Diffstat (limited to 'source3/nsswitch/winbindd_group.c')
-rw-r--r-- | source3/nsswitch/winbindd_group.c | 62 |
1 files changed, 28 insertions, 34 deletions
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 180a3db8e2..b31dc92b38 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -106,7 +106,7 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain, *num_gr_mem = 0; if ( !((group_name_type==SID_NAME_DOM_GRP) || - ((group_name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) ) + ((group_name_type==SID_NAME_ALIAS) && domain->primary)) ) { DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n", sid_to_string(sid_string, group_sid), domain->name, @@ -152,15 +152,10 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain, occur in Universal groups on a Windows 2000 native mode server. */ - if (name_types[i] != SID_NAME_USER) { - DEBUG(3, ("name %s isn't a domain user\n", the_name)); - continue; - } + /* make sure to allow machine accounts */ - /* Don't bother with machine accounts */ - - if (the_name[strlen(the_name) - 1] == '$') { - DEBUG(10, ("%s is machine account\n", the_name)); + if (name_types[i] != SID_NAME_USER && name_types[i] != SID_NAME_COMPUTER) { + DEBUG(3, ("name %s isn't a domain user\n", the_name)); continue; } 
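Review bot: The alias test in fill_grent_mem, `((group_name_type==SID_NAME_ALIAS) && domain->primary)`, now depends on a flag whose initialisation is not visible anywhere in this diff, where it used to compare `domain->name` with `lp_workgroup()`. The same substitution is made in the hunks for winbindd_getgrnam, winbindd_getgrgid, winbindd_setgrent, get_sam_group_entries and winbindd_getgroups, and in some of them it gates the `lp_winbind_trusted_domains_only()` rejection, so a domain entry that never gets `primary` set would pass that filter without any log line. I would add a comment at this first use, for example `/* local aliases are only accepted for our own (primary) domain */`, and confirm that exactly one entry in the domain list carries the flag. The winbindd_getgrgid hunk also closes the parentheses differently (`domain->primary) ))`) from the other sites, which makes the otherwise identical conditions harder to compare. fill_grent_mem's body starts and ends outside the hunk.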
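Review bot: The new comment `/* make sure to allow machine accounts */` gives no reason for the change, and the retained message `name %s isn't a domain user` is now printed only for names that are neither a user nor a computer. With the trailing-`$` filter removed, machine accounts are returned as group members to every NSS consumer, including ones that map group membership to access decisions. The comment should therefore state why they are wanted, and the log line could read `DEBUG(3, ("name %s isn't a domain user or machine account\n", the_name));`. The matching relaxation in the later winbindd_getgroups hunk (`name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER`) deserves the same one-line explanation. The enclosing loop starts and ends outside the hunk.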
@@ -265,22 +260,20 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) return WINBINDD_OK; } - /* should we deal with users for our domain? */ - - if ( lp_winbind_trusted_domains_only() && strequal(name_domain, lp_workgroup())) { - DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n", - name_domain, name_group)); - return WINBINDD_ERROR; - } - - /* Get info for the domain */ if ((domain = find_domain_from_name(name_domain)) == NULL) { - DEBUG(0, ("could not get domain sid for domain %s\n", + DEBUG(3, ("could not get domain sid for domain %s\n", name_domain)); return WINBINDD_ERROR; } + /* should we deal with users for our domain? */ + + if ( lp_winbind_trusted_domains_only() && domain->primary) { + DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n", + name_domain, name_group)); + return WINBINDD_ERROR; + } /* Get rid and name type from name */ @@ -292,7 +285,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state) } if ( !((name_type==SID_NAME_DOM_GRP) || - ((name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) ) + ((name_type==SID_NAME_ALIAS) && domain->primary)) ) { DEBUG(1, ("name '%s' is not a local or domain group: %d\n", name_group, name_type)); @@ -383,7 +376,7 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state) } if ( !((name_type==SID_NAME_DOM_GRP) || - ((name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) ) + ((name_type==SID_NAME_ALIAS) && domain->primary) )) { DEBUG(1, ("name '%s' is not a local or domain group: %d\n", group_name, name_type)); @@ -441,7 +434,7 @@ enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state) are a member of a Samba domain */ if ( (IS_DC || lp_winbind_trusted_domains_only()) - && strequal(domain->name, lp_workgroup()) ) + && domain->primary ) { continue; } 
@@ -547,7 +540,7 @@ static BOOL get_sam_group_entries(struct getent_state *ent) and are not using LDAP to get the groups */ if ( lp_security() != SEC_ADS && domain->native_mode - && strequal(lp_workgroup(), domain->name) ) + && domain->primary ) { DEBUG(4,("get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well\n")); @@ -887,7 +880,7 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state) extra_data[extra_data_len++] = ','; } - free(groups.sam_entries); + SAFE_FREE(groups.sam_entries); } /* Assign extra_data fields in response structure */ @@ -938,21 +931,22 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) /* Parse domain and username */ parse_domain_user(state->request.data.username, - name_domain, name_user); - - /* bail if there is no domain */ + name_domain, name_user); - if ( !*name_domain ) - goto done; - /* Get info for the domain */ if ((domain = find_domain_from_name(name_domain)) == NULL) { - DEBUG(0, ("could not find domain entry for domain %s\n", + DEBUG(7, ("could not find domain entry for domain %s\n", name_domain)); goto done; } + if ( domain->primary && lp_winbind_trusted_domains_only()) { + DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getgroups() for %s\\%s.\n", + name_domain, name_user)); + return WINBINDD_ERROR; + } + /* Get rid and name type from name. The following costs 1 packet */ if (!winbindd_lookup_sid_by_name(domain, name_user, &user_sid, @@ -961,7 +955,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) goto done; } - if (name_type != SID_NAME_USER) { + if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) { DEBUG(1, ("name '%s' is not a user name: %d\n", name_user, name_type)); goto done; 
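Review bot: The rejection added to winbindd_getgroups leaves with `return WINBINDD_ERROR;`, while the failure paths next to it in the same hunk use `goto done`, so whatever cleanup sits at that label (not visible here, presumably releasing resources acquired earlier in the function) is skipped on this path. Its debug text also names the wrong function, `winbindd_getpwnam:`. I would change the message to start `DEBUG(7,("winbindd_getgroups: My domain -- rejecting getgroups() for %s\\%s.\n",` and end the block with `goto done;`, provided the value returned at `done` still defaults to an error. With the `if ( !*name_domain )` guard removed, an empty domain string now reaches `find_domain_from_name()`; confirm that it returns NULL for that input rather than matching a default entry. The function body starts and ends outside the hunk.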
@@ -1000,7 +994,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state) in a win2k native mode domain. */ if ( !((sid_type==SID_NAME_DOM_GRP) || - ((sid_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) ) + ((sid_type==SID_NAME_ALIAS) && domain->primary)) ) { DEBUG(10, ("winbindd_getgroups: sid type %d " "for %s is not a domain group\n", @@ -1127,7 +1121,7 @@ enum winbindd_result winbindd_getusersids(struct winbindd_cli_state *state) sid_string_static(&user_sid))); goto done; } - + status = domain->methods->lookup_usergroups(domain, mem_ctx, &user_sid, &num_groups, &user_grpsids); |