########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=22
+SAMBA_VERSION_RELEASE=23
########################################################
# If a official release has a serious bug #
static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
{
int retval;
+ char *winbindd_env;
DEBUG(10,("sys_getgrouplist: user [%s]\n", user));
+
+ /* Save the winbindd state and not just blindly turn it back on */
+
+ winbindd_env = getenv(WINBINDD_DONT_ENV);
/* This is only ever called for Unix users, remote memberships are
* always determined by the info3 coming back from auth3 or the
* PAC. */
- if ( !winbind_off() ) {
+ if ( !winbind_putenv("0") ) {
DEBUG(0,("sys_getgroup_list: Insufficient environment space "
"for %s\n", WINBINDD_DONT_ENV));
} else {
#endif
/* allow winbindd lookups */
- winbind_on();
+
+ winbind_putenv( winbindd_env ? winbindd_env : "1" );
return retval;
}
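Review bot: The values passed to winbind_putenv() look inverted relative to the helpers they replace: the removed winbind_off() set `WINBINDD_DONT_ENV "=1"` and winbind_on() set `WINBINDD_DONT_ENV "=0"`, yet the disabling call here is `winbind_putenv("0")` and the restore default is `"1"`. If the code that reads this variable (not shown) still treats 1 as "skip winbindd", lookups stay enabled during the group enumeration and are switched off afterwards. In that case the calls should be `winbind_putenv("1")` to disable and `winbind_putenv( winbindd_env ? winbindd_env : "0" )` to restore. The same swap appears in the winbindd startup hunk, where `setenv(WINBINDD_DONT_ENV, "1", 1)` becomes `winbind_putenv("0")`, and in the getgrgid() hunk further down. The body of sys_getgrouplist is only partly visible here.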
/* Use putenv() instead of setenv() in these functions as not all
environments have the latter. */
-BOOL winbind_off( void )
+BOOL winbind_putenv( const char *s )
{
- static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=1");
+ fstring env;
- return putenv(s) != -1;
-}
+ if ( !s ) {
+ return False;
+ }
-BOOL winbind_on( void )
-{
- static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=0");
+ snprintf( env, sizeof(env), "%s=%s", WINBINDD_DONT_ENV, s );
- return putenv(s) != -1;
+ return putenv(env) != -1;
}
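Review bot: `putenv(env)` is handed the automatic `fstring env`, and putenv() stores the pointer rather than copying the string, so the environment entry points into a dead stack frame as soon as winbind_putenv() returns. Callers in this commit also keep the raw pointer from `getenv(WINBINDD_DONT_ENV)` and pass it back as `s`, so `s` can alias that storage. The buffer needs static (or never-freed heap) storage, the string should be formatted into a scratch buffer first, and the snprintf() result should be checked for truncation. With a single static buffer the callers' saved pointer will read the new value after the first toggle, so they should copy the old value instead of holding the getenv() pointer.

```c
BOOL winbind_putenv( const char *s )
{
	/* putenv() keeps this pointer, so it must outlive the call */
	static fstring env;
	fstring scratch;
	int len;

	/* … unchanged: NULL check on s … */

	/* s may point into env when it came from getenv(); format elsewhere first */
	len = snprintf( scratch, sizeof(scratch), "%s=%s", WINBINDD_DONT_ENV, s );
	if ( len < 0 || (size_t)len >= sizeof(scratch) ) {
		return False;
	}
	memcpy( env, scratch, (size_t)len + 1 );

	return putenv(env) != -1;
}
```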
/* Set environment variable so we don't recursively call ourselves.
This may also be useful interactively. */
- setenv(WINBINDD_DONT_ENV, "1", 1);
+ if ( !winbind_putenv("0") ) {
+ DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n"));
+ exit(1);
+ }
/* Initialise samba/rpc client stuff */
const DOM_SID *user_sid,
uint32 *num_groups, DOM_SID **user_gids)
{
- return NT_STATUS_NO_SUCH_USER;
+ NTSTATUS result;
+ DOM_SID *groups = NULL;
+ gid_t *gids = NULL;
+ size_t ngroups = 0;
+ struct samu *user;
+
+ if ( (user = samu_new(mem_ctx)) == NULL ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !pdb_getsampwsid( user, user_sid ) ) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups );
+
+ TALLOC_FREE( user );
+
+ *num_groups = (uint32)ngroups;
+ *user_gids = groups;
+
+ return result;
}
static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
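Review bot: The `pdb_getsampwsid()` failure path returns without the `TALLOC_FREE( user )` that the success path performs, so the samu object stays attached to mem_ctx until the caller releases that context. Add `TALLOC_FREE( user );` before `return NT_STATUS_NO_SUCH_USER;`. `*num_groups` and `*user_gids` are also written without looking at `result`, and `gids` is filled in by pdb_enum_group_memberships() but never used or released here. An early `if ( !NT_STATUS_IS_OK(result) ) return result;` before the two assignments would keep the outputs untouched on failure. The function's signature starts outside the hunk.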
extern struct winbindd_methods cache_methods;
extern struct winbindd_methods passdb_methods;
struct winbindd_domain *domain;
+ int role = lp_server_role();
/* Free existing list */
free_domain_list();
/* Add ourselves as the first entry. */
- if (IS_DC) {
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &passdb_methods,
- get_global_sam_sid());
- } else {
-
+ if ( role == ROLE_DOMAIN_MEMBER ) {
DOM_SID our_sid;
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
domain = add_trusted_domain( lp_workgroup(), lp_realm(),
&cache_methods, &our_sid);
+ domain->primary = True;
+ setup_domain_child(domain, &domain->child, NULL);
}
- domain->primary = True;
+ /* Local SAM */
+
+ domain = add_trusted_domain(get_global_sam_name(), NULL,
+ &passdb_methods, get_global_sam_sid());
+ if ( role != ROLE_DOMAIN_MEMBER ) {
+ domain->primary = True;
+ }
setup_domain_child(domain, &domain->child, NULL);
- /* Add our local SAM domains */
+ /* BUILTIN domain */
domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
&global_sid_Builtin);
setup_domain_child(domain, &domain->child, NULL);
- if (!IS_DC) {
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &passdb_methods,
- get_global_sam_sid());
- setup_domain_child(domain, &domain->child, NULL);
- }
-
return True;
}
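Review bot: Every `add_trusted_domain()` result in the new code is dereferenced immediately (`domain->primary = True;`, `setup_domain_child(domain, &domain->child, NULL);`) with no NULL test. Its definition is not in the hunk, so this only matters if it can fail, for instance on allocation failure. In that case a guard such as `if ( !domain ) return False;` after each call would stop winbindd startup from dereferencing a null pointer. The opening lines of the function are outside the hunk.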
{"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE},
{"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
- {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
+ {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED },
{"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
{"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
{"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE},
struct group *grp;
char **gr;
struct passwd *pwd;
+ char *winbindd_env;
*pp_uids = NULL;
*p_num = 0;
/* We only look at our own sam, so don't care about imported stuff */
- winbind_off();
+ winbindd_env = getenv(WINBINDD_DONT_ENV);
+ winbind_putenv("0");
if ((grp = getgrgid(gid)) == NULL) {
- winbind_on();
+ /* allow winbindd lookups */
+ winbind_putenv( winbindd_env ? winbindd_env : "1" );
+
return False;
}
add_uid_to_array_unique(mem_ctx, pw->pw_uid, pp_uids, p_num);
}
- winbind_on();
+ /* allow winbindd lookups */
+ winbind_putenv( winbindd_env ? winbindd_env : "1" );
return True;
}
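Review bot: The result of the winbind_putenv() call before `getgrgid(gid)` is discarded, whereas sys_getgrouplist logs the same failure with DEBUG(0). If putenv() fails here, the lookup runs with whatever winbindd setting was already in force, which contradicts the "We only look at our own sam" comment. Test the return value and bail out with `return False;` (after a DEBUG message) when the environment cannot be changed. The two restore calls are likewise unchecked; a failure there leaves the process in the toggled state, so at least log it. The start of the function is outside the hunk.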
const char *username = pdb_get_username(user);
-#if 0
/* Ignore the primary group SID. Honor the real Unix primary group.
The primary group SID is only of real use to Windows clients */
- if (!sid_to_gid(pdb_get_group_sid(user), &gid)) {
- DEBUG(10, ("sid_to_gid failed\n"));
- return NT_STATUS_NO_SUCH_USER;
- }
-#else
if ( !(pw = getpwnam_alloc(mem_ctx, username)) ) {
return NT_STATUS_NO_SUCH_USER;
}
gid = pw->pw_gid;
TALLOC_FREE( pw );
-#endif
if (!getgroups_unix_user(mem_ctx, username, gid, pp_gids, p_num_groups)) {
return NT_STATUS_NO_SUCH_USER;
}
/****************************************************************************
- Should we override a deny ?
+ Should we override a deny ? Check deprecated 'acl group control'
+ and 'dos filemode'
****************************************************************************/
static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
{
- if ((errno == EACCES || errno == EPERM) &&
- lp_acl_group_control(SNUM(conn)) &&
- current_user_in_group(prim_gid)) {
+ if ( (errno == EACCES || errno == EPERM)
+ && (lp_acl_group_control(SNUM(conn) || lp_dos_filemode(SNUM(conn))))
+ && current_user_in_group(prim_gid) )
+ {
return True;
- } else {
- return False;
- }
+ }
+
+ return False;
}
/****************************************************************************
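Review bot: The closing parenthesis of `lp_acl_group_control(` is misplaced in the new condition. `lp_acl_group_control(SNUM(conn) || lp_dos_filemode(SNUM(conn)))` passes the boolean result of the `||` as the share number, so the check reads 'acl group control' for share 0 or 1 instead of the connection's share and never tests 'dos filemode' as its own alternative. Because this function decides whether a denied ACL operation is overridden for members of the primary group, the wrong share's setting can grant or withhold that override. The line should read `&& (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))`.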