diff options
-rw-r--r-- | source3/auth/auth_util.c | 126 |
1 files changed, 88 insertions, 38 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 789193c610..f7b46465f7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -650,29 +650,22 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, +static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid, int *n_groups, DOM_SID **groups, gid_t **unix_groups) { - uid_t uid; - gid_t gid; int n_unix_groups; int i; *n_groups = 0; *groups = NULL; - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { - DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); return NT_STATUS_NO_MEMORY; } - if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { gid_t *groups_tmp; groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { @@ -681,7 +674,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, } *unix_groups = groups_tmp; - if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ @@ -717,35 +710,26 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, Make a user_info struct ***************************************************************************/ -static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info) { - NTSTATUS ret; - *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; - if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) - return ret; - if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) - return ret; - return NT_STATUS_OK; } /*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT +Fill a server_info struct from a SAM_ACCOUNT with their groups ***************************************************************************/ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) +static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass, + uid_t uid, gid_t gid) { - NTSTATUS nt_status = NT_STATUS_OK; + NTSTATUS nt_status; const DOM_SID *user_sid = pdb_get_user_sid(sampass); const DOM_SID *group_sid = pdb_get_group_sid(sampass); int n_groupSIDs = 0; @@ -755,14 +739,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { - return nt_status; - } - - if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(sampass, - &n_groupSIDs, &groupSIDs, &unix_groups))) - { + nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass), + uid, gid, + &n_groupSIDs, &groupSIDs, + &unix_groups); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); free_server_info(server_info); return nt_status; @@ -785,9 +766,36 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->n_groups = n_groupSIDs; (*server_info)->groups = unix_groups; - (*server_info)->ptok = token; - + + return nt_status; +} + +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) +{ + NTSTATUS nt_status; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) + return nt_status; + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, + (*server_info)->uid, (*server_info)->gid))) + return nt_status; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); @@ -806,7 +814,20 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { return nt_status; } - return make_server_info_sam(server_info, sampass); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + return nt_status; + } + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) { + return nt_status; + } + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = pwd->pw_uid; + (*server_info)->gid = pwd->pw_gid; + return nt_status; } /*************************************************************************** @@ -848,6 +869,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) ***************************************************************************/ static NTSTATUS fill_sam_account(const char *domain, const char *username, + uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { fstring dom_user; @@ -866,6 +888,9 @@ static NTSTATUS fill_sam_account(const char *domain, if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; + *uid = passwd->pw_uid; + *gid = passwd->pw_gid; + return pdb_init_sam_pw(sam_account, passwd); } @@ -892,6 +917,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; unid_t u_id, g_id; + uid_t uid; + gid_t gid; int u_type, g_type; int n_lgroupSIDs; @@ -931,15 +958,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, u_type = ID_USERID; g_type = ID_GROUPID; + + /* we are trying to check that idmap isn't stuffing us over - does this + user actually exist? */ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) && ((passwd = getpwuid_alloc(u_id.uid)))) { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + + uid = passwd->pw_uid; + gid = passwd->pw_gid; + + /* we should check this is the same name */ + passwd_free(&passwd); } else { + /* User not from winbind - try and find them by getpwnam() */ nt_status = fill_sam_account(nt_domain, internal_username, + &uid, &gid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { @@ -948,6 +987,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_add_user_script(nt_domain, internal_username); nt_status = fill_sam_account(nt_domain, internal_username, + &uid, &gid, &sam_account); } } @@ -1002,17 +1042,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + /* now that we have a SAM_ACCOUNT that looks real, make a server_info + to wrap it in, and use pass it on down */ + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); return nt_status; } + /* Fill in the unix info we found on the way */ + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = uid; + (*server_info)->gid = gid; + /* Store the user group information in the server_info returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(sam_account, + = get_user_groups_from_local_sam(pdb_get_username(sam_account), + uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups))) |