r2934: - changed the unixuid module to use the nt_user_token instead of the server...

- added SID_WORLD and SID_NETWORK to the foreign sids in the
  provisioning, as these are auto-added to the nt_user_token (why is
  that done? Andrew?)

diff --git a/source/ntvfs/unixuid/vfs_unixuid.c b/source/ntvfs/unixuid/vfs_unixuid.c
index 846bd6617913f9085d7371945370871df9f58ee0..a5934a07fa6c732dddcb74690a62d9acb55c4246 100644 (file)
--- a/source/ntvfs/unixuid/vfs_unixuid.c
+++ b/source/ntvfs/unixuid/vfs_unixuid.c
@@ -26,7 +26,7 @@
 struct unixuid_private {
        void *samctx;
        struct unix_sec_ctx *last_sec_ctx;
-       struct auth_session_info *last_session_info;
+       struct nt_user_token *last_token;
 };
 
 
@@ -238,35 +238,40 @@ static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
 }
 
 /*
-  form a unix_sec_ctx from the current session info
+  form a unix_sec_ctx from the current nt_user_token
 */
-static NTSTATUS authinfo_to_unix_security(struct ntvfs_module_context *ntvfs,
+static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
                                          struct smbsrv_request *req,
-                                         struct auth_serversupplied_info *info,
+                                         struct nt_user_token *token,
                                          struct unix_sec_ctx **sec)
 {
        int i;
        NTSTATUS status;
        *sec = talloc_p(req, struct unix_sec_ctx);
 
-       status = sid_to_unixuid(ntvfs, req, info->user_sid, &(*sec)->uid);
+       /* we can't do unix security without a user and group */
+       if (token->num_sids < 2) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       status = sid_to_unixuid(ntvfs, req, token->user_sids[0], &(*sec)->uid);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
-       status = sid_to_unixgid(ntvfs, req, info->primary_group_sid, &(*sec)->gid);
+       status = sid_to_unixgid(ntvfs, req, token->user_sids[1], &(*sec)->gid);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
-       (*sec)->ngroups = info->n_domain_groups;
+       (*sec)->ngroups = token->num_sids - 2;
        (*sec)->groups = talloc_array_p(*sec, gid_t, (*sec)->ngroups);
        if ((*sec)->groups == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
 
        for (i=0;i<(*sec)->ngroups;i++) {
-               status = sid_to_unixgid(ntvfs, req, info->domain_groups[i], &(*sec)->groups[i]);
+               status = sid_to_unixgid(ntvfs, req, token->user_sids[i+2], &(*sec)->groups[i]);
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
@@ -282,7 +287,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
                                       struct smbsrv_request *req, struct unix_sec_ctx **sec)
 {
        struct unixuid_private *private = ntvfs->private_data;
-       struct auth_serversupplied_info *info = req->session->session_info->server_info;
+       struct nt_user_token *token = req->session->session_info->nt_user_token;
        void *ctx = talloc(req, 0);
        struct unix_sec_ctx *newsec;
        NTSTATUS status;
@@ -292,10 +297,10 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (req->session->session_info == private->last_session_info) {
+       if (req->session->session_info->nt_user_token == private->last_token) {
                newsec = private->last_sec_ctx;
        } else {
-               status = authinfo_to_unix_security(ntvfs, req, info, &newsec);
+               status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
                if (!NT_STATUS_IS_OK(status)) {
                        talloc_free(ctx);
                        return status;
@@ -304,7 +309,7 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
                        talloc_free(private->last_sec_ctx);
                }
                private->last_sec_ctx = newsec;
-               private->last_session_info = req->session->session_info;
+               private->last_token = req->session->session_info->nt_user_token;
                talloc_steal(private, newsec);
        }
 
@@ -354,7 +359,7 @@ static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs,
 
        ntvfs->private_data = private;
        private->last_sec_ctx = NULL;
-       private->last_session_info = NULL;
+       private->last_token = NULL;
 
        PASS_THRU_REQ(ntvfs, req, connect, (ntvfs, req, sharename));
 
@@ -611,7 +616,7 @@ static NTSTATUS unixuid_logoff(struct ntvfs_module_context *ntvfs,
 
        PASS_THRU_REQ(ntvfs, req, logoff, (ntvfs, req));
 
-       private->last_session_info = NULL;
+       private->last_token = NULL;
 
        return status;
 }

diff --git a/source/script/provision.pl b/source/script/provision.pl
index e98181b05fbc00e37be886536fda410b1019c0bb..326a7e60cf133e64aabe05f4987710460d4806ad 100755 (executable)
--- a/source/script/provision.pl
+++ b/source/script/provision.pl
@@ -322,6 +322,8 @@ $basedn = "DC=" . join(",DC=", split(/\./, $opt_realm));
 my $data = FileLoad("provision.ldif") || die "Unable to load provision.ldif\n";
 
 $data .= add_foreign("S-1-5-7", "Anonymous", "\${NOBODY}");
+$data .= add_foreign("S-1-1-0", "World", "\${NOGROUP}");
+$data .= add_foreign("S-1-5-2", "Network", "\${NOGROUP}");
 $data .= add_foreign("S-1-5-18", "System", "root");
 $data .= add_foreign("S-1-5-11", "Authenticated Users", "\${USERS}");