svn commit: samba r5332 - in trunk/source: auth lib nsswitch param

vlendec at samba.org vlendec at samba.org
Fri Feb 11 10:35:44 GMT 2005


Author: vlendec
Date: 2005-02-11 10:35:41 +0000 (Fri, 11 Feb 2005)
New Revision: 5332

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=5332

Log:
Support SIDs as %s replacements in the afs username map parameter.

Add 'log nt token command' parameter. If set, %s is replaced with the user
sid, and %t takes all the group sids.

Volker
Modified:
   trunk/source/auth/auth_util.c
   trunk/source/lib/afs.c
   trunk/source/nsswitch/winbindd_pam.c
   trunk/source/param/loadparm.c


Changeset:
Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c	2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/auth/auth_util.c	2005-02-11 10:35:41 UTC (rev 5332)
@@ -592,6 +592,39 @@
 	
 	debug_nt_user_token(DBGC_AUTH, 10, ptoken);
 	
+	if ((lp_log_nt_token_command() != NULL) &&
+	    (strlen(lp_log_nt_token_command()) > 0)) {
+		TALLOC_CTX *mem_ctx;
+		char *command;
+		fstring sidstr;
+		char *user_sidstr, *group_sidstr;
+
+		mem_ctx = talloc_init("setnttoken");
+		if (mem_ctx == NULL)
+			return NT_STATUS_NO_MEMORY;
+
+		sid_to_string(sidstr, &ptoken->user_sids[0]);
+		user_sidstr = talloc_strdup(mem_ctx, sidstr);
+
+		group_sidstr = talloc_strdup(mem_ctx, "");
+		for (i=1; i<ptoken->num_sids; i++) {
+			sid_to_string(sidstr, &ptoken->user_sids[i]);
+			group_sidstr = talloc_asprintf(mem_ctx, "%s %s",
+						       group_sidstr, sidstr);
+		}
+
+		command = strdup(lp_log_nt_token_command());
+		command = realloc_string_sub(command, "%s", user_sidstr);
+		command = realloc_string_sub(command, "%t", group_sidstr);
+		DEBUG(8, ("running command: [%s]\n", command));
+		if (smbrun(command, NULL) != 0) {
+			DEBUG(0, ("Could not log NT token\n"));
+			nt_status = NT_STATUS_ACCESS_DENIED;
+		}
+		talloc_destroy(mem_ctx);
+		SAFE_FREE(command);
+	}
+
 	*token = ptoken;
 
 	return nt_status;
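Review bot: The substituted command is handed to smbrun() and to the DEBUG() format at L60-L61 without a NULL check, although strdup() at L57 and realloc_string_sub() at L58-L59 return NULL on allocation failure, and talloc_strdup()/talloc_asprintf() at L48-L54 may likewise return NULL and then feed a NULL `%s` argument into the next talloc_asprintf(). The early return at L45 also appears to drop ptoken, which this function allocated before the hunk (the function starts and ends outside it), so the NO_MEMORY paths presumably need the same release the function's other error paths use, if any. Note too that when smbrun() fails, nt_status becomes ACCESS_DENIED but `*token = ptoken` is still assigned at L69, so the caller receives both a token and a failure status; if that is intended, a comment saying so would help.
```c
		user_sidstr = talloc_strdup(mem_ctx, sidstr);
		group_sidstr = talloc_strdup(mem_ctx, "");
		if ((user_sidstr == NULL) || (group_sidstr == NULL)) {
			talloc_destroy(mem_ctx);
			return NT_STATUS_NO_MEMORY;
		}
		/* … unchanged: loop appending the group sids … */

		command = strdup(lp_log_nt_token_command());
		if (command != NULL)
			command = realloc_string_sub(command, "%s", user_sidstr);
		if (command != NULL)
			command = realloc_string_sub(command, "%t", group_sidstr);
		if (command == NULL) {
			talloc_destroy(mem_ctx);
			return NT_STATUS_NO_MEMORY;
		}
		/* … unchanged: DEBUG, smbrun, talloc_destroy, SAFE_FREE … */
```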

Modified: trunk/source/lib/afs.c
===================================================================
--- trunk/source/lib/afs.c	2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/lib/afs.c	2005-02-11 10:35:41 UTC (rev 5332)
@@ -214,12 +214,16 @@
 	char *cell;
 	BOOL result;
 	char *ticket_str;
+	DOM_SID user_sid;
 
 	struct ClearToken ct;
 
 	pstrcpy(afs_username, lp_afs_username_map());
 	standard_sub_conn(conn, afs_username, sizeof(afs_username));
 
+	if (NT_STATUS_IS_OK(uid_to_sid(&user_sid, conn->uid)))
+		pstring_sub(afs_username, "%s", sid_string_static(&user_sid));
+
 	/* The pts command always generates completely lower-case user
 	 * names. */
 	strlower_m(afs_username);
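Review bot: When uid_to_sid() fails at L88 the literal `%s` is left in afs_username and token generation continues with that name, and nothing is logged. I would at least record the failure, e.g. `else DEBUG(1, ("afs: uid_to_sid failed for uid %u, %%s left unreplaced\n", (unsigned)conn->uid));`, or return False when the map actually contains `%s`. The lookup also runs on every call even when lp_afs_username_map() has no `%s`; guarding it with `strstr(afs_username, "%s") != NULL` would avoid the SID lookup in that case. The enclosing function starts and ends outside the hunk.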

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/nsswitch/winbindd_pam.c	2005-02-11 10:35:41 UTC (rev 5332)
@@ -467,10 +467,22 @@
 		afsname = realloc_string_sub(afsname, "%u", name_user);
 		afsname = realloc_string_sub(afsname, "%U", name_user);
 
+		{
+			DOM_SID user_sid;
+			fstring sidstr;
+
+			sid_copy(&user_sid, &info3.dom_sid.sid);
+			sid_append_rid(&user_sid, info3.user_rid);
+			sid_to_string(sidstr, &user_sid);
+			afsname = realloc_string_sub(afsname, "%s", sidstr);
+		}
+
 		if (afsname == NULL) goto no_token;
 
 		strlower_m(afsname);
 
+		DEBUG(10, ("Generating token for user %s\n", afsname));
+
 		cell = strchr(afsname, '@');
 
 		if (cell == NULL) goto no_token;
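Review bot: The `%s` substitution at L110 runs after `%u`/`%U` have already been expanded at L100-L101, so a `%s` sequence that arrives inside name_user would itself be rewritten into the SID; placing the new block ahead of those two lines removes that ordering dependence, since the SID string presumably carries no `%` escapes of its own. The bare block at L103-L111 would also read better with a one-line comment such as `/* %s: the user's SID, domain SID from info3 plus the user RID */`. The enclosing function starts and ends outside the hunk.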

Modified: trunk/source/param/loadparm.c
===================================================================
--- trunk/source/param/loadparm.c	2005-02-11 10:32:46 UTC (rev 5331)
+++ trunk/source/param/loadparm.c	2005-02-11 10:35:41 UTC (rev 5332)
@@ -130,6 +130,7 @@
 	char *szRealm;
 	char *szAfsUsernameMap;
 	int iAfsTokenLifetime;
+ 	char *szLogNtTokenCommand;
 	char *szUsernameMap;
 	char *szLogonScript;
 	char *szLogonPath;
@@ -1135,6 +1136,7 @@
 	{"homedir map", P_STRING, P_GLOBAL, &Globals.szNISHomeMapName, NULL, NULL, FLAG_ADVANCED}, 
 	{"afs username map", P_STRING, P_GLOBAL, &Globals.szAfsUsernameMap, NULL, NULL, FLAG_ADVANCED}, 
 	{"afs token lifetime", P_INTEGER, P_GLOBAL, &Globals.iAfsTokenLifetime, NULL, NULL, FLAG_ADVANCED},
+	{"log nt token command", P_STRING, P_GLOBAL, &Globals.szLogNtTokenCommand, NULL, NULL, FLAG_ADVANCED},
 	{"time offset", P_INTEGER, P_GLOBAL, &extra_time_offset, NULL, NULL, FLAG_ADVANCED}, 
 	{"NIS homedir", P_BOOL, P_GLOBAL, &Globals.bNISHomeMap, NULL, NULL, FLAG_ADVANCED}, 
 	{"-valid", P_BOOL, P_LOCAL, &sDefault.valid, NULL, NULL, FLAG_HIDE}, 
@@ -1675,6 +1677,7 @@
 FN_GLOBAL_STRING(lp_realm, &Globals.szRealm)
 FN_GLOBAL_CONST_STRING(lp_afs_username_map, &Globals.szAfsUsernameMap)
 FN_GLOBAL_INTEGER(lp_afs_token_lifetime, &Globals.iAfsTokenLifetime)
+FN_GLOBAL_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)
 FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
 FN_GLOBAL_CONST_STRING(lp_logon_script, &Globals.szLogonScript)
 FN_GLOBAL_CONST_STRING(lp_logon_path, &Globals.szLogonPath)
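Review bot: `lp_log_nt_token_command` at L147 is declared with FN_GLOBAL_STRING while the neighbouring afs accessors at L145 and L149-L150 use FN_GLOBAL_CONST_STRING; the only caller on this page (auth_util.c) just tests and strdup()s the value, so `FN_GLOBAL_CONST_STRING(lp_log_nt_token_command, &Globals.szLogNtTokenCommand)` would match the surrounding style and keep the configured string read-only. The new struct member at L131 also carries a stray space before its tab, unlike the lines around it. The parameter table entry at L139 is consistent with its neighbours.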



More information about the samba-cvs mailing list