From a4354d399d65e0b0e660b0e41647c0116d51bd37 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 17 Jun 2007 19:23:32 +0000 Subject: r23530: Fix bugs #4678 and #4697 which had the same root cause. In make_server_info_pw() we assign a user SID in our authoritative SAM, even though this may be from a pure "Unix User" that doesn't exist in the SAM. This causes lookups on "[in]valid users" to fail as they will lookup this name as a "Unix User" SID to check against the user token. Fix this by adding the "Unix User"\unix_username SID to the sid array. The correct fix should probably be changing the server_info->sam_account user SID to be a S-1-22 Unix SID, but this might break old configs where plaintext passwords were used with no SAM backend. Jeremy (This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f66c500943..7509b5ad1c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -966,6 +966,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; + char *qualified_name = NULL; + TALLOC_CTX *mem_ctx = NULL; + DOM_SID u_sid; + enum lsa_SidType type; auth_serversupplied_info *result; if ( !(sampass = samu_new( NULL )) ) { @@ -999,6 +1003,56 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return status; } + /* + * The SID returned in server_info->sam_account is based + * on our SAM sid even though for a pure UNIX account this should + * not be the case as it doesn't really exist in the SAM db. + * This causes lookups on "[in]valid users" to fail as they + * will lookup this name as a "Unix User" SID to check against + * the user token. Fix this by adding the "Unix User"\unix_username + * SID to the sid array. The correct fix should probably be + * changing the server_info->sam_account user SID to be a + * S-1-22 Unix SID, but this might break old configs where + * plaintext passwords were used with no SAM backend. + */ + + mem_ctx = talloc_init("make_server_info_pw_tmp"); + if (!mem_ctx) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", + unix_users_domain_name(), + unix_username ); + if (!qualified_name) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, + NULL, NULL, + &u_sid, &type)) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + TALLOC_FREE(mem_ctx); + + if (type != SID_NAME_USER) { + TALLOC_FREE(result); + return NT_STATUS_NO_SUCH_USER; + } + + if (!add_sid_to_array_unique(result, &u_sid, + &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ -- cgit