From 05ac2de0df78d22ad5afb42ea5c72ba17bef8395 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 Dec 2005 18:34:13 +0000 Subject: r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7) --- source3/passdb/passdb.c | 135 +++++++++++++++++++++++++++--------------------- 1 file changed, 76 insertions(+), 59 deletions(-) (limited to 'source3/passdb/passdb.c') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index e073db3499..3ca26a57c7 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -735,7 +735,7 @@ BOOL algorithmic_pdb_rid_is_user(uint32 rid) Look up a rid in the SAM we're responsible for (i.e. passdb) ********************************************************************/ -BOOL lookup_global_sam_rid(uint32 rid, fstring name, +BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid, char **name, enum SID_NAME_USE *psid_name_use) { SAM_ACCOUNT *sam_account = NULL; @@ -760,7 +760,7 @@ BOOL lookup_global_sam_rid(uint32 rid, fstring name, become_root(); if (pdb_getsampwsid(sam_account, &sid)) { unbecome_root(); /* -----> EXIT BECOME_ROOT() */ - fstrcpy(name, pdb_get_username(sam_account)); + *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); *psid_name_use = SID_NAME_USER; pdb_free_sam(&sam_account); @@ -784,14 +784,14 @@ BOOL lookup_global_sam_rid(uint32 rid, fstring name, map.nt_name)); } - fstrcpy(name, map.nt_name); + *name = talloc_strdup(mem_ctx, map.nt_name); *psid_name_use = map.sid_name_use; return True; } if (rid == DOMAIN_USER_RID_ADMIN) { *psid_name_use = SID_NAME_USER; - fstrcpy(name, "Administrator"); + *name = talloc_strdup(mem_ctx, "Administrator"); return True; } @@ -807,13 +807,15 @@ BOOL lookup_global_sam_rid(uint32 rid, fstring name, DEBUG(5,("lookup_global_sam_rid: looking up uid %u %s\n", (unsigned int)uid, pw ? "succeeded" : "failed" )); - if ( !pw ) - fstr_sprintf(name, "unix_user.%u", (unsigned int)uid); - else - fstrcpy( name, pw->pw_name ); + if ( !pw ) { + *name = talloc_asprintf(mem_ctx, "unix_user.%u", + (unsigned int)uid); + } else { + *name = talloc_strdup(mem_ctx, pw->pw_name ); + } DEBUG(5,("lookup_global_sam_rid: found user %s for rid %u\n", - name, (unsigned int)rid )); + *name, (unsigned int)rid )); *psid_name_use = SID_NAME_USER; @@ -830,13 +832,15 @@ BOOL lookup_global_sam_rid(uint32 rid, fstring name, DEBUG(5,("lookup_global_sam_rid: looking up gid %u %s\n", (unsigned int)gid, gr ? "succeeded" : "failed" )); - if( !gr ) - fstr_sprintf(name, "unix_group.%u", (unsigned int)gid); - else - fstrcpy( name, gr->gr_name); + if( !gr ) { + *name = talloc_asprintf(mem_ctx, "unix_group.%u", + (unsigned int)gid); + } else { + *name = talloc_strdup(mem_ctx, gr->gr_name); + } DEBUG(5,("lookup_global_sam_rid: found group %s for rid %u\n", - name, (unsigned int)rid )); + *name, (unsigned int)rid )); /* assume algorithmic groups are domain global groups */ @@ -850,17 +854,13 @@ BOOL lookup_global_sam_rid(uint32 rid, fstring name, Convert a name into a SID. Used in the lookup name rpc. ********************************************************************/ -BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use) +BOOL lookup_global_sam_name(const char *c_user, uint32_t *rid, enum SID_NAME_USE *type) { - DOM_SID local_sid; - DOM_SID sid; fstring user; SAM_ACCOUNT *sam_account = NULL; struct group *grp; GROUP_MAP map; - *psid_name_use = SID_NAME_UNKNOWN; - /* * user may be quoted a const string, and map_username and * friends can modify it. Make a modifiable copy. JRA. @@ -868,17 +868,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi fstrcpy(user, c_user); - sid_copy(&local_sid, get_global_sam_sid()); - - if (map_name_to_wellknown_sid(&sid, psid_name_use, user)){ - fstring sid_str; - sid_copy( psid, &sid); - sid_to_string(sid_str, &sid); - DEBUG(10,("lookup_name: name %s = SID %s, type = %u\n", user, sid_str, - (unsigned int)*psid_name_use )); - return True; - } - (void)map_username(user); if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) { @@ -889,10 +878,28 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi become_root(); if (pdb_getsampwnam(sam_account, user)) { + const DOM_SID *user_sid; + unbecome_root(); - sid_copy(psid, pdb_get_user_sid(sam_account)); - *psid_name_use = SID_NAME_USER; - + + user_sid = pdb_get_user_sid(sam_account); + + if (!sid_check_is_in_our_domain(user_sid)) { + DEBUG(0, ("User %s with invalid SID %s in passdb\n", + user, sid_string_static(user_sid))); + return False; + } + + sid_peek_rid(user_sid, rid); + + if (pdb_get_acct_ctrl(sam_account) & + (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST)) { + /* We have to filter them out in lsa_lookupnames, + * indicate that this is not a real user. */ + *type = SID_NAME_COMPUTER; + } else { + *type = SID_NAME_USER; + } pdb_free_sam(&sam_account); return True; } @@ -905,41 +912,51 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi /* check if it's a mapped group */ if (pdb_getgrnam(&map, user)) { - /* yes it's a mapped group */ - sid_copy(&local_sid, &map.sid); - *psid_name_use = map.sid_name_use; - } else { - /* it's not a mapped group */ - grp = getgrnam(user); - if(!grp) { - unbecome_root(); /* ---> exit form block */ + + unbecome_root(); + + /* BUILTIN groups are looked up elsewhere */ + if (!sid_check_is_in_our_domain(&map.sid)) { + DEBUG(10, ("Found group %s (%s) not in our domain -- " + "ignoring.", user, + sid_string_static(&map.sid))); return False; } - /* - *check if it's mapped, if it is reply it doesn't exist - * - * that's to prevent this case: - * - * unix group ug is mapped to nt group ng - * someone does a lookup on ug - * we must not reply as it doesn't "exist" anymore - * for NT. For NT only ng exists. - * JFM, 30/11/2001 - */ + /* yes it's a mapped group */ + sid_peek_rid(&map.sid, rid); + *type = map.sid_name_use; + return True; + } + + /* it's not a mapped group */ + grp = getgrnam(user); + if(!grp) { + unbecome_root(); /* ---> exit form block */ + return False; + } - if (pdb_getgrgid(&map, grp->gr_gid)){ - unbecome_root(); /* ---> exit form block */ - return False; - } + /* + *check if it's mapped, if it is reply it doesn't exist + * + * that's to prevent this case: + * + * unix group ug is mapped to nt group ng + * someone does a lookup on ug + * we must not reply as it doesn't "exist" anymore + * for NT. For NT only ng exists. + * JFM, 30/11/2001 + */ - sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid)); - *psid_name_use = SID_NAME_ALIAS; + if (pdb_getgrgid(&map, grp->gr_gid)) { + unbecome_root(); /* ---> exit form block */ + return False; } unbecome_root(); /* END ROOT BLOCK */ - sid_copy( psid, &local_sid); + *rid = pdb_gid_to_group_rid(grp->gr_gid); + *type = SID_NAME_ALIAS; return True; } -- cgit