svn commit: samba r15475 - branches/SAMBA_3_0/source/auth branches/SAMBA_3_0/source/include branches/SAMBA_3_0/source/smbd trunk/source/auth trunk/source/include trunk/source/smbd

vlendec at samba.org vlendec at samba.org
Sat May 6 19:24:36 GMT 2006


Author: vlendec
Date: 2006-05-06 19:24:35 +0000 (Sat, 06 May 2006)
New Revision: 15475

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=15475

Log:
Ugly and disgusting patch to fix the username map problem I created by
changing the token generation. I *hate* this code!

Jerry, you have been looking at this as well, can you double-check that I did
not screw it up?

Thanks,

Volker



Modified:
   branches/SAMBA_3_0/source/auth/auth_ntlmssp.c
   branches/SAMBA_3_0/source/auth/auth_util.c
   branches/SAMBA_3_0/source/auth/auth_winbind.c
   branches/SAMBA_3_0/source/include/auth.h
   branches/SAMBA_3_0/source/smbd/sesssetup.c
   trunk/source/auth/auth_ntlmssp.c
   trunk/source/auth/auth_util.c
   trunk/source/auth/auth_winbind.c
   trunk/source/include/auth.h
   trunk/source/smbd/sesssetup.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_ntlmssp.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_ntlmssp.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ branches/SAMBA_3_0/source/auth/auth_ntlmssp.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -80,6 +80,7 @@
 	AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
 	auth_usersupplied_info *user_info = NULL;
 	NTSTATUS nt_status;
+	BOOL username_was_mapped;
 
 	/* the client has given us its machine name (which we otherwise would not get on port 445).
 	   we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
@@ -110,12 +111,16 @@
 	nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, 
 									  user_info, &auth_ntlmssp_state->server_info); 
 
+	username_was_mapped = user_info->was_mapped;
+
 	free_user_info(&user_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
 
+	auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped;
+
 	nt_status = create_local_token(auth_ntlmssp_state->server_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
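Review bot: `auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped;` on the last added line reads the field before writing it, so it is only correct if whatever allocated server_info inside check_ntlm_password zero-filled the struct; that allocation is not part of this commit and the new member in auth.h carries no initializer. Since create_local_token now uses was_mapped to choose between two different token-construction paths, a stale True here would route an unmapped user through create_token_from_username. If this call site is the only writer for the NTLMSSP path, a plain assignment `auth_ntlmssp_state->server_info->was_mapped = username_was_mapped;` removes the dependency; otherwise a one-line comment stating that server_info is presumed zeroed at allocation would help the next reader. The same `|=` pattern appears in auth_winbind.c (L197-L199) and sesssetup.c (L251), and in the trunk copies at L280, L414 and L467. The enclosing function starts before this hunk.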

Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -152,9 +152,11 @@
 			    BOOL encrypted)
 {
 	const char *domain;
+	NTSTATUS result;
+	BOOL was_mapped;
 	fstring internal_username;
 	fstrcpy(internal_username, smb_name);
-	map_username(internal_username); 
+	was_mapped = map_username(internal_username); 
 	
 	DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
 	      client_domain, smb_name, wksta_name));
@@ -176,11 +178,15 @@
 	
 	/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
 	
-	return make_user_info(user_info, smb_name, internal_username, 
+	result = make_user_info(user_info, smb_name, internal_username, 
 			      client_domain, domain, wksta_name, 
 			      lm_pwd, nt_pwd,
 			      lm_interactive_pwd, nt_interactive_pwd,
 			      plaintext, encrypted);
+	if (NT_STATUS_IS_OK(result)) {
+		(*user_info)->was_mapped = was_mapped;
+	}
+	return result;
 }
 
 /****************************************************************************
@@ -923,15 +929,29 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	server_info->ptok = create_local_nt_token(
-		server_info,
-		pdb_get_user_sid(server_info->sam_account),
-		pdb_get_group_sid(server_info->sam_account),
-		server_info->guest,
-		server_info->num_sids, server_info->sids);
+	if (server_info->was_mapped) {
+		status = create_token_from_username(server_info,
+						    server_info->unix_name,
+						    server_info->guest,
+						    &server_info->uid,
+						    &server_info->gid,
+						    &server_info->unix_name,
+						    &server_info->ptok);
+		
+	} else {
+		server_info->ptok = create_local_nt_token(
+			server_info,
+			pdb_get_user_sid(server_info->sam_account),
+			pdb_get_group_sid(server_info->sam_account),
+			server_info->guest,
+			server_info->num_sids, server_info->sids);
+		status = server_info->ptok ?
+			NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
+	}
 
-	if ( !server_info->ptok ) {
-		return NT_STATUS_NO_SUCH_USER;
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(mem_ctx);
+		return status;
 	}
 	
 	/* Convert the SIDs to gids. */
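Review bot: In the new was_mapped branch `server_info->unix_name` is passed as the username argument while `&server_info->unix_name` is passed as the found-username output, so the callee may overwrite the very pointer its input came from; that is harmless only if create_token_from_username never reads `username` after writing `*found_username` and never frees the old string, which cannot be seen from this hunk — reading the result into a separate `char *found = NULL;` and assigning it to server_info afterwards would remove the question. The branch also overwrites `server_info->uid` and `server_info->gid` in place, which the old code did not do, so a why-comment on the `if` such as `/* username map matched: build the token from the mapped unix account, not from sam_account's SIDs */` would make the intent clear. The error path now frees mem_ctx in both branches, which the old `!server_info->ptok` check did not. `status` must already be declared in create_local_token, which starts before this hunk; the trunk copy at L320-L357 is identical.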
@@ -1366,7 +1386,8 @@
 				 const char *username,
 				 char **found_username,
 				 uid_t *uid, gid_t *gid,
-				 struct samu *account)
+				 struct samu *account,
+				 BOOL *username_was_mapped)
 {
 	NTSTATUS nt_status;
 	fstring dom_user, lower_username;
@@ -1381,7 +1402,7 @@
 
 	/* Get the passwd struct.  Try to create the account is necessary. */
 
-	map_username( dom_user );
+	*username_was_mapped = map_username( dom_user );
 
 	if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
 		return NT_STATUS_NO_SUCH_USER;
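Review bot: `*username_was_mapped` is only written at the map_username call partway through fill_sam_account, so any return before that line leaves the caller's `BOOL username_was_mapped;` (declared at L165 without an initializer) unset; the caller does not bail out when fill_sam_account fails (the context at L178 goes on to look for other ways to obtain a unix account) and then stores the value into `result->was_mapped` at L183, where create_local_token later uses it to pick the token-construction path. Initialize at both ends: `*username_was_mapped = False;` as the first statement of fill_sam_account, and `BOOL username_was_mapped = False;` at L165. fill_sam_account's body starts before this hunk, so whether such an early return exists is inferred rather than shown. The trunk copies at L373, L381 and L399 have the same shape.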
@@ -1510,6 +1531,7 @@
 	struct samu *sam_account = NULL;
 	DOM_SID user_sid;
 	DOM_SID group_sid;
+	BOOL username_was_mapped;
 
 	uid_t uid;
 	gid_t gid;
@@ -1565,7 +1587,8 @@
 	/* this call will try to create the user if necessary */
 
 	nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
-				     &found_username, &uid, &gid, sam_account);
+				     &found_username, &uid, &gid, sam_account,
+				     &username_was_mapped);
 
 	
 	/* if we still don't have a valid unix account check for 
@@ -1716,6 +1739,8 @@
 			sizeof(info3->lm_sess_key));
 	}
 
+	result->was_mapped = username_was_mapped;
+
 	*server_info = result;
 
 	return NT_STATUS_OK;

Modified: branches/SAMBA_3_0/source/auth/auth_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_winbind.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ branches/SAMBA_3_0/source/auth/auth_winbind.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -132,6 +132,9 @@
 					server_info, &info3); 
 			}
 			
+			if (NT_STATUS_IS_OK(nt_status)) {
+				(*server_info)->was_mapped |= user_info->was_mapped;
+			}
 		}
 	} else if (NT_STATUS_IS_OK(nt_status)) {
 		nt_status = NT_STATUS_NO_LOGON_SERVERS;

Modified: branches/SAMBA_3_0/source/include/auth.h
===================================================================
--- branches/SAMBA_3_0/source/include/auth.h	2006-05-06 16:19:29 UTC (rev 15474)
+++ branches/SAMBA_3_0/source/include/auth.h	2006-05-06 19:24:35 UTC (rev 15475)
@@ -29,6 +29,7 @@
 	
 	BOOL encrypted;
 	
+	BOOL was_mapped;	      /* Did the username map actually match? */
 	char *client_domain;          /* domain name string */
 	char *domain;                 /* domain name after mapping */
 	char *internal_username;      /* username after mapping */
@@ -67,6 +68,7 @@
 	
 	void *pam_handle;
 
+	BOOL was_mapped;	/* Did the username map match? */
 	char *unix_name;
 	
 } auth_serversupplied_info;
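Review bot: The comment on the new `was_mapped` member of auth_serversupplied_info says only that the map matched, but in this commit the flag also selects how create_local_token builds the token, which is the property a reader of the header needs to know. Suggest `BOOL was_mapped; /* username map matched; create_local_token() then builds the token from unix_name instead of the sam_account SIDs */`. The trunk copy at L432-L439 is identical.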

Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/sesssetup.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -176,6 +176,7 @@
 	DATA_BLOB nullblob = data_blob(NULL, 0);
 	fstring real_username;
 	BOOL map_domainuser_to_guest = False;
+	BOOL username_was_mapped;
 	PAC_LOGON_INFO *logon_info = NULL;
 
 	ZERO_STRUCT(ticket);
@@ -288,7 +289,7 @@
 	
 	/* lookup the passwd struct, create a new user if necessary */
 
-	map_username( user );
+	username_was_mapped = map_username( user );
 
 	pw = smb_getpwnam( mem_ctx, user, real_username, True );
 	if (!pw) {
@@ -355,6 +356,8 @@
 			pdb_set_domain(server_info->sam_account, domain, PDB_SET);
 		}
 	}
+
+	server_info->was_mapped |= username_was_mapped;
 	
 	/* we need to build the token for the user. make_server_info_guest()
 	   already does this */

Modified: trunk/source/auth/auth_ntlmssp.c
===================================================================
--- trunk/source/auth/auth_ntlmssp.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ trunk/source/auth/auth_ntlmssp.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -80,6 +80,7 @@
 	AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
 	auth_usersupplied_info *user_info = NULL;
 	NTSTATUS nt_status;
+	BOOL username_was_mapped;
 
 	/* the client has given us its machine name (which we otherwise would not get on port 445).
 	   we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
@@ -110,12 +111,16 @@
 	nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, 
 									  user_info, &auth_ntlmssp_state->server_info); 
 
+	username_was_mapped = user_info->was_mapped;
+
 	free_user_info(&user_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
 
+	auth_ntlmssp_state->server_info->was_mapped |= username_was_mapped;
+
 	nt_status = create_local_token(auth_ntlmssp_state->server_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {

Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ trunk/source/auth/auth_util.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -152,9 +152,11 @@
 			    BOOL encrypted)
 {
 	const char *domain;
+	NTSTATUS result;
+	BOOL was_mapped;
 	fstring internal_username;
 	fstrcpy(internal_username, smb_name);
-	map_username(internal_username); 
+	was_mapped = map_username(internal_username); 
 	
 	DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
 	      client_domain, smb_name, wksta_name));
@@ -176,11 +178,15 @@
 	
 	/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
 	
-	return make_user_info(user_info, smb_name, internal_username, 
+	result = make_user_info(user_info, smb_name, internal_username, 
 			      client_domain, domain, wksta_name, 
 			      lm_pwd, nt_pwd,
 			      lm_interactive_pwd, nt_interactive_pwd,
 			      plaintext, encrypted);
+	if (NT_STATUS_IS_OK(result)) {
+		(*user_info)->was_mapped = was_mapped;
+	}
+	return result;
 }
 
 /****************************************************************************
@@ -923,15 +929,29 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	server_info->ptok = create_local_nt_token(
-		server_info,
-		pdb_get_user_sid(server_info->sam_account),
-		pdb_get_group_sid(server_info->sam_account),
-		server_info->guest,
-		server_info->num_sids, server_info->sids);
+	if (server_info->was_mapped) {
+		status = create_token_from_username(server_info,
+						    server_info->unix_name,
+						    server_info->guest,
+						    &server_info->uid,
+						    &server_info->gid,
+						    &server_info->unix_name,
+						    &server_info->ptok);
+		
+	} else {
+		server_info->ptok = create_local_nt_token(
+			server_info,
+			pdb_get_user_sid(server_info->sam_account),
+			pdb_get_group_sid(server_info->sam_account),
+			server_info->guest,
+			server_info->num_sids, server_info->sids);
+		status = server_info->ptok ?
+			NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
+	}
 
-	if ( !server_info->ptok ) {
-		return NT_STATUS_NO_SUCH_USER;
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(mem_ctx);
+		return status;
 	}
 	
 	/* Convert the SIDs to gids. */
@@ -1366,7 +1386,8 @@
 				 const char *username,
 				 char **found_username,
 				 uid_t *uid, gid_t *gid,
-				 struct samu *account)
+				 struct samu *account,
+				 BOOL *username_was_mapped)
 {
 	NTSTATUS nt_status;
 	fstring dom_user, lower_username;
@@ -1381,7 +1402,7 @@
 
 	/* Get the passwd struct.  Try to create the account is necessary. */
 
-	map_username( dom_user );
+	*username_was_mapped = map_username( dom_user );
 
 	if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
 		return NT_STATUS_NO_SUCH_USER;
@@ -1510,6 +1531,7 @@
 	struct samu *sam_account = NULL;
 	DOM_SID user_sid;
 	DOM_SID group_sid;
+	BOOL username_was_mapped;
 
 	uid_t uid;
 	gid_t gid;
@@ -1565,7 +1587,8 @@
 	/* this call will try to create the user if necessary */
 
 	nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
-				     &found_username, &uid, &gid, sam_account);
+				     &found_username, &uid, &gid, sam_account,
+				     &username_was_mapped);
 
 	
 	/* if we still don't have a valid unix account check for 
@@ -1716,6 +1739,8 @@
 			sizeof(info3->lm_sess_key));
 	}
 
+	result->was_mapped = username_was_mapped;
+
 	*server_info = result;
 
 	return NT_STATUS_OK;

Modified: trunk/source/auth/auth_winbind.c
===================================================================
--- trunk/source/auth/auth_winbind.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ trunk/source/auth/auth_winbind.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -132,6 +132,9 @@
 					server_info, &info3); 
 			}
 			
+			if (NT_STATUS_IS_OK(nt_status)) {
+				(*server_info)->was_mapped |= user_info->was_mapped;
+			}
 		}
 	} else if (NT_STATUS_IS_OK(nt_status)) {
 		nt_status = NT_STATUS_NO_LOGON_SERVERS;

Modified: trunk/source/include/auth.h
===================================================================
--- trunk/source/include/auth.h	2006-05-06 16:19:29 UTC (rev 15474)
+++ trunk/source/include/auth.h	2006-05-06 19:24:35 UTC (rev 15475)
@@ -29,6 +29,7 @@
 	
 	BOOL encrypted;
 	
+	BOOL was_mapped;	      /* Did the username map actually match? */
 	char *client_domain;          /* domain name string */
 	char *domain;                 /* domain name after mapping */
 	char *internal_username;      /* username after mapping */
@@ -67,6 +68,7 @@
 	
 	void *pam_handle;
 
+	BOOL was_mapped;	/* Did the username map match? */
 	char *unix_name;
 	
 } auth_serversupplied_info;

Modified: trunk/source/smbd/sesssetup.c
===================================================================
--- trunk/source/smbd/sesssetup.c	2006-05-06 16:19:29 UTC (rev 15474)
+++ trunk/source/smbd/sesssetup.c	2006-05-06 19:24:35 UTC (rev 15475)
@@ -176,6 +176,7 @@
 	DATA_BLOB nullblob = data_blob(NULL, 0);
 	fstring real_username;
 	BOOL map_domainuser_to_guest = False;
+	BOOL username_was_mapped;
 	PAC_LOGON_INFO *logon_info = NULL;
 
 	ZERO_STRUCT(ticket);
@@ -288,7 +289,7 @@
 	
 	/* lookup the passwd struct, create a new user if necessary */
 
-	map_username( user );
+	username_was_mapped = map_username( user );
 
 	pw = smb_getpwnam( mem_ctx, user, real_username, True );
 	if (!pw) {
@@ -355,6 +356,8 @@
 			pdb_set_domain(server_info->sam_account, domain, PDB_SET);
 		}
 	}
+
+	server_info->was_mapped |= username_was_mapped;
 	
 	/* we need to build the token for the user. make_server_info_guest()
 	   already does this */


