svn commit: samba r13683 - branches/SAMBA_3_0/source/passdb trunk/source/passdb

vlendec at samba.org vlendec at samba.org
Fri Feb 24 22:26:53 GMT 2006


Author: vlendec
Date: 2006-02-24 22:26:53 +0000 (Fri, 24 Feb 2006)
New Revision: 13683

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13683

Log:
Fix the 'valid users = +users' problem I introduced.

Volker

Modified:
   branches/SAMBA_3_0/source/passdb/lookup_sid.c
   trunk/source/passdb/lookup_sid.c


Changeset:
Modified: branches/SAMBA_3_0/source/passdb/lookup_sid.c
===================================================================
--- branches/SAMBA_3_0/source/passdb/lookup_sid.c	2006-02-24 22:04:07 UTC (rev 13682)
+++ branches/SAMBA_3_0/source/passdb/lookup_sid.c	2006-02-24 22:26:53 UTC (rev 13683)
@@ -116,6 +116,25 @@
 		goto failed;
 	}
 
+	/*
+	 * Nasty hack necessary for too common scenarios:
+	 *
+	 * For 'valid users = +users' we know "users" is most probably not
+	 * BUILTIN\users but the unix group users. This hack requires the
+	 * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
+	 *
+	 * Please note that LOOKUP_NAME_GROUP can not be requested via for
+	 * example lsa_lookupnames, it only comes into this routine via
+	 * the expansion of group names coming in from smb.conf
+	 */
+
+	if ((flags & LOOKUP_NAME_GROUP) &&
+	    (lookup_unix_group_name(name, &sid))) {
+		domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
+		type = SID_NAME_DOM_GRP;
+		goto ok;
+	}
+
 	/* Now the guesswork begins, we haven't been given an explicit
 	 * domain. Try the sequence as documented on
 	 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
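Review bot: The result of `talloc_strdup(tmp_ctx, unix_groups_domain_name())` is assigned to `domain` and the code jumps straight to `ok` without a NULL check. If the allocation fails, a NULL domain ends up paired with a valid sid and type SID_NAME_DOM_GRP. Unless the code at `ok` already rejects a NULL domain, add a check here that goes to `failed` on allocation failure, so a group named in 'valid users' never resolves half-populated.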

Modified: trunk/source/passdb/lookup_sid.c
===================================================================
--- trunk/source/passdb/lookup_sid.c	2006-02-24 22:04:07 UTC (rev 13682)
+++ trunk/source/passdb/lookup_sid.c	2006-02-24 22:26:53 UTC (rev 13683)
@@ -116,6 +116,25 @@
 		goto failed;
 	}
 
+	/*
+	 * Nasty hack necessary for too common scenarios:
+	 *
+	 * For 'valid users = +users' we know "users" is most probably not
+	 * BUILTIN\users but the unix group users. This hack requires the
+	 * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
+	 *
+	 * Please note that LOOKUP_NAME_GROUP can not be requested via for
+	 * example lsa_lookupnames, it only comes into this routine via
+	 * the expansion of group names coming in from smb.conf
+	 */
+
+	if ((flags & LOOKUP_NAME_GROUP) &&
+	    (lookup_unix_group_name(name, &sid))) {
+		domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
+		type = SID_NAME_DOM_GRP;
+		goto ok;
+	}
+
 	/* Now the guesswork begins, we haven't been given an explicit
 	 * domain. Try the sequence as documented on
 	 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
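Review bot: The new condition tests only `flags & LOOKUP_NAME_GROUP` and the unix lookup, so the precedence change rests on two things the hunk states only in a comment: that a domain-qualified name does not take this branch, and that LOOKUP_NAME_GROUP is never set by a network caller such as lsa_lookupnames. Because this decides which group a 'valid users = +users' entry grants access to, both should be explicit in code (for instance a check that no domain was supplied), and the flag's definition should document that it is reserved for smb.conf expansion. The requirement to write BUILTIN\users explicitly is an admin-visible behaviour change and belongs in the smb.conf documentation as well as in this comment.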


