svn commit: samba r17392 - in branches: SAMBA_3_0/source/auth SAMBA_3_0_23/source/auth

jra at samba.org jra at samba.org
Fri Aug 4 00:00:16 GMT 2006


Author: jra
Date: 2006-08-04 00:00:15 +0000 (Fri, 04 Aug 2006)
New Revision: 17392

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17392

Log:
Commit Volker's fix for the valid users problem.
Let's look at the build farm now... :-).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/auth/auth_util.c
   branches/SAMBA_3_0_23/source/auth/auth_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-08-03 23:44:07 UTC (rev 17391)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-08-04 00:00:15 UTC (rev 17392)
@@ -29,7 +29,6 @@
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
-						   const DOM_SID *group_sid,
 						   BOOL is_guest,
 						   int num_groupsids,
 						   const DOM_SID *groupsids);
@@ -509,7 +508,7 @@
 	uid_to_sid(&u_sid, pw->pw_uid);
 	gid_to_sid(&g_sid, pw->pw_gid);
 
-	token = create_local_nt_token(NULL, &u_sid, &g_sid, False,
+	token = create_local_nt_token(NULL, &u_sid, False,
 				      1, &global_sid_Builtin_Administrators);
 	return token;
 }
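Review bot: With the `group_sid` argument gone, `&global_sid_Builtin_Administrators` is now `groupsids[0]` in this call, and the other hunks of this commit treat `groupsids[0]` as the primary group, so this token's primary group becomes BUILTIN\Administrators and the SID derived from `pw->pw_gid` no longer appears in it. `g_sid` is still filled by `gid_to_sid(&g_sid, pw->pw_gid)` two lines above the call but is not used in the visible lines. If the unix group should stay primary, pass a two-element array with `g_sid` first; if the change is intended, drop the `gid_to_sid` call and add a comment such as `/* primary group of this token is BUILTIN\Administrators */`. The function starts outside the hunk, and the same call is changed in the SAMBA_3_0_23 copy.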
@@ -811,7 +810,6 @@
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
-						   const DOM_SID *group_sid,
 						   BOOL is_guest,
 						   int num_groupsids,
 						   const DOM_SID *groupsids)
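Review bot: The signature no longer shows which SID is the primary group: after this commit the callee takes `groupsids[0]` as primary and requires at least one entry, and nothing at the definition records that. A short comment above the definition would keep future callers from passing an unordered or empty list, for example `/* groupsids[0] is the primary group SID; num_groupsids must be at least 1 */`. The body lies outside this hunk; the prototype near the top of the file and the SAMBA_3_0_23 copy could carry the same comment.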
@@ -830,7 +828,9 @@
 
 	add_sid_to_array(result, user_sid,
 			 &result->user_sids, &result->num_sids);
-	add_sid_to_array(result, group_sid,
+
+	SMB_ASSERT(num_groupsids > 0);
+	add_sid_to_array(result, &groupsids[0],
 			 &result->user_sids, &result->num_sids);
 			 
 	/* Add in BUILTIN sids */
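Review bot: `SMB_ASSERT(num_groupsids > 0)` turns an empty group list into a process panic rather than a failed token, and one caller in this commit passes `server_info->num_sids, server_info->sids`, values that come from the authentication result. Whether that count can be zero for an authenticated user is not visible here, but both visible callers already test the returned pointer for NULL, so failing only the one session is possible with `if (num_groupsids < 1 || groupsids == NULL) { TALLOC_FREE(result); return NULL; }` preceded by a DEBUG line. That assumes `result` is the talloc allocation made above the hunk, which its use as the context argument of `add_sid_to_array` suggests. `groupsids` is otherwise dereferenced without a NULL check on the following line; the identical hunk in the SAMBA_3_0_23 copy has the same issue.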
@@ -850,9 +850,11 @@
 	
 	/* Now the SIDs we got from authentication. These are the ones from
 	 * the info3 struct or from the pdb_enum_group_memberships, depending
-	 * on who authenticated the user. */
+	 * on who authenticated the user.
+	 * Note that we start the for loop at "1" here, we already added the
+	 * first group sid as primary above. */
 
-	for (i=0; i<num_groupsids; i++) {
+	for (i=1; i<num_groupsids; i++) {
 		add_sid_to_array_unique(result, &groupsids[i],
 					&result->user_sids, &result->num_sids);
 	}
@@ -956,8 +958,8 @@
 	 * mapped to some local unix user.
 	 */
 
-	if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && 
-			(server_info->was_mapped || !winbind_ping())) {
+	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+	    (server_info->was_mapped)) {
 		status = create_token_from_username(server_info,
 						    server_info->unix_name,
 						    server_info->guest,
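Review bot: The comment that ends just above this condition is cut off by the hunk, so it may still describe the old domain-member-only rule; with the new grouping, `server_info->was_mapped` alone sends every server role through create_token_from_username, and the comment should say so. Testing the flag first, `if (server_info->was_mapped || ((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping())) {`, selects the same branch and skips the winbind_ping() call for mapped users, assuming nothing depends on that call being made. The same applies to the SAMBA_3_0_23 copy.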
@@ -970,7 +972,6 @@
 		server_info->ptok = create_local_nt_token(
 			server_info,
 			pdb_get_user_sid(server_info->sam_account),
-			pdb_get_group_sid(server_info->sam_account),
 			server_info->guest,
 			server_info->num_sids, server_info->sids);
 		status = server_info->ptok ?
@@ -1073,7 +1074,6 @@
 		/* This is a passdb user, so ask passdb */
 
 		struct samu *sam_acct = NULL;
-		const DOM_SID *gr_sid = NULL;
 
 		if ( !(sam_acct = samu_new( tmp_ctx )) ) {
 			result = NT_STATUS_NO_MEMORY;
@@ -1087,20 +1087,6 @@
 			goto unix_user;
 		}
 
-		gr_sid = pdb_get_group_sid(sam_acct);
-		if (!gr_sid) {
-			goto unix_user;
-		}
-
-		sid_copy(&primary_group_sid, gr_sid);
-
-		if (!sid_to_gid(&primary_group_sid, gid)) {
-			DEBUG(1, ("sid_to_gid(%s) failed\n",
-				  sid_string_static(&primary_group_sid)));
-			DEBUGADD(1, ("Fall back to unix user %s\n", username));
-			goto unix_user;
-		}
-
 		result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
 						    &group_sids, &gids,
 						    &num_group_sids);
@@ -1111,6 +1097,10 @@
 			goto unix_user;
 		}
 
+		/* see the smb_panic() in pdb_default_enum_group_memberships */
+		SMB_ASSERT(num_group_sids > 0); 
+
+		*gid = gids[0];
 		*found_username = talloc_strdup(mem_ctx,
 						pdb_get_username(sam_acct));
 
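Review bot: The assertion's own comment cites only pdb_default_enum_group_memberships, while the call above goes through pdb_enum_group_memberships; if that dispatches to a passdb backend with its own implementation (not visible here), a backend that reports success with zero groups would panic smbd during token creation. The branch already falls back with `goto unix_user` on the failures above, so `if (num_group_sids == 0) { goto unix_user; }` before `*gid = gids[0];` keeps the failure local to this lookup. The assertion added after the gid_to_sid loop in the unix-user branch, and both assertions in the SAMBA_3_0_23 copy, rest on the same kind of callee guarantee.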
@@ -1139,9 +1129,6 @@
 			goto done;
 		}
 
-		*gid = pass->pw_gid;
-		gid_to_sid(&primary_group_sid, pass->pw_gid);
-
 		if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
 					 &gids, &num_group_sids)) {
 			DEBUG(1, ("getgroups_unix_user for user %s failed\n",
@@ -1159,6 +1146,11 @@
 		for (i=0; i<num_group_sids; i++) {
 			gid_to_sid(&group_sids[i], gids[i]);
 		}
+
+		/* In getgroups_unix_user we always set the primary gid */
+		SMB_ASSERT(num_group_sids > 0); 
+
+		*gid = gids[0];
 		*found_username = talloc_strdup(mem_ctx, pass->pw_name);
 
 	} else {
@@ -1182,13 +1174,13 @@
 			goto done;
 		}
 
-		num_group_sids = 0;
-		group_sids = NULL;
+		num_group_sids = 1;
+		group_sids = &primary_group_sid;
 
 		*found_username = talloc_strdup(mem_ctx, username);
 	}
 
-	*token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid,
+	*token = create_local_nt_token(mem_ctx, &user_sid,
 				       is_guest, num_group_sids, group_sids);
 
 	if ((*token == NULL) || (*found_username == NULL)) {
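Review bot: `group_sids = &primary_group_sid;` points the array at a variable that is not a talloc allocation, whereas the branches above appear to fill `group_sids` from `tmp_ctx`; any later code that frees or steals `group_sids` would be wrong for this branch. Nothing in the visible lines does that, so a comment is enough: `/* group_sids points at primary_group_sid here; it must not be freed */`. This branch also relies on `primary_group_sid` having been set earlier in the else block, which starts outside the hunk. The SAMBA_3_0_23 copy is identical.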

Modified: branches/SAMBA_3_0_23/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0_23/source/auth/auth_util.c	2006-08-03 23:44:07 UTC (rev 17391)
+++ branches/SAMBA_3_0_23/source/auth/auth_util.c	2006-08-04 00:00:15 UTC (rev 17392)
@@ -29,7 +29,6 @@
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
-						   const DOM_SID *group_sid,
 						   BOOL is_guest,
 						   int num_groupsids,
 						   const DOM_SID *groupsids);
@@ -509,7 +508,7 @@
 	uid_to_sid(&u_sid, pw->pw_uid);
 	gid_to_sid(&g_sid, pw->pw_gid);
 
-	token = create_local_nt_token(NULL, &u_sid, &g_sid, False,
+	token = create_local_nt_token(NULL, &u_sid, False,
 				      1, &global_sid_Builtin_Administrators);
 	return token;
 }
@@ -803,7 +802,6 @@
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
-						   const DOM_SID *group_sid,
 						   BOOL is_guest,
 						   int num_groupsids,
 						   const DOM_SID *groupsids)
@@ -830,7 +828,9 @@
 
 	add_sid_to_array(result, user_sid,
 			 &result->user_sids, &result->num_sids);
-	add_sid_to_array(result, group_sid,
+
+	SMB_ASSERT(num_groupsids > 0);
+	add_sid_to_array(result, &groupsids[0],
 			 &result->user_sids, &result->num_sids);
 			 
 	/* Add in BUILTIN sids */
@@ -850,9 +850,11 @@
 	
 	/* Now the SIDs we got from authentication. These are the ones from
 	 * the info3 struct or from the pdb_enum_group_memberships, depending
-	 * on who authenticated the user. */
+	 * on who authenticated the user.
+	 * Note that we start the for loop at "1" here, we already added the
+	 * first group sid as primary above. */
 
-	for (i=0; i<num_groupsids; i++) {
+	for (i=1; i<num_groupsids; i++) {
 		add_sid_to_array_unique(result, &groupsids[i],
 					&result->user_sids, &result->num_sids);
 	}
@@ -955,8 +957,8 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
-			(server_info->was_mapped || !winbind_ping())) {
+	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+	    (server_info->was_mapped)) {
 		status = create_token_from_username(server_info,
 						    server_info->unix_name,
 						    server_info->guest,
@@ -969,7 +971,6 @@
 		server_info->ptok = create_local_nt_token(
 			server_info,
 			pdb_get_user_sid(server_info->sam_account),
-			pdb_get_group_sid(server_info->sam_account),
 			server_info->guest,
 			server_info->num_sids, server_info->sids);
 		status = server_info->ptok ?
@@ -1072,7 +1073,6 @@
 		/* This is a passdb user, so ask passdb */
 
 		struct samu *sam_acct = NULL;
-		const DOM_SID *gr_sid = NULL;
 
 		if ( !(sam_acct = samu_new( tmp_ctx )) ) {
 			result = NT_STATUS_NO_MEMORY;
@@ -1086,20 +1086,6 @@
 			goto unix_user;
 		}
 
-		gr_sid = pdb_get_group_sid(sam_acct);
-		if (!gr_sid) {
-			goto unix_user;
-		}
-
-		sid_copy(&primary_group_sid, gr_sid);
-
-		if (!sid_to_gid(&primary_group_sid, gid)) {
-			DEBUG(1, ("sid_to_gid(%s) failed\n",
-				  sid_string_static(&primary_group_sid)));
-			DEBUGADD(1, ("Fall back to unix user %s\n", username));
-			goto unix_user;
-		}
-
 		result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
 						    &group_sids, &gids,
 						    &num_group_sids);
@@ -1110,6 +1096,10 @@
 			goto unix_user;
 		}
 
+		/* see the smb_panic() in pdb_default_enum_group_memberships */
+		SMB_ASSERT(num_group_sids > 0); 
+
+		*gid = gids[0];
 		*found_username = talloc_strdup(mem_ctx,
 						pdb_get_username(sam_acct));
 
@@ -1138,9 +1128,6 @@
 			goto done;
 		}
 
-		*gid = pass->pw_gid;
-		gid_to_sid(&primary_group_sid, pass->pw_gid);
-
 		if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
 					 &gids, &num_group_sids)) {
 			DEBUG(1, ("getgroups_unix_user for user %s failed\n",
@@ -1158,6 +1145,11 @@
 		for (i=0; i<num_group_sids; i++) {
 			gid_to_sid(&group_sids[i], gids[i]);
 		}
+
+		/* In getgroups_unix_user we always set the primary gid */
+		SMB_ASSERT(num_group_sids > 0); 
+
+		*gid = gids[0];
 		*found_username = talloc_strdup(mem_ctx, pass->pw_name);
 
 	} else {
@@ -1181,13 +1173,13 @@
 			goto done;
 		}
 
-		num_group_sids = 0;
-		group_sids = NULL;
+		num_group_sids = 1;
+		group_sids = &primary_group_sid;
 
 		*found_username = talloc_strdup(mem_ctx, username);
 	}
 
-	*token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid,
+	*token = create_local_nt_token(mem_ctx, &user_sid,
 				       is_guest, num_group_sids, group_sids);
 
 	if ((*token == NULL) || (*found_username == NULL)) {


