Diffstat (limited to 'source3')
-rw-r--r--source3/passdb/passdb.c31
-rw-r--r--source3/passdb/pdb_smbpasswd.c41
-rw-r--r--source3/utils/testparm.c10
3 files changed, 58 insertions, 24 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 04786b59e5..4ce5b93abd 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -500,9 +500,32 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
Converts NT user RID to a UNIX uid.
********************************************************************/
+static int algorithmic_rid_base(void)
+{
+ static int rid_offset = 0;
+
+ if (rid_offset != 0)
+ return rid_offset;
+
+ rid_offset = lp_algorithmic_rid_base();
+
+ if (rid_offset < BASE_RID) {
+ /* Try to prevent admin foot-shooting, we can't put algorithmic
+ rids below 1000, that's the 'well known RIDs' on NT */
+ DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
+ rid_offset = BASE_RID;
+ }
+ if (rid_offset & 1) {
+ DEBUG(0, ("algorithmic rid base must be even\n"));
+ rid_offset += 1;
+ }
+ return rid_offset;
+}
+
+
uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
{
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
}
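Review bot: In fallback_pdb_user_rid_to_uid the subtraction `(user_rid & (~USER_RID_TYPE))- rid_offset` mixes a uint32 with an int, so a RID below the base most likely wraps to a very large unsigned value instead of going negative, and that value is then divided and cast to uid_t. With the base now clamped to at least BASE_RID, a RID below it that reaches this function would map to an unrelated uid unless callers filter first, which this hunk does not show. A guard before the return, such as `if ((user_rid & ~USER_RID_TYPE) < (uint32)rid_offset)` returning whatever failure value the callers expect, or a comment stating the precondition, would make the contract explicit. The same expression appears in pdb_group_rid_to_gid in the third passdb.c hunk.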
@@ -513,7 +536,7 @@ uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
{
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
}
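Review bot: `((uint32)uid)*RID_MULTIPLIER) + rid_offset` in fallback_pdb_uid_to_user_rid is evaluated in 32 bits, so a large enough uid can wrap and yield a RID that falls below the base the new helper enforces, or that collides with another account's RID. The clamp in algorithmic_rid_base() therefore keeps results out of the well-known RID range only for uids small enough not to overflow. A range check on uid before the return, or at least a comment such as `/* uid must satisfy uid*RID_MULTIPLIER + base <= 0xFFFFFFFF */`, would document the supported range. pdb_gid_to_group_rid in the last passdb.c hunk has the same arithmetic.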
@@ -523,7 +546,7 @@ uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
gid_t pdb_group_rid_to_gid(uint32 group_rid)
{
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
}
@@ -537,7 +560,7 @@ gid_t pdb_group_rid_to_gid(uint32 group_rid)
uint32 pdb_gid_to_group_rid(gid_t gid)
{
- int rid_offset = lp_algorithmic_rid_base();
+ int rid_offset = algorithmic_rid_base();
return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
}
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index 3ab524f488..abfe016e8a 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1200,28 +1200,29 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
return False;
}
- if ((smbpasswd_state->permit_non_unix_accounts)
- && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
- && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
-
- pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
-
- /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
-
- This was down the bottom for machines, but it looks pretty good as
- a general default for non-unix users. --abartlet 2002-01-08
- */
- pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
- pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
- pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
- } else {
-
- pwfile = getpwnam_alloc(pw_buf->smb_name);
- if (pwfile == NULL) {
+ pwfile = getpwnam_alloc(pw_buf->smb_name);
+ if (pwfile == NULL) {
+ if ((smbpasswd_state->permit_non_unix_accounts)
+ && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
+ && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
+
+ pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
+
+ /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here.
+
+ This was down the bottom for machines, but it looks pretty good as
+ a general default for non-unix users. --abartlet 2002-01-08
+ */
+ pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET);
+ pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
+ pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
+
+ } else {
DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
return False;
}
-
+ } else {
+
if (!NT_STATUS_IS_OK(pdb_fill_sam_pw(sam_pass, pwfile))) {
return False;
}
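Review bot: The reordering at `pwfile = getpwnam_alloc(pw_buf->smb_name);` changes which branch wins when an smbpasswd entry has a Unix account and also a uid inside the NUA range, and nothing in the new code says that this precedence is intended. A comment above the lookup, for example `/* A real Unix account always takes precedence; the NUA range is consulted only when the name has no passwd entry */`, would record the decision. The lookup is by name while the range test uses the uid stored in smbpasswd. Whether pdb_fill_sam_pw cross-checks the passwd uid against `pw_buf->smb_userid` is not visible here and is worth confirming. A NULL return is also treated as "no such user", so a failed lookup of an in-range entry would presumably take the non-unix path. build_sam_account starts and ends outside this hunk.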
@@ -1386,7 +1387,7 @@ static NTSTATUS smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUN
struct smb_passwd *smb_pw;
void *fp = NULL;
- DEBUG(10, ("pdb_getsampwrid: search by rid: %d\n", rid));
+ DEBUG(10, ("smbpasswd_getsampwrid: search by rid: %d\n", rid));
/* More special case 'guest account' hacks... */
if (rid == DOMAIN_USER_RID_GUEST) {
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index c81d6e72e4..c92692fda2 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -168,6 +168,16 @@ via the %%o substitution. With encrypted passwords this is not possible.\n", lp_
printf("'winbind separator = +' might cause problems with group membership.\n");
}
+ if (lp_algorithmic_rid_base() < BASE_RID) {
+ /* Try to prevent admin foot-shooting, we can't put algorithmic
+ rids below 1000, that's the 'well known RIDs' on NT */
+ printf("'algorithmic rid base' must be equal to or above %lu\n", BASE_RID);
+ }
+
+ if (lp_algorithmic_rid_base() & 1) {
+ printf("'algorithmic rid base' must be even.\n");
+ }
+
return ret;
}
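Review bot: Both new messages say the value "must be" at or above BASE_RID and even, but the passdb.c side of this commit does not reject such a setting. It silently substitutes BASE_RID or adds one, so every algorithmic RID-to-uid mapping moves away from what the administrator configured. The testparm text should say that an adjusted value will be used, for instance `"'algorithmic rid base' is below the minimum; the minimum will be used instead\n"`. The format specifier also differs between the two files for the same BASE_RID (`%lu` here, `%ld` in the DEBUG call in passdb.c). Its type is not visible in this diff, so one of the two may not match. The enclosing function starts outside the hunk.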