summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/auth/auth_util.c126
1 files changed, 88 insertions, 38 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 789193c610..f7b46465f7 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -650,29 +650,22 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
* of groups.
******************************************************************************/
-static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
+static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid,
int *n_groups, DOM_SID **groups, gid_t **unix_groups)
{
- uid_t uid;
- gid_t gid;
int n_unix_groups;
int i;
*n_groups = 0;
*groups = NULL;
- if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) {
- DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
n_unix_groups = groups_max();
if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
return NT_STATUS_NO_MEMORY;
}
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
+ if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
gid_t *groups_tmp;
groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
if (!groups_tmp) {
@@ -681,7 +674,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
}
*unix_groups = groups_tmp;
- if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
+ if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
SAFE_FREE(*unix_groups);
return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
@@ -717,35 +710,26 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
Make a user_info struct
***************************************************************************/
-static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
+static NTSTATUS make_server_info(auth_serversupplied_info **server_info)
{
- NTSTATUS ret;
-
*server_info = malloc(sizeof(**server_info));
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(*server_info);
-
- (*server_info)->sam_fill_level = SAM_FILL_ALL;
- (*server_info)->sam_account = sampass;
- if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
- return ret;
- if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
- return ret;
-
return NT_STATUS_OK;
}
/***************************************************************************
- Make (and fill) a user_info struct from a SAM_ACCOUNT
+Fill a server_info struct from a SAM_ACCOUNT with their groups
***************************************************************************/
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
- SAM_ACCOUNT *sampass)
+static NTSTATUS add_user_groups(auth_serversupplied_info **server_info,
+ SAM_ACCOUNT *sampass,
+ uid_t uid, gid_t gid)
{
- NTSTATUS nt_status = NT_STATUS_OK;
+ NTSTATUS nt_status;
const DOM_SID *user_sid = pdb_get_user_sid(sampass);
const DOM_SID *group_sid = pdb_get_group_sid(sampass);
int n_groupSIDs = 0;
@@ -755,14 +739,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
BOOL is_guest;
uint32 rid;
- if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) {
- return nt_status;
- }
-
- if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(sampass,
- &n_groupSIDs, &groupSIDs, &unix_groups)))
- {
+ nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass),
+ uid, gid,
+ &n_groupSIDs, &groupSIDs,
+ &unix_groups);
+ if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(4,("get_user_groups_from_local_sam failed\n"));
free_server_info(server_info);
return nt_status;
@@ -785,9 +766,36 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
(*server_info)->n_groups = n_groupSIDs;
(*server_info)->groups = unix_groups;
-
(*server_info)->ptok = token;
-
+
+ return nt_status;
+}
+
+/***************************************************************************
+ Make (and fill) a user_info struct from a SAM_ACCOUNT
+***************************************************************************/
+
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
+ SAM_ACCOUNT *sampass)
+{
+ NTSTATUS nt_status;
+
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info)))
+ return nt_status;
+
+ (*server_info)->sam_account = sampass;
+
+ if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
+ return nt_status;
+
+ if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
+ return nt_status;
+
+ if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass,
+ (*server_info)->uid, (*server_info)->gid)))
+ return nt_status;
+
+ (*server_info)->sam_fill_level = SAM_FILL_ALL;
DEBUG(5,("make_server_info_sam: made server info for user %s\n",
pdb_get_username((*server_info)->sam_account)));
@@ -806,7 +814,20 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc
if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
return nt_status;
}
- return make_server_info_sam(server_info, sampass);
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
+ return nt_status;
+ }
+
+ (*server_info)->sam_account = sampass;
+
+ if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) {
+ return nt_status;
+ }
+
+ (*server_info)->sam_fill_level = SAM_FILL_ALL;
+ (*server_info)->uid = pwd->pw_uid;
+ (*server_info)->gid = pwd->pw_gid;
+ return nt_status;
}
/***************************************************************************
@@ -848,6 +869,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
***************************************************************************/
static NTSTATUS fill_sam_account(const char *domain,
const char *username,
+ uid_t *uid, gid_t *gid,
SAM_ACCOUNT **sam_account)
{
fstring dom_user;
@@ -866,6 +888,9 @@ static NTSTATUS fill_sam_account(const char *domain,
if (passwd == NULL)
return NT_STATUS_NO_SUCH_USER;
+ *uid = passwd->pw_uid;
+ *gid = passwd->pw_gid;
+
return pdb_init_sam_pw(sam_account, passwd);
}
@@ -892,6 +917,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct passwd *passwd;
unid_t u_id, g_id;
+ uid_t uid;
+ gid_t gid;
int u_type, g_type;
int n_lgroupSIDs;
@@ -931,15 +958,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
u_type = ID_USERID;
g_type = ID_GROUPID;
+
+ /* we are trying to check that idmap isn't stuffing us over - does this
+ user actually exist? */
if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid))
&& NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid))
&& ((passwd = getpwuid_alloc(u_id.uid)))) {
+
nt_status = pdb_init_sam_pw(&sam_account, passwd);
+
+ uid = passwd->pw_uid;
+ gid = passwd->pw_gid;
+
+ /* we should check this is the same name */
+
passwd_free(&passwd);
} else {
+ /* User not from winbind - try and find them by getpwnam() */
nt_status = fill_sam_account(nt_domain,
internal_username,
+ &uid, &gid,
&sam_account);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
@@ -948,6 +987,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
auth_add_user_script(nt_domain, internal_username);
nt_status = fill_sam_account(nt_domain,
internal_username,
+ &uid, &gid,
&sam_account);
}
}
@@ -1002,17 +1042,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) {
+ /* now that we have a SAM_ACCOUNT that looks real, make a server_info
+ to wrap it in, and use pass it on down */
+
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
DEBUG(4, ("make_server_info failed!\n"));
pdb_free_sam(&sam_account);
return nt_status;
}
+ /* Fill in the unix info we found on the way */
+
+ (*server_info)->sam_fill_level = SAM_FILL_ALL;
+ (*server_info)->uid = uid;
+ (*server_info)->gid = gid;
+
/* Store the user group information in the server_info
returned to the caller. */
if (!NT_STATUS_IS_OK(nt_status
- = get_user_groups_from_local_sam(sam_account,
+ = get_user_groups_from_local_sam(pdb_get_username(sam_account),
+ uid, gid,
&n_lgroupSIDs,
&lgroupSIDs,
&unix_groups)))