From f9e87b9ba65f37bafa45eacb1a6c9b8c5483d46b Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 12 Nov 2004 15:49:47 +0000
Subject: r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
---
source3/auth/auth_util.c | 52 +++++++++++++++---------------------------------
1 file changed, 16 insertions(+), 36 deletions(-)
(limited to 'source3/auth/auth_util.c')
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 96a229f0dc..1ef64ab845 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -657,47 +657,27 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid,
 *n_groups = 0;
 *groups = NULL;
-
- /* Try winbind first */
- if ( strchr(username, *lp_winbind_separator()) ) {
- n_unix_groups = winbind_getgroups( username, unix_groups );
+ if (strchr(username, *lp_winbind_separator()) == NULL) {
+ NTSTATUS result;
- DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", username,
- n_unix_groups == -1 ? "FAIL" : "SUCCESS"));
-
- if ( n_unix_groups == -1 )
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
+ become_root();
+ result = pdb_enum_group_memberships(username, gid, groups,
+ unix_groups, n_groups);
+ unbecome_root();
+ return result;
 }
- else {
- /* fallback to getgrouplist() */
-
- n_unix_groups = groups_max();
-
- if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
- DEBUG(0, ("get_user_groups: Out of memory allocating unix group list\n"));
- return NT_STATUS_NO_MEMORY;
- }
+
+ /* We have the separator, this must be winbind */
- if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
-
- gid_t *groups_tmp;
-
- groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
-
- if (!groups_tmp) {
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_MEMORY;
- }
- *unix_groups = groups_tmp;
+ n_unix_groups = winbind_getgroups( username, unix_groups );
- if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
- DEBUG(0, ("get_user_groups: failed to get the unix group list\n"));
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
- }
- }
- }
+ DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n",
+ username, n_unix_groups == -1 ? "FAIL" : "SUCCESS"));
+
+ if ( n_unix_groups == -1 )
+ return NT_STATUS_NO_SUCH_USER; /* what should this return
+ * value be? */
 debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
-- cgit
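Review bot: The new passdb branch returns `result` straight from `pdb_enum_group_memberships()`, and the visible initialisers above it reset only `*n_groups` and `*groups`, so on a failure status the state of `*unix_groups` depends entirely on the backend; the removed getgrouplist path left it NULL or cleared it with `SAFE_FREE(*unix_groups)` on every error return. Unless it is already set before this hunk, add `*unix_groups = NULL;` beside the two existing initialisers so a caller that frees the gid list after an error never touches an unset pointer. The same branch also returns before `debug_unix_user_token(...)`, so the gid list that ends up in a non-winbind user's token is no longer logged at level 5; calling it on the success path before `return result;` would keep that trace. get_user_groups starts before and continues after the hunk, so both suggestions should be checked against the rest of the function.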