From 922eb763d7365716fd3c20aa069746fc9bfb8ab3 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Tue, 4 Dec 2001 21:53:47 +0000 Subject: added a boolean to the group mapping functions to specify if we need or not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c) --- source3/passdb/nispass.c | 3 +-- source3/passdb/passdb.c | 46 +++++++++++++++++------------------------- source3/passdb/pdb_ldap.c | 3 +-- source3/passdb/pdb_nisplus.c | 3 +-- source3/passdb/pdb_smbpasswd.c | 3 +-- 5 files changed, 23 insertions(+), 35 deletions(-) (limited to 'source3/passdb') diff --git a/source3/passdb/nispass.c b/source3/passdb/nispass.c index 0f41b47549..3b7b90307d 100644 --- a/source3/passdb/nispass.c +++ b/source3/passdb/nispass.c @@ -308,8 +308,7 @@ static BOOL make_sam_from_nisp_object(struct sam_passwd *pw_buf, nis_object *obj else { GROUP_MAP map; - if (get_group_map_from_gid(pw_buf->smb_grpid, &map)) { - free_privileges(&map.priv_set); + if (get_group_map_from_gid(pw_buf->smb_grpid, &map, MAPPING_WITHOUT_PRIV)) { pw_buf->group_rid = map.rid; } else diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index e469718b5c..f54121cf63 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c 
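Review bot: The nispass.c call site still reads the group RID from `map.rid`, while every other call site in this patch derives it from the mapped SID with `sid_peek_rid(&map.sid, ...)`. If GROUP_MAP no longer has a `rid` member this backend will not build, and if it does, the two fields can disagree. Changing the line to `sid_peek_rid(&map.sid, &pw_buf->group_rid);` would keep it consistent with the other backends, assuming `group_rid` is a uint32 here. The body of make_sam_from_nisp_object continues outside the hunk.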
@@ -143,8 +143,7 @@ BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd) pdb_set_user_rid(*new_sam_acct, pdb_uid_to_user_rid(pwd->pw_uid)); /* call the mapping code here */ - if(get_group_map_from_gid(pwd->pw_gid, &map)) { - free_privilege(&map.priv_set); + if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &rid); } else rid=pdb_gid_to_group_rid(pwd->pw_gid); @@ -405,8 +404,7 @@ BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid) /* absolutely no idea what to do about the unix GID to Domain RID mapping */ /* map it ! */ - if (get_group_map_from_gid(pw->pw_gid, &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, g_rid); } else *g_rid = pdb_gid_to_group_rid(pw->pw_gid); @@ -491,13 +489,16 @@ BOOL pdb_rid_is_user(uint32 rid) Convert a rid into a name. Used in the lookup SID rpc. ********************************************************************/ -BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) +BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use) { - BOOL is_user = pdb_rid_is_user(rid); + uint32 rid; + BOOL is_user; + sid_peek_rid(sid, &rid); + is_user = pdb_rid_is_user(rid); *psid_name_use = SID_NAME_UNKNOWN; - DEBUG(5,("local_lookup_rid: looking up %s RID %u.\n", is_user ? "user" : + DEBUG(5,("local_lookup_sid: looking up %s RID %u.\n", is_user ? "user" : "group", (unsigned int)rid)); if(is_user) { @@ -529,7 +530,7 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) *psid_name_use = SID_NAME_USER; - DEBUG(5,("local_lookup_rid: looking up uid %u %s\n", (unsigned int)uid, + DEBUG(5,("local_lookup_sid: looking up uid %u %s\n", (unsigned int)uid, pass ? "succeeded" : "failed" )); if(!pass) { 
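Review bot: In pdb_init_sam_pw the primary-group RID is taken from `map.sid` without checking that the mapped SID lies under the local domain SID, and the result of `sid_peek_rid()` is ignored. A Unix gid mapped to a builtin or foreign-domain SID would then yield a RID that clients interpret relative to the domain SID, which is the kind of collision the commit message warns about. The same pattern appears in the pdb_name_to_rid hunk (@@ -405) and in the pdb_ldap.c, pdb_nisplus.c and pdb_smbpasswd.c hunks. Consider guarding it with one of the SID-check helpers the commit message says were added to lib/util_sid.c, falling back to `pdb_gid_to_group_rid()` otherwise. The function bodies extend beyond these hunks.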
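Review bot: local_lookup_sid() (@@ -491) now accepts a full SID but uses only its last sub-authority: `sid_peek_rid(sid, &rid);` is unchecked, and nothing in the visible lines compares the SID's domain part with the local domain SID. If sid_peek_rid() can fail (for instance on a SID with no sub-authorities), `pdb_rid_is_user(rid)` reads `rid` uninitialised. A SID from another domain that ends in a local user's RID would also appear to resolve to that account unless every caller filters first. I would check the call, `if (!sid_peek_rid(sid, &rid)) return False;`, and state in the header comment which domains the caller must already have ruled out; that comment still reads "Convert a rid into a name". Most of the function body is outside this hunk.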
@@ -539,7 +540,7 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) fstrcpy(name, pass->pw_name); - DEBUG(5,("local_lookup_rid: found user %s for rid %u\n", name, + DEBUG(5,("local_lookup_sid: found user %s for rid %u\n", name, (unsigned int)rid )); } @@ -547,11 +548,7 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) gid_t gid; struct group *gr; GROUP_MAP map; - DOM_SID local_sid; - sid_copy(&local_sid, &global_sam_sid); - sid_append_rid(&local_sid, rid); - /* * Don't try to convert the rid to a name if running * in appliance mode @@ -561,10 +558,9 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) return False; /* check if it's a mapped group */ - if (get_group_map_from_sid(local_sid, &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_sid(*sid, &map, MAPPING_WITHOUT_PRIV)) { if (map.gid!=-1) { - DEBUG(5,("local_local_rid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid)); + DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid)); fstrcpy(name, map.nt_name); *psid_name_use = map.sid_name_use; return True; @@ -576,17 +572,17 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) *psid_name_use = SID_NAME_ALIAS; - DEBUG(5,("local_local_rid: looking up gid %u %s\n", (unsigned int)gid, + DEBUG(5,("local_lookup_sid: looking up gid %u %s\n", (unsigned int)gid, gr ? "succeeded" : "failed" )); if(!gr) { slprintf(name, sizeof(fstring)-1, "unix_group.%u", (unsigned int)gid); - return True; + return False; } fstrcpy( name, gr->gr_name); - DEBUG(5,("local_lookup_rid: found group %s for rid %u\n", name, + DEBUG(5,("local_lookup_sid: found group %s for rid %u\n", name, (unsigned int)rid )); } 
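Review bot: In the @@ -576 hunk the `!gr` branch now returns False but still leaves a fabricated name and a definite type in the output parameters. `*psid_name_use` was set to SID_NAME_ALIAS just above, and `slprintf()` writes `unix_group.%u` into `name`. A caller that does not test the return value, or that logs the buffers on failure, would still see the faked group the commit message says should no longer be returned. Suggest replacing the `slprintf()` call with `*psid_name_use = SID_NAME_UNKNOWN;` before `return False;`. The remainder of local_lookup_sid is outside this hunk.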
@@ -647,8 +643,7 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid, GROUP_MAP map; /* check if it's a mapped group */ - if (get_group_map_from_ntname(user, &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_ntname(user, &map, MAPPING_WITHOUT_PRIV)) { if (map.gid!=-1) { /* yes it's a mapped group to a valid unix group */ sid_copy(&local_sid, &map.sid); @@ -675,8 +670,7 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid, * JFM, 30/11/2001 */ - if(get_group_map_from_gid(grp->gr_gid, &map)){ - free_privilege(&map.priv_set); + if(get_group_map_from_gid(grp->gr_gid, &map, MAPPING_WITHOUT_PRIV)){ return False; } @@ -759,8 +753,7 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) sid_copy(psid, &global_sam_sid); - if (get_group_map_from_gid(gid, &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { sid_copy(psid, &map.sid); } else { @@ -801,8 +794,7 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) if (pdb_rid_is_user(rid)) return False; - if (get_group_map_from_sid(*psid, &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) { /* the SID is in the mapping table but not mapped */ if (map.gid==-1) diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index d0eebbed89..f426f926b1 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -585,8 +585,7 @@ static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCO if ( !sampass->group_rid) { GROUP_MAP map; - if (get_group_map_from_gid(pdb_get_gid(sampass), &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &sampass->group_rid); } else diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c index aff0870a8d..9fc4a0a65a 100644 
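Review bot: In the pdb_ldap.c hunk, `sid_peek_rid(&map.sid, &sampass->group_rid);` writes through `sampass`, which the hunk header (truncated after `const SAM_ACCO`) appears to declare as a pointer to a const SAM_ACCOUNT. That discards the qualifier and silently mutates the caller's account while the LDAP modification list is being built. A local `uint32 rid;` filled by `sid_peek_rid(&map.sid, &rid);` would avoid the write. How the value is consumed afterwards is outside the hunk, so the follow-up line is not visible here.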
--- a/source3/passdb/pdb_nisplus.c +++ b/source3/passdb/pdb_nisplus.c @@ -501,8 +501,7 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass, rid=pdb_get_group_rid(sampass); if (rid==0) { - if (get_group_map_from_gid(pdb_get_gid(sampass), &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &rid); } else rid=pdb_gid_to_group_rid(pdb_get_gid(sampass)); diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index c189d9a9b7..e5b1ec97f7 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -1225,8 +1225,7 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw uint32 rid; GROUP_MAP map; - if (get_group_map_from_gid(pwfile->pw_gid, &map)) { - free_privilege(&map.priv_set); + if (get_group_map_from_gid(pwfile->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &rid); } else -- cgit