After the discussion on samba-technical, it was decided that the best
answer for now was to revert this change. The right way to do this is
to rewrite the token api to use opaque tokens with pluggable modules.
This reverts commit
8e19a288052bca5efdb0277a40c1e0fdd099cc2b.
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
- const char *name_to_use;
- bool force_nss;
/*
* If winbind is not around, we can not make much use of the SIDs the
/*
* If winbind is not around, we can not make much use of the SIDs the
* mapped to some local unix user.
*/
* mapped to some local unix user.
*/
- DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name,
- server_info->sam_account->username));
-
- force_nss = lp_force_username_map() && !server_info->nss_token;
if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
- server_info->nss_token || force_nss) {
- if (force_nss)
- name_to_use =
- pdb_get_username(server_info->sam_account);
- else
- name_to_use = server_info->unix_name;
-
+ (server_info->nss_token)) {
status = create_token_from_username(server_info,
status = create_token_from_username(server_info,
+ server_info->unix_name,
&server_info->utok.uid,
&server_info->utok.gid,
&server_info->unix_name,
&server_info->utok.uid,
&server_info->utok.gid,
&server_info->unix_name,
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token)
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token)
size_t num_gids;
size_t i;
size_t num_gids;
size_t i;
- DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n",
- username, is_guest ? "" : " not", force_nss ? "" : " not"));
-
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
- if (sid_check_is_in_our_domain(&user_sid) && !force_nss) {
+ if (sid_check_is_in_our_domain(&user_sid)) {
bool ret;
/* This is a passdb user, so ask passdb */
bool ret;
/* This is a passdb user, so ask passdb */
*found_username = talloc_strdup(mem_ctx,
pdb_get_username(sam_acct));
*found_username = talloc_strdup(mem_ctx,
pdb_get_username(sam_acct));
- } else if (force_nss || sid_check_is_in_unix_users(&user_sid)) {
+ } else if (sid_check_is_in_unix_users(&user_sid)) {
/* This is a unix user not in passdb. We need to ask nss
* directly, without consulting passdb */
/* This is a unix user not in passdb. We need to ask nss
* directly, without consulting passdb */
}
status = create_token_from_username(mem_ctx, username, False,
}
status = create_token_from_username(mem_ctx, username, False,
- lp_force_username_map(),
&uid, &gid, &found_username,
&token);
&uid, &gid, &found_username,
&token);
NTSTATUS create_local_token(auth_serversupplied_info *server_info);
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
NTSTATUS create_local_token(auth_serversupplied_info *server_info);
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token);
uid_t *uid, gid_t *gid,
char **found_username,
struct nt_user_token **token);
int lp_afs_token_lifetime(void);
char *lp_log_nt_token_command(void);
char *lp_username_map(void);
int lp_afs_token_lifetime(void);
char *lp_log_nt_token_command(void);
char *lp_username_map(void);
-bool lp_force_username_map(void);
const char *lp_logon_script(void);
const char *lp_logon_path(void);
const char *lp_logon_drive(void);
const char *lp_logon_script(void);
const char *lp_logon_path(void);
const char *lp_logon_drive(void);
int iAfsTokenLifetime;
char *szLogNtTokenCommand;
char *szUsernameMap;
int iAfsTokenLifetime;
char *szLogNtTokenCommand;
char *szUsernameMap;
- bool bForceUsernameMap;
char *szLogonScript;
char *szLogonPath;
char *szLogonDrive;
char *szLogonScript;
char *szLogonPath;
char *szLogonDrive;
.enum_list = NULL,
.flags = FLAG_ADVANCED,
},
.enum_list = NULL,
.flags = FLAG_ADVANCED,
},
- {
- .label = "force username map",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
- .ptr = &Globals.bForceUsernameMap,
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
{
.label = "password level",
.type = P_INTEGER,
{
.label = "password level",
.type = P_INTEGER,
FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
-FN_GLOBAL_BOOL(lp_force_username_map, &Globals.bForceUsernameMap)
FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive)
FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive)