Create a UNIX user on demand.
****************************************************************************/
-static int smb_create_user(const char *unix_user, const char *homedir)
+static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
{
pstring add_script;
int ret;
pstrcpy(add_script, lp_adduser_script());
if (! *add_script)
return -1;
- all_string_sub(add_script, "%u", unix_user, sizeof(pstring));
+ all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
+ if (domain)
+ all_string_sub(add_script, "%D", domain, sizeof(pstring));
if (homedir)
all_string_sub(add_script, "%H", homedir, sizeof(pstring));
ret = smbrun(add_script,NULL);
Add and Delete UNIX users on demand, based on NTSTATUS codes.
****************************************************************************/
-void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status)
+void auth_add_user_script(const char *domain, const char *username)
{
struct passwd *pwd=NULL;
- if (NT_STATUS_IS_OK(nt_status)) {
-
- if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) {
-
- /*
- * User validated ok against Domain controller.
- * If the admin wants us to try and create a UNIX
- * user on the fly, do so.
- */
-
- if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) {
- smb_create_user(user_info->internal_username.str, NULL);
- }
- }
+ /*
+ * User validated ok against Domain controller.
+ * If the admin wants us to try and create a UNIX
+ * user on the fly, do so.
+ */
+
+ if(lp_adduser_script() && !(pwd = Get_Pwnam(username))) {
+ smb_create_user(domain, username, NULL);
}
}
where it doens't supply a domain for logon script
'net use' commands.
- The way I do it here is by checking if the fully
- qualified username exists. This is rather reliant
- on winbind, but until we have a better method this
- will have to do
+ Finally, we do this by looking up a cache of trusted domains!
*/
domain = client_domain;
- if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
- char *user = NULL;
- if (asprintf(&user, "%s%s%s",
- client_domain, lp_winbind_separator(),
- smb_name) < 0) {
- DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
-
- if (Get_Pwnam(user) == NULL) {
- DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
- domain = lp_workgroup();
- DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
- client_domain, domain));
- } else {
- DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
- }
- SAFE_FREE(user);
+ if (is_trusted_domain(domain)) {
+ return make_user_info(user_info, smb_name, internal_username,
+ client_domain, domain, wksta_name,
+ lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
+ encrypted);
}
+
} else {
domain = lp_workgroup();
}
NT_USER_TOKEN *token;
int i;
- if (!uid_to_sid(&user_sid, uid)) {
+ if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) {
return NULL;
}
- if (!gid_to_sid(&group_sid, gid)) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) {
return NULL;
}
- group_sids = malloc(sizeof(DOM_SID) * ngroups);
+ group_sids = malloc(sizeof(DOM_SID) * ngroups);
if (!group_sids) {
DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n"));
return NULL;
}
for (i = 0; i < ngroups; i++) {
- if (!gid_to_sid(&(group_sids)[i], (groups)[i])) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) {
DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
SAFE_FREE(group_sids);
return NULL;
* If this samba server is a DC of the domain the user belongs to, it returns
* both domain groups and local / builtin groups. If the user is in a trusted
* domain, or samba is a member server of a domain, then this function returns
- * local and builtin groups the user is a member of.
+ * local and builtin groups the user is a member of.
*
* currently this is a hack, as there is no sam implementation that is capable
* of groups.
gid_t gid;
int n_unix_groups;
int i;
- struct passwd *usr;
*n_groups = 0;
*groups = NULL;
- if (!IS_SAM_UNIX_USER(sampass)) {
- DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass)));
- return NT_STATUS_NO_SUCH_USER;
+ if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) {
+ DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
}
-
- uid = pdb_get_uid(sampass);
- gid = pdb_get_gid(sampass);
n_unix_groups = groups_max();
if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
- passwd_free(&usr);
return NT_STATUS_NO_MEMORY;
}
groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
if (!groups_tmp) {
SAFE_FREE(*unix_groups);
- passwd_free(&usr);
return NT_STATUS_NO_MEMORY;
}
*unix_groups = groups_tmp;
if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) {
DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
SAFE_FREE(*unix_groups);
- passwd_free(&usr);
return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
}
}
*n_groups = n_unix_groups;
for (i = 0; i < *n_groups; i++) {
- if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
+ if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) {
DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1]));
SAFE_FREE(*groups);
SAFE_FREE(*unix_groups);
static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
{
+ NTSTATUS ret;
+
*server_info = malloc(sizeof(**server_info));
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
(*server_info)->sam_fill_level = SAM_FILL_ALL;
(*server_info)->sam_account = sampass;
+ if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid))))
+ return ret;
+ if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid))))
+ return ret;
return NT_STATUS_OK;
}
return nt_status;
}
+/***************************************************************************
+ Purely internal function for make_server_info_info3
+ Fill the sam account from getpwnam
+***************************************************************************/
+static NTSTATUS fill_sam_account(const char *domain,
+ const char *username,
+ SAM_ACCOUNT **sam_account)
+{
+ fstring dom_user;
+ struct passwd *passwd;
+
+ fstr_sprintf(dom_user, "%s%s%s",
+ domain, lp_winbind_separator(), username);
+
+ passwd = Get_Pwnam(dom_user);
+
+ if ( (passwd == NULL) && is_myworkgroup(domain) ) {
+ /* For our own domain also try unqualified */
+ passwd = Get_Pwnam(username);
+ }
+
+ if (passwd == NULL)
+ return NT_STATUS_NO_SUCH_USER;
+
+ return pdb_init_sam_pw(sam_account, passwd);
+}
+
/***************************************************************************
Make a server_info struct from the info3 returned by a domain logon
***************************************************************************/
struct passwd *passwd;
- uid_t uid;
- gid_t gid;
+ unid_t u_id, g_id;
+ int u_type, g_type;
int n_lgroupSIDs;
DOM_SID *lgroupSIDs = NULL;
domain = domain;
}
- if (winbind_sid_to_uid(&uid, &user_sid)
- && winbind_sid_to_gid(&gid, &group_sid)
- && ((passwd = getpwuid_alloc(uid)))) {
+ u_type = ID_USERID;
+ g_type = ID_GROUPID;
+ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid))
+ && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid))
+ && ((passwd = getpwuid_alloc(u_id.uid)))) {
nt_status = pdb_init_sam_pw(&sam_account, passwd);
passwd_free(&passwd);
} else {
- char *dom_user;
- dom_user = talloc_asprintf(mem_ctx, "%s%s%s",
- nt_domain,
- lp_winbind_separator(),
- internal_username);
-
- if (!dom_user) {
- DEBUG(0, ("talloc_asprintf failed!\n"));
- return NT_STATUS_NO_MEMORY;
- } else {
-
- if (!(passwd = Get_Pwnam(dom_user))
- /* Only lookup local for the local
- domain, we don't want this for
- trusted domains */
- && strequal(nt_domain, lp_workgroup())) {
- passwd = Get_Pwnam(internal_username);
- }
-
- if (!passwd) {
- return NT_STATUS_NO_SUCH_USER;
- } else {
- nt_status = pdb_init_sam_pw(&sam_account, passwd);
- }
+
+ nt_status = fill_sam_account(nt_domain,
+ internal_username,
+ &sam_account);
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+ DEBUG(3,("User %s does not exist, trying to add it\n",
+ internal_username));
+ auth_add_user_script(nt_domain, internal_username);
+ nt_status = fill_sam_account(nt_domain,
+ internal_username,
+ &sam_account);
}
}
(n_lgroupSIDs + info3->num_groups2 +
info3->num_other_sids));
if (!all_group_SIDs) {
- DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n"));
+ DEBUG(0, ("malloc() failed for DOM_SID list!\n"));
SAFE_FREE(lgroupSIDs);
return NT_STATUS_NO_MEMORY;
}
sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid));
if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) {
nt_status = NT_STATUS_INVALID_PARAMETER;
- DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n",
+ DEBUG(3,("could not append additional group rid 0x%x\n",
info3->gids[i].g_rid));
SAFE_FREE(lgroupSIDs);
return nt_status;