Merge vl's 'algorithmic rid base' patch, and my changes to pdb_smbpasswd's NUA
authorAndrew Bartlett <abartlet@samba.org>
Tue, 5 Nov 2002 07:20:27 +0000 (07:20 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 5 Nov 2002 07:20:27 +0000 (07:20 +0000)
support from HEAD -> 3.0

Andrew Bartlett
(This used to be commit 89d8ebd520e2a441e6d5b6b8adb6c483b0131adc)

source3/passdb/passdb.c
source3/passdb/pdb_smbpasswd.c
source3/utils/testparm.c

index 04786b59e53d35149a3fcd1822809e003a1c76ac..4ce5b93abd58f2658fff9b7e95f7137a904b592d 100644 (file)
@@ -500,9 +500,32 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
  Converts NT user RID to a UNIX uid.
  ********************************************************************/
 
+static int algorithmic_rid_base(void)
+{
+       static int rid_offset = 0;
+
+       if (rid_offset != 0)
+               return rid_offset;
+
+       rid_offset = lp_algorithmic_rid_base();
+
+       if (rid_offset < BASE_RID) {  
+               /* Try to prevent admin foot-shooting, we can't put algorithmic
+                  rids below 1000, that's the 'well known RIDs' on NT */
+               DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
+               rid_offset = BASE_RID;
+       }
+       if (rid_offset & 1) {
+               DEBUG(0, ("algorithmic rid base must be even\n"));
+               rid_offset += 1;
+       }
+       return rid_offset;
+}
+
+
 uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
 {
-       int rid_offset = lp_algorithmic_rid_base();
+       int rid_offset = algorithmic_rid_base();
        return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
 }
 
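Review bot: The clamp `if (rid_offset < BASE_RID)` in algorithmic_rid_base() compares a signed `int` with BASE_RID, whose type is not visible in this hunk; the DEBUG here prints it with `%ld` while the testparm.c hunk prints it with `%lu`, so at least one of the two format specifiers does not match its argument. If BASE_RID turns out to be an unsigned constant, a negative configured value would be converted to a large unsigned number, skip the clamp, and reach the RID/uid arithmetic in the four converters (here and in the next three hunks) as a negative offset. Making the comparison explicitly signed, `if (rid_offset < (int)BASE_RID) {`, and printing with a cast that matches the specifier, `(unsigned long)BASE_RID` with `%lu`, would close both. A one-line comment on the `static int rid_offset` cache stating that the base is deliberately fixed for the life of the process, so a configuration reload does not change it, would also help the next reader.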
@@ -513,7 +536,7 @@ uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
 
 uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
 {
-       int rid_offset = lp_algorithmic_rid_base();
+       int rid_offset = algorithmic_rid_base();
        return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
 }
 
@@ -523,7 +546,7 @@ uint32 fallback_pdb_uid_to_user_rid(uid_t uid)
 
 gid_t pdb_group_rid_to_gid(uint32 group_rid)
 {
-       int rid_offset = lp_algorithmic_rid_base();
+       int rid_offset = algorithmic_rid_base();
        return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
 }
 
@@ -537,7 +560,7 @@ gid_t pdb_group_rid_to_gid(uint32 group_rid)
 
 uint32 pdb_gid_to_group_rid(gid_t gid)
 {
-       int rid_offset = lp_algorithmic_rid_base();
+       int rid_offset = algorithmic_rid_base();
        return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
 }
 
index 3ab524f488e5bda35608d84986705eb36d5fd0e0..abfe016e8a3a1e39bb0a148d9583094dce602d4f 100644 (file)
@@ -1200,28 +1200,29 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
                return False;
        }
                
-       if ((smbpasswd_state->permit_non_unix_accounts) 
-           && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) 
-           && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
-
-               pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
-
-               /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. 
-                  
-                  This was down the bottom for machines, but it looks pretty good as
-                  a general default for non-unix users. --abartlet 2002-01-08
-               */
-               pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET); 
-               pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
-               pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
-       } else {
-
-               pwfile = getpwnam_alloc(pw_buf->smb_name);
-               if (pwfile == NULL) {
+       pwfile = getpwnam_alloc(pw_buf->smb_name);
+       if (pwfile == NULL) {
+               if ((smbpasswd_state->permit_non_unix_accounts) 
+                   && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) 
+                   && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
+
+                       pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid), PDB_SET);
+                       
+                       /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. 
+                          
+                       This was down the bottom for machines, but it looks pretty good as
+                       a general default for non-unix users. --abartlet 2002-01-08
+                       */
+                       pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS, PDB_SET); 
+                       pdb_set_username (sam_pass, pw_buf->smb_name, PDB_SET);
+                       pdb_set_domain (sam_pass, lp_workgroup(), PDB_DEFAULT);
+                       
+               } else {
                        DEBUG(0,("build_sam_account: smbpasswd database is corrupt!  username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid));
                        return False;
                }
-
+       } else {
+               
                if (!NT_STATUS_IS_OK(pdb_fill_sam_pw(sam_pass, pwfile))) {
                        return False;
                }
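Review bot: After this reordering, any name that resolves through `getpwnam_alloc()` takes the `pdb_fill_sam_pw()` branch even when `pw_buf->smb_userid` lies inside the non-unix-account range, and nothing visible in the hunk compares the uid stored in smbpasswd with the uid the passwd lookup returned. An entry created as a non-unix account would then silently take on a unix account's identity if a unix user of the same name is added later (assuming pdb_fill_sam_pw derives the SID from `pwfile`, which is not shown here). Logging the disagreement would make that visible, e.g. `if (pwfile->pw_uid != pw_buf->smb_userid) DEBUG(0, ("build_sam_account: uid mismatch for %s\n", pw_buf->smb_name));`, and a comment above the lookup should state that the unix passwd entry is meant to win over the NUA range. build_sam_account starts and ends outside the hunk, so whether `pwfile` is released on the `return False` paths cannot be checked from here.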
@@ -1386,7 +1387,7 @@ static NTSTATUS smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUN
        struct smb_passwd *smb_pw;
        void *fp = NULL;
 
-       DEBUG(10, ("pdb_getsampwrid: search by rid: %d\n", rid));
+       DEBUG(10, ("smbpasswd_getsampwrid: search by rid: %d\n", rid));
 
        /* More special case 'guest account' hacks... */
        if (rid == DOMAIN_USER_RID_GUEST) {
index c81d6e72e48cb0531c3f9ac90321fc381e6fff52..c92692fda252503adfd3ca7830f7932046f18415 100644 (file)
@@ -168,6 +168,16 @@ via the %%o substitution. With encrypted passwords this is not possible.\n", lp_
                printf("'winbind separator = +' might cause problems with group membership.\n");
        }
 
+       if (lp_algorithmic_rid_base() < BASE_RID) {
+               /* Try to prevent admin foot-shooting, we can't put algorithmic
+                  rids below 1000, that's the 'well known RIDs' on NT */
+               printf("'algorithmic rid base' must be equal to or above %lu\n", BASE_RID);
+       }
+
+       if (lp_algorithmic_rid_base() & 1) {
+               printf("'algorithmic rid base' must be even.\n");
+       }
+
        return ret;
 }
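Review bot: Both new checks only print and leave `ret` untouched, so if `ret` is the exit status (the function starts outside the hunk) a configuration with an out-of-range or odd 'algorithmic rid base' still passes testparm. The wording "must be" also hides what the passdb.c hunk does with such a value at run time, which is to raise it to BASE_RID or round it up by one; because that shifts every algorithmically derived RID, the message should say so, e.g. `printf("'algorithmic rid base' is odd and will be rounded up by one at run time.\n");`. The two checks duplicate the logic of algorithmic_rid_base() in passdb.c, so a comment naming that function would help keep them from drifting apart.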