From 61116049cabc292c2f2d570af4d68ddc537b91f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 3 Jul 2003 14:36:42 +0000 Subject: This patch takes the work the jerry did for beta2, and generalises it: - The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec) --- source3/auth/auth_util.c | 79 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 60 insertions(+), 19 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4e25d7fd34..ea46d27e9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -764,6 +764,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { NTSTATUS nt_status; + struct passwd *pwd; if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) return nt_status; @@ -773,16 +774,35 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) return nt_status; - if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { + fstring sid; + DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", + pdb_get_username(sampass), + sid_to_string(sid, pdb_get_user_sid(sampass)), + (unsigned)(*server_info)->uid)); + free_server_info(server_info); + return NT_STATUS_NO_SUCH_USER; + } + (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + passwd_free(&pwd); + + if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), + &((*server_info)->gid)))) { + free_server_info(server_info); return nt_status; + } if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, - (*server_info)->uid, (*server_info)->gid))) + (*server_info)->uid, + (*server_info)->gid))) { + free_server_info(server_info); return nt_status; + } (*server_info)->sam_fill_level = SAM_FILL_ALL; - DEBUG(5,("make_server_info_sam: made server info for user %s\n", - pdb_get_username((*server_info)->sam_account))); + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", + pdb_get_username(sampass), + (*server_info)->unix_name)); return nt_status; } @@ -809,6 +829,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc return nt_status; } + (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->uid = pwd->pw_uid; (*server_info)->gid = pwd->pw_gid; @@ -852,8 +874,10 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) Purely internal function for make_server_info_info3 Fill the sam account from getpwnam ***************************************************************************/ -static NTSTATUS fill_sam_account(const char *domain, +static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, + const char *domain, const char *username, + char **found_username, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { @@ -878,6 +902,8 @@ static NTSTATUS fill_sam_account(const char *domain, *uid = passwd->pw_uid; *gid = passwd->pw_gid; + *found_username = talloc_strdup(mem_ctx, passwd->pw_name); + return pdb_init_sam_pw(sam_account, passwd); } @@ -893,7 +919,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *info3) { NTSTATUS nt_status = NT_STATUS_OK; - + char *found_username; const char *nt_domain; const char *nt_username; @@ -958,13 +984,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, gid = passwd->pw_gid; /* we should check this is the same name */ - + found_username = talloc_strdup(mem_ctx, passwd->pw_name); + passwd_free(&passwd); } else { /* User not from winbind - try and find them by getpwnam() */ - nt_status = fill_sam_account(nt_domain, + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); @@ -972,8 +1000,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(nt_domain, + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); } @@ -984,17 +1013,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_MEMORY; } - if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { + if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } @@ -1004,7 +1028,18 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } @@ -1040,6 +1075,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->sam_account = sam_account; + (*server_info)->unix_name = smb_xstrdup(found_username); + /* Fill in the unix info we found on the way */ (*server_info)->sam_fill_level = SAM_FILL_ALL; @@ -1050,7 +1087,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(pdb_get_username(sam_account), + = get_user_groups_from_local_sam((*server_info)->unix_name, uid, gid, &n_lgroupSIDs, &lgroupSIDs, @@ -1070,6 +1107,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); + free_server_info(server_info); return NT_STATUS_NO_MEMORY; } @@ -1085,6 +1123,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); + free_server_info(server_info); return nt_status; } } @@ -1110,6 +1149,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, all_group_SIDs, False, &token))) { DEBUG(4,("create_nt_user_token failed\n")); SAFE_FREE(all_group_SIDs); + free_server_info(server_info); return nt_status; } @@ -1161,6 +1201,7 @@ void free_server_info(auth_serversupplied_info **server_info) /* call pam_end here, unless we know we are keeping it */ delete_nt_token( &(*server_info)->ptok ); SAFE_FREE((*server_info)->groups); + SAFE_FREE((*server_info)->unix_name); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -- cgit