svn commit: samba r17736 - in branches: SAMBA_3_0/source/auth SAMBA_3_0_23/source/auth

jerry at samba.org jerry at samba.org
Wed Aug 23 02:45:46 GMT 2006


Author: jerry
Date: 2006-08-23 02:45:45 +0000 (Wed, 23 Aug 2006)
New Revision: 17736

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17736

Log:
Apply the Unix group patch when creating the token for a
username map.


Modified:
   branches/SAMBA_3_0/source/auth/auth_util.c
   branches/SAMBA_3_0_23/source/auth/auth_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-08-23 02:06:07 UTC (rev 17735)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-08-23 02:45:45 UTC (rev 17736)
@@ -1068,7 +1068,10 @@
 	gid_t *gids;
 	DOM_SID primary_group_sid;
 	DOM_SID *group_sids;
+	DOM_SID unix_group_sid;
 	size_t num_group_sids;
+	size_t num_gids;
+	size_t i;
 
 	tmp_ctx = talloc_new(NULL);
 	if (tmp_ctx == NULL) {
@@ -1135,7 +1138,6 @@
 		 * directly, without consulting passdb */
 
 		struct passwd *pass;
-		size_t i;
 
 		/*
 		 * This goto target is used as a fallback for the passdb
@@ -1205,6 +1207,31 @@
 		*found_username = talloc_strdup(mem_ctx, username);
 	}
 
+	/* Add the "Unix Group" SID for each gid to catch mapped groups
+	   and their Unix equivalent.  This is to solve the backwards
+	   compatibility problem of 'valid users = +ntadmin' where
+	   ntadmin has been paired with "Domain Admins" in the group
+	   mapping table.  Otherwise smb.conf would need to be changed
+	   to 'valid user = "Domain Admins"'.  --jerry */
+
+	num_gids = num_group_sids;
+	for ( i=0; i<num_gids; i++ ) {
+		gid_t high, low;
+
+		/* don't pickup anything managed by Winbind */
+
+		if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
+			continue;
+
+		if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
+			DEBUG(1,("create_token_from_username: Failed to create SID "
+				"for gid %d!\n", gids[i]));
+			continue;
+		}
+		add_sid_to_array_unique( mem_ctx, &unix_group_sid,
+			&group_sids, &num_group_sids );
+	}
+
 	*token = create_local_nt_token(mem_ctx, &user_sid,
 				       is_guest, num_group_sids, group_sids);
 
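Review bot: The new loop reads `gids[i]` for every `i < num_group_sids`, which is only safe if each path reaching this point has filled `gids` with as many valid entries as `group_sids`. The hunk does not show where `gids` is assigned (create_token_from_username starts and ends outside it), so this needs confirming for every earlier branch; a branch that sets `group_sids` and `num_group_sids` without `gids` would read uninitialised memory while deciding which group SIDs go into the token. The identical hunk for branches/SAMBA_3_0_23 has the same dependency. Two smaller points: `lp_idmap_gid(&low, &high)` does not depend on `i` and could be called once before the loop, and the DEBUG call prints a `gid_t` (typically unsigned) with `%d`, where `"for gid %u!\n", (unsigned int)gids[i]` would match the type. A short comment such as `/* snapshot the count: add_sid_to_array_unique() grows num_group_sids below */` above `num_gids = num_group_sids;` would explain why the bound is copied.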

Modified: branches/SAMBA_3_0_23/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0_23/source/auth/auth_util.c	2006-08-23 02:06:07 UTC (rev 17735)
+++ branches/SAMBA_3_0_23/source/auth/auth_util.c	2006-08-23 02:45:45 UTC (rev 17736)
@@ -1067,7 +1067,10 @@
 	gid_t *gids;
 	DOM_SID primary_group_sid;
 	DOM_SID *group_sids;
+	DOM_SID unix_group_sid;
 	size_t num_group_sids;
+	size_t num_gids;
+	size_t i;
 
 	tmp_ctx = talloc_new(NULL);
 	if (tmp_ctx == NULL) {
@@ -1134,7 +1137,6 @@
 		 * directly, without consulting passdb */
 
 		struct passwd *pass;
-		size_t i;
 
 		/*
 		 * This goto target is used as a fallback for the passdb
@@ -1204,6 +1206,31 @@
 		*found_username = talloc_strdup(mem_ctx, username);
 	}
 
+	/* Add the "Unix Group" SID for each gid to catch mapped groups
+	   and their Unix equivalent.  This is to solve the backwards
+	   compatibility problem of 'valid users = +ntadmin' where
+	   ntadmin has been paired with "Domain Admins" in the group
+	   mapping table.  Otherwise smb.conf would need to be changed
+	   to 'valid user = "Domain Admins"'.  --jerry */
+
+	num_gids = num_group_sids;
+	for ( i=0; i<num_gids; i++ ) {
+		gid_t high, low;
+
+		/* don't pickup anything managed by Winbind */
+
+		if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
+			continue;
+
+		if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
+			DEBUG(1,("create_token_from_username: Failed to create SID "
+				"for gid %d!\n", gids[i]));
+			continue;
+		}
+		add_sid_to_array_unique( mem_ctx, &unix_group_sid,
+			&group_sids, &num_group_sids );
+	}
+
 	*token = create_local_nt_token(mem_ctx, &user_sid,
 				       is_guest, num_group_sids, group_sids);
 


