From 7264b9df8fd2cfae2db4aca82ac737f47fdd5936 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 1 May 2003 14:08:00 +0000 Subject: proper wellknown sids initialization at startup (This used to be commit 568feee8977ee1be210344c8ab1896512894cba2) --- source3/sam/idmap_util.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'source3/sam') diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 5d089d3baf..92cbb103db 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -298,3 +298,49 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) return ret; } + +/* Initialize idmap withWellknown SIDs like Guest, that are necessary + * to make samba run properly */ +BOOL idmap_init_wellknown_sids(void) +{ + const char *guest_account = lp_guestaccount(); + struct passwd *pass; + DOM_SID sid; + unid_t id; + int flags; + + if (!(guest_account && *guest_account)) { + DEBUG(1, ("NULL guest account!?!?\n")); + return False; + } + + pass = getpwnam_alloc(guest_account); + if (!pass) { + return False; + } + + flags = ID_USERID; + id.uid = pass->pw_uid; + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, DOMAIN_USER_RID_GUEST); + if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) { + passwd_free(&pass); + return False; + } + + /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the + * guest account gid as mapping */ + flags = ID_GROUPID | ID_NOMAP; + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, DOMAIN_GROUP_RID_GUESTS); + if (NT_STATUS_IS_ERR(idmap_get_id_from_sid(&id, &flags, &sid))) { + flags = ID_GROUPID; + id.gid = pass->pw_gid; + if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) { + passwd_free(&pass); + return False; + } + } + + return True; +} -- cgit From 6a10e99fb1a7333f4897170e1f99c2a35aba43ed Mon Sep 17 00:00:00 2001 
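Review bot: Two of the three failure exits in `idmap_init_wellknown_sids` return False without logging, so a startup failure to map the Guest SID leaves no trace of which step failed. Only the empty guest-account case has a DEBUG line; the `getpwnam_alloc` failure could log `DEBUG(1, ("idmap_init_wellknown_sids: guest account [%s] not found\n", guest_account));`, and the two `idmap_set_mapping` failures deserve a similar message. Separately, the final `return True` leaves `pass` allocated, although both error paths call `passwd_free(&pass);`, and the same call belongs before the success return. The header comment also has a typo, `withWellknown`.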
From: Simo Sorce Date: Thu, 1 May 2003 14:32:24 +0000 Subject: init wellknown in pdbedit too add group mapping mappings to idmap at startup (This used to be commit 62365023db61d5a4fa32845af3db73bce6cb94ea) --- source3/sam/idmap_util.c | 44 ++++++++++++++++++++------------------------ 1 file changed, 20 insertions(+), 24 deletions(-) (limited to 'source3/sam') diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 92cbb103db..1508523ea6 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -172,12 +172,8 @@ NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid) if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { DEBUG(10, ("gid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); if (flags & ID_NOMAP) { - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(sid, &map.sid); - } else { - sid_copy(sid, get_global_sam_sid()); - sid_append_rid(sid, pdb_gid_to_group_rid(gid)); - } + sid_copy(sid, get_global_sam_sid()); + sid_append_rid(sid, pdb_gid_to_group_rid(gid)); DEBUG(10,("gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)gid, sid_string_static(sid))); ret = NT_STATUS_OK; 
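Review bot: Removing the `pdb_getgrgid` lookup here, and the `pdb_getgrsid` lookup in the sid_to_gid hunk of this commit, means a group that has a group-mapping entry but no idmap entry now silently gets the algorithmic RID or gid instead of the mapped one. The only place this commit copies group mappings into idmap is `idmap_init_wellknown_sids` at startup, so whether a mapping created later reaches idmap is not visible in this diff. If these results feed access checks, a stale answer is worth making detectable. At minimum the fallback branch should carry a comment such as `/* relies on group mappings having been registered in idmap, see idmap_init_wellknown_sids() */`. Both functions begin and end outside their hunks.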
@@ -274,25 +270,13 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n")); - /* the group mapping code should register mappings in idmap - * and have the following if() eliminated */ - if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) { - /* the SID is in the mapping table but not mapped */ - if (map.gid==(gid_t)-1) { - ret = NT_STATUS_UNSUCCESSFUL; - } else { - *gid = map.gid; - ret = NT_STATUS_OK; - } + if (fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid))); + ret = NT_STATUS_UNSUCCESSFUL; } else { - if (fallback_pdb_rid_is_user(rid)) { - DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid))); - ret = NT_STATUS_UNSUCCESSFUL; - } else { - *gid = pdb_group_rid_to_gid(rid); - DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid))); - ret = NT_STATUS_OK; - } + *gid = pdb_group_rid_to_gid(rid); + DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid))); + ret = NT_STATUS_OK; } } @@ -305,6 +289,8 @@ BOOL idmap_init_wellknown_sids(void) { const char *guest_account = lp_guestaccount(); struct passwd *pass; + GROUP_MAP *map=NULL; + int num_entries=0; DOM_SID sid; unid_t id; int flags; @@ -328,6 +314,16 @@ BOOL idmap_init_wellknown_sids(void) return False; } + /* now fill in group mappings */ + if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + int i; + + for (i = 0; i < num_entries; i++) { + id.gid = map[i].gid; + idmap_set_mapping(&(map[i].sid), id, ID_GROUPID); + } + } + /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the * guest account gid as mapping */ flags = ID_GROUPID | ID_NOMAP; -- cgit From e492cdb4e4deb9bba714272caed8772b8b25e4be Mon Sep 17 00:00:00 2001 
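Review bot: The new group-mapping loop ignores the result of `idmap_set_mapping`, while the guest mappings in the same function check it with `NT_STATUS_IS_ERR`. A group whose mapping fails to store will therefore fall through to algorithmic mapping later with nothing logged. The `map` array filled by `pdb_enum_group_mapping` is also never released in the visible code; assuming the caller owns that allocation, it should be freed once the loop is done. The function starts in an earlier hunk and continues past this one.
```c
		id.gid = map[i].gid;
		if (NT_STATUS_IS_ERR(idmap_set_mapping(&(map[i].sid), id, ID_GROUPID))) {
			DEBUG(1, ("idmap_init_wellknown_sids: failed to store mapping for gid %u\n",
				  (unsigned int)map[i].gid));
		}
	/* … unchanged: end of for loop … */
	SAFE_FREE(map);
```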
From: Simo Sorce Date: Thu, 1 May 2003 16:02:55 +0000 Subject: fix wrong debug messages in idmap_util.c correctly handle allocated rids in tdbsam (This used to be commit 7ae6162e1dd668897628c4f7edff508616644d21) --- source3/sam/idmap_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/sam') diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 1508523ea6..ff581d91bc 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -133,7 +133,7 @@ NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid) id.uid = uid; if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { - DEBUG(10, ("uid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); + DEBUG(10, ("uid_to_sid: Failed to map uid = [%s]\n", (unsigned int)uid)); if (flags & ID_NOMAP) { sid_copy(sid, get_global_sam_sid()); sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid)); @@ -170,7 +170,7 @@ NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid) id.gid = gid; if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { - DEBUG(10, ("gid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); + DEBUG(10, ("gid_to_sid: Failed to map gid = [%u]\n", (unsigned int)gid)); if (flags & ID_NOMAP) { sid_copy(sid, get_global_sam_sid()); sid_append_rid(sid, pdb_gid_to_group_rid(gid)); -- cgit From e87f9a29b7e695a15a6cedb36e4a48821086d3e8 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 2 May 2003 08:03:25 +0000 Subject: shouldn't wellknown group be well.. ..WKN_GRP ? make a new sam_Account contain our domain by default, windows will complain on logon otherwise. fix stupid typo in idmap_util.c (This used to be commit 21701876dc6c59ebfc51be708a98226a00a764e0) --- source3/sam/idmap_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/sam') diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index ff581d91bc..5d7adcdc04 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c 
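Review bot: The rewritten uid_to_sid message pairs `%s` with `(unsigned int)uid`, so whenever this line is emitted the formatter treats an integer as a string pointer. The gid_to_sid hunk in the same commit already uses the right conversion, and the uid line should match it: `DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid));`. If the debug helper carries a printf-style format attribute in this tree, compiling with format warnings enabled would catch this class of mistake.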
@@ -133,7 +133,7 @@ NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid) id.uid = uid; if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { - DEBUG(10, ("uid_to_sid: Failed to map uid = [%s]\n", (unsigned int)uid)); + DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid)); if (flags & ID_NOMAP) { sid_copy(sid, get_global_sam_sid()); sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid)); -- cgit From 8b232cbb3e44179bb48fe000c9236678f65b8c25 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 3 May 2003 01:29:18 +0000 Subject: fixes to *_util.c files add winbindd_passdb backend this makes it possible to have nua accounts on security = user servers to show up in unic through nss_winbind.so the problem is that we do not have group support, so nss group support is not very good at this time (read: totally absent) we NEED group support in passdb (This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1) --- source3/sam/idmap_util.c | 61 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 48 insertions(+), 13 deletions(-) (limited to 'source3/sam') diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 5d7adcdc04..e0c492542b 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -62,6 +62,24 @@ BOOL idmap_check_rid_is_in_free_range(uint32 rid) return True; } +/* if it is a foreign SID or if the SID is in the free range, return true */ + +BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid) +{ + if (sid_compare_domain(get_global_sam_sid(), sid) == 0) { + + uint32 rid; + + if (sid_peek_rid(sid, &rid)) { + return idmap_check_rid_is_in_free_range(rid); + } + + return False; + } + + return True; +} + /****************************************************************** * Get the the non-algorithmic RID range if idmap range are defined ******************************************************************/ 
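Review bot: The comment on `idmap_check_sid_is_in_free_range` leaves out the third outcome: a SID in the local domain whose RID `sid_peek_rid` cannot read returns False without the range being consulted. The sid_to_uid and sid_to_gid hunks of this commit turn a False result into `ID_NOMAP` plus algorithmic fallback, so the comment should say what each return value means for callers. For example: `/* True: foreign SID, or local RID inside the free range. False: local RID outside the free range, or a local SID with no readable RID; callers must re-read the RID before falling back. */`.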
@@ -196,7 +214,6 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; BOOL fallback = False; - uint32 rid; unid_t id; int flags; @@ -204,20 +221,30 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) flags = ID_USERID; if (!lp_idmap_only()) { - if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { - if (!idmap_check_rid_is_in_free_range(rid)) { - flags |= ID_NOMAP; - fallback = True; - } + if (!idmap_check_sid_is_in_free_range(sid)) { + flags |= ID_NOMAP; + fallback = True; } } if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) { + DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid)); + *uid = id.uid; ret = NT_STATUS_OK; + } else if (fallback) { + uint32 rid; + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(10,("sid_to_uid: invalid SID!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } + DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n")); + if (!fallback_pdb_rid_is_user(rid)) { DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid))); ret = NT_STATUS_UNSUCCESSFUL; @@ -228,6 +255,7 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) } } +done: return ret; } @@ -252,21 +280,26 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) flags = ID_GROUPID; if (!lp_idmap_only()) { - if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { - if (!idmap_check_rid_is_in_free_range(rid)) { - flags |= ID_NOMAP; - fallback = True; - } + if (!idmap_check_sid_is_in_free_range(sid)) { + flags |= ID_NOMAP; + fallback = True; } } if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) { + DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid)); *gid = id.gid; ret = NT_STATUS_OK; + } else if (fallback) { - GROUP_MAP map; - BOOL result; + uint32 rid; + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(10,("sid_to_uid: invalid SID!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n")); 
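Review bot: The new success-path message in sid_to_uid prints `id.uid` with `%d` and no cast, while the other messages in this file cast to `unsigned int` and use `%u`. A `uid_t` that is unsigned or wider than `int` would then be logged incorrectly, which matters when these lines are used to trace identity mapping. Suggested form: `DEBUG(10,("sid_to_uid: uid = [%u]\n", (unsigned int)id.uid));`. The same applies to the `id.gid` message added in the sid_to_gid hunk.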
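Review bot: The invalid-SID message added to sid_to_gid still names the other function, `sid_to_uid: invalid SID!`, which will send anyone reading the log to the wrong code path. It should read `DEBUG(10,("sid_to_gid: invalid SID!\n"));`. This hunk also declares `uint32 rid;` inside the fallback block, whereas the sid_to_uid hunk removes its function-level declaration and no hunk shown here does so for sid_to_gid. If the outer `rid` is still declared, the inner one shadows it and the outer one is now unused. The function's declarations lie outside the hunk, so this needs checking against the full file.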
@@ -280,6 +313,7 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) } } +done: return ret; } @@ -338,5 +372,6 @@ BOOL idmap_init_wellknown_sids(void) } } + passwd_free(&pass); return True; } -- cgit