s3 auth: Add parameter that forces every user through an NSS lookup
authorZach Loafman <zach.loafman@isilon.com>
Sat, 14 Feb 2009 18:20:33 +0000 (18:20 +0000)
committerTim Prouty <tprouty@samba.org>
Mon, 16 Feb 2009 08:29:21 +0000 (00:29 -0800)
When set to yes, "force username map" forces every user, even AD
users, through an NSS lookup. This allows the token to be overridden
with information from NSS in certain broken environments.

source3/auth/auth_util.c
source3/include/proto.h
source3/param/loadparm.c

index 1f00e22..0dab05b 100644 (file)
@@ -710,6 +710,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
        NTSTATUS status;
        size_t i;
        struct dom_sid tmp_sid;
+       const char *name_to_use;
+       bool force_nss;
 
        /*
         * If winbind is not around, we can not make much use of the SIDs the
@@ -717,11 +719,22 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
         * mapped to some local unix user.
         */
 
+       DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name,
+               server_info->sam_account->username));
+
+       force_nss = lp_force_username_map() && !server_info->nss_token;
        if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
-           (server_info->nss_token)) {
+           server_info->nss_token || force_nss) {
+               if (force_nss)
+                       name_to_use =
+                           pdb_get_username(server_info->sam_account);
+               else
+                       name_to_use = server_info->unix_name;
+
                status = create_token_from_username(server_info,
-                                                   server_info->unix_name,
+                                                   name_to_use,
                                                    server_info->guest,
+                                                   force_nss,
                                                    &server_info->utok.uid,
                                                    &server_info->utok.gid,
                                                    &server_info->unix_name,
@@ -826,6 +839,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                                    bool is_guest,
+                                   bool force_nss,
                                    uid_t *uid, gid_t *gid,
                                    char **found_username,
                                    struct nt_user_token **token)
@@ -841,6 +855,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
        size_t num_gids;
        size_t i;
 
+       DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n",
+               username, is_guest ? "" : " not", force_nss ? "" : " not"));
+
        tmp_ctx = talloc_new(NULL);
        if (tmp_ctx == NULL) {
                DEBUG(0, ("talloc_new failed\n"));
@@ -865,7 +882,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                goto done;
        }
 
-       if (sid_check_is_in_our_domain(&user_sid)) {
+       if (sid_check_is_in_our_domain(&user_sid) && !force_nss) {
                bool ret;
 
                /* This is a passdb user, so ask passdb */
@@ -907,7 +924,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                *found_username = talloc_strdup(mem_ctx,
                                                pdb_get_username(sam_acct));
 
-       } else  if (sid_check_is_in_unix_users(&user_sid)) {
+       } else  if (force_nss || sid_check_is_in_unix_users(&user_sid)) {
 
                /* This is a unix user not in passdb. We need to ask nss
                 * directly, without consulting passdb */
@@ -1063,6 +1080,7 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
        }
 
        status = create_token_from_username(mem_ctx, username, False,
+                                           lp_force_username_map(),
                                            &uid, &gid, &found_username,
                                            &token);
 
index 8a5d649..3baa8c0 100644 (file)
@@ -110,6 +110,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 NTSTATUS create_local_token(auth_serversupplied_info *server_info);
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                                    bool is_guest,
+                                   bool force_nss,
                                    uid_t *uid, gid_t *gid,
                                    char **found_username,
                                    struct nt_user_token **token);
@@ -3969,6 +3970,7 @@ const char *lp_afs_username_map(void);
 int lp_afs_token_lifetime(void);
 char *lp_log_nt_token_command(void);
 char *lp_username_map(void);
+bool lp_force_username_map(void);
 const char *lp_logon_script(void);
 const char *lp_logon_path(void);
 const char *lp_logon_drive(void);
index a9f2809..37af703 100644 (file)
@@ -144,6 +144,7 @@ struct global {
        int iAfsTokenLifetime;
        char *szLogNtTokenCommand;
        char *szUsernameMap;
+       bool bForceUsernameMap;
        char *szLogonScript;
        char *szLogonPath;
        char *szLogonDrive;
@@ -1281,6 +1282,15 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
+       {
+               .label          = "force username map",
+               .type           = P_BOOL,
+               .p_class        = P_GLOBAL,
+               .ptr            = &Globals.bForceUsernameMap,
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED,
+       },
        {
                .label          = "password level",
                .type           = P_INTEGER,
@@ -5200,6 +5210,7 @@ FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
 FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
 FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
 FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
+FN_GLOBAL_BOOL(lp_force_username_map, &Globals.bForceUsernameMap)
 FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
 FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
 FN_GLOBAL_CONST_STRING(lp_logon_drive, &Globals.szLogonDrive)