r17736: Apply the Unix group patch when creating the token for a
authorGerald Carter <jerry@samba.org>
Wed, 23 Aug 2006 02:45:45 +0000 (02:45 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:38:47 +0000 (11:38 -0500)
username map.

source/auth/auth_util.c

index 7ba1bea9558c9e4ffebe5332c89c50d7fb1d3b95..2c20beb33c8c507bf8eadea64220d86e8b95d7c9 100644 (file)
@@ -1068,7 +1068,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
        gid_t *gids;
        DOM_SID primary_group_sid;
        DOM_SID *group_sids;
        gid_t *gids;
        DOM_SID primary_group_sid;
        DOM_SID *group_sids;
+       DOM_SID unix_group_sid;
        size_t num_group_sids;
        size_t num_group_sids;
+       size_t num_gids;
+       size_t i;
 
        tmp_ctx = talloc_new(NULL);
        if (tmp_ctx == NULL) {
 
        tmp_ctx = talloc_new(NULL);
        if (tmp_ctx == NULL) {
@@ -1135,7 +1138,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                 * directly, without consulting passdb */
 
                struct passwd *pass;
                 * directly, without consulting passdb */
 
                struct passwd *pass;
-               size_t i;
 
                /*
                 * This goto target is used as a fallback for the passdb
 
                /*
                 * This goto target is used as a fallback for the passdb
@@ -1205,6 +1207,31 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                *found_username = talloc_strdup(mem_ctx, username);
        }
 
                *found_username = talloc_strdup(mem_ctx, username);
        }
 
+       /* Add the "Unix Group" SID for each gid to catch mapped groups
+          and their Unix equivalent.  This is to solve the backwards
+          compatibility problem of 'valid users = +ntadmin' where
+          ntadmin has been paired with "Domain Admins" in the group
+          mapping table.  Otherwise smb.conf would need to be changed
+          to 'valid user = "Domain Admins"'.  --jerry */
+
+       num_gids = num_group_sids;
+       for ( i=0; i<num_gids; i++ ) {
+               gid_t high, low;
+
+               /* don't pickup anything managed by Winbind */
+
+               if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
+                       continue;
+
+               if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
+                       DEBUG(1,("create_token_from_username: Failed to create SID "
+                               "for gid %d!\n", gids[i]));
+                       continue;
+               }
+               add_sid_to_array_unique( mem_ctx, &unix_group_sid,
+                       &group_sids, &num_group_sids );
+       }
+
        *token = create_local_nt_token(mem_ctx, &user_sid,
                                       is_guest, num_group_sids, group_sids);
 
        *token = create_local_nt_token(mem_ctx, &user_sid,
                                       is_guest, num_group_sids, group_sids);
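Review bot: The DEBUG call in the new loop prints a gid_t with `%d`, which is a format/argument mismatch wherever gid_t is unsigned or wider than int; cast it explicitly, e.g. `"for gid %u!\n", (unsigned int)gids[i]));`. The `lp_idmap_gid(&low, &high)` lookup is loop-invariant and could be hoisted above the `for`, which would also make it visible that when no idmap gid range is configured the "don't pickup anything managed by Winbind" exclusion is skipped and every gid receives a Unix Group SID — presumably acceptable because winbind would not be allocating gids in that case, but a one-line comment stating that assumption would help the next reader. The return value of `add_sid_to_array_unique` is discarded; if that helper can fail on allocation, group_sids would silently reach create_local_nt_token with fewer entries than the loop intended, so its result should be checked if the API reports one. The loop also relies on gids[] holding at least num_group_sids entries, which is established outside this hunk; create_token_from_username begins and ends outside it as well.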