From c9f9c6505091aa1bf469c06c779040689c0737f7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 21 Aug 2006 20:04:01 +0000 Subject: [PATCH] r17669: Remove RID algorithm support from unmapped users and groups when using smbpasswd (This used to be commit dde552336c732ddd6076a6a32575a37cb51aa94c) --- source3/groupdb/mapping.c | 2 +- source3/include/smb.h | 2 +- source3/passdb/lookup_sid.c | 101 ++++----------------------------- source3/passdb/passdb.c | 2 +- source3/passdb/pdb_interface.c | 2 +- source3/passdb/util_unixsids.c | 6 ++ source3/utils/net_groupmap.c | 11 +++- 7 files changed, 30 insertions(+), 96 deletions(-) diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index c701ef165dd..b1c5275bc10 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -195,7 +195,7 @@ NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap) fstrcpy(map.nt_name, grpname); if (pdb_rid_algorithm()) { - rid = pdb_gid_to_group_rid( grp->gr_gid ); + rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(&rid)) { DEBUG(3, ("Could not get a new RID for %s\n", diff --git a/source3/include/smb.h b/source3/include/smb.h index 92228ec3d49..9aa8be437c2 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -269,7 +269,7 @@ enum SID_NAME_USE { #define LOOKUP_NAME_REMOTE 2 /* Ask others */ #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE) -#define LOOKUP_NAME_GROUP 4 /* This is a NASTY hack for valid users = @foo +#define LOOKUP_NAME_GROUP 4 /* (unused) This is a NASTY hack for valid users = @foo * where foo also exists in as user. */ /** diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index f612cff092a..48f6d666ceb 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c 
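Review bot: Marking `LOOKUP_NAME_GROUP` as "(unused)" in the smb.h hunk leaves a flag that callers may still pass but that lookup_name() now silently ignores; the comment that remains ("NASTY hack for valid users = @foo") no longer describes any behaviour, so a reader cannot tell whether the flag is still honoured. The removed block in lookup_sid.c stated this flag was set only by the expansion of group names from smb.conf, which means `valid users = +foo` style entries now take the ordinary lookup order rather than being forced to the unix group; that is an authorisation-relevant change that deserves to be spelled out at the definition. I would replace the comment with something like `/* (unused) Formerly forced a bare group name from smb.conf (valid users = +foo) to resolve as the unix group; lookup_name() now ignores this flag and such names follow the standard lookup order. */`. Whether any caller still passes the flag cannot be confirmed from this patch, so a follow-up grep for LOOKUP_NAME_GROUP and removal of the definition would be the cleaner end state.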
@@ -43,7 +43,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx, DOM_SID sid; enum SID_NAME_USE type; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - struct group *grp; if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); 
@@ -126,63 +125,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx, return False; } - /* - * Nasty hack necessary for too common scenarios: - * - * For 'valid users = +users' we know "users" is most probably not - * BUILTIN\users but the unix group users. This hack requires the - * admin to explicitly qualify BUILTIN if BUILTIN\users is meant. - * - * Please note that LOOKUP_NAME_GROUP can not be requested via for - * example lsa_lookupnames, it only comes into this routine via - * the expansion of group names coming in from smb.conf - */ - - if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) { - - GROUP_MAP map; - - if (pdb_getgrgid(&map, grp->gr_gid)) { - /* The hack gets worse. Handle the case where we have - * 'force group = +unixgroup' but "unixgroup" has a - * group mapping */ - - if (sid_check_is_in_builtin(&map.sid)) { - domain = talloc_strdup( - tmp_ctx, builtin_domain_name()); - } else { - domain = talloc_strdup( - tmp_ctx, get_global_sam_name()); - } - - sid_copy(&sid, &map.sid); - type = map.sid_name_use; - goto ok; - } - - /* If we are using the smbpasswd backend, we need to use the - * algorithmic mapping for the unix group we find. This is - * necessary because when creating the NT token from the unix - * gid list we got from initgroups() we use gid_to_sid() that - * uses algorithmic mapping if pdb_rid_algorithm() is true. */ - - if (pdb_rid_algorithm() && - (grp->gr_gid < max_algorithmic_gid())) { - domain = talloc_strdup(tmp_ctx, get_global_sam_name()); - sid_compose(&sid, get_global_sam_sid(), - pdb_gid_to_group_rid(grp->gr_gid)); - type = SID_NAME_DOM_GRP; - goto ok; - } - - if (lookup_unix_group_name(name, &sid)) { - domain = talloc_strdup(tmp_ctx, - unix_groups_domain_name()); - type = SID_NAME_DOM_GRP; - goto ok; - } - } - /* Now the guesswork begins, we haven't been given an explicit * domain. Try the sequence as documented on * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp 
@@ -1186,14 +1128,9 @@ void uid_to_sid(DOM_SID *psid, uid_t uid) goto done; } - if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid)); - goto done; - } else { - uid_to_unix_users_sid(uid, psid); - goto done; - } + /* This is an unmapped user */ + + uid_to_unix_users_sid(uid, psid); done: DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, @@ -1228,16 +1165,10 @@ void gid_to_sid(DOM_SID *psid, gid_t gid) /* This is a mapped group */ goto done; } + + /* This is an unmapped group */ - if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - goto done; - } else { - sid_copy(psid, &global_sid_Unix_Groups); - sid_append_rid(psid, gid); - goto done; - } + uid_to_unix_groups_sid(gid, psid); done: DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, @@ -1283,14 +1214,9 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) *puid = id.uid; goto done; } - if (pdb_rid_algorithm() && - algorithmic_pdb_rid_is_user(rid)) { - *puid = algorithmic_pdb_user_rid_to_uid(rid); - goto done; - } - /* This was ours, but it was neither mapped nor - * algorithmic. Fail */ + /* This was ours, but it was not mapped. Fail */ + return False; } @@ -1371,14 +1297,9 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) *pgid = id.gid; goto done; } - if (pdb_rid_algorithm() && - !algorithmic_pdb_rid_is_user(rid)) { - /* This must be a group, presented as alias */ - *pgid = pdb_group_rid_to_gid(rid); - goto done; - } - /* This was ours, but it was neither mapped nor - * algorithmic. Fail. */ + + /* This was ours, but it was not mapped. Fail */ + return False; } diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index f74b1fbe3ba..bfa0430af47 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c 
@@ -505,7 +505,7 @@ gid_t max_algorithmic_gid(void) there is not anymore a direct link between the gid and the rid. ********************************************************************/ -uint32 pdb_gid_to_group_rid(gid_t gid) +uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid) { int rid_offset = algorithmic_rid_base(); return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE); diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 7f2a8f25b3d..4baddb3a935 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -604,7 +604,7 @@ static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods, } if (pdb_rid_algorithm()) { - *rid = pdb_gid_to_group_rid( grp->gr_gid ); + *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(rid)) { return NT_STATUS_ACCESS_DENIED; diff --git a/source3/passdb/util_unixsids.c b/source3/passdb/util_unixsids.c index d3f0999d6ac..80d22a314f1 100644 --- a/source3/passdb/util_unixsids.c +++ b/source3/passdb/util_unixsids.c @@ -42,6 +42,12 @@ BOOL uid_to_unix_users_sid(uid_t uid, DOM_SID *sid) return sid_append_rid(sid, uid); } +BOOL uid_to_unix_groups_sid(gid_t gid, DOM_SID *sid) +{ + sid_copy(sid, &global_sid_Unix_Groups); + return sid_append_rid(sid, gid); +} + const char *unix_users_domain_name(void) { return "Unix User"; diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index df13a93de6b..4708efa908d 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -289,7 +289,7 @@ static int net_groupmap_add(int argc, const char **argv) if ( (rid == 0) && (string_sid[0] == '\0') ) { d_printf("No rid or sid specified, choosing a RID\n"); if (pdb_rid_algorithm()) { - rid = pdb_gid_to_group_rid(gid); + rid = algorithmic_pdb_gid_to_group_rid(gid); } else { if (!pdb_new_rid(&rid)) { d_printf("Could not get new RID\n"); 
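Review bot: The new helper in util_unixsids.c is named `uid_to_unix_groups_sid` but takes a `gid_t` and composes a SID under `global_sid_Unix_Groups`; the `uid_` prefix is misleading next to the existing `uid_to_unix_users_sid` and will invite the wrong helper being picked when the two sit side by side. Renaming it `gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)` here, together with its single call site in gid_to_sid() in lookup_sid.c, would make the pair self-describing. The function also has no header comment; a one-liner such as `/* Compose the "Unix Group" SID (S-1-22-2-<gid>) for an unmapped gid. */` would match the purpose and note that the BOOL result is that of sid_append_rid(). The `S-1-22-2` value is inferred from the symbol name rather than visible in this hunk, so confirm it against the definition of global_sid_Unix_Groups before writing it down.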
@@ -573,7 +573,14 @@ static int net_groupmap_set(int argc, const char **argv) map.gid = grp->gr_gid; if (opt_rid == 0) { - opt_rid = pdb_gid_to_group_rid(map.gid); + if ( pdb_rid_algorithm() ) + opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid); + else { + if ( !pdb_new_rid((uint32*)&opt_rid) ) { + d_fprintf( stderr, "Could not allocate new RID\n"); + return -1; + } + } } sid_copy(&map.sid, get_global_sam_sid()); -- 2.34.1
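Review bot: The new `pdb_new_rid((uint32*)&opt_rid)` call in net_groupmap_set() writes through a `uint32 *` to a variable whose declaration is outside this hunk; the `opt_rid == 0` test and the cast both suggest it is declared as a plain `int`, so the cast is hiding a signed/unsigned pointer mismatch and depends on the two types having the same width. Allocating into a local `uint32` and assigning it afterwards removes the cast and keeps the width assumption explicit. The added branch also mixes an unbraced `if` with a braced `else`, and reports the failure via `d_fprintf(stderr, ...)` while the identical condition in net_groupmap_add() a few hunks earlier uses `d_printf("Could not get new RID\n")`; picking one form for both keeps the tool's output consistent. net_groupmap_set() begins and ends outside this hunk, so I have not checked whether anything acquired earlier needs releasing before the `return -1`.
```c
	if (opt_rid == 0) {
		if (pdb_rid_algorithm()) {
			opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
		} else {
			uint32 new_rid;

			if (!pdb_new_rid(&new_rid)) {
				d_fprintf(stderr, "Could not allocate new RID\n");
				return -1;
			}
			opt_rid = new_rid;
		}
	}
	/* ... unchanged: sid_copy(&map.sid, get_global_sam_sid()); ... */
```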