path = $share_dir
valid users = \"+$dcvars->{DOMAIN}/domain users\"
-[valid_users_nis_group]
- path = $share_dir
- valid users = \"&$dcvars->{DOMAIN}/domain users\"
-
[valid_users_unix_nis_group]
path = $share_dir
valid users = \"+&$dcvars->{DOMAIN}/domain users\"
#include "auth.h"
#include "lib/gencache.h"
-#ifdef HAVE_NETGROUP
-/* rpc/xdr.h uses TRUE and FALSE */
-#ifdef TRUE
-#undef TRUE
-#endif
-
-#ifdef FALSE
-#undef FALSE
-#endif
-
-#include "system/nis.h"
-#endif
-
/*******************************************************************
Map a username from a dos name to a unix name by looking in the username
map. Note that this modifies the name in place.
}
/****************************************************************************
- Check if a user is in a netgroup user list. If at first we don't succeed,
- try lower case.
-****************************************************************************/
-
-bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
-{
-#ifdef HAVE_NETGROUP
- static char *my_yp_domain = NULL;
- char *lowercase_user = NULL;
+ Check if a user is in a user list
- if (my_yp_domain == NULL) {
- yp_get_default_domain(&my_yp_domain);
- }
-
- if (my_yp_domain == NULL) {
- DEBUG(5,("Unable to get default yp domain, "
- "let's try without specifying it\n"));
- }
-
- DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
- user, my_yp_domain?my_yp_domain:"(ANY)", ngname));
-
- if (innetgr(ngname, NULL, user, my_yp_domain)) {
- DEBUG(5,("user_in_netgroup: Found\n"));
- return true;
- }
-
- /*
- * Ok, innetgr is case sensitive. Try once more with lowercase
- * just in case. Attempt to fix #703. JRA.
- */
- lowercase_user = talloc_strdup(ctx, user);
- if (!lowercase_user) {
- return false;
- }
- if (!strlower_m(lowercase_user)) {
- return false;
- }
-
- if (strcmp(user,lowercase_user) == 0) {
- /* user name was already lower case! */
- return false;
- }
+ We removed NIS support in 2021, but need to keep configs working.
- DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
- lowercase_user, my_yp_domain?my_yp_domain:"(ANY)", ngname));
-
- if (innetgr(ngname, NULL, lowercase_user, my_yp_domain)) {
- DEBUG(5,("user_in_netgroup: Found\n"));
- return true;
- }
-#endif /* HAVE_NETGROUP */
- return false;
-}
-
-/****************************************************************************
- Check if a user is in a user list - can check combinations of UNIX
- and netgroup lists.
+ TOOD FIXME: Remove this funciton
****************************************************************************/
bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
{
- if (!list || !*list)
- return False;
-
- DEBUG(10,("user_in_list: checking user %s in list\n", user));
-
- while (*list) {
- DEBUG(10,("user_in_list: checking user |%s| against |%s|\n",
- user, *list));
-
- /*
- * Check raw username.
- */
- if (strequal(user, *list))
- return(True);
-
- /*
- * Now check to see if any combination
- * of UNIX and netgroups has been specified.
- */
-
- if(**list == '@') {
- /*
- * Old behaviour. Check netgroup list
- * followed by UNIX list.
- */
- if(user_in_netgroup(ctx, user, *list +1))
- return True;
- if(user_in_group(user, *list +1))
- return True;
- } else if (**list == '+') {
+ if (list == NULL || *list == NULL) {
+ return false;
+ }
- if((*(*list +1)) == '&') {
- /*
- * Search UNIX list followed by netgroup.
- */
- if(user_in_group(user, *list +2))
- return True;
- if(user_in_netgroup(ctx, user, *list +2))
- return True;
+ DBG_DEBUG("Checking user %s in list\n", user);
- } else {
+ while (*list) {
+ const char *p = *list;
+ bool ok;
- /*
- * Just search UNIX list.
- */
+ /* Check raw username */
+ if (strequal(user, p)) {
+ return true;
+ }
- if(user_in_group(user, *list +1))
- return True;
- }
+ while (*p == '@' || *p == '&' || *p == '+') {
+ p++;
+ }
- } else if (**list == '&') {
-
- if(*(*list +1) == '+') {
- /*
- * Search netgroup list followed by UNIX list.
- */
- if(user_in_netgroup(ctx, user, *list +2))
- return True;
- if(user_in_group(user, *list +2))
- return True;
- } else {
- /*
- * Just search netgroup list.
- */
- if(user_in_netgroup(ctx, user, *list +1))
- return True;
- }
+ ok = user_in_group(user, p);
+ if (ok) {
+ return true;
}
list++;
}
- return(False);
+
+ return false;
}
bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out)
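Review bot: In `user_in_list`, the new prefix-skipping loop `while (*p == '@' || *p == '&' || *p == '+')` makes an entry that used to be netgroup-only (`&name`) match a UNIX group called `name`. If this list backs an access-control parameter, the set of matching accounts can change after upgrade without any signal. The `*pattern = "+"` change for the `&` case in `do_group_checks` has the same effect. I would log when a `&` prefix is consumed, for example `DBG_WARNING("'%s': NIS netgroups are no longer supported, treating as UNIX group\n", *list);`, so administrators can find stale entries. The loop also accepts any run of prefix characters (for instance `@@+name`), which the old parser did not, and the new header comment should read `TODO FIXME: Remove this function`.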
bld.SAMBA3_SUBSYSTEM('USER_UTIL',
source='user_util.c',
- deps='TOKEN_UTIL tirpc nsl')
+ deps='TOKEN_UTIL')
bld.SAMBA3_SUBSYSTEM('AUTH_COMMON',
source='''auth_util.c
#include <langinfo.h>
#endif
-#ifdef HAVE_NETGROUP_H
-#include <netgroup.h>
-#endif
-
/* Special macros that are no-ops except when run under Valgrind on
* x86. They've moved a little bit from valgrind 1.0.4 to 1.9.4 */
#ifdef HAVE_VALGRIND_MEMCHECK_H
/* Max allowable allococation - 256mb - 0x10000000 */
#define MAX_ALLOC_SIZE (1024*1024*256)
-#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT))
-/* rpc/xdr.h uses TRUE and FALSE */
-#ifdef TRUE
-#undef TRUE
-#endif
-
-#ifdef FALSE
-#undef FALSE
-#endif
-
-#include "system/nis.h"
-
-#ifdef WITH_NISPLUS_HOME
-#ifdef BROKEN_NISPLUS_INCLUDE_FILES
-/*
- * The following lines are needed due to buggy include files
- * in Solaris 2.6 which define GROUP in both /usr/include/sys/acl.h and
- * also in /usr/include/rpcsvc/nis.h. The definitions conflict. JRA.
- * Also GROUP_OBJ is defined as 0x4 in /usr/include/sys/acl.h and as
- * an enum in /usr/include/rpcsvc/nis.h.
- */
-
-#if defined(GROUP)
-#undef GROUP
-#endif
-
-#if defined(GROUP_OBJ)
-#undef GROUP_OBJ
-#endif
-
-#endif /* BROKEN_NISPLUS_INCLUDE_FILES */
-
-#include <rpcsvc/nis.h>
-
-#endif /* WITH_NISPLUS_HOME */
-#endif /* HAVE_NETGROUP && WITH_AUTOMOUNT */
-
static enum protocol_types Protocol = PROTOCOL_COREPLUS;
enum protocol_types get_Protocol(void)
}
}
-#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT))
-/******************************************************************
- Remove any mount options such as -rsize=2048,wsize=2048 etc.
- Based on a fix from <Thomas.Hepper@icem.de>.
- Returns a malloc'ed string.
-*******************************************************************/
-
-static char *strip_mount_options(TALLOC_CTX *ctx, const char *str)
-{
- if (*str == '-') {
- const char *p = str;
- while(*p && !isspace(*p))
- p++;
- while(*p && isspace(*p))
- p++;
- if(*p) {
- return talloc_strdup(ctx, p);
- }
- }
- return NULL;
-}
-
-/*******************************************************************
- Patch from jkf@soton.ac.uk
- Split Luke's automount_server into YP lookup and string splitter
- so can easily implement automount_path().
- Returns a malloc'ed string.
-*******************************************************************/
-
-#ifdef WITH_NISPLUS_HOME
-char *automount_lookup(TALLOC_CTX *ctx, const char *user_name)
-{
- const struct loadparm_substitution *lp_sub =
- loadparm_s3_global_substitution();
- char *value = NULL;
-
- char *nis_map = (char *)lp_homedir_map(talloc_tos(), lp_sub);
-
- char buffer[NIS_MAXATTRVAL + 1];
- nis_result *result;
- nis_object *object;
- entry_obj *entry;
-
- snprintf(buffer, sizeof(buffer), "[key=%s],%s", user_name, nis_map);
- DEBUG(5, ("NIS+ querystring: %s\n", buffer));
-
- if (result = nis_list(buffer, FOLLOW_PATH|EXPAND_NAME|HARD_LOOKUP, NULL, NULL)) {
- if (result->status != NIS_SUCCESS) {
- DEBUG(3, ("NIS+ query failed: %s\n", nis_sperrno(result->status)));
- } else {
- object = result->objects.objects_val;
- if (object->zo_data.zo_type == ENTRY_OBJ) {
- entry = &object->zo_data.objdata_u.en_data;
- DEBUG(5, ("NIS+ entry type: %s\n", entry->en_type));
- DEBUG(3, ("NIS+ result: %s\n", entry->en_cols.en_cols_val[1].ec_value.ec_value_val));
-
- value = talloc_strdup(ctx,
- entry->en_cols.en_cols_val[1].ec_value.ec_value_val);
- if (!value) {
- nis_freeresult(result);
- return NULL;
- }
- value = talloc_string_sub(ctx,
- value,
- "&",
- user_name);
- }
- }
- }
- nis_freeresult(result);
-
- if (value) {
- value = strip_mount_options(ctx, value);
- DEBUG(4, ("NIS+ Lookup: %s resulted in %s\n",
- user_name, value));
- }
- return value;
-}
-#else /* WITH_NISPLUS_HOME */
-
-char *automount_lookup(TALLOC_CTX *ctx, const char *user_name)
-{
- const struct loadparm_substitution *lp_sub =
- loadparm_s3_global_substitution();
- char *value = NULL;
-
- int nis_error; /* returned by yp all functions */
- char *nis_result; /* yp_match inits this */
- int nis_result_len; /* and set this */
- char *nis_domain; /* yp_get_default_domain inits this */
- char *nis_map = lp_homedir_map(talloc_tos(), lp_sub);
-
- if ((nis_error = yp_get_default_domain(&nis_domain)) != 0) {
- DEBUG(3, ("YP Error: %s\n", yperr_string(nis_error)));
- return NULL;
- }
-
- DEBUG(5, ("NIS Domain: %s\n", nis_domain));
-
- if ((nis_error = yp_match(nis_domain, nis_map, user_name,
- strlen(user_name), &nis_result,
- &nis_result_len)) == 0) {
- if (nis_result_len > 0 && nis_result[nis_result_len] == '\n') {
- nis_result[nis_result_len] = '\0';
- }
- value = talloc_strdup(ctx, nis_result);
- if (!value) {
- return NULL;
- }
- value = strip_mount_options(ctx, value);
- } else if(nis_error == YPERR_KEY) {
- DEBUG(3, ("YP Key not found: while looking up \"%s\" in map \"%s\"\n",
- user_name, nis_map));
- DEBUG(3, ("using defaults for server and home directory\n"));
- } else {
- DEBUG(3, ("YP Error: \"%s\" while looking up \"%s\" in map \"%s\"\n",
- yperr_string(nis_error), user_name, nis_map));
- }
-
- if (value) {
- DEBUG(4, ("YP Lookup: %s resulted in %s\n", user_name, value));
- }
- return value;
-}
-#endif /* WITH_NISPLUS_HOME */
-#endif
-
bool process_exists(const struct server_id pid)
{
return serverid_exists(&pid);
Globals.machine_password_timeout = 60 * 60 * 24 * 7; /* 7 days default. */
Globals.lm_announce = Auto; /* = Auto: send only if LM clients found */
Globals.lm_interval = 60;
-#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT))
- Globals.nis_homedir = false;
-#ifdef WITH_NISPLUS_HOME
- lpcfg_string_set(Globals.ctx, &Globals.homedir_map,
- "auto_home.org_dir");
-#else
- lpcfg_string_set(Globals.ctx, &Globals.homedir_map, "auto.home");
-#endif
-#endif
Globals.time_server = false;
Globals.bind_interfaces_only = false;
Globals.unix_password_sync = false;
return 1
fi
- # User not in NIS group in "valid users" can't login to service
- cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1'
- eval echo "$cmd"
- out=`eval $cmd`
- echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
- ret=$?
-
- if [ $ret -ne 0 ] ; then
- echo "$out"
- echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret"
- return 1
- fi
-
# Check user in UNIX, then in NIS group in "valid users" can login to service
cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"
#include "auth.h"
/*
- * No prefix means direct username
- * @name means netgroup first, then unix group
- * &name means netgroup
- * +name means unix group
- * + and & may be combined
+ * We dropped NIS support in 2021, but need to keep configs working.
+ *
+ * TODO FIXME: Remove me in future
*/
static bool do_group_checks(const char **name, const char **pattern)
{
if ((*name)[0] == '@') {
- *pattern = "&+";
+ *pattern = "+";
*name += 1;
return True;
}
if (((*name)[0] == '+') && ((*name)[1] == '&')) {
- *pattern = "+&";
+ *pattern = "+";
*name += 2;
return True;
}
}
if (((*name)[0] == '&') && ((*name)[1] == '+')) {
- *pattern = "&+";
+ *pattern = "+";
*name += 2;
return True;
}
if ((*name)[0] == '&') {
- *pattern = "&";
+ *pattern = "+";
*name += 1;
return True;
}
continue;
}
if (*prefix == '&') {
- if (username) {
- if (user_in_netgroup(mem_ctx, username, name)) {
- return True;
- }
- }
continue;
}
smb_panic("got invalid prefix from do_groups_check");
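Review bot: The replacement comment above `do_group_checks` drops the description of the prefix syntax, yet the function still parses `@`, `+&`, `&+` and `&`, so a reader can no longer tell what each prefix means. I would keep a short grammar in the comment, e.g. `* @name, &name, +&name and &+name are now looked up as a unix group only; the & (netgroup) forms are accepted for config compatibility`. Every branch shown here now sets `*pattern = "+"`, so the `if (*prefix == '&') { continue; }` arm in the caller looks unreachable. It could be removed, or marked with a comment such as `/* no longer produced by do_group_checks() */`. Both functions start or end outside the visible hunks, so the remaining branches could not be checked here.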
conf.CHECK_FUNCS('lutimes utimensat futimens')
conf.CHECK_FUNCS('mlock munlock mlockall munlockall')
conf.CHECK_FUNCS('memalign posix_memalign hstrerror')
- conf.CHECK_FUNCS_IN('yp_get_default_domain', 'nsl')
conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv')
conf.CHECK_FUNCS_IN('dn_expand', 'inet')
conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h')
headers='unistd.h sys/types.h dirent.h',
define='HAVE_DIRENT_D_OFF')
- if (conf.CONFIG_SET('HAVE_YP_GET_DEFAULT_DOMAIN')):
- conf.DEFINE('HAVE_NETGROUP', '1')
-
# Look for CUPS
if Options.options.with_cups:
conf.find_program('cups-config', var='CUPS_CONFIG')