svn commit: samba r23530 - in branches: SAMBA_3_0/source/auth SAMBA_3_0_25/source/auth SAMBA_3_0_26/source/auth

jra at samba.org jra at samba.org
Sun Jun 17 19:23:32 GMT 2007 

Author: jra
Date: 2007-06-17 19:23:32 +0000 (Sun, 17 Jun 2007)
New Revision: 23530

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23530

Log:
Fix bugs #4678 and #4697 which had the same root cause.
In make_server_info_pw() we assign a user SID in our
authoritative SAM, even though this may be from a
pure "Unix User" that doesn't exist in the SAM.
This causes lookups on "[in]valid users" to fail as they
will lookup this name as a "Unix User" SID to check against
the user token. Fix this by adding the "Unix User"\unix_username
SID to the sid array. The correct fix should probably be
changing the server_info->sam_account user SID to be a
S-1-22 Unix SID, but this might break old configs where
plaintext passwords were used with no SAM backend.
Jeremy

Modified:
   branches/SAMBA_3_0/source/auth/auth_util.c
   branches/SAMBA_3_0_25/source/auth/auth_util.c
   branches/SAMBA_3_0_26/source/auth/auth_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2007-06-17 16:46:44 UTC (rev 23529)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2007-06-17 19:23:32 UTC (rev 23530)
@@ -966,6 +966,10 @@
 	NTSTATUS status;
 	struct samu *sampass = NULL;
 	gid_t *gids;
+	char *qualified_name = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	DOM_SID u_sid;
+	enum lsa_SidType type;
 	auth_serversupplied_info *result;
 	
 	if ( !(sampass = samu_new( NULL )) ) {
@@ -999,6 +1003,56 @@
 		return status;
 	}
 
+	/*
+	 * The SID returned in server_info->sam_account is based
+	 * on our SAM sid even though for a pure UNIX account this should
+	 * not be the case as it doesn't really exist in the SAM db.
+	 * This causes lookups on "[in]valid users" to fail as they
+	 * will lookup this name as a "Unix User" SID to check against
+	 * the user token. Fix this by adding the "Unix User"\unix_username
+	 * SID to the sid array. The correct fix should probably be
+	 * changing the server_info->sam_account user SID to be a
+	 * S-1-22 Unix SID, but this might break old configs where
+	 * plaintext passwords were used with no SAM backend.
+	 */
+
+	mem_ctx = talloc_init("make_server_info_pw_tmp");
+	if (!mem_ctx) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+					unix_users_domain_name(),
+					unix_username );
+	if (!qualified_name) {
+		TALLOC_FREE(result);
+		TALLOC_FREE(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+						NULL, NULL,
+						&u_sid, &type)) {
+		TALLOC_FREE(result);
+		TALLOC_FREE(mem_ctx);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	TALLOC_FREE(mem_ctx);
+
+	if (type != SID_NAME_USER) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	if (!add_sid_to_array_unique(result, &u_sid,
+					&result->sids,
+					&result->num_sids)) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	/* For now we throw away the gids and convert via sid_to_gid
 	 * later. This needs fixing, but I'd like to get the code straight and
 	 * simple first. */

Modified: branches/SAMBA_3_0_25/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0_25/source/auth/auth_util.c	2007-06-17 16:46:44 UTC (rev 23529)
+++ branches/SAMBA_3_0_25/source/auth/auth_util.c	2007-06-17 19:23:32 UTC (rev 23530)
@@ -1356,6 +1356,10 @@
 	NTSTATUS status;
 	struct samu *sampass = NULL;
 	gid_t *gids;
+	char *qualified_name = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	DOM_SID u_sid;
+	enum lsa_SidType type;
 	auth_serversupplied_info *result;
 	
 	if ( !(sampass = samu_new( NULL )) ) {
@@ -1389,6 +1393,56 @@
 		return status;
 	}
 
+	/*
+	 * The SID returned in server_info->sam_account is based
+	 * on our SAM sid even though for a pure UNIX account this should
+	 * not be the case as it doesn't really exist in the SAM db.
+	 * This causes lookups on "[in]valid users" to fail as they
+	 * will lookup this name as a "Unix User" SID to check against
+	 * the user token. Fix this by adding the "Unix User"\unix_username
+	 * SID to the sid array. The correct fix should probably be
+	 * changing the server_info->sam_account user SID to be a
+	 * S-1-22 Unix SID, but this might break old configs where
+	 * plaintext passwords were used with no SAM backend.
+	 */
+
+	mem_ctx = talloc_init("make_server_info_pw_tmp");
+	if (!mem_ctx) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+					unix_users_domain_name(),
+					unix_username );
+	if (!qualified_name) {
+		TALLOC_FREE(result);
+		TALLOC_FREE(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+						NULL, NULL,
+						&u_sid, &type)) {
+		TALLOC_FREE(result);
+		TALLOC_FREE(mem_ctx);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	TALLOC_FREE(mem_ctx);
+
+	if (type != SID_NAME_USER) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	if (!add_sid_to_array_unique(result, &u_sid,
+					&result->sids,
+					&result->num_sids)) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	/* For now we throw away the gids and convert via sid_to_gid
 	 * later. This needs fixing, but I'd like to get the code straight and
 	 * simple first. */

Modified: branches/SAMBA_3_0_26/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0_26/source/auth/auth_util.c	2007-06-17 16:46:44 UTC (rev 23529)
+++ branches/SAMBA_3_0_26/source/auth/auth_util.c	2007-06-17 19:23:32 UTC (rev 23530)
@@ -966,6 +966,10 @@
 	NTSTATUS status;
 	struct samu *sampass = NULL;
 	gid_t *gids;
+	char *qualified_name = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	DOM_SID u_sid;
+	enum lsa_SidType type;
 	auth_serversupplied_info *result;
 	
 	if ( !(sampass = samu_new( NULL )) ) {
@@ -999,6 +1003,56 @@
 		return status;
 	}
 
+	/*
+	 * The SID returned in server_info->sam_account is based
+	 * on our SAM sid even though for a pure UNIX account this should
+	 * not be the case as it doesn't really exist in the SAM db.
+	 * This causes lookups on "[in]valid users" to fail as they
+	 * will lookup this name as a "Unix User" SID to check against
+	 * the user token. Fix this by adding the "Unix User"\unix_username
+	 * SID to the sid array. The correct fix should probably be
+	 * changing the server_info->sam_account user SID to be a
+	 * S-1-22 Unix SID, but this might break old configs where
+	 * plaintext passwords were used with no SAM backend.
+	 */
+
+	mem_ctx = talloc_init("make_server_info_pw_tmp");
+	if (!mem_ctx) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+					unix_users_domain_name(),
+					unix_username );
+	if (!qualified_name) {
+		TALLOC_FREE(result);
+		TALLOC_FREE(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+						NULL, NULL,
+						&u_sid, &type)) {
+		TALLOC_FREE(result);
+		TALLOC_FREE(mem_ctx);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	TALLOC_FREE(mem_ctx);
+
+	if (type != SID_NAME_USER) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	if (!add_sid_to_array_unique(result, &u_sid,
+					&result->sids,
+					&result->num_sids)) {
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	/* For now we throw away the gids and convert via sid_to_gid
 	 * later. This needs fixing, but I'd like to get the code straight and
 	 * simple first. */

More information about the samba-cvs mailing list