826 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -119,6 +119,8 @@ BOOL pdb_init_sam(SAM_ACCOUNT **user)
BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
{
pstring str;
+ GROUP_MAP map;
+ uint32 rid;
extern BOOL sam_logon_in_ssb;
extern pstring samlogon_user;
@@ -139,7 +141,14 @@ BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
pdb_set_gid(*new_sam_acct, &pwd->pw_gid);
pdb_set_user_rid(*new_sam_acct, pdb_uid_to_user_rid(pwd->pw_uid));
- pdb_set_group_rid(*new_sam_acct, pdb_gid_to_group_rid(pwd->pw_gid));
+
+ /* call the mapping code here */
+ if(get_group_map_from_gid(pwd->pw_gid, &map)) {
+ free_privilege(&map.priv_set);
+ sid_peek_rid(&map.sid, &rid);
+ } else
+ rid=pdb_gid_to_group_rid(pwd->pw_gid);
+ pdb_set_group_rid(*new_sam_acct, rid);
/* UGLY, UGLY HACK!!! */
pstrcpy(samlogon_user, pwd->pw_name);
@@ -379,6 +388,7 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
{
+ GROUP_MAP map;
struct passwd *pw = Get_Pwnam(user_name);
if (u_rid == NULL || g_rid == NULL || user_name == NULL)
@@ -394,7 +404,12 @@ BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
*u_rid = pdb_uid_to_user_rid(pw->pw_uid);
/* absolutely no idea what to do about the unix GID to Domain RID mapping */
- *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
+ /* map it ! */
+ if (get_group_map_from_gid(pw->pw_gid, &map)) {
+ free_privilege(&map.priv_set);
+ sid_peek_rid(&map.sid, g_rid);
+ } else
+ *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
return True;
}
@@ -408,14 +423,6 @@ uid_t pdb_user_rid_to_uid(uint32 user_rid)
return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER);
}
-/*******************************************************************
- Converts NT user RID to a UNIX gid.
- ********************************************************************/
-
-gid_t pdb_user_rid_to_gid(uint32 user_rid)
-{
- return (uid_t)(((user_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER);
-}
/*******************************************************************
Converts NT group RID to a UNIX gid.
@@ -437,6 +444,10 @@ uint32 pdb_uid_to_user_rid(uid_t uid)
/*******************************************************************
converts NT Group RID to a UNIX uid.
+
+ warning: you must not call that function only
+ you must do a call to the group mapping first.
+ there is not anymore a direct link between the gid and the rid.
********************************************************************/
uint32 pdb_gid_to_group_rid(gid_t gid)
@@ -560,7 +571,7 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
}
}
- gid = pdb_user_rid_to_gid(rid);
+ gid = pdb_group_rid_to_gid(rid);
gr = getgrgid(gid);
*psid_name_use = SID_NAME_ALIAS;
@@ -643,11 +654,32 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid,
sid_copy(&local_sid, &map.sid);
*psid_name_use = map.sid_name_use;
}
+ else
+ /* it's a correct name but not mapped so it points to nothing*/
+ return False;
} else {
+ /* it's not a mapped group */
grp = getgrnam(user);
if(!grp)
return False;
+ /*
+ *check if it's mapped, if it is reply it doesn't exist
+ *
+ * that's to prevent this case:
+ *
+ * unix group ug is mapped to nt group ng
+ * someone does a lookup on ug
+ * we must not reply as it doesn't "exist" anymore
+ * for NT. For NT only ng exists.
+ * JFM, 30/11/2001
+ */
+
+ if(get_group_map_from_gid(grp->gr_gid, &map)){
+ free_privilege(&map.priv_set);
+ return False;
+ }
+
sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
*psid_name_use = SID_NAME_ALIAS;
}
@@ -722,10 +754,18 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
{
- extern DOM_SID global_sam_sid;
+ extern DOM_SID global_sam_sid;
+ GROUP_MAP map;
sid_copy(psid, &global_sam_sid);
- sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+
+ if (get_group_map_from_gid(gid, &map)) {
+ free_privilege(&map.priv_set);
+ sid_copy(psid, &map.sid);
+ }
+ else {
+ sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+ }
return psid;
}
@@ -736,11 +776,12 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
{
- extern DOM_SID global_sam_sid;
+ extern DOM_SID global_sam_sid;
DOM_SID dom_sid;
uint32 rid;
fstring str;
struct group *grp;
+ GROUP_MAP map;
*name_type = SID_NAME_UNKNOWN;
@@ -750,6 +791,8 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
/*
* We can only convert to a gid if this is our local
* Domain SID (ie. we are the controling authority).
+ *
+ * Or in the Builtin SID too. JFM, 11/30/2001
*/
if (!sid_equal(&global_sam_sid, &dom_sid))
@@ -758,7 +801,19 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
if (pdb_rid_is_user(rid))
return False;
- *pgid = pdb_user_rid_to_gid(rid);
+ if (get_group_map_from_sid(*psid, &map)) {
+ free_privilege(&map.priv_set);
+
+ /* the SID is in the mapping table but not mapped */
+ if (map.gid==-1)
+ return False;
+
+ sid_peek_rid(&map.sid, pgid);
+ *name_type = map.sid_name_use;
+ } else {
+ *pgid = pdb_group_rid_to_gid(rid);
+ *name_type = SID_NAME_ALIAS;
+ }
/*
* Ensure this gid really does exist.
@@ -770,8 +825,6 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u) (%s).\n", sid_to_string( str, psid),
(unsigned int)*pgid, grp->gr_name ));
- *name_type = SID_NAME_ALIAS;
-
return True;
}
@@ -918,7 +971,8 @@ account without a valid local system user.\n", user_name);
}
/* set account flags. Note that the default is non-expiring accounts */
- if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL|ACB_PWNOEXP) )) {
+ /*if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL|ACB_PWNOEXP) )) {*/
+ if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL) )) {
slprintf(err_str, err_str_len-1, "Failed to set 'trust account' flags for user %s.\n", user_name);
pdb_free_sam(&sam_pass);
return False;
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 62c3a1b4a2..d0eebbed89 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -577,13 +577,22 @@ static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCO
make_a_mod(mods, ldap_state, "description", pdb_get_acct_desc(sampass));
make_a_mod(mods, ldap_state, "userWorkstations", pdb_get_workstations(sampass));
- if ( !sampass->user_rid)
+ if ( !sampass->user_rid)
sampass->user_rid = pdb_uid_to_user_rid(pdb_get_uid(sampass));
slprintf(temp, sizeof(temp) - 1, "%i", sampass->user_rid);
make_a_mod(mods, ldap_state, "rid", temp);
- if ( !sampass->group_rid)
- sampass->group_rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
+ if ( !sampass->group_rid) {
+ GROUP_MAP map;
+
+ if (get_group_map_from_gid(pdb_get_gid(sampass), &map)) {
+ free_privilege(&map.priv_set);
+ sid_peek_rid(&map.sid, &sampass->group_rid);
+ }
+ else
+ sampass->group_rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
+ }
+
slprintf(temp, sizeof(temp) - 1, "%i", sampass->group_rid);
make_a_mod(mods, ldap_state, "primaryGroupID", temp);
diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c
index 6a97bd02b8..aff0870a8d 100644
--- a/source3/passdb/pdb_nisplus.c
+++ b/source3/passdb/pdb_nisplus.c
@@ -493,9 +493,24 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass,
pdb_get_user_rid(sampass)? pdb_get_user_rid(sampass):
pdb_uid_to_user_rid(pdb_get_uid(sampass)));
slprintf(gid, sizeof(gid)-1, "%u", pdb_get_gid(sampass));
- slprintf(group_rid, sizeof(group_rid)-1, "%u",
- pdb_get_group_rid(sampass)? pdb_get_group_rid(sampass):
- pdb_gid_to_group_rid(pdb_get_gid(sampass)));
+
+ {
+ uint32 rid;
+ GROUP_MAP map;
+
+ rid=pdb_get_group_rid(sampass);
+
+ if (rid==0) {
+ if (get_group_map_from_gid(pdb_get_gid(sampass), &map)) {
+ free_privilege(&map.priv_set);
+ sid_peek_rid(&map.sid, &rid);
+ } else
+ rid=pdb_gid_to_group_rid(pdb_get_gid(sampass));
+ }
+
+ slprintf(group_rid, sizeof(group_rid)-1, "%u", rid);
+ }
+
acb = pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sampass),
NEW_PW_FORMAT_SPACE_PADDED_LEN);
pdb_sethexpwd (smb_passwd, pdb_get_lanman_passwd(sampass),
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index fa2a2a82e7..c189d9a9b7 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1164,10 +1164,24 @@ static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampas
return False;
}
+#if 0
+ /*
+ * ifdef'out by JFM on 11/29/2001.
+ * this assertion is no longer valid
+ * and I don't understand the goal
+ * and doing the same thing with the group mapping code
+ * is hairy !
+ *
+ * We just have the RID, in which SID is it valid ?
+ * our domain SID ? well known SID ? local SID ?
+ */
+
if (*gid != pdb_group_rid_to_gid(pdb_get_group_rid(sampass))) {
DEBUG(0,("build_sam_pass: Failing attempt to store user with non-gid based primary group RID. \n"));
+ DEBUG(0,("build_sam_pass: %d %d %d. \n", *gid, pdb_group_rid_to_gid(pdb_get_group_rid(sampass)), pdb_get_group_rid(sampass)));
return False;
}
+#endif
return True;
}
@@ -1207,8 +1221,19 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw
pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pwfile->pw_uid));
- /* should check the group mapping here instead of static mappig. JFM */
- pdb_set_group_rid(sam_pass, pdb_gid_to_group_rid(pwfile->pw_gid));
+ {
+ uint32 rid;
+ GROUP_MAP map;
+
+ if (get_group_map_from_gid(pwfile->pw_gid, &map)) {
+ free_privilege(&map.priv_set);
+ sid_peek_rid(&map.sid, &rid);
+ }
+ else
+ rid=pdb_gid_to_group_rid(pwfile->pw_gid);
+
+ pdb_set_group_rid(sam_pass, rid);
+ }
pdb_set_username (sam_pass, pw_buf->smb_name);
pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd);
@@ -1249,7 +1274,7 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw
} else {
/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
- pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS);
+ /*pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); */
}
sam_logon_in_ssb = False;