From 7264b9df8fd2cfae2db4aca82ac737f47fdd5936 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 1 May 2003 14:08:00 +0000 Subject: proper wellknown sids initialization at startup (This used to be commit 568feee8977ee1be210344c8ab1896512894cba2) --- source3/nsswitch/winbindd.c | 3 ++ source3/passdb/passdb.c | 6 ++-- source3/passdb/pdb_guest.c | 70 ++++++++++++++++++++++----------------------- source3/sam/idmap_util.c | 46 +++++++++++++++++++++++++++++ source3/smbd/server.c | 5 +++- 5 files changed, 90 insertions(+), 40 deletions(-) (limited to 'source3') diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 1be5a18c7c..da2540f5d9 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -757,6 +757,9 @@ BOOL winbind_setup_common(void) if (!idmap_init()) return False; + if (!idmap_init_wellknown_sids()) + return False; + /* Unblock all signals we are interested in as they may have been blocked by the parent process. */ diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 8631888faf..bb40e38d0b 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -37,7 +37,7 @@ Fill the SAM_ACCOUNT with default values. ***********************************************************/ -static void pdb_fill_default_sam(SAM_ACCOUNT *user) +void pdb_fill_default_sam(SAM_ACCOUNT *user) { ZERO_STRUCT(user->private); /* Don't touch the talloc context */ @@ -296,7 +296,7 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username) /* set Domain Users by default ! */ sid_copy(&g_sid, get_global_sam_sid()); - sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS); + sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS); pdb_set_group_sid(*new_sam_acct, &g_sid, PDB_SET); } return NT_STATUS_OK; 
@@ -671,7 +671,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use GROUP_MAP map; if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){ - DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n", + DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n", sid_string_static(&map.sid))); return False; } diff --git a/source3/passdb/pdb_guest.c b/source3/passdb/pdb_guest.c index 7ecfa7d4c3..9bcdccc7e7 100644 --- a/source3/passdb/pdb_guest.c +++ b/source3/passdb/pdb_guest.c @@ -24,11 +24,16 @@ Lookup a name in the SAM database ******************************************************************/ -static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname) +static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *sam_account, const char *sname) { NTSTATUS nt_status; - struct passwd *pass; const char *guest_account = lp_guestaccount(); + + if (!sam_account || !sname) { + DEBUG(0,("invalid name specified")); + return NT_STATUS_UNSUCCESSFUL; + } + if (!(guest_account && *guest_account)) { DEBUG(1, ("NULL guest account!?!?\n")); return NT_STATUS_UNSUCCESSFUL; 
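Review bot: The new NULL guard at the top of guestsam_getsampwnam logs `DEBUG(0,("invalid name specified"));` with no trailing newline, and the text only mentions the name although the condition also fires when sam_account is NULL. Something like `DEBUG(0,("guestsam_getsampwnam: NULL sam_account or name\n"));` keeps the log line terminated and names the actual cause. The rest of the function body continues past the end of this hunk.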
@@ -38,21 +43,31 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT * DEBUG(0,("invalid methods\n")); return NT_STATUS_UNSUCCESSFUL; } - if (!sname) { - DEBUG(0,("invalid name specified")); - return NT_STATUS_UNSUCCESSFUL; - } - if (!strequal(guest_account, sname)) { return NT_STATUS_NO_SUCH_USER; } - pass = getpwnam_alloc(guest_account); - - nt_status = pdb_fill_sam_pw(user, pass); + pdb_fill_default_sam(sam_account); + + if (!pdb_set_username(sam_account, guest_account, PDB_SET)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_fullname(sam_account, guest_account, PDB_SET)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_domain(sam_account, lp_workgroup(), PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_acct_ctrl(sam_account, ACB_NORMAL, PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; + + if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) + return NT_STATUS_UNSUCCESSFUL; - passwd_free(&pass); - return nt_status; + return NT_STATUS_OK; } 
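Review bot: The rewritten body of guestsam_getsampwnam builds the account purely from the lp_guestaccount() string and no longer resolves that name against the Unix password database, which the removed getpwnam_alloc()/pdb_fill_sam_pw() path presumably did, so a misspelled `guest account` setting now yields a well-formed SAM_ACCOUNT instead of an error. If the existence check is intended to live only in idmap_init_wellknown_sids() at startup (as this commit's other hunks suggest), a comment above `pdb_fill_default_sam(sam_account);` saying `/* Unix existence of the guest account is verified by idmap_init_wellknown_sids() at startup */` would stop the next reader from re-adding it. The six `if (!pdb_set_...) return NT_STATUS_UNSUCCESSFUL;` branches also log nothing, unlike the `invalid methods` path just above them, so a failed setter is indistinguishable from a bad methods pointer in the logs. The function's opening lines are in the previous hunk.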
@@ -61,35 +76,17 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT * **************************************************************************/ static NTSTATUS guestsam_getsampwrid (struct pdb_methods *methods, - SAM_ACCOUNT *user, uint32 rid) + SAM_ACCOUNT *sam_account, uint32 rid) { - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - struct passwd *pass = NULL; - const char *guest_account = lp_guestaccount(); - if (!(guest_account && *guest_account)) { - DEBUG(1, ("NULL guest account!?!?\n")); - return nt_status; - } - - if (!methods) { - DEBUG(0,("invalid methods\n")); - return nt_status; - } - - if (rid == DOMAIN_USER_RID_GUEST) { - pass = getpwnam_alloc(guest_account); - if (!pass) { - DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account)); - return NT_STATUS_NO_SUCH_USER; - } - } else { + if (rid != DOMAIN_USER_RID_GUEST) { return NT_STATUS_NO_SUCH_USER; } - nt_status = pdb_fill_sam_pw(user, pass); - passwd_free(&pass); + if (!sam_account) { + return NT_STATUS_INVALID_PARAMETER; + } - return nt_status; + return guestsam_getsampwnam (methods, sam_account, lp_guestaccount()); } static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid) @@ -97,6 +94,7 @@ static NTSTATUS guestsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT uint32 rid; if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) return NT_STATUS_NO_SUCH_USER; + return guestsam_getsampwrid(my_methods, user, rid); } diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 5d089d3baf..92cbb103db 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c 
@@ -298,3 +298,49 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) return ret; } + +/* Initialize idmap withWellknown SIDs like Guest, that are necessary + * to make samba run properly */ +BOOL idmap_init_wellknown_sids(void) +{ + const char *guest_account = lp_guestaccount(); + struct passwd *pass; + DOM_SID sid; + unid_t id; + int flags; + + if (!(guest_account && *guest_account)) { + DEBUG(1, ("NULL guest account!?!?\n")); + return False; + } + + pass = getpwnam_alloc(guest_account); + if (!pass) { + return False; + } + + flags = ID_USERID; + id.uid = pass->pw_uid; + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, DOMAIN_USER_RID_GUEST); + if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) { + passwd_free(&pass); + return False; + } + + /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the + * guest account gid as mapping */ + flags = ID_GROUPID | ID_NOMAP; + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, DOMAIN_GROUP_RID_GUESTS); + if (NT_STATUS_IS_ERR(idmap_get_id_from_sid(&id, &flags, &sid))) { + flags = ID_GROUPID; + id.gid = pass->pw_gid; + if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) { + passwd_free(&pass); + return False; + } + } + + return True; +} diff --git a/source3/smbd/server.c b/source3/smbd/server.c index b1b9192c09..ef27f0b7a4 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -833,10 +833,13 @@ static BOOL init_structs(void ) if (!init_registry()) exit(1); + if(!initialize_password_db(False)) + exit(1); + if (!idmap_init()) exit(1); - if(!initialize_password_db(False)) + if (!idmap_init_wellknown_sids()) exit(1); static_init_rpc; -- cgit From 6a10e99fb1a7333f4897170e1f99c2a35aba43ed Mon Sep 17 00:00:00 2001 
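Review bot: idmap_init_wellknown_sids() leaks the `struct passwd` obtained from getpwnam_alloc(): `pass` is released on the two idmap_set_mapping() failure paths but not before the final `return True;`. Add `passwd_free(&pass);` immediately before `return True;`, or route every exit through one cleanup label so later additions cannot miss it. The `ID_GROUPID | ID_NOMAP` probe also treats any error from idmap_get_id_from_sid() as "no mapping stored yet" and installs the guest gid; if that is deliberate for backend errors too, a short comment on that `if` would make it clear.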
From: Simo Sorce Date: Thu, 1 May 2003 14:32:24 +0000 Subject: init wellknown in pdbedit too add group mapping mappings to idmap at startup (This used to be commit 62365023db61d5a4fa32845af3db73bce6cb94ea) --- source3/sam/idmap_util.c | 44 ++++++++++++++++++++------------------------ source3/utils/pdbedit.c | 6 ++++++ 2 files changed, 26 insertions(+), 24 deletions(-) (limited to 'source3') diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 92cbb103db..1508523ea6 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -172,12 +172,8 @@ NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid) if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { DEBUG(10, ("gid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); if (flags & ID_NOMAP) { - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(sid, &map.sid); - } else { - sid_copy(sid, get_global_sam_sid()); - sid_append_rid(sid, pdb_gid_to_group_rid(gid)); - } + sid_copy(sid, get_global_sam_sid()); + sid_append_rid(sid, pdb_gid_to_group_rid(gid)); DEBUG(10,("gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)gid, sid_string_static(sid))); ret = NT_STATUS_OK; 
@@ -274,25 +270,13 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n")); - /* the group mapping code should register mappings in idmap - * and have the following if() eliminated */ - if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) { - /* the SID is in the mapping table but not mapped */ - if (map.gid==(gid_t)-1) { - ret = NT_STATUS_UNSUCCESSFUL; - } else { - *gid = map.gid; - ret = NT_STATUS_OK; - } + if (fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid))); + ret = NT_STATUS_UNSUCCESSFUL; } else { - if (fallback_pdb_rid_is_user(rid)) { - DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid))); - ret = NT_STATUS_UNSUCCESSFUL; - } else { - *gid = pdb_group_rid_to_gid(rid); - DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid))); - ret = NT_STATUS_OK; - } + *gid = pdb_group_rid_to_gid(rid); + DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid))); + ret = NT_STATUS_OK; } } @@ -305,6 +289,8 @@ BOOL idmap_init_wellknown_sids(void) { const char *guest_account = lp_guestaccount(); struct passwd *pass; + GROUP_MAP *map=NULL; + int num_entries=0; DOM_SID sid; unid_t id; int flags; @@ -328,6 +314,16 @@ BOOL idmap_init_wellknown_sids(void) return False; } + /* now fill in group mappings */ + if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + int i; + + for (i = 0; i < num_entries; i++) { + id.gid = map[i].gid; + idmap_set_mapping(&(map[i].sid), id, ID_GROUPID); + } + } + /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the * guest account gid as mapping */ flags = ID_GROUPID | ID_NOMAP; diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index 4cb3db52b7..13f35e8880 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c 
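Review bot: In the new group-mapping loop added to idmap_init_wellknown_sids(), the `map` array filled by pdb_enum_group_mapping() is never released after the loop, and the status returned by idmap_set_mapping() for each entry is discarded, so a backend that rejects a mapping fails silently while every other idmap_set_mapping() call in this function is checked with NT_STATUS_IS_ERR. The enumerator appears to grow a heap array (the `mapt[entries]` filling in enum_group_mapping elsewhere on this page suggests so; worth confirming against other callers), in which case a `SAFE_FREE(map);` after the loop is needed. The loop sits in the middle of idmap_init_wellknown_sids(), whose start and end are outside this hunk.
```c
	if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) {
		int i;

		for (i = 0; i < num_entries; i++) {
			id.gid = map[i].gid;
			if (NT_STATUS_IS_ERR(idmap_set_mapping(&(map[i].sid), id, ID_GROUPID))) {
				DEBUG(1, ("idmap_init_wellknown_sids: failed to store mapping for group %s\n", map[i].nt_name));
			}
		}
		SAFE_FREE(map);
	}
```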
@@ -610,6 +610,12 @@ int main (int argc, char **argv) if (!init_names()) exit(1); + if (!idmap_init()) + exit(1); + + if (!idmap_init_wellknown_sids()) + exit(1); + setparms = (backend ? BIT_BACKEND : 0) + (verbose ? BIT_VERBOSE : 0) + (spstyle ? BIT_SPSTYLE : 0) + -- cgit From e492cdb4e4deb9bba714272caed8772b8b25e4be Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 1 May 2003 16:02:55 +0000 Subject: fix wrong debug messages in idmap_util.c correctly handle allocated rids in tdbsam (This used to be commit 7ae6162e1dd668897628c4f7edff508616644d21) --- source3/passdb/pdb_tdb.c | 11 ++++++++--- source3/sam/idmap_util.c | 4 ++-- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'source3') diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 3ed5d2d4d6..74437cba6f 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -640,7 +640,7 @@ static NTSTATUS tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT return nt_status; } - fstrcpy (name, data.dptr); + fstrcpy(name, data.dptr); SAFE_FREE(data.dptr); tdb_close (pwd_tdb); @@ -771,6 +771,11 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, ret = False; goto done; } + if (!pdb_set_user_sid_from_rid(newpwd, user_rid, PDB_CHANGED)) { + DEBUG(0, ("tdbsam: not able to set new allocated user RID into sam account!\n")); + ret = False; + goto done; + } } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd))); ret = False; @@ -794,7 +799,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, /* setup the USER index key */ slprintf(keystr, sizeof(keystr)-1, "%s%s", USERPREFIX, name); key.dptr = keystr; - key.dsize = strlen (keystr) + 1; + key.dsize = strlen(keystr) + 1; /* add the account */ if (tdb_store(pwd_tdb, key, data, flag) != TDB_SUCCESS) { 
@@ -806,7 +811,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd, } /* setup RID data */ - data.dsize = sizeof(fstring); + data.dsize = strlen(name) + 1; data.dptr = name; /* setup the RID index key */ diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 1508523ea6..ff581d91bc 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -133,7 +133,7 @@ NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid) id.uid = uid; if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { - DEBUG(10, ("uid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); + DEBUG(10, ("uid_to_sid: Failed to map uid = [%s]\n", (unsigned int)uid)); if (flags & ID_NOMAP) { sid_copy(sid, get_global_sam_sid()); sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid)); @@ -170,7 +170,7 @@ NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid) id.gid = gid; if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { - DEBUG(10, ("gid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); + DEBUG(10, ("gid_to_sid: Failed to map gid = [%u]\n", (unsigned int)gid)); if (flags & ID_NOMAP) { sid_copy(sid, get_global_sam_sid()); sid_append_rid(sid, pdb_gid_to_group_rid(gid)); -- cgit From 731eba7dedbad1756cad9bd89186ce83e2d1002a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 1 May 2003 17:48:07 +0000 Subject: Fix for bugid 51 from Dragan Krnic. Jeremy. (This used to be commit aeba1fcab2fa61859fc1052af4752512a33bd801) --- source3/smbd/open.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3') diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 5e4f3caca7..906c4b40d9 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
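Review bot: The new uid_to_sid DEBUG line passes `(unsigned int)uid` to a `%s` conversion, `DEBUG(10, ("uid_to_sid: Failed to map uid = [%s]\n", (unsigned int)uid));`, which is undefined behaviour and will crash or print garbage as soon as log level 10 is enabled; the sibling gid_to_sid hunk in the same commit gets it right with `%u`. Change it to `DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid));`. Both functions continue outside their hunks.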
@@ -168,17 +168,17 @@ static BOOL open_file(files_struct *fsp,connection_struct *conn, /* Actually do the open */ fsp->fd = fd_open(conn, fname, local_flags, mode); - - /* Inherit the ACL if the file was created. */ - if ((local_flags & O_CREAT) && !VALID_STAT(*psbuf)) - inherit_access_acl(conn, fname, mode); - if (fsp->fd == -1) { DEBUG(3,("Error opening file %s (%s) (local_flags=%d) (flags=%d)\n", fname,strerror(errno),local_flags,flags)); check_for_pipe(fname); return False; } + + /* Inherit the ACL if the file was created. */ + if ((local_flags & O_CREAT) && !VALID_STAT(*psbuf)) + inherit_access_acl(conn, fname, mode); + } else fsp->fd = -1; /* What we used to call a stat open. */ -- cgit From a5e8ba3c76c8a340d29299d43529ea9fef2dad59 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 1 May 2003 18:11:59 +0000 Subject: Fix uninitialized blobs reported by Luke Howard. Jeremy. (This used to be commit e954ca2ce8ec6b36794585c3bc948140cf9e7947) --- source3/smbd/sesssetup.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3') diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 3fa3fa411f..a9842424a5 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -153,6 +153,12 @@ static int reply_spnego_kerberos(connection_struct *conn, uint8 tok_id[2]; BOOL foreign = False; + ZERO_STRUCT(ticket); + ZERO_STRUCT(auth_data); + ZERO_STRUCT(ap_rep); + ZERO_STRUCT(ap_rep_wrapped); + ZERO_STRUCT(response); + if (!spnego_parse_krb5_wrap(*secblob, &ticket, tok_id)) { return ERROR_NT(NT_STATUS_LOGON_FAILURE); } -- cgit From e87f9a29b7e695a15a6cedb36e4a48821086d3e8 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Fri, 2 May 2003 08:03:25 +0000 Subject: shouldn't wellknown group be well.. ..WKN_GRP ? make a new sam_Account contain our domain by default, windows will complain on logon otherwise. fix stupid typo in idmap_util.c (This used to be commit 21701876dc6c59ebfc51be708a98226a00a764e0) --- source3/groupdb/mapping.c | 25 +++++++++++++------------ source3/passdb/passdb.c | 3 +-- source3/sam/idmap_util.c | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) (limited to 'source3') diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index b718f42f93..27ec4237ee 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c 
@@ -170,17 +170,17 @@ static BOOL default_group_mapping(void) /* Add the Wellknown groups */ - add_initial_entry(-1, "S-1-5-32-544", SID_NAME_ALIAS, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-545", SID_NAME_ALIAS, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-546", SID_NAME_ALIAS, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); - add_initial_entry(-1, "S-1-5-32-547", SID_NAME_ALIAS, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); + add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-548", SID_NAME_ALIAS, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-549", SID_NAME_ALIAS, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-550", SID_NAME_ALIAS, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-551", SID_NAME_ALIAS, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, 
"S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-552", SID_NAME_ALIAS, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK); + add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK); /* Add the defaults domain groups */ @@ -763,7 +763,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; - + dbuf = tdb_fetch(tdb, kbuf); if (!dbuf.dptr) continue; @@ -796,14 +796,14 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, free_privilege(set); continue; } - +DEBUG(0, ("sid_name_use = %d, map.sid_name_use = %d",sid_name_use, map.sid_name_use)); /* list only the type or everything if UNKNOWN */ if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) { DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name)); free_privilege(set); continue; } - + if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) { DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name)); free_privilege(set); @@ -838,6 +838,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, free_privilege(&(mapt[entries].priv_set)); entries++; + } *num_entries=entries; diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index bb40e38d0b..aa378ecd6e 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c 
@@ -291,8 +291,7 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username) return nt_status; } - /* this is a hack this thing should not be set - here --SSS */ + pdb_set_domain (*new_sam_acct, lp_workgroup(), PDB_DEFAULT); /* set Domain Users by default ! */ sid_copy(&g_sid, get_global_sam_sid()); diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index ff581d91bc..5d7adcdc04 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -133,7 +133,7 @@ NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid) id.uid = uid; if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { - DEBUG(10, ("uid_to_sid: Failed to map uid = [%s]\n", (unsigned int)uid)); + DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid)); if (flags & ID_NOMAP) { sid_copy(sid, get_global_sam_sid()); sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid)); -- cgit From c11e23227c36007a65f1b7b81f280f21c4fba421 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 2 May 2003 17:31:30 +0000 Subject: remove testing debug line (This used to be commit 08d4c2fa85ceaa9d5ff16e7e615bb29e0cde3022) --- source3/groupdb/mapping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3') diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index 27ec4237ee..2b7a852688 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -796,7 +796,7 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, free_privilege(set); continue; } -DEBUG(0, ("sid_name_use = %d, map.sid_name_use = %d",sid_name_use, map.sid_name_use)); + /* list only the type or everything if UNKNOWN */ if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) { DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name)); -- cgit From 7474488713843d59a7ddd3fca51a924f1a482393 Mon Sep 17 00:00:00 2001 
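Review bot: The added `pdb_set_domain (*new_sam_acct, lp_workgroup(), PDB_DEFAULT);` in pdb_init_sam_new() discards the BOOL result, whereas the pdb_set_* calls added to pdb_guest.c earlier in this series each return NT_STATUS_UNSUCCESSFUL on failure. Either check it, bearing in mind that `*new_sam_acct` has already been allocated by this point and would need releasing on that path, or add a one-line comment explaining why a failed domain set is acceptable here. The function continues outside this hunk.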
From: Simo Sorce Date: Fri, 2 May 2003 17:44:59 +0000 Subject: fix pam_smbpass typos (This used to be commit 7e28ee1cf8db065f2518b4543f2e54da97cc19e2) --- source3/pam_smbpass/pam_smb_passwd.c | 4 ++-- source3/pam_smbpass/support.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3') diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c index 3d82927e16..78b89c60b7 100644 --- a/source3/pam_smbpass/pam_smb_passwd.c +++ b/source3/pam_smbpass/pam_smb_passwd.c @@ -298,8 +298,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, uid_t uid; /* password updated */ - if (NT_STATUS_IS_ERR(sid_to_uid(sampass, &uid))) { - _log_err( LOG_NOTICE "Unable to get uid for user %s", + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid))) { + _log_err( LOG_NOTICE, "Unable to get uid for user %s", pdb_get_username(sampass)); _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)", user, uidtoname(getuid()), getuid()); diff --git a/source3/pam_smbpass/support.c b/source3/pam_smbpass/support.c index 32aba7dd5b..62cc866fae 100644 --- a/source3/pam_smbpass/support.c +++ b/source3/pam_smbpass/support.c @@ -399,7 +399,7 @@ int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass, service ? service : "**unknown**", name); new->count = 1; } - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass, &(new->id), &type)))) { + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &(new->id)))) { _log_err(LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), -- cgit From 8caaebf56e02c0c4754e79145819c89b66b552cc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 2 May 2003 18:24:30 +0000 Subject: exclude tdbsam2.h generation until it will be used (This used to be commit 28b73a39219fd717c60eba207143fb40d5ff123a) --- source3/Makefile.in | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'source3') 
diff --git a/source3/Makefile.in b/source3/Makefile.in index c3380eaf28..f9e4ee8038 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1251,8 +1251,8 @@ modules_clean: # afterwards. proto_exists: include/proto.h include/wrepld_proto.h include/build_env.h \ nsswitch/winbindd_proto.h web/swat_proto.h \ - client/client_proto.h utils/net_proto.h \ - include/tdbsam2_parse_info.h + client/client_proto.h utils/net_proto.h +# include/tdbsam2_parse_info.h delheaders: @echo Removing prototype headers @@ -1264,8 +1264,8 @@ delheaders: @/bin/rm -f include/proto.h include/build_env.h include/wrepld_proto.h \ nsswitch/winbindd_proto.h web/swat_proto.h \ - client/client_proto.h utils/net_proto.h \ - include/tdbsam2_parse_info.h + client/client_proto.h utils/net_proto.h +# include/tdbsam2_parse_info.h include/proto.h: @echo Building include/proto.h @@ -1303,14 +1303,15 @@ utils/net_proto.h: -h _CLIENT_PROTO_H_ utils/net_proto.h \ $(NET_OBJ1) -include/tdbsam2_parse_info.h: - @if test -n "$(PERL)"; then \ - cd $(srcdir) && @PERL@ -w script/genstruct.pl \ - -o include/tdbsam2_parse_info.h $(CC) -E -O2 -g \ - include/tdbsam2.h; \ - else \ - echo Unable to build $@, continuing; \ - fi +# not used yet an perl dependent +#include/tdbsam2_parse_info.h: +# @if test -n "$(PERL)"; then \ +# cd $(srcdir) && @PERL@ -w script/genstruct.pl \ +# -o include/tdbsam2_parse_info.h $(CC) -E -O2 -g \ +# include/tdbsam2.h; \ +# else \ +# echo Unable to build $@, continuing; \ +# fi # "make headers" or "make proto" calls a subshell because we need to # make sure these commands are executed in sequence even for a @@ -1323,8 +1324,8 @@ headers: $(MAKE) nsswitch/winbindd_proto.h; \ $(MAKE) web/swat_proto.h; \ $(MAKE) client/client_proto.h; \ - $(MAKE) utils/net_proto.h; \ - $(MAKE) include/tdbsam2_parse_info.h + $(MAKE) utils/net_proto.h; +# $(MAKE) include/tdbsam2_parse_info.h proto: headers -- cgit From 8b232cbb3e44179bb48fe000c9236678f65b8c25 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Sat, 3 May 2003 01:29:18 +0000 Subject: fixes to *_util.c files add winbindd_passdb backend this makes it possible to have nua accounts on security = user servers to show up in unic through nss_winbind.so the problem is that we do not have group support, so nss group support is not very good at this time (read: totally absent) we NEED group support in passdb (This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1) --- source3/Makefile.in | 3 +- source3/nsswitch/winbindd_cache.c | 7 +- source3/nsswitch/winbindd_passdb.c | 360 +++++++++++++++++++++++++++++++++++++ source3/sam/idmap_util.c | 61 +++++-- 4 files changed, 416 insertions(+), 15 deletions(-) create mode 100644 source3/nsswitch/winbindd_passdb.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index f9e4ee8038..5e28f6eb4f 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -600,7 +600,8 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_wins.o \ nsswitch/winbindd_rpc.o \ nsswitch/winbindd_ads.o \ - nsswitch/winbindd_dual.o + nsswitch/winbindd_dual.o \ + nsswitch/winbindd_passdb.o WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 5eabcfca20..27e168b6f9 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -100,7 +100,12 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain) ret = smb_xmalloc(sizeof(*ret)); ZERO_STRUCTP(ret); - switch (lp_security()) { + + if (!strcmp(domain->name, lp_workgroup()) && (lp_security() == SEC_USER)) { + extern struct winbindd_methods passdb_methods; + ret->backend = &passdb_methods; + + } else switch (lp_security()) { #ifdef HAVE_ADS case SEC_ADS: { extern struct winbindd_methods ads_methods; diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c new file mode 100644 index 0000000000..503b97899c --- /dev/null 
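Review bot: The new backend selection in get_cache() compares the domain name with `strcmp(domain->name, lp_workgroup())`, a case-sensitive byte comparison, while names are compared case-insensitively elsewhere in this series (pdb_guest.c uses strequal()); if `domain->name` can carry different case from the smb.conf value, which this hunk does not show, such a domain would silently fall through to the RPC/ADS switch instead of the passdb backend. Use `if (strequal(domain->name, lp_workgroup()) && (lp_security() == SEC_USER)) {`. The `} else switch (lp_security()) {` construction with the extern declaration tucked inside the block also reads oddly; a plain if/else with the switch inside the else branch would be clearer. get_cache() begins and ends outside this hunk.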
+++ b/source3/nsswitch/winbindd_passdb.c 
@@ -0,0 +1,360 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind rpc backend functions
+
+ Copyright (C) Tim Potter 2000-2001,2003
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+
+/* Query display info for a domain. This returns enough information plus a
+ bit extra to give an overview of domain users for the User Manager
+ application. */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result;
+ uint32 i;
+
+ DEBUG(3,("pdb: query_user_list\n"));
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ i = 0;
+ *info = NULL;
+
+ if (pdb_setsampwent(False)) {
+
+ while (pdb_getsampwent(sam_account)) {
+
+ /* we return only nua accounts, or we will have duplicates */
+ if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) {
+ continue;
+ }
+
+ *info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO));
+ if (!(*info)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+
+ (*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ (*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+ sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account));
+ sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account));
+
+ (*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ (*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
+ if (!((*info)[i].acct_name) || !((*info)[i].full_name)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+
+ i++;
+
+ if (NT_STATUS_IS_ERR(pdb_reset_sam(sam_account))) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ break;
+ }
+ }
+
+ *num_entries = i;
+ result = NT_STATUS_OK;
+
+ } else {
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ pdb_free_sam(&sam_account);
+ return result;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n"));
+
+ *num_entries = 0;
+ *info = 0;
+
+ return result;
+}
+
+/* List all domain groups */
+
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n"));
+
+ *num_entries = 0;
+ *info = 0;
+
+ return result;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *name,
+ DOM_SID *sid,
+ enum SID_NAME_USE *type)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+
+ DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name));
+
+ if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
+ if (!pdb_getsampwnam(sam_account, name)) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ } else { /* it is a sam user */
+ sid_copy(sid, pdb_get_user_sid(sam_account));
+ *type = SID_NAME_USER;
+ result = NT_STATUS_OK;
+ }
+ }
+
+ pdb_free_sam(&sam_account);
+ return result;
+}
+
+/*
+ convert a domain SID to a user or group name
+*/
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *sid,
+ char **name,
+ enum SID_NAME_USE *type)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ uint32 id;
+
+ DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid)));
+
+ if (NT_STATUS_IS_OK(sid_to_uid(sid, &id))) { /* this is a user */
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ if (!pdb_getsampwsid(sam_account, sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ if (!(*name)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pdb_free_sam(&sam_account);
+ *type = SID_NAME_USER;
+ result = NT_STATUS_OK;
+
+ } else if (NT_STATUS_IS_OK(sid_to_gid(sid, &id))) { /* this is a group */
+
+ DEBUG(3,("pdb: sid_to_name: group support not implemented\n"));
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return result;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result;
+
+ DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid)));
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ if (!pdb_getsampwsid(sam_account, user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* we return only nua accounts, or we will have duplicates */
+ if (!idmap_check_sid_is_in_free_range(user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ if (!(user_info->user_sid) || !(user_info->group_sid)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+ sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account));
+ sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account));
+
+ user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
+ if (!(user_info->acct_name) || !(user_info->full_name)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_OK;
+}
+
+/* Lookup groups a user is a member of. I wish Unix had a call like this! */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *user_sid,
+ uint32 *num_groups, DOM_SID ***user_gids)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n"));
+
+ num_groups = 0;
+ user_gids = 0;
+
+ return result;
+}
+
+
+/* Lookup group membership given a rid. */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *group_sid, uint32 *num_names,
+ DOM_SID ***sid_mem, char ***names,
+ uint32 **name_types)
+{
+ NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
+
+ DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n"));
+
+ num_names = 0;
+ sid_mem = 0;
+ names = 0;
+ name_types = 0;
+
+ return result;
+}
+
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+ /* FIXME: we fake up the seq_num untill our passdb support it */
+ static uint32 seq_num;
+
+ DEBUG(3,("pdb: sequence_number\n"));
+
+ *seq = seq_num++;
+
+ return NT_STATUS_OK;
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ char ***names,
+ char ***alt_names,
+ DOM_SID **dom_sids)
+{
+ NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
+
+ DEBUG(3,("pdb: trusted_domains (todo!)\n"));
+
+ return result;
+}
+
+/* find the domain sid for a domain */
+static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
+{
+ DEBUG(3,("pdb: domain_sid\n"));
+
+ if (strcmp(domain->name, lp_workgroup())) {
+ return NT_STATUS_INVALID_PARAMETER;
+ } else {
+ sid_copy(sid, get_global_sam_sid());
+ return NT_STATUS_OK;
+ }
+}
+
+/* find alternate names list for the domain
+ * should we look for netbios aliases??
+ SSS */
+static NTSTATUS alternate_name(struct winbindd_domain *domain)
+{
+ DEBUG(3,("pdb: alternate_name\n"));
+
+ return NT_STATUS_OK;
+}
+
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods passdb_methods = {
+ False,
+ query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ query_user,
+ lookup_usergroups,
+ lookup_groupmem,
+ sequence_number,
+ trusted_domains,
+ domain_sid,
+ alternate_name
+};
diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c
index 5d7adcdc04..e0c492542b 100644
--- a/source3/sam/idmap_util.c
+++ b/source3/sam/idmap_util.c
@@ -62,6 +62,24 @@ BOOL idmap_check_rid_is_in_free_range(uint32 rid)
 return True;
 }
 
+/* if it is a foreign SID or if the SID is in the free range, return true */
+
+BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid)
+{
+ if (sid_compare_domain(get_global_sam_sid(), sid) == 0) {
+
+ uint32 rid;
+
+ if (sid_peek_rid(sid, &rid)) {
+ return idmap_check_rid_is_in_free_range(rid);
+ }
+
+ return False;
+ }
+
+ return True;
+}
+
 /******************************************************************
 * Get the the non-algorithmic RID range if idmap range are defined
 ******************************************************************/
@@ -196,7 +214,6 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
 {
 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
 BOOL fallback = False;
- uint32 rid;
 unid_t id;
 int flags;
 
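Review bot: query_user_list reports success after an allocation failure: each `break` inside the while loop sets `result` to NT_STATUS_NO_MEMORY or NT_STATUS_UNSUCCESSFUL, but the unconditional `*num_entries = i; result = NT_STATUS_OK;` after the loop overwrites it, so when talloc_realloc failed the caller receives NT_STATUS_OK together with `*info == NULL` and a possibly non-zero `*num_entries`. Moving `result = NT_STATUS_OK;` to just before the `while` and leaving only `*num_entries = i;` after the loop preserves the error recorded in the loop. The enumeration opened with `pdb_setsampwent(False)` is also never closed with `pdb_endsampwent()` on either path. Separately, lookup_usergroups and lookup_groupmem assign to their pointer parameters (`num_groups = 0; user_gids = 0;`) rather than to the caller's variables, so the out-parameters stay uninitialised; they should be `*num_groups = 0; *user_gids = NULL;` and likewise for `num_names`, `sid_mem`, `names` and `name_types`. In sid_to_name, `uint32 id` is passed to sid_to_uid()/sid_to_gid(), whose parameters are `uid_t *`/`gid_t *` per the idmap_util.c hunks below, which is only correct where those types have the same width.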
@@ -204,20 +221,30 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
 flags = ID_USERID;
 
 if (!lp_idmap_only()) {
- if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
- if (!idmap_check_rid_is_in_free_range(rid)) {
- flags |= ID_NOMAP;
- fallback = True;
- }
+ if (!idmap_check_sid_is_in_free_range(sid)) {
+ flags |= ID_NOMAP;
+ fallback = True;
 }
 }
 
 if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
+ DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
+
 *uid = id.uid;
 ret = NT_STATUS_OK;
+
 } else if (fallback) {
+ uint32 rid;
+
+ if (!sid_peek_rid(sid, &rid)) {
+ DEBUG(10,("sid_to_uid: invalid SID!\n"));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
 DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n"));
+
 if (!fallback_pdb_rid_is_user(rid)) {
 DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid)));
 ret = NT_STATUS_UNSUCCESSFUL;
@@ -228,6 +255,7 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
 }
 }
 
+done:
 return ret;
 }
 
@@ -252,21 +280,26 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid)
 flags = ID_GROUPID;
 
 if (!lp_idmap_only()) {
- if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
- if (!idmap_check_rid_is_in_free_range(rid)) {
- flags |= ID_NOMAP;
- fallback = True;
- }
+ if (!idmap_check_sid_is_in_free_range(sid)) {
+ flags |= ID_NOMAP;
+ fallback = True;
 }
 }
 
 if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
+ DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
 *gid = id.gid;
 ret = NT_STATUS_OK;
+
 } else if (fallback) {
- GROUP_MAP map;
- BOOL result;
+ uint32 rid;
+
+ if (!sid_peek_rid(sid, &rid)) {
+ DEBUG(10,("sid_to_uid: invalid SID!\n"));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
 
 DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n"));
 
@@ -280,6 +313,7 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid)
 }
 }
 
+done:
 return ret;
 }
 
@@ -338,5 +372,6 @@ BOOL idmap_init_wellknown_sids(void)
 }
 }
 
+ passwd_free(&pass);
 return True;
 }
-- 
cgit
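Review bot: The new invalid-SID branch in sid_to_gid logs under the wrong function name, `DEBUG(10,("sid_to_uid: invalid SID!\n"));`, so a level-10 trace attributes a gid lookup failure to sid_to_uid; it should read `DEBUG(10,("sid_to_gid: invalid SID!\n"));`. The same fallback block (peek the RID, log, set NT_STATUS_INVALID_PARAMETER, `goto done`) is now duplicated verbatim between sid_to_uid and sid_to_gid, which is how this copy-paste slipped in; a small static helper would keep the two in step. sid_to_gid's body starts and ends outside this hunk.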
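Review bot: The added `passwd_free(&pass);` in idmap_init_wellknown_sids only runs on the success path that ends in `return True;`; the rest of the function, including whatever loop the two closing braces above belong to and any early `return False` inside it, lies outside this hunk, so it cannot be seen here whether `pass` is released on those paths as well, and that should be confirmed before relying on this as the leak fix.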