r23530: Fix bugs #4678 and #4697 which had the same root cause.

In make_server_info_pw() we assign a user SID in our
authoritative SAM, even though this may be from a
pure "Unix User" that doesn't exist in the SAM.
This causes lookups on "[in]valid users" to fail as they
will lookup this name as a "Unix User" SID to check against
the user token. Fix this by adding the "Unix User"\unix_username
SID to the sid array. The correct fix should probably be
changing the server_info->sam_account user SID to be a
S-1-22 Unix SID, but this might break old configs where
plaintext passwords were used with no SAM backend.
Jeremy

diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index f66c500943bd85734d2e90887396f99b67f899e3..7509b5ad1ce22f08ae7e50d06a435fef69416cb5 100644 (file)
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -966,6 +966,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
        NTSTATUS status;
        struct samu *sampass = NULL;
        gid_t *gids;
+       char *qualified_name = NULL;
+       TALLOC_CTX *mem_ctx = NULL;
+       DOM_SID u_sid;
+       enum lsa_SidType type;
        auth_serversupplied_info *result;
        
        if ( !(sampass = samu_new( NULL )) ) {
@@ -999,6 +1003,56 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
                return status;
        }
 
+       /*
+        * The SID returned in server_info->sam_account is based
+        * on our SAM sid even though for a pure UNIX account this should
+        * not be the case as it doesn't really exist in the SAM db.
+        * This causes lookups on "[in]valid users" to fail as they
+        * will lookup this name as a "Unix User" SID to check against
+        * the user token. Fix this by adding the "Unix User"\unix_username
+        * SID to the sid array. The correct fix should probably be
+        * changing the server_info->sam_account user SID to be a
+        * S-1-22 Unix SID, but this might break old configs where
+        * plaintext passwords were used with no SAM backend.
+        */
+
+       mem_ctx = talloc_init("make_server_info_pw_tmp");
+       if (!mem_ctx) {
+               TALLOC_FREE(result);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+                                       unix_users_domain_name(),
+                                       unix_username );
+       if (!qualified_name) {
+               TALLOC_FREE(result);
+               TALLOC_FREE(mem_ctx);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+                                               NULL, NULL,
+                                               &u_sid, &type)) {
+               TALLOC_FREE(result);
+               TALLOC_FREE(mem_ctx);
+               return NT_STATUS_NO_SUCH_USER;
+       }
+
+       TALLOC_FREE(mem_ctx);
+
+       if (type != SID_NAME_USER) {
+               TALLOC_FREE(result);
+               return NT_STATUS_NO_SUCH_USER;
+       }
+
+       if (!add_sid_to_array_unique(result, &u_sid,
+                                       &result->sids,
+                                       &result->num_sids)) {
+               TALLOC_FREE(result);
+               return NT_STATUS_NO_MEMORY;
+       }
+
        /* For now we throw away the gids and convert via sid_to_gid
         * later. This needs fixing, but I'd like to get the code straight and
         * simple first. */