#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- const DOM_SID *user_sid,
- const DOM_SID *group_sid,
- BOOL is_guest,
- int num_groupsids,
- const DOM_SID *groupsids);
-
/****************************************************************************
Create a UNIX user on demand.
****************************************************************************/
DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
*user_info = SMB_MALLOC_P(auth_usersupplied_info);
- if (!user_info) {
+ if (*user_info == NULL) {
DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
return NT_STATUS_NO_MEMORY;
}
BOOL encrypted)
{
const char *domain;
+ NTSTATUS result;
+ BOOL was_mapped;
fstring internal_username;
fstrcpy(internal_username, smb_name);
- map_username(internal_username);
+ was_mapped = map_username(internal_username);
DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, wksta_name));
/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
- return make_user_info(user_info, smb_name, internal_username,
+ result = make_user_info(user_info, smb_name, internal_username,
client_domain, domain, wksta_name,
lm_pwd, nt_pwd,
lm_interactive_pwd, nt_interactive_pwd,
plaintext, encrypted);
+ if (NT_STATUS_IS_OK(result)) {
+ (*user_info)->was_mapped = was_mapped;
+ }
+ return result;
}
/****************************************************************************
const uchar nt_interactive_pwd[16],
const uchar *dc_sess_key)
{
- char lm_pwd[16];
- char nt_pwd[16];
+ unsigned char lm_pwd[16];
+ unsigned char nt_pwd[16];
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
unsigned char key[16];
#ifdef DEBUG_PASSWORD
DEBUG(100,("key:"));
- dump_data(100, (char *)key, sizeof(key));
+ dump_data(100, key, sizeof(key));
DEBUG(100,("lm owf password:"));
dump_data(100, lm_pwd, sizeof(lm_pwd));
#endif
if (lm_interactive_pwd)
- SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
+ SamOEMhash(lm_pwd, key, sizeof(lm_pwd));
if (nt_interactive_pwd)
- SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
+ SamOEMhash(nt_pwd, key, sizeof(nt_pwd));
#ifdef DEBUG_PASSWORD
DEBUG(100,("decrypt of lm owf password:"));
#endif
if (lm_interactive_pwd)
- SMBOWFencrypt((const unsigned char *)lm_pwd, chal,
+ SMBOWFencrypt(lm_pwd, chal,
local_lm_response);
if (nt_interactive_pwd)
- SMBOWFencrypt((const unsigned char *)nt_pwd, chal,
+ SMBOWFencrypt(nt_pwd, chal,
local_nt_response);
/* Password info paranoia */
#ifdef DEBUG_PASSWORD
DEBUG(10,("Unencrypted password (len %d):\n",
(int)plaintext_password.length));
- dump_data(100, (const char *)plaintext_password.data,
+ dump_data(100, plaintext_password.data,
plaintext_password.length);
#endif
return NT_STATUS_IS_OK(nt_status) ? True : False;
}
-/****************************************************************************
- prints a NT_USER_TOKEN to debug output.
-****************************************************************************/
-
-void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
-{
- size_t i;
-
- if (!token) {
- DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
- return;
- }
-
- DEBUGC(dbg_class, dbg_lev,
- ("NT user token of user %s\n",
- sid_string_static(&token->user_sids[0]) ));
- DEBUGADDC(dbg_class, dbg_lev,
- ("contains %lu SIDs\n", (unsigned long)token->num_sids));
- for (i = 0; i < token->num_sids; i++)
- DEBUGADDC(dbg_class, dbg_lev,
- ("SID[%3lu]: %s\n", (unsigned long)i,
- sid_string_static(&token->user_sids[i])));
-
- dump_se_priv( dbg_class, dbg_lev, &token->privileges );
-}
-
-/****************************************************************************
- prints a UNIX 'token' to debug output.
-****************************************************************************/
-
-void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
- int n_groups, gid_t *groups)
-{
- int i;
- DEBUGC(dbg_class, dbg_lev,
- ("UNIX token of user %ld\n", (long int)uid));
-
- DEBUGADDC(dbg_class, dbg_lev,
- ("Primary group is %ld and contains %i supplementary "
- "groups\n", (long int)gid, n_groups));
- for (i = 0; i < n_groups; i++)
- DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
- (long int)groups[i]));
-}
-
-/******************************************************************************
- Create a token for the root user to be used internally by smbd.
- This is similar to running under the context of the LOCAL_SYSTEM account
- in Windows. This is a read-only token. Do not modify it or free() it.
- Create a copy if your need to change it.
-******************************************************************************/
-
-NT_USER_TOKEN *get_root_nt_token( void )
-{
- static NT_USER_TOKEN *token = NULL;
- DOM_SID u_sid, g_sid;
- struct passwd *pw;
-
- if ( token )
- return token;
-
- if ( !(pw = sys_getpwnam( "root" )) ) {
- DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
- return NULL;
- }
-
- /* get the user and primary group SIDs; although the
- BUILTIN\Administrators SId is really the one that matters here */
-
- uid_to_sid(&u_sid, pw->pw_uid);
- gid_to_sid(&g_sid, pw->pw_gid);
-
- token = create_local_nt_token(NULL, &u_sid, &g_sid, False,
- 1, &global_sid_Builtin_Administrators);
- return token;
-}
-
-static int server_info_dtor(void *p)
+static int server_info_dtor(auth_serversupplied_info *server_info)
{
- auth_serversupplied_info *server_info =
- talloc_get_type_abort(p, auth_serversupplied_info);
-
- if (server_info->sam_account != NULL) {
- TALLOC_FREE(server_info->sam_account);
- }
-
+ TALLOC_FREE(server_info->sam_account);
ZERO_STRUCTP(server_info);
return 0;
}
struct passwd *pwd;
gid_t *gids;
auth_serversupplied_info *result;
+ int i;
+ size_t num_gids;
+ DOM_SID unix_group_sid;
+
+
+ if ( !(result = make_server_info(NULL)) ) {
+ return NT_STATUS_NO_MEMORY;
+ }
- if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) {
+ if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
pdb_get_username(sampass)));
+ TALLOC_FREE(result);
return NT_STATUS_NO_SUCH_USER;
}
- if ( !(result = make_server_info(NULL)) ) {
- TALLOC_FREE(pwd);
- return NT_STATUS_NO_MEMORY;
- }
-
result->sam_account = sampass;
- result->unix_name = talloc_strdup(result, pwd->pw_name);
+ /* Ensure thaat the sampass will be freed with the result */
+ talloc_steal(result, sampass);
+ result->unix_name = pwd->pw_name;
+ /* Ensure that we keep pwd->pw_name, because we will free pwd below */
+ talloc_steal(result, pwd->pw_name);
result->gid = pwd->pw_gid;
result->uid = pwd->pw_uid;
TALLOC_FREE(result);
return status;
}
+
+ /* Add the "Unix Group" SID for each gid to catch mapped groups
+ and their Unix equivalent. This is to solve the backwards
+ compatibility problem of 'valid users = +ntadmin' where
+ ntadmin has been paired with "Domain Admins" in the group
+ mapping table. Otherwise smb.conf would need to be changed
+ to 'valid user = "Domain Admins"'. --jerry */
+
+ num_gids = result->num_sids;
+ for ( i=0; i<num_gids; i++ ) {
+ if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
+ DEBUG(1,("make_server_info_sam: Failed to create SID "
+ "for gid %d!\n", gids[i]));
+ continue;
+ }
+ if (!add_sid_to_array_unique( result, &unix_group_sid,
+ &result->sids, &result->num_sids )) {
+ result->sam_account = NULL; /* Don't free on error exit. */
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
/* For now we throw away the gids and convert via sid_to_gid
* later. This needs fixing, but I'd like to get the code straight and
* simple first. */
+
TALLOC_FREE(gids);
DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
return NT_STATUS_OK;
}
-/*
- * Add alias SIDs from memberships within the partially created token SID list
- */
-
-static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid,
- struct nt_user_token *token)
-{
- uint32 *aliases;
- size_t i, num_aliases;
- NTSTATUS status;
-
- aliases = NULL;
- num_aliases = 0;
-
- status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
- token->user_sids,
- token->num_sids,
- &aliases, &num_aliases);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- for (i=0; i<num_aliases; i++) {
- DOM_SID alias_sid;
- sid_compose(&alias_sid, domain_sid, aliases[i]);
- add_sid_to_array_unique(token, &alias_sid,
- &token->user_sids,
- &token->num_sids);
- if (token->user_sids == NULL) {
- DEBUG(0, ("add_sid_to_array failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
{
char *command;
return NT_STATUS_OK;
}
-/*
- * Create a NT token for the user, expanding local aliases
- */
-
-static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- const DOM_SID *user_sid,
- const DOM_SID *group_sid,
- BOOL is_guest,
- int num_groupsids,
- const DOM_SID *groupsids)
-{
- TALLOC_CTX *tmp_ctx;
- struct nt_user_token *result = NULL;
- int i;
- NTSTATUS status;
-
- tmp_ctx = talloc_new(mem_ctx);
- if (tmp_ctx == NULL) {
- DEBUG(0, ("talloc_new failed\n"));
- return NULL;
- }
-
- result = TALLOC_ZERO_P(tmp_ctx, NT_USER_TOKEN);
- if (result == NULL) {
- DEBUG(0, ("talloc failed\n"));
- goto done;
- }
-
- /* First create the default SIDs */
-
- add_sid_to_array(result, user_sid,
- &result->user_sids, &result->num_sids);
- add_sid_to_array(result, group_sid,
- &result->user_sids, &result->num_sids);
- add_sid_to_array(result, &global_sid_World,
- &result->user_sids, &result->num_sids);
- add_sid_to_array(result, &global_sid_Network,
- &result->user_sids, &result->num_sids);
-
- if (is_guest) {
- add_sid_to_array(result, &global_sid_Builtin_Guests,
- &result->user_sids, &result->num_sids);
- } else {
- add_sid_to_array(result, &global_sid_Authenticated_Users,
- &result->user_sids, &result->num_sids);
- }
-
- /* Now the SIDs we got from authentication. These are the ones from
- * the info3 struct or from the pdb_enum_group_memberships, depending
- * on who authenticated the user. */
-
- for (i=0; i<num_groupsids; i++) {
- add_sid_to_array_unique(result, &groupsids[i],
- &result->user_sids, &result->num_sids);
- }
-
- if (lp_winbind_nested_groups()) {
-
- /* Now add the aliases. First the one from our local SAM */
-
- status = add_aliases(tmp_ctx, get_global_sam_sid(), result);
-
- if (!NT_STATUS_IS_OK(status)) {
- result = NULL;
- goto done;
- }
-
- /* Finally the builtin ones */
-
- status = add_aliases(tmp_ctx, &global_sid_Builtin, result);
-
- if (!NT_STATUS_IS_OK(status)) {
- result = NULL;
- goto done;
- }
- } else {
-
- /* Play jerry's trick to auto-add local admins if we're a
- * domain admin. */
-
- DOM_SID dom_admins;
- BOOL domain_mode = False;
-
- if (IS_DC) {
- sid_compose(&dom_admins, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
- domain_mode = True;
- }
- if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
- (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) {
- sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
- domain_mode = True;
- }
-
- if (domain_mode) {
- for (i=0; i<result->num_sids; i++) {
- if (sid_equal(&dom_admins,
- &result->user_sids[i])) {
- add_sid_to_array_unique(
- result,
- &global_sid_Builtin_Administrators,
- &result->user_sids,
- &result->num_sids);
- break;
- }
- }
-
- }
- }
-
- get_privileges_for_sids(&result->privileges, result->user_sids,
- result->num_sids);
-
- talloc_steal(mem_ctx, result);
-
- done:
- TALLOC_FREE(tmp_ctx);
- return result;
-}
-
/*
* Create the token to use from server_info->sam_account and
* server_info->sids (the info3/sam groups). Find the unix gids.
return NT_STATUS_NO_MEMORY;
}
- server_info->ptok = create_local_nt_token(
- server_info,
- pdb_get_user_sid(server_info->sam_account),
- pdb_get_group_sid(server_info->sam_account),
- server_info->guest,
- server_info->num_sids, server_info->sids);
+ /*
+ * If winbind is not around, we can not make much use of the SIDs the
+ * domain controller provided us with. Likewise if the user name was
+ * mapped to some local unix user.
+ */
+
+ if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+ (server_info->was_mapped)) {
+ status = create_token_from_username(server_info,
+ server_info->unix_name,
+ server_info->guest,
+ &server_info->uid,
+ &server_info->gid,
+ &server_info->unix_name,
+ &server_info->ptok);
+
+ } else {
+ server_info->ptok = create_local_nt_token(
+ server_info,
+ pdb_get_user_sid(server_info->sam_account),
+ server_info->guest,
+ server_info->num_sids, server_info->sids);
+ status = server_info->ptok ?
+ NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(mem_ctx);
+ return status;
+ }
/* Convert the SIDs to gids. */
NTSTATUS result = NT_STATUS_NO_SUCH_USER;
TALLOC_CTX *tmp_ctx;
DOM_SID user_sid;
- enum SID_NAME_USE type;
+ enum lsa_SidType type;
gid_t *gids;
- DOM_SID primary_group_sid;
DOM_SID *group_sids;
+ DOM_SID unix_group_sid;
size_t num_group_sids;
+ size_t num_gids;
+ size_t i;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
- if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL,
+ if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
NULL, NULL, &user_sid, &type)) {
- DEBUG(1, ("lookup_name for %s failed\n", username));
+ DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
goto done;
}
goto done;
}
- if (sid_check_is_in_unix_users(&user_sid)) {
+ if (sid_check_is_in_our_domain(&user_sid)) {
+
+ /* This is a passdb user, so ask passdb */
+
+ struct samu *sam_acct = NULL;
+
+ if ( !(sam_acct = samu_new( tmp_ctx )) ) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (!pdb_getsampwsid(sam_acct, &user_sid)) {
+ DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
+ sid_string_static(&user_sid), username));
+ DEBUGADD(1, ("Fall back to unix user %s\n", username));
+ goto unix_user;
+ }
+
+ result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
+ &group_sids, &gids,
+ &num_group_sids);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("enum_group_memberships failed for %s\n",
+ username));
+ DEBUGADD(1, ("Fall back to unix user %s\n", username));
+ goto unix_user;
+ }
+
+ /* see the smb_panic() in pdb_default_enum_group_memberships */
+ SMB_ASSERT(num_group_sids > 0);
+
+ *gid = gids[0];
+
+ /* Ensure we're returning the found_username on the right context. */
+ *found_username = talloc_strdup(mem_ctx,
+ pdb_get_username(sam_acct));
+
+ } else if (sid_check_is_in_unix_users(&user_sid)) {
/* This is a unix user not in passdb. We need to ask nss
* directly, without consulting passdb */
struct passwd *pass;
- size_t i;
+
+ /*
+ * This goto target is used as a fallback for the passdb
+ * case. The concrete bug report is when passdb gave us an
+ * unmapped gid.
+ */
+
+ unix_user:
+
+ uid_to_unix_users_sid(*uid, &user_sid);
pass = getpwuid_alloc(tmp_ctx, *uid);
if (pass == NULL) {
goto done;
}
- *gid = pass->pw_gid;
- gid_to_sid(&primary_group_sid, pass->pw_gid);
-
if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
&gids, &num_group_sids)) {
DEBUG(1, ("getgroups_unix_user for user %s failed\n",
goto done;
}
- group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids);
- if (group_sids == NULL) {
- DEBUG(1, ("talloc_array failed\n"));
- result = NT_STATUS_NO_MEMORY;
- goto done;
+ if (num_group_sids) {
+ group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
+ if (group_sids == NULL) {
+ DEBUG(1, ("TALLOC_ARRAY failed\n"));
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ } else {
+ group_sids = NULL;
}
for (i=0; i<num_group_sids; i++) {
gid_to_sid(&group_sids[i], gids[i]);
}
- *found_username = talloc_strdup(mem_ctx, pass->pw_name);
-
- } else if (sid_check_is_in_our_domain(&user_sid)) {
- /* This is a passdb user, so ask passdb */
+ /* In getgroups_unix_user we always set the primary gid */
+ SMB_ASSERT(num_group_sids > 0);
- struct samu *sam_acct = NULL;
-
- if ( !(sam_acct = samu_new( tmp_ctx )) ) {
- goto done;
- }
-
- if (!pdb_getsampwsid(sam_acct, &user_sid)) {
- DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
- sid_string_static(&user_sid), username));
- result = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
-
- sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct));
-
- result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
- &group_sids, &gids,
- &num_group_sids);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10, ("enum_group_memberships failed for %s\n",
- username));
- goto done;
- }
-
- *found_username = talloc_strdup(mem_ctx,
- pdb_get_username(sam_acct));
+ *gid = gids[0];
+ /* Ensure we're returning the found_username on the right context. */
+ *found_username = talloc_strdup(mem_ctx, pass->pw_name);
} else {
/* This user is from winbind, force the primary gid to the
uint32 dummy;
- sid_copy(&primary_group_sid, &user_sid);
- sid_split_rid(&primary_group_sid, &dummy);
- sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS);
+ num_group_sids = 1;
+ group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
+ if (group_sids == NULL) {
+ DEBUG(1, ("TALLOC_ARRAY failed\n"));
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ sid_copy(&group_sids[0], &user_sid);
+ sid_split_rid(&group_sids[0], &dummy);
+ sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
- if (!sid_to_gid(&primary_group_sid, gid)) {
+ if (!sid_to_gid(&group_sids[0], gid)) {
DEBUG(1, ("sid_to_gid(%s) failed\n",
- sid_string_static(&primary_group_sid)));
+ sid_string_static(&group_sids[0])));
goto done;
}
- num_group_sids = 0;
- group_sids = NULL;
+ gids = gid;
+ /* Ensure we're returning the found_username on the right context. */
*found_username = talloc_strdup(mem_ctx, username);
}
- *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid,
+ /* Add the "Unix Group" SID for each gid to catch mapped groups
+ and their Unix equivalent. This is to solve the backwards
+ compatibility problem of 'valid users = +ntadmin' where
+ ntadmin has been paired with "Domain Admins" in the group
+ mapping table. Otherwise smb.conf would need to be changed
+ to 'valid user = "Domain Admins"'. --jerry */
+
+ num_gids = num_group_sids;
+ for ( i=0; i<num_gids; i++ ) {
+ gid_t high, low;
+
+ /* don't pickup anything managed by Winbind */
+
+ if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
+ continue;
+
+ if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
+ DEBUG(1,("create_token_from_username: Failed to create SID "
+ "for gid %d!\n", gids[i]));
+ continue;
+ }
+ if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
+ &group_sids, &num_group_sids )) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ }
+
+ /* Ensure we're creating the nt_token on the right context. */
+ *token = create_local_nt_token(mem_ctx, &user_sid,
is_guest, num_group_sids, group_sids);
if ((*token == NULL) || (*found_username == NULL)) {
Expensive helper function to figure out whether a user given its name is
member of a particular group.
***************************************************************************/
+
BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid)
{
NTSTATUS status;
{
TALLOC_CTX *mem_ctx;
DOM_SID group_sid;
- NTSTATUS status;
BOOL ret;
mem_ctx = talloc_new(NULL);
TALLOC_FREE(mem_ctx);
if (!ret) {
- DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname,
- nt_errstr(status)));
+ DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
return False;
}
}
-/***************************************************************************
- Make (and fill) a user_info struct from a Kerberos PAC logon_info by
- conversion to a struct samu
-***************************************************************************/
-
-NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
- char *unix_username,
- struct passwd *pwd,
- PAC_LOGON_INFO *logon_info)
-{
- NTSTATUS status;
- struct samu *sampass = NULL;
- DOM_SID user_sid, group_sid;
- fstring dom_name;
- auth_serversupplied_info *result;
-
- if ( !(sampass = samu_new( NULL )) ) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = samu_set_unix( sampass, pwd );
- if ( !NT_STATUS_IS_OK(status) ) {
- return status;
- }
-
- result = make_server_info(NULL);
- if (result == NULL) {
- TALLOC_FREE(sampass);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* only copy user_sid, group_sid and domain name out of the PAC for
- * now, we will benefit from more later - Guenther */
-
- sid_copy(&user_sid, &logon_info->info3.dom_sid.sid);
- sid_append_rid(&user_sid, logon_info->info3.user_rid);
- pdb_set_user_sid(sampass, &user_sid, PDB_SET);
-
- sid_copy(&group_sid, &logon_info->info3.dom_sid.sid);
- sid_append_rid(&group_sid, logon_info->info3.group_rid);
- pdb_set_group_sid(sampass, &group_sid, PDB_SET);
-
- unistr2_to_ascii(dom_name, &logon_info->info3.uni_logon_dom, -1);
- pdb_set_domain(sampass, dom_name, PDB_SET);
-
- pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET);
-
- result->sam_account = sampass;
- result->unix_name = talloc_strdup(result, unix_username);
- result->uid = pwd->pw_uid;
- result->gid = pwd->pw_gid;
-
- /* TODO: Add groups from pac */
- result->sids = NULL;
- result->num_sids = 0;
-
- *server_info = result;
-
- return NT_STATUS_OK;
-}
-
-
/***************************************************************************
Make (and fill) a user_info struct from a 'struct passwd' by conversion
to a struct samu
}
result = make_server_info(NULL);
-
- if (!NT_STATUS_IS_OK(status)) {
+ if (result == NULL) {
TALLOC_FREE(sampass);
- return status;
+ return NT_STATUS_NO_MEMORY;
}
result->sam_account = sampass;
Make (and fill) a user_info struct for a guest login.
This *must* succeed for smbd to start. If there is no mapping entry for
the guest gid, then create one.
-**********************
-*****************************************************/
+***************************************************************************/
static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
{
struct samu *sampass = NULL;
DOM_SID guest_sid;
BOOL ret;
- static const char zeros[16];
+ static const char zeros[16] = { 0, };
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
dst->uid = src->uid;
dst->gid = src->gid;
dst->n_groups = src->n_groups;
- if (src->n_groups != 0)
- dst->groups = talloc_memdup(dst, src->groups,
- sizeof(gid_t)*dst->n_groups);
- else
+ if (src->n_groups != 0) {
+ dst->groups = (gid_t *)TALLOC_MEMDUP(
+ dst, src->groups, sizeof(gid_t)*dst->n_groups);
+ } else {
dst->groups = NULL;
-
- dst->ptok = dup_nt_token(dst, src->ptok);
+ }
+
+ if (src->ptok) {
+ dst->ptok = dup_nt_token(dst, src->ptok);
+ if (!dst->ptok) {
+ TALLOC_FREE(dst);
+ return NULL;
+ }
+ }
dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
- src->user_session_key.length);
-
+ src->user_session_key.length);
+
dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
- src->lm_session_key.length);
-
- if ( (dst->sam_account = samu_new( NULL )) != NULL )
- pdb_copy_sam_account(dst->sam_account, src->sam_account);
+ src->lm_session_key.length);
+
+ dst->sam_account = samu_new(NULL);
+ if (!dst->sam_account) {
+ TALLOC_FREE(dst);
+ return NULL;
+ }
+
+ if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
+ TALLOC_FREE(dst);
+ return NULL;
+ }
dst->pam_handle = NULL;
dst->unix_name = talloc_strdup(dst, src->unix_name);
+ if (!dst->unix_name) {
+ TALLOC_FREE(dst);
+ return NULL;
+ }
return dst;
}
{
if (guest_info != NULL)
return True;
-
-
return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
}
return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
}
+BOOL copy_current_user(struct current_user *dst, struct current_user *src)
+{
+ gid_t *groups;
+ NT_USER_TOKEN *nt_token;
+
+ groups = (gid_t *)memdup(src->ut.groups,
+ sizeof(gid_t) * src->ut.ngroups);
+ if ((src->ut.ngroups != 0) && (groups == NULL)) {
+ return False;
+ }
+
+ nt_token = dup_nt_token(NULL, src->nt_user_token);
+ if (nt_token == NULL) {
+ SAFE_FREE(groups);
+ return False;
+ }
+
+ dst->conn = src->conn;
+ dst->vuid = src->vuid;
+ dst->ut.uid = src->ut.uid;
+ dst->ut.gid = src->ut.gid;
+ dst->ut.ngroups = src->ut.ngroups;
+ dst->ut.groups = groups;
+ dst->nt_user_token = nt_token;
+ return True;
+}
+
+BOOL set_current_user_guest(struct current_user *dst)
+{
+ gid_t *groups;
+ NT_USER_TOKEN *nt_token;
+
+ groups = (gid_t *)memdup(guest_info->groups,
+ sizeof(gid_t) * guest_info->n_groups);
+ if (groups == NULL) {
+ return False;
+ }
+
+ nt_token = dup_nt_token(NULL, guest_info->ptok);
+ if (nt_token == NULL) {
+ SAFE_FREE(groups);
+ return False;
+ }
+
+ TALLOC_FREE(dst->nt_user_token);
+ SAFE_FREE(dst->ut.groups);
+
+ /* dst->conn is never really dereferenced, it's only tested for
+ * equality in uid.c */
+ dst->conn = NULL;
+
+ dst->vuid = UID_FIELD_INVALID;
+ dst->ut.uid = guest_info->uid;
+ dst->ut.gid = guest_info->gid;
+ dst->ut.ngroups = guest_info->n_groups;
+ dst->ut.groups = groups;
+ dst->nt_user_token = nt_token;
+ return True;
+}
+
/***************************************************************************
Purely internal function for make_server_info_info3
Fill the sam account from getpwnam
const char *username,
char **found_username,
uid_t *uid, gid_t *gid,
- struct samu *account)
+ struct samu *account,
+ BOOL *username_was_mapped)
{
NTSTATUS nt_status;
fstring dom_user, lower_username;
fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
lower_username);
- /* get the passwd struct but don't create the user if he/she
- does not exist. We were explicitly called from a following
- a winbindd authentication request so we should assume that
- nss_winbindd is working */
+ /* Get the passwd struct. Try to create the account is necessary. */
- map_username( dom_user );
+ *username_was_mapped = map_username( dom_user );
if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
return NT_STATUS_NO_SUCH_USER;
pw = Get_Pwnam_alloc(mem_ctx, username);
- /* Create local user if requested. */
+ /* Create local user if requested but only if winbindd
+ is not running. We need to protect against cases
+ where winbindd is failing and then prematurely
+ creating users in /etc/passwd */
- if ( !pw && create ) {
+ if ( !pw && create && !winbind_ping() ) {
/* Don't add a machine account. */
if (username[strlen(username)-1] == '$')
return NULL;
***************************************************************************/
NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
- const char *internal_username,
const char *sent_nt_username,
const char *domain,
auth_serversupplied_info **server_info,
NET_USER_INFO_3 *info3)
{
- static const char zeros[16];
+ static const char zeros[16] = { 0, };
NTSTATUS nt_status = NT_STATUS_OK;
char *found_username;
struct samu *sam_account = NULL;
DOM_SID user_sid;
DOM_SID group_sid;
+ BOOL username_was_mapped;
uid_t uid;
gid_t gid;
return NT_STATUS_NO_MEMORY;
}
+ /* this call will try to create the user if necessary */
+
nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
- &found_username, &uid, &gid, sam_account);
+ &found_username, &uid, &gid, sam_account,
+ &username_was_mapped);
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
- DEBUG(3,("User %s does not exist, trying to add it\n",
- internal_username));
- smb_create_user( nt_domain, sent_nt_username, NULL);
- nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username,
- &found_username, &uid, &gid, sam_account );
- }
/* if we still don't have a valid unix account check for
'map to guest = bad uid' */
return NT_STATUS_NO_MEMORY;
}
+ if (!pdb_set_pass_last_set_time(
+ sam_account,
+ nt_time_to_unix(info3->pass_last_set_time),
+ PDB_CHANGED)) {
+ TALLOC_FREE(sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_pass_can_change_time(
+ sam_account,
+ nt_time_to_unix(info3->pass_can_change_time),
+ PDB_CHANGED)) {
+ TALLOC_FREE(sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_pass_must_change_time(
+ sam_account,
+ nt_time_to_unix(info3->pass_must_change_time),
+ PDB_CHANGED)) {
+ TALLOC_FREE(sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
result = make_server_info(NULL);
if (result == NULL) {
DEBUG(4, ("make_server_info failed!\n"));
TALLOC_FREE(result);
return NT_STATUS_INVALID_PARAMETER;
}
- add_sid_to_array(result, &sid, &result->sids,
- &result->num_sids);
+ if (!add_sid_to_array(result, &sid, &result->sids,
+ &result->num_sids)) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
}
/* Copy 'other' sids. We need to do sid filtering here to
*/
for (i = 0; i < info3->num_other_sids; i++) {
- add_sid_to_array(result, &info3->other_sids[i].sid,
- &result->sids,
- &result->num_sids);
+ if (!add_sid_to_array(result, &info3->other_sids[i].sid,
+ &result->sids,
+ &result->num_sids)) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
}
result->login_server = unistr2_tdup(result,
sizeof(info3->lm_sess_key));
}
+ result->was_mapped = username_was_mapped;
+
*server_info = result;
return NT_STATUS_OK;
return True;
}
-/****************************************************************************
- Duplicate a SID token.
-****************************************************************************/
-
-NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken)
-{
- NT_USER_TOKEN *token;
-
- if (!ptoken)
- return NULL;
-
- token = TALLOC_P(mem_ctx, NT_USER_TOKEN);
- if (token == NULL) {
- DEBUG(0, ("talloc failed\n"));
- return NULL;
- }
-
- token->user_sids = talloc_memdup(token, ptoken->user_sids,
- sizeof(DOM_SID) * ptoken->num_sids );
-
- if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) {
- DEBUG(0, ("talloc_memdup failed\n"));
- TALLOC_FREE(token);
- return NULL;
- }
-
- token->num_sids = ptoken->num_sids;
-
- /* copy the privileges; don't consider failure to be critical here */
-
- if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
- DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. "
- "Continuing with 0 privileges assigned.\n"));
- }
-
- return token;
-}
-
-/****************************************************************************
- Check for a SID in an NT_USER_TOKEN
-****************************************************************************/
-
-BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token )
-{
- int i;
-
- if ( !sid || !token )
- return False;
-
- for ( i=0; i<token->num_sids; i++ ) {
- if ( sid_equal( sid, &token->user_sids[i] ) )
- return True;
- }
-
- return False;
-}
-
-BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
-{
- DOM_SID domain_sid;
-
- /* if we are a domain member, the get the domain SID, else for
- a DC or standalone server, use our own SID */
-
- if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
- if ( !secrets_fetch_domain_sid( lp_workgroup(),
- &domain_sid ) ) {
- DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
- "SID for domain [%s]\n", lp_workgroup()));
- return False;
- }
- }
- else
- sid_copy( &domain_sid, get_global_sam_sid() );
-
- sid_append_rid( &domain_sid, rid );
-
- return nt_token_check_sid( &domain_sid, token );\
-}
-
/**
* Verify whether or not given domain is trusted.
*
become_root();
DEBUG (5,("is_trusted_domain: Checking for domain trust with "
"[%s]\n", dom_name ));
- ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
- NULL, NULL);
+ ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
unbecome_root();
if (ret)
return True;