svn commit: samba r14421 - branches/SAMBA_3_0/source/auth branches/SAMBA_3_0/source/nsswitch trunk/source/auth trunk/source/nsswitch

jerry at samba.org jerry at samba.org
Wed Mar 15 03:46:21 GMT 2006


Author: jerry
Date: 2006-03-15 03:46:20 +0000 (Wed, 15 Mar 2006)
New Revision: 14421

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14421

Log:
This does two things

* Automatically creates the BUILTIN\Users group similar to
  how BUILTIN\Administrators is done.  This code does need to
  be cleaned up considerably.  I'll continue to work on this.

* The important fix is for getusergroups() when dealing with a 
  local user and nested groups.  Now I can run the following
  successfully:

    $ su - jerry -c groups
    users BUILTIN\users




Modified:
   branches/SAMBA_3_0/source/auth/auth_util.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_async.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
   trunk/source/auth/auth_util.c
   trunk/source/nsswitch/winbindd_async.c
   trunk/source/nsswitch/winbindd_group.c
   trunk/source/nsswitch/winbindd_passdb.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -688,6 +688,36 @@
 /*******************************************************************
 *******************************************************************/
 
+static NTSTATUS create_builtin_users( void )
+{
+	NTSTATUS status;
+	DOM_SID dom_users;
+
+	status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS );
+	if ( !NT_STATUS_IS_OK(status) ) {
+		DEBUG(0,("create_builtin_users: Failed to create Users\n"));
+		return status;
+	}
+	
+	/* add domain users */
+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) 
+		&& secrets_fetch_domain_sid(lp_workgroup(), &dom_users))
+	{
+		sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS );
+		status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users);
+		if ( !NT_STATUS_IS_OK(status) ) {
+			DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to"
+				" Users\n"));
+			return status;
+		}
+	}
+			
+	return NT_STATUS_OK;
+}		
+
+/*******************************************************************
+*******************************************************************/
+
 static NTSTATUS create_builtin_administrators( void )
 {
 	NTSTATUS status;
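Review bot: The failure message on the pdb_add_aliasmem() call inside create_builtin_users() is labelled `create_builtin_administrators`, so a failure to add Domain Users to BUILTIN\Users will be logged under the wrong function; change it to `DEBUG(0,("create_builtin_users: Failed to add Domain Users to Users\n"));`. A second quiet path deserves a trace: when secrets_fetch_domain_sid() fails on a DC or domain member the alias is created with no members and NT_STATUS_OK is returned with nothing logged, so consider an else branch with `DEBUG(1,("create_builtin_users: no domain SID, BUILTIN\\Users created without Domain Users\n"));`. The hunk ends inside create_builtin_administrators(), whose body continues outside it.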
@@ -822,6 +852,25 @@
 		}		
 	}
 
+	/* Deal with the BUILTIN\Users group.  If the SID can
+	   be resolved then assume that the add_aliasmem( S-1-5-32 ) 
+	   handled it. */
+
+	if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) {
+		/* We can only create a mapping if winbind is running 
+		   and the nested group functionality has been enabled */
+		   
+		if ( lp_winbind_nested_groups() ) {
+			become_root();
+			status = create_builtin_users( );
+			if ( !NT_STATUS_IS_OK(status) ) {
+				DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
+				/* don't fail, just log the message */
+			}
+			unbecome_root();
+		}
+	}
+
 	/* Deal with local groups */
 	
 	if (lp_winbind_nested_groups()) {
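Review bot: The error text on the BUILTIN\Users branch says `Failed to create BUILTIN\\Administrators group!`, which sends anyone reading the log to the wrong group; it should read `DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n"));`. The comment above the sid_to_gid() check ("assume that the add_aliasmem( S-1-5-32 ) handled it") is hard to follow; `/* If BUILTIN\Users already maps to a gid it was created earlier, so do not recreate it. */` states the intent more plainly. Since a failure here is deliberately non-fatal and the token is then built without BUILTIN\Users, this log line is the only evidence, which makes its accuracy matter. The enclosing function begins before the hunk.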

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_async.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_async.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_async.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -4,6 +4,7 @@
    Async helpers for blocking functions
 
    Copyright (C) Volker Lendecke 2005
+   Copyright (C) Volker Lendecke 2006
    
    The helpers always consist of three functions: 
 
@@ -364,6 +365,10 @@
 	ZERO_STRUCT(request);
 	request.cmd = WINBINDD_DUAL_SID2GID;
 	sid_to_string(request.data.dual_sid2id.sid, sid);
+
+	DEBUG(7,("idmap_sid2gid_async: Resolving %s to a gid\n", 
+		request.data.dual_sid2id.sid));
+
 	request.data.dual_sid2id.alloc = alloc;
 	do_async(mem_ctx, idmap_child(), &request, idmap_sid2gid_recv,
 		 cont, private_data);
@@ -391,6 +396,15 @@
 				  state->request.data.dual_sid2id.alloc ?
 				  0 : ID_QUERY_ONLY);
 
+	/* If the lookup failed, the perhaps we need to look 
+	   at the passdb for local groups */
+
+	if ( !NT_STATUS_IS_OK(result) ) {
+		if ( sid_to_gid( &sid, &(state->response.data.gid) ) ) {
+			result = NT_STATUS_OK;
+		}
+	}
+
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
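Review bot: The new fallback discards the idmap failure in `result` with no trace and only overrides it when sid_to_gid() succeeds, so when both lookups fail the log does not show that passdb was consulted; add `DEBUG(10,("idmap lookup of %s failed, trying passdb\n", state->request.data.dual_sid2id.sid));` before the sid_to_gid() call. If sid_to_gid() here is the same helper smbd uses and it can itself ask winbindd for unknown SIDs, calling it from inside a winbindd child could re-enter the daemon; worth confirming that the winbind client path is disabled in this process. The function starts outside the hunk, so where `sid` is filled in is not visible here.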
 }
 
@@ -1013,9 +1027,14 @@
 	sids_str = response->extra_data;
 
 	if (sids_str == NULL) {
-		DEBUG(10, ("Received no domain groups\n"));
-		state->cont(state->private_data, True, NULL, 0);
-		return;
+		/* This could be normal if we are dealing with a
+		   local user and local groups */
+
+		if ( !sid_check_is_in_our_domain( &state->user_sid ) ) {
+			DEBUG(10, ("Received no domain groups\n"));
+			state->cont(state->private_data, True, NULL, 0);
+			return;
+		}
 	}
 
 	state->sids = NULL;
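Review bot: When extra_data is NULL for a user in our own domain the code now falls through silently, so the two outcomes of this branch are indistinguishable at debug level 10; add `DEBUG(10, ("No domain groups for local user, continuing with local group lookup\n"));` after the inner if inside the `sids_str == NULL` block. The fall-through depends on the later parse_sidlist() call being skipped for a NULL sids_str, which a separate hunk in this file arranges; a one-line comment here, `/* sids_str may be NULL below; parse_sidlist() is skipped in that case */`, keeps the two halves of the fix linked. The enclosing function begins before the hunk.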
@@ -1024,7 +1043,7 @@
 	add_sid_to_array(mem_ctx, &state->user_sid, &state->sids,
 			 &state->num_sids);
 
-	if (!parse_sidlist(mem_ctx, sids_str, &state->sids,
+	if (sids_str && !parse_sidlist(mem_ctx, sids_str, &state->sids,
 			   &state->num_sids)) {
 		DEBUG(0, ("Could not parse sids\n"));
 		state->cont(state->private_data, False, NULL, 0);

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_group.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_group.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -997,8 +997,16 @@
 				      &s->domname, &s->username)) {
 		DEBUG(5, ("Could not parse domain user: %s\n",
 			  state->request.data.username));
-		request_error(state);
-		return;
+
+		/* error out if we do not have nested group support */
+
+		if ( !lp_winbind_nested_groups() ) {
+			request_error(state);
+			return;
+		}
+
+		s->domname = talloc_strdup( state->mem_ctx, get_global_sam_name() );
+		s->username = talloc_strdup( state->mem_ctx, state->request.data.username );
 	}
 	
 	/* Get info for the domain */
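Review bot: The two talloc_strdup() results are not checked, so on allocation failure s->domname or s->username is NULL and the code proceeds to the domain lookup with it; add `if (!s->domname || !s->username) { request_error(state); return; }` after the second strdup. The fallback also turns every parse_domain_user() failure into "local user named exactly as requested" once nested groups are enabled; if that function can fail for reasons other than a missing domain separator, a malformed name would be silently re-interpreted, so the condition deserves a comment stating that assumption. The function continues past the hunk.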

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -245,11 +245,12 @@
 {
 	DEBUG(10, ("Finding name %s\n", name));
 
-	if (!pdb_find_alias(name, sid))
+	if ( !lookup_name( mem_ctx, name, LOOKUP_NAME_ALL, 
+		NULL, NULL, sid, type ) )
+	{
 		return NT_STATUS_NONE_MAPPED;
+	}
 
-	*type = SID_NAME_ALIAS;
-
 	return NT_STATUS_OK;
 }
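Review bot: Switching from pdb_find_alias() to lookup_name() with LOOKUP_NAME_ALL widens what this passdb backend resolves from local aliases to every name type lookup_name() knows, and *type now comes from that lookup instead of always being SID_NAME_ALIAS, so callers that relied on the alias-only answer should be checked. If LOOKUP_NAME_ALL includes the remote-lookup flag, this code, running inside winbindd, may try to contact winbindd for names passdb does not know, which risks a self-referential lookup; confirm that the client path is disabled here or restrict the flags to the local set. A short comment such as `/* Resolve any local name; *type is whatever lookup_name() reports, no longer always an alias. */` would document the new contract. The function signature is just above the hunk.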
 

Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ trunk/source/auth/auth_util.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -688,6 +688,36 @@
 /*******************************************************************
 *******************************************************************/
 
+static NTSTATUS create_builtin_users( void )
+{
+	NTSTATUS status;
+	DOM_SID dom_users;
+
+	status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS );
+	if ( !NT_STATUS_IS_OK(status) ) {
+		DEBUG(0,("create_builtin_users: Failed to create Users\n"));
+		return status;
+	}
+	
+	/* add domain users */
+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) 
+		&& secrets_fetch_domain_sid(lp_workgroup(), &dom_users))
+	{
+		sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS );
+		status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users);
+		if ( !NT_STATUS_IS_OK(status) ) {
+			DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to"
+				" Users\n"));
+			return status;
+		}
+	}
+			
+	return NT_STATUS_OK;
+}		
+
+/*******************************************************************
+*******************************************************************/
+
 static NTSTATUS create_builtin_administrators( void )
 {
 	NTSTATUS status;
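Review bot: As in the SAMBA_3_0 copy, the pdb_add_aliasmem() failure message in create_builtin_users() is labelled `create_builtin_administrators`; change it to `DEBUG(0,("create_builtin_users: Failed to add Domain Users to Users\n"));`. A failed secrets_fetch_domain_sid() on a DC or member also leaves the alias empty and returns NT_STATUS_OK silently, so an else branch with a DEBUG(1) line would make that state visible. The hunk ends inside create_builtin_administrators(), which continues outside it.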
@@ -822,6 +852,25 @@
 		}		
 	}
 
+	/* Deal with the BUILTIN\Users group.  If the SID can
+	   be resolved then assume that the add_aliasmem( S-1-5-32 ) 
+	   handled it. */
+
+	if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) {
+		/* We can only create a mapping if winbind is running 
+		   and the nested group functionality has been enabled */
+		   
+		if ( lp_winbind_nested_groups() ) {
+			become_root();
+			status = create_builtin_users( );
+			if ( !NT_STATUS_IS_OK(status) ) {
+				DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
+				/* don't fail, just log the message */
+			}
+			unbecome_root();
+		}
+	}
+
 	/* Deal with local groups */
 	
 	if (lp_winbind_nested_groups()) {
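Review bot: The BUILTIN\Users branch logs `Failed to create BUILTIN\\Administrators group!`, the same copy-paste error as in the branch version; it should read `DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n"));`. Because the failure is intentionally non-fatal, this line is the only trace that the token was built without BUILTIN\Users. The enclosing function begins before the hunk.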

Modified: trunk/source/nsswitch/winbindd_async.c
===================================================================
--- trunk/source/nsswitch/winbindd_async.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ trunk/source/nsswitch/winbindd_async.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -4,6 +4,7 @@
    Async helpers for blocking functions
 
    Copyright (C) Volker Lendecke 2005
+   Copyright (C) Volker Lendecke 2006
    
    The helpers always consist of three functions: 
 
@@ -364,6 +365,10 @@
 	ZERO_STRUCT(request);
 	request.cmd = WINBINDD_DUAL_SID2GID;
 	sid_to_string(request.data.dual_sid2id.sid, sid);
+
+	DEBUG(7,("idmap_sid2gid_async: Resolving %s to a gid\n", 
+		request.data.dual_sid2id.sid));
+
 	request.data.dual_sid2id.alloc = alloc;
 	do_async(mem_ctx, idmap_child(), &request, idmap_sid2gid_recv,
 		 cont, private_data);
@@ -391,6 +396,15 @@
 				  state->request.data.dual_sid2id.alloc ?
 				  0 : ID_QUERY_ONLY);
 
+	/* If the lookup failed, the perhaps we need to look 
+	   at the passdb for local groups */
+
+	if ( !NT_STATUS_IS_OK(result) ) {
+		if ( sid_to_gid( &sid, &(state->response.data.gid) ) ) {
+			result = NT_STATUS_OK;
+		}
+	}
+
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
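Review bot: The fallback drops the idmap failure status without logging and only succeeds if sid_to_gid() does, so a double failure leaves no evidence that passdb was tried; add `DEBUG(10,("idmap lookup of %s failed, trying passdb\n", state->request.data.dual_sid2id.sid));` before the call. Whether sid_to_gid() can call back into winbindd from this child process is not visible here and should be confirmed. The function starts outside the hunk.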
 }
 
@@ -1013,9 +1027,14 @@
 	sids_str = response->extra_data;
 
 	if (sids_str == NULL) {
-		DEBUG(10, ("Received no domain groups\n"));
-		state->cont(state->private_data, True, NULL, 0);
-		return;
+		/* This could be normal if we are dealing with a
+		   local user and local groups */
+
+		if ( !sid_check_is_in_our_domain( &state->user_sid ) ) {
+			DEBUG(10, ("Received no domain groups\n"));
+			state->cont(state->private_data, True, NULL, 0);
+			return;
+		}
 	}
 
 	state->sids = NULL;
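Review bot: The local-user case now continues silently when extra_data is NULL, so add `DEBUG(10, ("No domain groups for local user, continuing with local group lookup\n"));` inside the `sids_str == NULL` block after the inner if. A comment noting that parse_sidlist() is skipped for a NULL sids_str later in the function would tie this hunk to the guard added a few lines below. The enclosing function begins before the hunk.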
@@ -1024,7 +1043,7 @@
 	add_sid_to_array(mem_ctx, &state->user_sid, &state->sids,
 			 &state->num_sids);
 
-	if (!parse_sidlist(mem_ctx, sids_str, &state->sids,
+	if (sids_str && !parse_sidlist(mem_ctx, sids_str, &state->sids,
 			   &state->num_sids)) {
 		DEBUG(0, ("Could not parse sids\n"));
 		state->cont(state->private_data, False, NULL, 0);

Modified: trunk/source/nsswitch/winbindd_group.c
===================================================================
--- trunk/source/nsswitch/winbindd_group.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ trunk/source/nsswitch/winbindd_group.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -997,8 +997,16 @@
 				      &s->domname, &s->username)) {
 		DEBUG(5, ("Could not parse domain user: %s\n",
 			  state->request.data.username));
-		request_error(state);
-		return;
+
+		/* error out if we do not have nested group support */
+
+		if ( !lp_winbind_nested_groups() ) {
+			request_error(state);
+			return;
+		}
+
+		s->domname = talloc_strdup( state->mem_ctx, get_global_sam_name() );
+		s->username = talloc_strdup( state->mem_ctx, state->request.data.username );
 	}
 	
 	/* Get info for the domain */
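Review bot: The talloc_strdup() results are unchecked here as in the branch copy; add `if (!s->domname || !s->username) { request_error(state); return; }` after the second strdup so an allocation failure does not reach the domain lookup with a NULL name. The assumption that parse_domain_user() only fails for an unqualified name should be stated in a comment, since any other failure is now treated as a local user. The function continues past the hunk.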

Modified: trunk/source/nsswitch/winbindd_passdb.c
===================================================================
--- trunk/source/nsswitch/winbindd_passdb.c	2006-03-15 03:38:30 UTC (rev 14420)
+++ trunk/source/nsswitch/winbindd_passdb.c	2006-03-15 03:46:20 UTC (rev 14421)
@@ -245,11 +245,12 @@
 {
 	DEBUG(10, ("Finding name %s\n", name));
 
-	if (!pdb_find_alias(name, sid))
+	if ( !lookup_name( mem_ctx, name, LOOKUP_NAME_ALL, 
+		NULL, NULL, sid, type ) )
+	{
 		return NT_STATUS_NONE_MAPPED;
+	}
 
-	*type = SID_NAME_ALIAS;
-
 	return NT_STATUS_OK;
 }
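Review bot: lookup_name() with LOOKUP_NAME_ALL makes this backend answer for every name type rather than local aliases only, and *type is no longer fixed to SID_NAME_ALIAS, so callers of the passdb name_to_sid path should be reviewed for that assumption. If the flag set includes remote lookups, this code inside winbindd may attempt to reach winbindd itself for unknown names; confirm the client path is disabled or narrow the flags. A one-line comment documenting the widened contract, `/* Resolve any local name; *type is whatever lookup_name() reports. */`, would help. The signature is just above the hunk.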
 


