svn commit: samba r5332 - in trunk/source: auth lib nsswitch param
vlendec at samba.org
vlendec at samba.org
Fri Feb 11 10:35:44 GMT 2005
Author: vlendec
Date: 2005-02-11 10:35:41 +0000 (Fri, 11 Feb 2005)
New Revision: 5332
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=5332
Log:
Support SIDs as %s replacements in the afs username map parameter.
Add 'log nt token command' parameter. If set, %s is replaced with the user
sid, and %t takes all the group sids.
Volker
Modified:
trunk/source/auth/auth_util.c
trunk/source/lib/afs.c
trunk/source/nsswitch/winbindd_pam.c
trunk/source/param/loadparm.c
Changeset:
Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c 2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/auth/auth_util.c 2005-02-11 10:35:41 UTC (rev 5332)
@@ -592,6 +592,39 @@
debug_nt_user_token(DBGC_AUTH, 10, ptoken);
+ if ((lp_log_nt_token_command() != NULL) &&
+ (strlen(lp_log_nt_token_command()) > 0)) {
+ TALLOC_CTX *mem_ctx;
+ char *command;
+ fstring sidstr;
+ char *user_sidstr, *group_sidstr;
+
+ mem_ctx = talloc_init("setnttoken");
+ if (mem_ctx == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ sid_to_string(sidstr, &ptoken->user_sids[0]);
+ user_sidstr = talloc_strdup(mem_ctx, sidstr);
+
+ group_sidstr = talloc_strdup(mem_ctx, "");
+ for (i=1; i<ptoken->num_sids; i++) {
+ sid_to_string(sidstr, &ptoken->user_sids[i]);
+ group_sidstr = talloc_asprintf(mem_ctx, "%s %s",
+ group_sidstr, sidstr);
+ }
+
+ command = strdup(lp_log_nt_token_command());
+ command = realloc_string_sub(command, "%s", user_sidstr);
+ command = realloc_string_sub(command, "%t", group_sidstr);
+ DEBUG(8, ("running command: [%s]\n", command));
+ if (smbrun(command, NULL) != 0) {
+ DEBUG(0, ("Could not log NT token\n"));
+ nt_status = NT_STATUS_ACCESS_DENIED;
+ }
+ talloc_destroy(mem_ctx);
+ SAFE_FREE(command);
+ }
+
*token = ptoken;
return nt_status;
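Review bot: None of the allocations in the added block is checked before `command` is used: `talloc_strdup`, `talloc_asprintf`, `strdup` and both `realloc_string_sub` calls can return NULL, and the result then goes straight into the `DEBUG` format and `smbrun()`. A guard ahead of the DEBUG line, for example `if (command == NULL) { nt_status = NT_STATUS_NO_MEMORY; } else if (smbrun(command, NULL) != 0) { ... }`, would keep a NULL out of the shell call; `user_sidstr` and `group_sidstr` need the same check before substitution. The block also reads `ptoken->user_sids[0]` without confirming `num_sids >= 1`. When the command fails, the status becomes NT_STATUS_ACCESS_DENIED but `*token = ptoken` still runs, so the token is handed back alongside an error status. The enclosing function starts and ends outside the hunk, so whether `ptoken` is released on the `return NT_STATUS_NO_MEMORY` path cannot be confirmed from here.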
Modified: trunk/source/lib/afs.c
===================================================================
--- trunk/source/lib/afs.c 2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/lib/afs.c 2005-02-11 10:35:41 UTC (rev 5332)
@@ -214,12 +214,16 @@
char *cell;
BOOL result;
char *ticket_str;
+ DOM_SID user_sid;
struct ClearToken ct;
pstrcpy(afs_username, lp_afs_username_map());
standard_sub_conn(conn, afs_username, sizeof(afs_username));
+ if (NT_STATUS_IS_OK(uid_to_sid(&user_sid, conn->uid)))
+ pstring_sub(afs_username, "%s", sid_string_static(&user_sid));
+
/* The pts command always generates completely lower-case user
* names. */
strlower_m(afs_username);
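Review bot: When `uid_to_sid()` fails, the new `if` silently skips the substitution, so a map that relies on `%s` yields an AFS user name still containing the literal `%s` and token generation carries on with it. Since this name decides which AFS identity the session gets, the failure should at least be logged, and the function should probably bail out when the configured map contains `%s`, e.g. `else if (strstr(afs_username, "%s") != NULL) { DEBUG(1, ("no SID for uid, cannot expand afs username map\n")); return False; }`. The return value is a guess, as the function's signature and the rest of its body are outside the hunk. Bracing the single-statement `if` would also match the safer style for code on an authentication path.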
Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c 2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/nsswitch/winbindd_pam.c 2005-02-11 10:35:41 UTC (rev 5332)
@@ -467,10 +467,22 @@
afsname = realloc_string_sub(afsname, "%u", name_user);
afsname = realloc_string_sub(afsname, "%U", name_user);
+ {
+ DOM_SID user_sid;
+ fstring sidstr;
+
+ sid_copy(&user_sid, &info3.dom_sid.sid);
+ sid_append_rid(&user_sid, info3.user_rid);
+ sid_to_string(sidstr, &user_sid);
+ afsname = realloc_string_sub(afsname, "%s", sidstr);
+ }
+
if (afsname == NULL) goto no_token;
strlower_m(afsname);
+ DEBUG(10, ("Generating token for user %s\n", afsname));
+
cell = strchr(afsname, '@');
if (cell == NULL) goto no_token;
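Review bot: The return value of `sid_append_rid()` is ignored in the added block, so if appending the RID fails, `sidstr` holds the domain SID and every affected user would be mapped to the same AFS name. Checking it, e.g. `if (!sid_append_rid(&user_sid, info3.user_rid)) goto no_token;`, keeps a wrong identity from reaching token generation. Whether `no_token` frees `afsname` cannot be seen from here, because the label and the rest of the function are outside the hunk. A one-line comment on the block stating that `%s` expands to the user's full SID (domain SID plus RID from info3) would also help, since `%s` is otherwise undocumented next to `%u`/`%U`.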
Modified: trunk/source/param/loadparm.c
===================================================================
--- trunk/source/param/loadparm.c 2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/param/loadparm.c 2005-02-11 10:35:41 UTC (rev 5332)
@@ -130,6 +130,7 @@
char *szRealm;
char *szAfsUsernameMap;
int iAfsTokenLifetime;
+ char *szLogNtTokenCommand;
char *szUsernameMap;
char *szLogonScript;
char *szLogonPath;
@@ -1135,6 +1136,7 @@
{"homedir map", P_STRING, P_GLOBAL, &Globals.szNISHomeMapName, NULL, NULL, FLAG_ADVANCED},
{"afs username map", P_STRING, P_GLOBAL, &Globals.szAfsUsernameMap, NULL, NULL, FLAG_ADVANCED},
{"afs token lifetime", P_INTEGER, P_GLOBAL, &Globals.iAfsTokenLifetime, NULL, NULL, FLAG_ADVANCED},
+ {"log nt token command", P_STRING, P_GLOBAL, &Globals.szLogNtTokenCommand, NULL, NULL, FLAG_ADVANCED},
{"time offset", P_INTEGER, P_GLOBAL, &extra_time_offset, NULL, NULL, FLAG_ADVANCED},
{"NIS homedir", P_BOOL, P_GLOBAL, &Globals.bNISHomeMap, NULL, NULL, FLAG_ADVANCED},
{"-valid", P_BOOL, P_LOCAL, &sDefault.valid, NULL, NULL, FLAG_HIDE},
@@ -1675,6 +1677,7 @@
FN_GLOBAL_STRING(lp_realm, &Globals.szRealm)
FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
+FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
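Review bot: `lp_log_nt_token_command` is declared with `FN_GLOBAL_STRING`, while the neighbouring `lp_afs_username_map` uses `FN_GLOBAL_CONST_STRING`. If the non-CONST accessor passes the value through the generic `%` substitution, as it appears to elsewhere in this file (to be confirmed against the macro definition, which is not in the hunk), then any other macro an administrator puts into this command is expanded before the string reaches `smbrun()`, possibly with client-influenced values. Using `FN_GLOBAL_CONST_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)` and substituting only `%s` and `%t` explicitly in the caller would keep the shell input limited to SID strings. It would also make the `!= NULL` test in auth_util.c meaningful and avoid evaluating the accessor three times per token. The parameter table entry deserves a matching note that the command runs on every NT token creation and that a failing command denies the logon.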