From a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 11 Jun 2003 16:36:04 +0000
Subject: Fix 'security = domain' without winbind.
This stores the sid we got from the PDC as a mapping to the uid we got from getpwnam in the local idmap. This should not be worse than the current state, so I decided to commit it. It is different from abartlet's preliminary patch, but I believe this is the better solution. Feel free to comment and/or revert it.
Volker
(This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59)
---
 source3/auth/auth_util.c | 92 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 60 insertions(+), 32 deletions(-)
(limited to 'source3/auth')
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d57619942c..ed3ebdbabc 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -842,6 +842,52 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
 return nt_status;
 }
 
+static NTSTATUS fill_sam_account(const char *domain,
+ const char *username,
+ const DOM_SID *user_sid,
+ const DOM_SID *group_sid,
+ SAM_ACCOUNT **sam_account)
+{
+ fstring dom_user;
+ struct passwd *passwd;
+ NTSTATUS result;
+ unid_t id;
+
+ fstr_sprintf(dom_user, "%s%s%s",
+ domain, lp_winbind_separator(), username);
+
+ passwd = Get_Pwnam(dom_user);
+
+ if ( (passwd == NULL) && is_myworkgroup(domain) ) {
+ /* For our own domain also try unqualified */
+ passwd = Get_Pwnam(username);
+ }
+
+ if (passwd == NULL)
+ return NT_STATUS_NO_SUCH_USER;
+
+ result = pdb_init_sam_pw(sam_account, passwd);
+
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ id.uid = passwd->pw_uid;
+ result = idmap_set_mapping(user_sid, id, ID_USERID);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ /* This is currently broken. We have two different sources of
+ information for the primary group: The info3 and
+ /etc/passwd. To make this work at all, the info3 sid is
+ mapped to the user's primary group from /etc/passwd.
+ This is broken, but it basically works. */
+
+ id.gid = passwd->pw_gid;
+ result = idmap_set_mapping(group_sid, id, ID_GROUPID);
+
+ return result;
+}
+
 /***************************************************************************
 Make a server_info struct from the info3 returned by a domain logon
 ***************************************************************************/
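Review bot: The fstr_sprintf() into the fixed-size `dom_user` discards its return value, so a domain/separator/username combination longer than an fstring is silently truncated and the truncated name is what Get_Pwnam() resolves (and, through the caller's retry, what the add-user script is handed). If fstr_sprintf reports the would-be length the way snprintf does, guard it: `if (fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), username) >= sizeof(fstring))` followed by `return NT_STATUS_NAME_TOO_LONG;`. Once pdb_init_sam_pw() has succeeded, the two idmap_set_mapping() failure returns hand back a populated *sam_account; unless the caller frees it on error (not visible in this hunk), that allocation leaks, so consider releasing it before each of those early returns. The primary-group comment should also spell out the consequence of the design it describes: both mappings are rewritten on every logon, so whatever group SID the PDC sends is bound to the user's /etc/passwd gid regardless of what that gid was mapped to before — presumably the idmap backend overwrites, which is worth confirming and stating.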
@@ -910,38 +956,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 nt_status = pdb_init_sam_pw(&sam_account, passwd);
 passwd_free(&passwd);
 } else {
- int try = 0;
- while (try < 2) {
- char *dom_user;
- dom_user = talloc_asprintf(mem_ctx, "%s%s%s",
- nt_domain,
- lp_winbind_separator(),
- internal_username);
-
- if (!dom_user) {
- DEBUG(0, ("talloc_asprintf failed!\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- } else {
-
- if (!(passwd = Get_Pwnam(dom_user))
- /* Only lookup local for the local
- domain, we don't want this for
- trusted domains */
- && strequal(nt_domain, lp_workgroup())) {
- passwd = Get_Pwnam(internal_username);
- }
-
- if (!passwd) {
- nt_status = NT_STATUS_NO_SUCH_USER;
- } else {
- nt_status = pdb_init_sam_pw(&sam_account, passwd);
- break;
- }
- }
- if (try == 0) {
- auth_add_user_script(nt_domain, internal_username);
- }
- try++;
+
+ nt_status = fill_sam_account(nt_domain,
+ internal_username,
+ &user_sid, &group_sid,
+ &sam_account);
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+ DEBUG(3,("User %s does not exist, trying to add it\n",
+ internal_username));
+ auth_add_user_script(nt_domain, internal_username);
+ nt_status = fill_sam_account(nt_domain,
+ internal_username,
+ &user_sid, &group_sid,
+ &sam_account);
+ }
 }
-- cgit
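Review bot: Only the NT_STATUS_NO_SUCH_USER outcome of the first fill_sam_account() call is logged; every other failure, including the idmap_set_mapping() errors that this commit puts on the logon path, is passed upward silently, and the retry's failure after auth_add_user_script() is not logged either. An `else if (!NT_STATUS_IS_OK(nt_status))` branch carrying `DEBUG(1, ("fill_sam_account failed for %s: %s\n", internal_username, nt_errstr(nt_status)));`, and the same line after the retry, would let a failed mapping write be told apart from a generic logon failure in the log. The retry after the add-user script is attempted for every domain, as the removed loop also did, but a one-line comment saying so would help, since fill_sam_account() itself only tries the unqualified name for is_myworkgroup() domains. make_server_info_info3() starts and ends outside this hunk, so how a non-OK nt_status and a partially filled sam_account are handled afterwards cannot be checked here.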