svn commit: samba r13441 - in trunk/source: auth lib smbd
vlendec at samba.org
vlendec at samba.org
Fri Feb 10 23:00:40 GMT 2006
Author: vlendec
Date: 2006-02-10 23:00:35 +0000 (Fri, 10 Feb 2006)
New Revision: 13441
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13441
Log:
For the well-known reasons user_in_group is broken (winbind can't always
reliably tell). Replace two uses by an appropriate check going via
create_token_from_username.
Sounds expensive and probably is, but user_in_group is potentially much more
expensive as it lists all group members and checks for membership. Potentially
even much more expensive.
The change in auth_sam is for the "+" in the list of allowed
workstations. This only makes sense on for workstations defined locally
anyway, thus unix_in_group->unix_in_user_group.
Volker
Modified:
trunk/source/auth/auth_sam.c
trunk/source/auth/auth_util.c
trunk/source/lib/username.c
trunk/source/smbd/posix_acls.c
trunk/source/smbd/service.c
Changeset:
Modified: trunk/source/auth/auth_sam.c
===================================================================
--- trunk/source/auth/auth_sam.c 2006-02-10 21:16:30 UTC (rev 13440)
+++ trunk/source/auth/auth_sam.c 2006-02-10 23:00:35 UTC (rev 13441)
@@ -192,7 +192,7 @@
if (tok[0] == '+') {
DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
machine_name, tok + 1));
- if (user_in_group(machine_name, tok + 1)) {
+ if (user_in_unix_group(machine_name, tok + 1)) {
invalid_ws = False;
break;
}
Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c 2006-02-10 21:16:30 UTC (rev 13440)
+++ trunk/source/auth/auth_util.c 2006-02-10 23:00:35 UTC (rev 13441)
@@ -1021,6 +1021,46 @@
}
/***************************************************************************
+ Build upon create_token_from_username:
+
+ Expensive helper function to figure out whether a user given its name is
+ member of a particular group.
+
+ (Justification: Before this function existed, the callers of this function
+ called user_in_group() which was potentially even more expensive as
+ it lists all group members which can be *huge* -- vl )
+
+***************************************************************************/
+BOOL username_in_group(const char *username, const DOM_SID *group_sid)
+{
+ NTSTATUS status;
+ uid_t uid;
+ gid_t gid;
+ char *found_username;
+ struct nt_user_token *token;
+ BOOL result;
+
+ TALLOC_CTX *mem_ctx;
+
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ DEBUG(0, ("talloc_new failed\n"));
+ return False;
+ }
+
+ status = create_token_from_username(mem_ctx, username, False,
+ &uid, &gid, &found_username,
+ &token);
+
+ result = nt_token_check_sid(group_sid, token);
+
+ talloc_free(mem_ctx);
+ return result;
+
+}
+
+
+/***************************************************************************
Make (and fill) a user_info struct from a Kerberos PAC logon_info by
conversion to a SAM_ACCOUNT
***************************************************************************/
Modified: trunk/source/lib/username.c
===================================================================
--- trunk/source/lib/username.c 2006-02-10 21:16:30 UTC (rev 13440)
+++ trunk/source/lib/username.c 2006-02-10 23:00:35 UTC (rev 13441)
@@ -529,7 +529,7 @@
Check if a user is in a group list. Ask winbind first, then use UNIX.
****************************************************************************/
-BOOL user_in_group(const char *user, const char *gname)
+static BOOL user_in_group(const char *user, const char *gname)
{
BOOL winbind_answered = False;
BOOL ret;
Modified: trunk/source/smbd/posix_acls.c
===================================================================
--- trunk/source/smbd/posix_acls.c 2006-02-10 21:16:30 UTC (rev 13440)
+++ trunk/source/smbd/posix_acls.c 2006-02-10 23:00:35 UTC (rev 13441)
@@ -1015,7 +1015,6 @@
static BOOL uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
{
fstring u_name;
- fstring g_name;
/* "Everyone" always matches every uid. */
@@ -1028,14 +1027,7 @@
return True;
fstrcpy(u_name, uidtoname(uid_ace->unix_ug.uid));
- fstrcpy(g_name, gidtoname(group_ace->unix_ug.gid));
-
- /*
- * Due to the winbind interfaces we need to do this via names,
- * not uids/gids.
- */
-
- return user_in_group(u_name, g_name);
+ return username_in_group(u_name, &group_ace->trustee);
}
/****************************************************************************
Modified: trunk/source/smbd/service.c
===================================================================
--- trunk/source/smbd/service.c 2006-02-10 21:16:30 UTC (rev 13440)
+++ trunk/source/smbd/service.c 2006-02-10 23:00:35 UTC (rev 13441)
@@ -473,7 +473,7 @@
*/
if (force_user && user_must_be_member) {
- if (user_in_group(username, groupname)) {
+ if (username_in_group(username, &group_sid)) {
sid_copy(pgroup_sid, &group_sid);
*pgid = gid;
DEBUG(3,("Forced group %s for member %s\n",
More information about the samba-cvs
mailing list