Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth_rhosts.c | 19 | ||||
-rw-r--r-- | source3/auth/auth_sam.c | 46 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 43 |
3 files changed, 29 insertions, 79 deletions
diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 3411083116..0875c48280 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -135,20 +135,17 @@ check for a possible hosts equiv or rhosts entry for the user static BOOL check_hosts_equiv(SAM_ACCOUNT *account) { - uid_t uid; - char *fname = NULL; + char *fname = NULL; - fname = lp_hosts_equiv(); - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(account), &uid))) - return False; + fname = lp_hosts_equiv(); - /* note: don't allow hosts.equiv on root */ - if (fname && *fname && uid != 0) { - if (check_user_equiv(pdb_get_username(account),client_name(),fname)) - return True; - } + /* note: don't allow hosts.equiv on root */ + if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) { + if (check_user_equiv(pdb_get_username(account),client_name(),fname)) + return(True); + } - return False; + return(False); } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 33ea9bc73e..9a619f81f6 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -500,8 +500,6 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context unless it is one of our aliases. */ if (!is_myname(user_info->domain.str)) { - DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); return NT_STATUS_NO_SUCH_USER; } 
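Review bot: The root exclusion in `check_hosts_equiv` now rests on the operand order of a single condition, and nothing in the hunk says so: `pdb_get_uid(account) != 0` is only meaningful once `IS_SAM_UNIX_USER(account)` has passed. Since this is the check that keeps hosts.equiv from authenticating root, I would extend the existing comment to something like `/* note: don't allow hosts.equiv on root; accounts without a unix identity are refused too, so IS_SAM_UNIX_USER must be tested before pdb_get_uid is trusted */`. The macro and `pdb_get_uid` are defined outside this diff, so what an unset uid looks like is an assumption to confirm.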
@@ -520,52 +518,8 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } -/**************************************************************************** -Check SAM security (above) but with a few extra checks if we're a DC. -****************************************************************************/ - -static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - - if (!user_info || !auth_context) { - return NT_STATUS_LOGON_FAILURE; - } - - /* If we are a domain member, we must not - attempt to check the password locally, - unless it is one of our aliases, empty - or our domain if we are a logon server.*/ - - - if ((!is_myworkgroup(user_info->domain.str))&& - (!is_myname(user_info->domain.str))) { - DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); - return NT_STATUS_NO_SUCH_USER; - } - - return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); -} - -/* module initialisation */ -NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_samstrict_dc_security; - (*auth_method)->name = "samstrict_dc"; - return NT_STATUS_OK; -} - NTSTATUS auth_sam_init(void) { - smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc); smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict); smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam); return NT_STATUS_OK; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e8f2af41f3..a3ca0b226f 100644 --- a/source3/auth/auth_util.c 
+++ b/source3/auth/auth_util.c @@ -611,21 +611,21 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token; int i; - if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) { + if (!uid_to_sid(&user_sid, uid)) { return NULL; } - if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) { + if (!gid_to_sid(&group_sid, gid)) { return NULL; } - group_sids = malloc(sizeof(DOM_SID) * ngroups); + group_sids = malloc(sizeof(DOM_SID) * ngroups); if (!group_sids) { DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); return NULL; } for (i = 0; i < ngroups; i++) { - if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) { + if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); SAFE_FREE(group_sids); return NULL; @@ -648,7 +648,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * If this samba server is a DC of the domain the user belongs to, it returns * both domain groups and local / builtin groups. If the user is in a trusted * domain, or samba is a member server of a domain, then this function returns - * local and builtin groups the user is a member of. + * local and builtin groups the user is a member of. * * currently this is a hack, as there is no sam implementation that is capable * of groups. 
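Review bot: `group_sids = malloc(sizeof(DOM_SID) * ngroups)` in `create_nt_token` multiplies by a signed `int` that nothing in the hunk validates. Where `size_t` is 32 bits, a large `ngroups` can wrap the product, and the loop below then writes `ngroups` entries into a short buffer. As far as the collapsed text shows, the commit touches this line only for whitespace and leaves the check out. A guard ahead of the allocation such as `if (ngroups < 0 || (size_t)ngroups > SIZE_MAX / sizeof(DOM_SID)) return NULL;` would close it. Whether any caller can pass such a count is not visible here, and the function starts and ends outside the hunk.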
@@ -661,18 +661,23 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, gid_t gid; int n_unix_groups; int i; + struct passwd *usr; *n_groups = 0; *groups = NULL; - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { - DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); - return NT_STATUS_UNSUCCESSFUL; + if (!IS_SAM_UNIX_USER(sampass)) { + DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); + return NT_STATUS_NO_SUCH_USER; } + + uid = pdb_get_uid(sampass); + gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); + passwd_free(&usr); return NT_STATUS_NO_MEMORY; } @@ -681,6 +686,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { SAFE_FREE(*unix_groups); + passwd_free(&usr); return NT_STATUS_NO_MEMORY; } *unix_groups = groups_tmp; @@ -688,6 +694,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); + passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } } 
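Review bot: `struct passwd *usr;` is added without an initialiser and nothing visible assigns it, yet the new error paths call `passwd_free(&usr)`: here after the first `malloc` failure, and again on the `Realloc` and `sys_getgrouplist` failure paths in the two hunks that follow. `passwd_free` is defined elsewhere, but if it releases the struct it is handed, as its use after `getpwuid_alloc` further down suggests, this frees through an indeterminate pointer in a function that runs during authentication. Either drop the variable together with the three `passwd_free(&usr)` calls, or declare it as `struct passwd *usr = NULL;` if a later change is meant to fill it in. The function begins before this hunk and continues past it, so an assignment between the hunks cannot be ruled out for the later two calls, but none can precede the first.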
@@ -706,7 +713,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, *n_groups = n_unix_groups; for (i = 0; i < *n_groups; i++) { - if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { + if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); @@ -723,8 +730,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { - NTSTATUS ret; - *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); @@ -734,10 +739,6 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->sam_account = sampass; - if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) - return ret; - if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) - return ret; return NT_STATUS_OK; } @@ -868,8 +869,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; - unid_t u_id, g_id; - int u_type, g_type; + uid_t uid; + gid_t gid; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; @@ -906,11 +907,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - u_type = ID_USERID; - g_type = ID_GROUPID; - if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) - && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) - && ((passwd = getpwuid_alloc(u_id.uid)))) { + if (winbind_sid_to_uid(&uid, &user_sid) + && winbind_sid_to_gid(&gid, &group_sid) + && ((passwd = getpwuid_alloc(uid)))) { nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { |
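Review bot: The failure message in this loop prints `(*unix_groups)[i+1]`, while the conversion that failed was on `(*unix_groups)[i]`. The log therefore names the wrong gid, and on the last iteration it reads one element past the `*n_groups` entries that were filled. The commit rewrites the condition above it but leaves this argument as it was; it should read `(long int)(*unix_groups)[i]`. `get_user_groups_from_local_sam` starts before this hunk and ends after it.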
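Review bot: In `make_server_info_info3` the new `gid` is filled by `winbind_sid_to_gid(&gid, &group_sid)` and then never read in the visible lines; the account is built from `getpwuid_alloc(uid)` alone. If the call is there only to require that the primary group SID maps, a comment such as `/* gid itself is unused: the lookup only requires that the group SID maps */` would stop a later cleanup from deleting the check. If the mapped gid is supposed to agree with the passwd entry's primary group, that comparison is missing. The function continues outside both hunks that touch it, so a later use of `gid` cannot be excluded.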