r614: Clean out the POSIX assumptions from the Samba4 auth subsystem.
authorAndrew Bartlett <abartlet@samba.org>
Sun, 9 May 2004 13:42:02 +0000 (13:42 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:51:51 +0000 (12:51 -0500)
This removes the code that tried to look up POSIX groups, as well as
the code that was tied to the SAM_ACCOUNT.

This should make auth_ldb much easier to write :-)

Andrew Bartlett

source/auth/auth.c
source/auth/auth.h
source/auth/auth_util.c
source/include/smb.h
source/smb_server/password.c

index 720b8149bda2f6f4be90f8f7f8b3f39553c2f596..83446721e6b96d26918ea2e9e8b24420ce3a3549 100644 (file)
@@ -231,12 +231,6 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
                }
        }
 
-       /* This is one of the few places the *relies* (rather than just sets defaults
-          on the value of lp_security().  This needs to change.  A new paramater 
-          perhaps? */
-       if (lp_security() >= SEC_SERVER)
-               smb_user_control(user_info, *server_info, nt_status);
-
        if (NT_STATUS_IS_OK(nt_status)) {
                if (NT_STATUS_IS_OK(nt_status)) {
                        DEBUG((*server_info)->guest ? 5 : 2, 
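Review bot: The nested `if (NT_STATUS_IS_OK(nt_status))` on the two context lines immediately after the removed call repeats the outer condition verbatim, so the inner test can never be false once the outer one passes; collapsing the pair into a single `if (NT_STATUS_IS_OK(nt_status)) {` would make the success path easier to read now that nothing else sits in front of it. With `smb_user_control` gone, the `lp_security() >= SEC_SERVER` distinction no longer has any effect at this point, which looks intentional; a one-line comment such as `/* no on-demand UNIX user creation here: the auth result is carried by server_info alone */` would record that for the next reader. check_ntlm_password starts and ends outside the hunk.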
index 22738ffc2cb9dd3075b7f2be706e9ff988e4f082..bf6e1b77e16f850026ffb042828a72cabf0550d2 100644 (file)
@@ -66,10 +66,6 @@ typedef struct auth_serversupplied_info
 {
        BOOL guest;
        
-       /* This groups info is needed for when we become_user() for this uid */
-       int n_groups;
-       gid_t *groups;
-       
        /* NT group information taken from the info3 structure */
        
        NT_USER_TOKEN *ptok;
@@ -77,11 +73,6 @@ typedef struct auth_serversupplied_info
        DATA_BLOB user_session_key;
        DATA_BLOB lm_session_key;
        
-       uint32 sam_fill_level;  /* How far is this structure filled? */
-       
-       SAM_ACCOUNT *sam_account;
-       
-       void *pam_handle;
 } auth_serversupplied_info;
 
 struct auth_context {
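Review bot: After removing `n_groups`/`groups`, `sam_fill_level`, `sam_account` and `pam_handle`, `ptok` is the only authorization data left in `auth_serversupplied_info`, but nothing in the header says so and `guest` is the one remaining field without a comment. A short comment on the struct would pin the new contract, e.g. `/* Result of a successful authentication. Carries no POSIX identity; ptok is the sole source of SIDs for access checks. */`, and `guest` could carry `/* set when the authenticated user is the guest account */` (the assignment itself is outside this diff, so confirm before wording it that strongly). The surviving comment "NT group information taken from the info3 structure" above `ptok` is presumably still accurate for the domain-member path, but worth re-reading now that the local group lookup it sat next to is gone.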
index db10514c7e86e1622faee12c30f219a4c76303b7..7bb8c8a5585e233300258aefe1e18f9d8b8061a4 100644 (file)
@@ -31,54 +31,6 @@ extern DOM_SID global_sid_Network;
 extern DOM_SID global_sid_Builtin_Guests;
 extern DOM_SID global_sid_Authenticated_Users;
 
-
-/****************************************************************************
- Create a UNIX user on demand.
-****************************************************************************/
-
-static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
-{
-       pstring add_script;
-       int ret;
-
-       pstrcpy(add_script, lp_adduser_script());
-       if (! *add_script)
-               return -1;
-       all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
-       if (domain)
-               all_string_sub(add_script, "%D", domain, sizeof(pstring));
-       if (homedir)
-               all_string_sub(add_script, "%H", homedir, sizeof(pstring));
-       ret = smbrun(add_script,NULL);
-       DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
-       return ret;
-}
-
-/****************************************************************************
- Add and Delete UNIX users on demand, based on NTSTATUS codes.
-****************************************************************************/
-
-void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
-{
-       struct passwd *pwd=NULL;
-
-       if (NT_STATUS_IS_OK(nt_status)) {
-
-               if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) {
-                       
-                       /*
-                        * User validated ok against Domain controller.
-                        * If the admin wants us to try and create a UNIX
-                        * user on the fly, do so.
-                        */
-                       
-                       if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) {
-                               smb_create_user(user_info->domain.str, user_info->internal_username.str, NULL);
-                       }
-               }
-       }
-}
-
 /****************************************************************************
  Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
  unix info.
@@ -623,87 +575,6 @@ struct nt_user_token *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *
        return token;
 }
 
-/******************************************************************************
- * this function returns the groups (SIDs) of the local SAM the user is in.
- * If this samba server is a DC of the domain the user belongs to, it returns 
- * both domain groups and local / builtin groups. If the user is in a trusted
- * domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of. 
- *
- * currently this is a hack, as there is no sam implementation that is capable
- * of groups.
- ******************************************************************************/
-
-static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass,
-                                              int *n_groups, DOM_SID **groups, gid_t **unix_groups)
-{
-       uid_t             uid;
-       gid_t             gid;
-       int               n_unix_groups;
-       int               i;
-       struct passwd    *usr;  
-
-       *n_groups = 0;
-       *groups   = NULL;
-
-       if (!IS_SAM_UNIX_USER(sampass)) {
-               DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
-               return NT_STATUS_NO_SUCH_USER;
-       }
-
-       uid = pdb_get_uid(sampass);
-       gid = pdb_get_gid(sampass);
-       
-       n_unix_groups = groups_max();
-       if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
-               DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
-               passwd_free(&usr);
-               return NT_STATUS_NO_MEMORY;
-       }
-       
-       if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
-               gid_t *groups_tmp;
-               groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
-               if (!groups_tmp) {
-                       SAFE_FREE(*unix_groups);
-                       passwd_free(&usr);
-                       return NT_STATUS_NO_MEMORY;
-               }
-               *unix_groups = groups_tmp;
-
-               if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
-                       DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
-                       SAFE_FREE(*unix_groups);
-                       passwd_free(&usr);
-                       return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
-               }
-       }
-
-       debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
-       
-       if (n_unix_groups > 0) {
-               *groups   = malloc(sizeof(DOM_SID) * n_unix_groups);
-               if (!*groups) {
-                       DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n"));
-                       SAFE_FREE(*unix_groups);
-                       return NT_STATUS_NO_MEMORY;
-               }
-       }
-
-       *n_groups = n_unix_groups;
-
-       for (i = 0; i < *n_groups; i++) {
-               if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
-                       DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1]));
-                       SAFE_FREE(*groups);
-                       SAFE_FREE(*unix_groups);
-                       return NT_STATUS_NO_SUCH_USER;
-               }
-       }
-                    
-       return NT_STATUS_OK;
-}
-
 /***************************************************************************
  Make a user_info struct
 ***************************************************************************/
@@ -717,9 +588,6 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC
        }
        ZERO_STRUCTP(*server_info);
 
-       (*server_info)->sam_fill_level = SAM_FILL_ALL;
-       (*server_info)->sam_account    = sampass;
-
        return NT_STATUS_OK;
 }
 
@@ -733,9 +601,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
        NTSTATUS nt_status = NT_STATUS_OK;
        const DOM_SID *user_sid = pdb_get_user_sid(sampass);
        const DOM_SID *group_sid = pdb_get_group_sid(sampass);
-       int       n_groupSIDs = 0;
-       DOM_SID  *groupSIDs   = NULL;
-       gid_t    *unix_groups = NULL;
        NT_USER_TOKEN *token;
        BOOL is_guest;
        uint32 rid;
@@ -744,38 +609,19 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
                return nt_status;
        }
        
-       if (!NT_STATUS_IS_OK(nt_status 
-                            = get_user_groups_from_local_sam(sampass, 
-               &n_groupSIDs, &groupSIDs, &unix_groups)))
-       {
-               DEBUG(4,("get_user_groups_from_local_sam failed\n"));
-               free_server_info(server_info);
-               return nt_status;
-       }
-       
        is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
 
        if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
-                                                             n_groupSIDs, groupSIDs, is_guest, 
+                                                             0, NULL, is_guest, 
                                                              &token)))
        {
                DEBUG(4,("create_nt_user_token failed\n"));
-               SAFE_FREE(groupSIDs);
-               SAFE_FREE(unix_groups);
                free_server_info(server_info);
                return nt_status;
        }
-       
-       SAFE_FREE(groupSIDs);
-
-       (*server_info)->n_groups = n_groupSIDs;
-       (*server_info)->groups = unix_groups;
 
        (*server_info)->ptok = token;
        
-       DEBUG(5,("make_server_info_sam: made server info for user %s\n",
-                pdb_get_username((*server_info)->sam_account)));
-
        return nt_status;
 }
 
@@ -866,11 +712,9 @@ void free_server_info(auth_serversupplied_info **server_info)
 {
        DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
        if (*server_info != NULL) {
-               pdb_free_sam(&(*server_info)->sam_account);
 
                /* call pam_end here, unless we know we are keeping it */
                delete_nt_token( &(*server_info)->ptok );
-               SAFE_FREE((*server_info)->groups);
                ZERO_STRUCT(**server_info);
        }
        SAFE_FREE(*server_info);
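Review bot: With `(*server_info)->sam_account = sampass` dropped from make_server_info and `pdb_free_sam(&(*server_info)->sam_account)` dropped from free_server_info (last hunk), the `SAM_ACCOUNT` handed to make_server_info_sam is no longer owned or released by the server_info; unless every caller now frees its own sampass (callers are outside this diff), each successful authentication leaks one SAM_ACCOUNT, so the new ownership rule should be stated on the function, e.g. `/* sampass is borrowed: the caller keeps ownership and must pdb_free_sam() it. */`. The token is now built with `0, NULL` for the group list, so it carries no group SIDs beyond the primary group and any access check that previously relied on group membership will fail closed; a comment at that call, `/* no group SIDs yet: group lookup moves to the SAM/ldb backend */`, would make that deliberate rather than surprising. The success-path log removed with the `sam_account` reference could be kept as `DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username(sampass)));` since sampass is still in scope. The context comment `/* call pam_end here, unless we know we are keeping it */` in free_server_info is stale now that `pam_handle` is gone from the struct and should be removed. make_server_info and make_server_info_sam both begin outside their hunks.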
index 6982a0dae04c1e5c7d4ab96286ddc1292c75ee8e..7988a500fa0804159a765a21e0881df6d3f4394a 100644 (file)
@@ -1079,21 +1079,9 @@ typedef struct user_struct
 {
        struct user_struct *next, *prev;
        uint16 vuid; /* Tag for this entry. */
-       uid_t uid; /* uid of a validated user */
-       gid_t gid; /* gid of a validated user */
 
-       userdom_struct user;
-       char *homedir;
-       char *unix_homedir;
-       char *logon_script;
-       
        BOOL guest;
 
-       /* following groups stuff added by ih */
-       /* This groups info is needed for when we become_user() for this uid */
-       int n_groups;
-       gid_t *groups;
-
        NT_USER_TOKEN *nt_user_token;
 
        DATA_BLOB session_key;
index 196556819ed45de0db2a5e46684080e85e1d32d1..61987518b876db8a86d9000a2d1305ed382208bb 100644 (file)
@@ -56,10 +56,6 @@ void invalidate_vuid(struct server_context *smb, uint16 vuid)
        if (vuser == NULL)
                return;
        
-       SAFE_FREE(vuser->homedir);
-       SAFE_FREE(vuser->unix_homedir);
-       SAFE_FREE(vuser->logon_script);
-       
        data_blob_free(&vuser->session_key);
 
        session_yield(vuser);
@@ -72,7 +68,6 @@ void invalidate_vuid(struct server_context *smb, uint16 vuid)
           from the vuid 'owner' of connections */
        /* REWRITE: conn_clear_vuid_cache(smb, vuid); */
 
-       SAFE_FREE(vuser->groups);
        delete_nt_token(&vuser->nt_user_token);
        SAFE_FREE(vuser);
        smb->users.num_validated_vuids--;
@@ -141,73 +136,17 @@ int register_vuid(struct server_context *smb,
 
        vuser->vuid = smb->users.next_vuid;
 
-       /* the next functions should be done by a SID mapping system (SMS) as
-        * the new real sam db won't have reference to unix uids or gids
-        */
-       if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
-               DEBUG(0,("Attempted session setup with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
-               free(vuser);
-               free_server_info(&server_info);
-               return UID_FIELD_INVALID;
-       }
-       
-       vuser->uid = pdb_get_uid(server_info->sam_account);
-       vuser->gid = pdb_get_gid(server_info->sam_account);
-       
-       vuser->n_groups = server_info->n_groups;
-       if (vuser->n_groups) {
-               if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) {
-                       DEBUG(0,("register_vuid: failed to memdup vuser->groups\n"));
-                       free(vuser);
-                       free_server_info(&server_info);
-                       return UID_FIELD_INVALID;
-               }
-       }
-
        vuser->guest = server_info->guest;
-       fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account)); 
-
-       /* This is a potentially untrusted username */
-       alpha_strcpy(vuser->user.smb_name, smb_name, ". _-$", sizeof(vuser->user.smb_name));
-
-       fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account));
-       fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account));
-
-       {
-               /* Keep the homedir handy */
-               const char *homedir = pdb_get_homedir(server_info->sam_account);
-               const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account);
-               const char *logon_script = pdb_get_logon_script(server_info->sam_account);
-               if (homedir) {
-                       vuser->homedir = smb_xstrdup(homedir);
-               }
-
-               if (unix_homedir) {
-                       vuser->unix_homedir = smb_xstrdup(unix_homedir);
-               }
-
-               if (logon_script) {
-                       vuser->logon_script = smb_xstrdup(logon_script);
-               }
-       }
 
        vuser->session_key = *session_key;
 
-       DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", 
-                 (unsigned int)vuser->uid, 
-                 (unsigned int)vuser->gid,
-                 vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest ));
-
-       DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));       
+       DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));
 
        if (server_info->ptok) {
                vuser->nt_user_token = dup_nt_token(server_info->ptok);
        } else {
                DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
                free_server_info(&server_info);
-               SAFE_FREE(vuser->homedir);
-               SAFE_FREE(vuser->unix_homedir);
-               SAFE_FREE(vuser->logon_script);
 
                SAFE_FREE(vuser);
                return UID_FIELD_INVALID;
@@ -216,8 +155,6 @@ int register_vuid(struct server_context *smb,
        /* use this to keep tabs on all our info from the authentication */
        vuser->server_info = server_info;
 
-       DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid));
-
        smb->users.next_vuid++;
        smb->users.num_validated_vuids++;
 
@@ -229,15 +166,6 @@ int register_vuid(struct server_context *smb,
                return -1;
        }
 
-       /* Register a home dir service for this user */
-       if ((!vuser->guest) && vuser->unix_homedir && *(vuser->unix_homedir)) {
-               DEBUG(3, ("Adding/updating homes service for user '%s' using home direcotry: '%s'\n", 
-                         vuser->user.unix_name, vuser->unix_homedir));
-               vuser->homes_snum = add_home_service(vuser->user.unix_name, vuser->user.unix_name, vuser->unix_homedir);          
-       } else {
-               vuser->homes_snum = -1;
-       }
-       
        return vuser->vuid;
 }
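Review bot: With the block that set `vuser->homes_snum` removed in the last hunk, register_vuid no longer writes that field at all, so if it still exists in user_struct (the smb.h hunk does not remove it) its value now depends on how vuser was allocated, which is outside the hunk; keeping the one-line `vuser->homes_snum = -1;` would preserve the explicit "no home service" sentinel until the field itself is dropped. The removed IS_SAM_UNIX_USER and memdup checks were the only validation between the vuser allocation and `vuser->guest = server_info->guest`, so the function now registers any server_info that carries a ptok; the new `DEBUG(10,("register_vuid: guest=%d\n", vuser->guest ));` would be more useful as `DEBUG(10,("register_vuid: vuid=%u guest=%d\n", vuser->vuid, vuser->guest));` so the log line identifies the session it describes. The `smb_name` parameter appears to have lost its only use (the `alpha_strcpy` into `vuser->user.smb_name` is removed) and may now be unused; its signature is outside the hunk, as is the start of register_vuid.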