Revert "s3 auth: Add parameter that forces every user through an NSS lookup"

After the discussion on samba-technical, it was decided that the best
answer for now was to revert this change.  The right way to do this is
to rewrite the token api to use opaque tokens with pluggable modules.

This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b.

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 0dab05b97c5c072454222fab3e62ab3af19fc2c1..1f00e22a3c426ccc7f59fb470894216a97b03486 100644 (file)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -710,8 +710,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
        NTSTATUS status;
        size_t i;
        struct dom_sid tmp_sid;
-       const char *name_to_use;
-       bool force_nss;
 
        /*
         * If winbind is not around, we can not make much use of the SIDs the
@@ -719,22 +717,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
         * mapped to some local unix user.
         */
 
-       DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name,
-               server_info->sam_account->username));
-
-       force_nss = lp_force_username_map() && !server_info->nss_token;
        if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
-           server_info->nss_token || force_nss) {
-               if (force_nss)
-                       name_to_use =
-                           pdb_get_username(server_info->sam_account);
-               else
-                       name_to_use = server_info->unix_name;
-
+           (server_info->nss_token)) {
                status = create_token_from_username(server_info,
-                                                   name_to_use,
+                                                   server_info->unix_name,
                                                    server_info->guest,
-                                                   force_nss,
                                                    &server_info->utok.uid,
                                                    &server_info->utok.gid,
                                                    &server_info->unix_name,
@@ -839,7 +826,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                                    bool is_guest,
-                                   bool force_nss,
                                    uid_t *uid, gid_t *gid,
                                    char **found_username,
                                    struct nt_user_token **token)
@@ -855,9 +841,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
        size_t num_gids;
        size_t i;
 
-       DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n",
-               username, is_guest ? "" : " not", force_nss ? "" : " not"));
-
        tmp_ctx = talloc_new(NULL);
        if (tmp_ctx == NULL) {
                DEBUG(0, ("talloc_new failed\n"));
@@ -882,7 +865,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                goto done;
        }
 
-       if (sid_check_is_in_our_domain(&user_sid) && !force_nss) {
+       if (sid_check_is_in_our_domain(&user_sid)) {
                bool ret;
 
                /* This is a passdb user, so ask passdb */
@@ -924,7 +907,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                *found_username = talloc_strdup(mem_ctx,
                                                pdb_get_username(sam_acct));
 
-       } else  if (force_nss || sid_check_is_in_unix_users(&user_sid)) {
+       } else  if (sid_check_is_in_unix_users(&user_sid)) {
 
                /* This is a unix user not in passdb. We need to ask nss
                 * directly, without consulting passdb */
@@ -1080,7 +1063,6 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
        }
 
        status = create_token_from_username(mem_ctx, username, False,
-                                           lp_force_username_map(),
                                            &uid, &gid, &found_username,
                                            &token);
 

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 587bb290423b296147ef090c6fbe05f8649227a9..9dc9719e48b497b29d5666ed77f6011c00e46305 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -110,7 +110,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 NTSTATUS create_local_token(auth_serversupplied_info *server_info);
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                                    bool is_guest,
-                                   bool force_nss,
                                    uid_t *uid, gid_t *gid,
                                    char **found_username,
                                    struct nt_user_token **token);
@@ -3971,7 +3970,6 @@ const char *lp_afs_username_map(void);
 int lp_afs_token_lifetime(void);
 char *lp_log_nt_token_command(void);
 char *lp_username_map(void);
-bool lp_force_username_map(void);
 const char *lp_logon_script(void);
 const char *lp_logon_path(void);
 const char *lp_logon_drive(void);

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 3d29f3afd93ab5789dfa6b8aedd797588d0d6a4f..e50ab929adcfa0b42fdba4dfdb4336da78cdad9d 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -144,7 +144,6 @@ struct global {
        int iAfsTokenLifetime;
        char *szLogNtTokenCommand;
        char *szUsernameMap;
-       bool bForceUsernameMap;
        char *szLogonScript;
        char *szLogonPath;
        char *szLogonDrive;
@@ -1282,15 +1281,6 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
-       {
-               .label          = "force username map",
-               .type           = P_BOOL,
-               .p_class        = P_GLOBAL,
-               .ptr            = &Globals.bForceUsernameMap,
-               .special        = NULL,
-               .enum_list      = NULL,
-               .flags          = FLAG_ADVANCED,
-       },
        {
                .label          = "password level",
                .type           = P_INTEGER,
@@ -5246,7 +5236,6 @@ FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
 FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
 FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
 FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
-FN_GLOBAL_BOOL(lp_force_username_map, &Globals.bForceUsernameMap)
 FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
 FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
 FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive)