struct auth_serversupplied_info **server_info)
{
NTSTATUS status;
- struct samu *sampass = NULL;
- char *qualified_name = NULL;
- TALLOC_CTX *tmp_ctx;
- struct dom_sid u_sid;
- enum lsa_SidType type;
+ TALLOC_CTX *tmp_ctx = NULL;
struct auth_serversupplied_info *result;
- /*
- * The SID returned in server_info->sam_account is based
- * on our SAM sid even though for a pure UNIX account this should
- * not be the case as it doesn't really exist in the SAM db.
- * This causes lookups on "[in]valid users" to fail as they
- * will lookup this name as a "Unix User" SID to check against
- * the user token. Fix this by adding the "Unix User"\unix_username
- * SID to the sid array. The correct fix should probably be
- * changing the server_info->sam_account user SID to be a
- * S-1-22 Unix SID, but this might break old configs where
- * plaintext passwords were used with no SAM backend.
- */
-
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
- unix_users_domain_name(),
- unix_username );
- if (!qualified_name) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
- NULL, NULL,
- &u_sid, &type)) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- TALLOC_FREE(tmp_ctx);
-
- if (type != SID_NAME_USER) {
- return NT_STATUS_NO_SUCH_USER;
- }
-
- if ( !(sampass = samu_new( NULL )) ) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = samu_set_unix( sampass, pwd );
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* In pathological cases the above call can set the account
- * name to the DOMAIN\username form. Reset the account name
- * using unix_username */
- pdb_set_username(sampass, unix_username, PDB_SET);
-
- /* set the user sid to be the calculated u_sid */
- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
-
- result = make_server_info(mem_ctx);
+ result = make_server_info(tmp_ctx);
if (result == NULL) {
- TALLOC_FREE(sampass);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
}
- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
- &result->info3, &result->extra);
- TALLOC_FREE(sampass);
+ status = passwd_to_SamInfo3(result,
+ unix_username,
+ pwd,
+ &result->info3);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Failed to convert samu to info3: %s\n",
- nt_errstr(status)));
- TALLOC_FREE(result);
- return status;
+ goto done;
}
result->unix_name = talloc_strdup(result, unix_username);
-
if (result->unix_name == NULL) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
}
result->utok.uid = pwd->pw_uid;
result->utok.gid = pwd->pw_gid;
- *server_info = result;
+ *server_info = talloc_steal(mem_ctx, result);
+ status = NT_STATUS_OK;
+done:
+ talloc_free(tmp_ctx);
- return NT_STATUS_OK;
+ return status;
}
static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
}
} else {
/*
- * Winbind is not running, create the group_sid from the
- * group id.
+ * Winbind is not running, try to create the group_sid from the
+ * passwd group id.
+ */
+
+ /*
+ * This can lead to a primary group of S-1-22-2-XX which
+ * will be rejected by other Samba code.
*/
gid_to_sid(&group_sid, pwd->pw_gid);
+
+ ZERO_STRUCT(domain_sid);
+
+ /*
+ * If we are a unix group, set the group_sid to the
+ * 'Domain Users' RID of 513 which will always resolve to a
+ * name.
+ */
+ if (sid_check_is_in_unix_groups(&group_sid)) {
+ sid_compose(&group_sid,
+ get_global_sam_sid(),
+ DOMAIN_RID_USERS);
+ }
}
/* Make sure we have a valid group sid */