summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/groupdb/mapping.c2
-rw-r--r--source3/include/smb.h2
-rw-r--r--source3/passdb/lookup_sid.c101
-rw-r--r--source3/passdb/passdb.c2
-rw-r--r--source3/passdb/pdb_interface.c2
-rw-r--r--source3/passdb/util_unixsids.c6
-rw-r--r--source3/utils/net_groupmap.c11
7 files changed, 30 insertions, 96 deletions
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index c701ef165d..b1c5275bc1 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -195,7 +195,7 @@ NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
fstrcpy(map.nt_name, grpname);
if (pdb_rid_algorithm()) {
- rid = pdb_gid_to_group_rid( grp->gr_gid );
+ rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
} else {
if (!pdb_new_rid(&rid)) {
DEBUG(3, ("Could not get a new RID for %s\n",
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 92228ec3d4..9aa8be437c 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -269,7 +269,7 @@ enum SID_NAME_USE {
#define LOOKUP_NAME_REMOTE 2 /* Ask others */
#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
-#define LOOKUP_NAME_GROUP 4 /* This is a NASTY hack for valid users = @foo
+#define LOOKUP_NAME_GROUP 4 /* (unused) This is a NASTY hack for valid users = @foo
* where foo also exists in as user. */
/**
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index f612cff092..48f6d666ce 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -43,7 +43,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
DOM_SID sid;
enum SID_NAME_USE type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct group *grp;
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
@@ -126,63 +125,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
return False;
}
- /*
- * Nasty hack necessary for too common scenarios:
- *
- * For 'valid users = +users' we know "users" is most probably not
- * BUILTIN\users but the unix group users. This hack requires the
- * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
- *
- * Please note that LOOKUP_NAME_GROUP can not be requested via for
- * example lsa_lookupnames, it only comes into this routine via
- * the expansion of group names coming in from smb.conf
- */
-
- if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) {
-
- GROUP_MAP map;
-
- if (pdb_getgrgid(&map, grp->gr_gid)) {
- /* The hack gets worse. Handle the case where we have
- * 'force group = +unixgroup' but "unixgroup" has a
- * group mapping */
-
- if (sid_check_is_in_builtin(&map.sid)) {
- domain = talloc_strdup(
- tmp_ctx, builtin_domain_name());
- } else {
- domain = talloc_strdup(
- tmp_ctx, get_global_sam_name());
- }
-
- sid_copy(&sid, &map.sid);
- type = map.sid_name_use;
- goto ok;
- }
-
- /* If we are using the smbpasswd backend, we need to use the
- * algorithmic mapping for the unix group we find. This is
- * necessary because when creating the NT token from the unix
- * gid list we got from initgroups() we use gid_to_sid() that
- * uses algorithmic mapping if pdb_rid_algorithm() is true. */
-
- if (pdb_rid_algorithm() &&
- (grp->gr_gid < max_algorithmic_gid())) {
- domain = talloc_strdup(tmp_ctx, get_global_sam_name());
- sid_compose(&sid, get_global_sam_sid(),
- pdb_gid_to_group_rid(grp->gr_gid));
- type = SID_NAME_DOM_GRP;
- goto ok;
- }
-
- if (lookup_unix_group_name(name, &sid)) {
- domain = talloc_strdup(tmp_ctx,
- unix_groups_domain_name());
- type = SID_NAME_DOM_GRP;
- goto ok;
- }
- }
-
/* Now the guesswork begins, we haven't been given an explicit
* domain. Try the sequence as documented on
* http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
@@ -1186,14 +1128,9 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
goto done;
}
- if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) {
- sid_copy(psid, get_global_sam_sid());
- sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid));
- goto done;
- } else {
- uid_to_unix_users_sid(uid, psid);
- goto done;
- }
+ /* This is an unmapped user */
+
+ uid_to_unix_users_sid(uid, psid);
done:
DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid,
@@ -1228,16 +1165,10 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
/* This is a mapped group */
goto done;
}
+
+ /* This is an unmapped group */
- if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) {
- sid_copy(psid, get_global_sam_sid());
- sid_append_rid(psid, pdb_gid_to_group_rid(gid));
- goto done;
- } else {
- sid_copy(psid, &global_sid_Unix_Groups);
- sid_append_rid(psid, gid);
- goto done;
- }
+ uid_to_unix_groups_sid(gid, psid);
done:
DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid,
@@ -1283,14 +1214,9 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
*puid = id.uid;
goto done;
}
- if (pdb_rid_algorithm() &&
- algorithmic_pdb_rid_is_user(rid)) {
- *puid = algorithmic_pdb_user_rid_to_uid(rid);
- goto done;
- }
- /* This was ours, but it was neither mapped nor
- * algorithmic. Fail */
+ /* This was ours, but it was not mapped. Fail */
+
return False;
}
@@ -1371,14 +1297,9 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
*pgid = id.gid;
goto done;
}
- if (pdb_rid_algorithm() &&
- !algorithmic_pdb_rid_is_user(rid)) {
- /* This must be a group, presented as alias */
- *pgid = pdb_group_rid_to_gid(rid);
- goto done;
- }
- /* This was ours, but it was neither mapped nor
- * algorithmic. Fail. */
+
+ /* This was ours, but it was not mapped. Fail */
+
return False;
}
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index f74b1fbe3b..bfa0430af4 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -505,7 +505,7 @@ gid_t max_algorithmic_gid(void)
there is not anymore a direct link between the gid and the rid.
********************************************************************/
-uint32 pdb_gid_to_group_rid(gid_t gid)
+uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
{
int rid_offset = algorithmic_rid_base();
return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 7f2a8f25b3..4baddb3a93 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -604,7 +604,7 @@ static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
}
if (pdb_rid_algorithm()) {
- *rid = pdb_gid_to_group_rid( grp->gr_gid );
+ *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
} else {
if (!pdb_new_rid(rid)) {
return NT_STATUS_ACCESS_DENIED;
diff --git a/source3/passdb/util_unixsids.c b/source3/passdb/util_unixsids.c
index d3f0999d6a..80d22a314f 100644
--- a/source3/passdb/util_unixsids.c
+++ b/source3/passdb/util_unixsids.c
@@ -42,6 +42,12 @@ BOOL uid_to_unix_users_sid(uid_t uid, DOM_SID *sid)
return sid_append_rid(sid, uid);
}
+BOOL uid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)
+{
+ sid_copy(sid, &global_sid_Unix_Groups);
+ return sid_append_rid(sid, gid);
+}
+
const char *unix_users_domain_name(void)
{
return "Unix User";
diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c
index df13a93de6..4708efa908 100644
--- a/source3/utils/net_groupmap.c
+++ b/source3/utils/net_groupmap.c
@@ -289,7 +289,7 @@ static int net_groupmap_add(int argc, const char **argv)
if ( (rid == 0) && (string_sid[0] == '\0') ) {
d_printf("No rid or sid specified, choosing a RID\n");
if (pdb_rid_algorithm()) {
- rid = pdb_gid_to_group_rid(gid);
+ rid = algorithmic_pdb_gid_to_group_rid(gid);
} else {
if (!pdb_new_rid(&rid)) {
d_printf("Could not get new RID\n");
@@ -573,7 +573,14 @@ static int net_groupmap_set(int argc, const char **argv)
map.gid = grp->gr_gid;
if (opt_rid == 0) {
- opt_rid = pdb_gid_to_group_rid(map.gid);
+ if ( pdb_rid_algorithm() )
+ opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
+ else {
+ if ( !pdb_new_rid((uint32*)&opt_rid) ) {
+ d_fprintf( stderr, "Could not allocate new RID\n");
+ return -1;
+ }
+ }
}
sid_copy(&map.sid, get_global_sam_sid());