diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/smb.h | 6 | ||||
-rw-r--r-- | source3/passdb/lookup_sid.c | 42 | ||||
-rw-r--r-- | source3/smbd/conn.c | 1 | ||||
-rw-r--r-- | source3/smbd/service.c | 8 | ||||
-rw-r--r-- | source3/smbd/uid.c | 11 |
5 files changed, 47 insertions, 21 deletions
diff --git a/source3/include/smb.h b/source3/include/smb.h index 59c3c32346..a0140fe081 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -573,6 +573,12 @@ typedef struct connection_struct { */ struct auth_serversupplied_info *server_info; + /* + * If the "force group" parameter is set, this is the primary gid that + * may be used in the users token, depending on the vuid using this tid. + */ + gid_t force_group_gid; + char client_address[INET6_ADDRSTRLEN]; /* String version of client IP address. */ uint16 vuid; /* vuid of user who *opened* this connection, or UID_FIELD_INVALID */ diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 10ff36d51b..9c20042a62 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -1309,15 +1309,18 @@ void uid_to_sid(DOM_SID *psid, uid_t uid) /* Not in cache. Ask winbindd. */ if (!winbind_uid_to_sid(psid, uid)) { /* - * We shouldn't return the NULL SID - * here if winbind was running and - * couldn't map, as winbind will have - * added a negative entry that will - * cause us to go though the - * legacy_uid_to_sid() - * function anyway in the case above - * the next time we ask. - */ + * We shouldn't return the NULL SID + * here if winbind was running and + * couldn't map, as winbind will have + * added a negative entry that will + * cause us to go though the + * legacy_uid_to_sid() + * function anyway in the case above + * the next time we ask. + */ + DEBUG(5, ("uid_to_sid: winbind failed to find a sid " + "for uid %u\n", uid)); + legacy_uid_to_sid(psid, uid); return; } @@ -1359,15 +1362,18 @@ void gid_to_sid(DOM_SID *psid, gid_t gid) /* Not in cache. Ask winbindd. */ if (!winbind_gid_to_sid(psid, gid)) { /* - * We shouldn't return the NULL SID - * here if winbind was running and - * couldn't map, as winbind will have - * added a negative entry that will - * cause us to go though the - * legacy_gid_to_sid() - * function anyway in the case above - * the next time we ask. - */ + * We shouldn't return the NULL SID + * here if winbind was running and + * couldn't map, as winbind will have + * added a negative entry that will + * cause us to go though the + * legacy_gid_to_sid() + * function anyway in the case above + * the next time we ask. + */ + DEBUG(5, ("gid_to_sid: winbind failed to find a sid " + "for gid %u\n", gid)); + legacy_gid_to_sid(psid, gid); return; } diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c index 4b467b0312..a52f2d2e96 100644 --- a/source3/smbd/conn.c +++ b/source3/smbd/conn.c @@ -140,6 +140,7 @@ find_again: return NULL; } conn->cnum = i; + conn->force_group_gid = (gid_t)-1; bitmap_set(bmap, i); diff --git a/source3/smbd/service.c b/source3/smbd/service.c index dcdd69f997..eb16a2601e 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -833,6 +833,14 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, *pstatus = status; return NULL; } + + /* + * We need to cache this gid, to use within + * change_to_user() separately from the conn->server_info + * struct. We only use conn->server_info directly if + * "force_user" was set. + */ + conn->force_group_gid = conn->server_info->utok.gid; } conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 4f059bdb59..f8c55b1b8f 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -254,6 +254,8 @@ bool change_to_user(connection_struct *conn, uint16 vuid) if((group_c = *lp_force_group(snum))) { + SMB_ASSERT(conn->force_group_gid != (gid_t)-1); + if(group_c == '+') { /* @@ -266,15 +268,18 @@ bool change_to_user(connection_struct *conn, uint16 vuid) int i; for (i = 0; i < num_groups; i++) { if (group_list[i] - == conn->server_info->utok.gid) { - gid = conn->server_info->utok.gid; + == conn->force_group_gid) { + conn->server_info->utok.gid = + conn->force_group_gid; + gid = conn->force_group_gid; gid_to_sid(&conn->server_info->ptok ->user_sids[1], gid); break; } } } else { - gid = conn->server_info->utok.gid; + conn->server_info->utok.gid = conn->force_group_gid; + gid = conn->force_group_gid; gid_to_sid(&conn->server_info->ptok->user_sids[1], gid); } |