[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-3463-ge92faf5

Jeremy Allison jra at samba.org
Wed Jul 30 21:07:07 GMT 2008


The branch, v3-3-test has been updated
       via  e92faf5996cadac480deb60a4f6232eea90b00f6 (commit)
       via  f6411ccb4a1530034e481e1c63b6114a93317b29 (commit)
       via  8d75d40b9f6d22bae7430211f8a1fe99051b756c (commit)
       via  668ef314559df40f1b8aa0991539adcd8d35ffe3 (commit)
      from  fef58091408cce0d7870c86f28f78cf9400cf2b6 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit e92faf5996cadac480deb60a4f6232eea90b00f6
Author: Tim Prouty <tim.prouty at isilon.com>
Date:   Wed Jul 23 20:50:21 2008 -0700

    Enabled domain groups to be added to builtin groups at domain join time
    
    Previously this was done at token creation time if the Administrators and Users
    builtins hadn't been created yet.  A major drawback to this approach is that if
    a customer is joined to a domain and decides they want to join a different
    domain, the domain groups from this new domain will not be added to the
    builtins.
    
    It would be ideal if these groups could be added exclusively at domain join
    time, but we can't rely solely on that because there are cases where winbindd
    must be running to allocate new gids for the builtins.  In the future if there
    is a way to allocate gids for builtins without running winbindd, this code
    can be removed from create_local_nt_token.
    
    - Made create_builtin_users and create_builtin_administrators non-static so
    they can be called from libnet
    - Added a new function to libnet_join that will make a best effort to add
    domain administrators and domain users to BUILTIN\Administrators and
    BUILTIN\Users, respectively.  If the builtins don't exist yet, winbindd must be
    running to allocate new gids, but if the builtins already exist, the domain
    groups will be added even if winbindd is not running.  In the case of a
    failure the error will be logged, but the join will not be failed.
    - Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing.

commit f6411ccb4a1530034e481e1c63b6114a93317b29
Author: Tim Prouty <tim.prouty at isilon.com>
Date:   Wed Jul 23 20:42:32 2008 -0700

    Refactored the code that adds Domain Admins to BUILTIN\Administrators to use the new helper functions.
    
    - Modified create_builtin_administrators and add_builtin_administrators to take
    in the domain sid to reduce the number of times it needs to be looked up.
    - Changed create_builtin_administrators to call the new helper functions.
    - Changed create_local_nt_token to call the new version of
    create_builtin_administrators and handle the new error that can be returned.
    - Made it more explicit that add_builtin_administrators is only called when
    winbindd can't be pinged.

commit 8d75d40b9f6d22bae7430211f8a1fe99051b756c
Author: Tim Prouty <tim.prouty at isilon.com>
Date:   Wed Jul 23 20:33:15 2008 -0700

    Refactored the code that adds Domain Users to BUILTIN\Users to use the new helper functions.
    
    - Modified create_builtin_users to take in the domain sid to reduce the number
    of times it needs to be looked up.
    - Changed create_builtin_users to call the new helper functions.
    - Changed create_local_nt_token to call the new version of create_builtin_users
    and handle the new error that can be returned.

commit 668ef314559df40f1b8aa0991539adcd8d35ffe3
Author: Tim Prouty <tim.prouty at isilon.com>
Date:   Wed Jul 23 20:24:39 2008 -0700

    Helper functions to enable domain groups to be added to builtin groups at domain join time
    
    Added two new helper functions which wrap the raw pdb alias functions so they
    can be more conveniently called while adding domain groups to builtin groups.

-----------------------------------------------------------------------

Summary of changes:
 source/auth/token_util.c    |  154 +++++++++++++++++++++++++++++++------------
 source/include/proto.h      |    2 +
 source/libnet/libnet_join.c |   33 +++++++++
 3 files changed, 146 insertions(+), 43 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/auth/token_util.c b/source/auth/token_util.c
index cd67c2a..e5b9e1b 100644
--- a/source/auth/token_util.c
+++ b/source/auth/token_util.c
@@ -165,7 +165,8 @@ done:
 /*******************************************************************
 *******************************************************************/
 
-static NTSTATUS add_builtin_administrators( struct nt_user_token *token )
+static NTSTATUS add_builtin_administrators(struct nt_user_token *token,
+					   const DOM_SID *dom_sid)
 {
 	DOM_SID domadm;
 	NTSTATUS status;
@@ -181,8 +182,7 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token )
 	if ( IS_DC ) {
 		sid_copy( &domadm, get_global_sam_sid() );
 	} else {
-		if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
-			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		sid_copy(&domadm, dom_sid);
 	}
 	sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
 
@@ -200,15 +200,74 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token )
 	return NT_STATUS_OK;
 }
 
+/**
+ * Create the requested BUILTIN if it doesn't already exist.  This requires
+ * winbindd to be running.
+ *
+ * @param[in] rid BUILTIN rid to create
+ * @return Normal NTSTATUS return.
+ */
+static NTSTATUS create_builtin(uint32 rid)
+{
+	NTSTATUS status = NT_STATUS_OK;
+	DOM_SID sid;
+	gid_t gid;
+
+	if (!sid_compose(&sid, &global_sid_Builtin, rid)) {
+		return NT_STATUS_NO_SUCH_ALIAS;
+	}
+
+	if (!sid_to_gid(&sid, &gid)) {
+		if (!lp_winbind_nested_groups() || !winbind_ping()) {
+			return NT_STATUS_PROTOCOL_UNREACHABLE;
+		}
+		status = pdb_create_builtin_alias(rid);
+	}
+	return status;
+}
+
+/**
+ * Add sid as a member of builtin_sid.
+ *
+ * @param[in] builtin_sid	An existing builtin group.
+ * @param[in] dom_sid		sid to add as a member of builtin_sid.
+ * @return Normal NTSTATUS return
+ */
+static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid,
+				   const DOM_SID *dom_sid)
+{
+	NTSTATUS status = NT_STATUS_OK;
+
+	if (!dom_sid || !builtin_sid) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	status = pdb_add_aliasmem(builtin_sid, dom_sid);
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_MEMBER_IN_ALIAS)) {
+		DEBUG(5, ("add_sid_to_builtin %s is already a member of %s\n",
+			  sid_string_dbg(dom_sid),
+			  sid_string_dbg(builtin_sid)));
+		return NT_STATUS_OK;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("add_sid_to_builtin %s could not be added to %s: "
+			  "%s\n", sid_string_dbg(dom_sid),
+			  sid_string_dbg(builtin_sid), nt_errstr(status)));
+	}
+	return status;
+}
+
 /*******************************************************************
 *******************************************************************/
 
-static NTSTATUS create_builtin_users( void )
+NTSTATUS create_builtin_users(const DOM_SID *dom_sid)
 {
 	NTSTATUS status;
 	DOM_SID dom_users;
 
-	status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS );
+	status = create_builtin(BUILTIN_ALIAS_RID_USERS);
 	if ( !NT_STATUS_IS_OK(status) ) {
 		DEBUG(5,("create_builtin_users: Failed to create Users\n"));
 		return status;
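Review bot: create_builtin's header comment says only that it "requires winbindd to be running", but the body returns NT_STATUS_PROTOCOL_UNREACHABLE also when `lp_winbind_nested_groups()` is off, and every caller in this changeset (create_local_nt_token, libnet_join_add_dom_rids_to_builtins) reads that status as "winbindd is not running". Documenting the second cause keeps the join-time log message from misleading an operator who has winbindd up but nested groups disabled: `* @return NT_STATUS_PROTOCOL_UNREACHABLE if the alias is missing and either "winbind nested groups" is disabled or winbindd cannot be pinged; NT_STATUS_OK if the alias already exists.` The rest of create_builtin_users continues past the hunk.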
@@ -216,10 +275,10 @@ static NTSTATUS create_builtin_users( void )
 
 	/* add domain users */
 	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
-		&& secrets_fetch_domain_sid(lp_workgroup(), &dom_users))
+		&& sid_compose(&dom_users, dom_sid, DOMAIN_GROUP_RID_USERS))
 	{
-		sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS );
-		status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users);
+		status = add_sid_to_builtin(&global_sid_Builtin_Users,
+					    &dom_users);
 		if ( !NT_STATUS_IS_OK(status) ) {
 			DEBUG(4,("create_builtin_administrators: Failed to add Domain Users to"
 				" Users\n"));
@@ -233,7 +292,7 @@ static NTSTATUS create_builtin_users( void )
 /*******************************************************************
 *******************************************************************/
 
-static NTSTATUS create_builtin_administrators( void )
+NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid)
 {
 	NTSTATUS status;
 	DOM_SID dom_admins, root_sid;
@@ -242,7 +301,7 @@ static NTSTATUS create_builtin_administrators( void )
 	TALLOC_CTX *ctx;
 	bool ret;
 
-	status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS );
+	status = create_builtin(BUILTIN_ALIAS_RID_ADMINS);
 	if ( !NT_STATUS_IS_OK(status) ) {
 		DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n"));
 		return status;
@@ -250,10 +309,10 @@ static NTSTATUS create_builtin_administrators( void )
 
 	/* add domain admins */
 	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
-		&& secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))
+		&& sid_compose(&dom_admins, dom_sid, DOMAIN_GROUP_RID_ADMINS))
 	{
-		sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
-		status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins );
+		status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
+					    &dom_admins);
 		if ( !NT_STATUS_IS_OK(status) ) {
 			DEBUG(4,("create_builtin_administrators: Failed to add Domain Admins"
 				" Administrators\n"));
@@ -271,7 +330,8 @@ static NTSTATUS create_builtin_administrators( void )
 	TALLOC_FREE( ctx );
 
 	if ( ret ) {
-		status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid );
+		status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
+					    &root_sid);
 		if ( !NT_STATUS_IS_OK(status) ) {
 			DEBUG(4,("create_builtin_administrators: Failed to add root"
 				" Administrators\n"));
@@ -297,6 +357,7 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 	int i;
 	NTSTATUS status;
 	gid_t gid;
+	DOM_SID dom_sid;
 
 	DEBUG(10, ("Create local NT token for %s\n",
 		   sid_string_dbg(user_sid)));
@@ -373,27 +434,30 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 	   be resolved then assume that the add_aliasmem( S-1-5-32 )
 	   handled it. */
 
-	if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
-		/* We can only create a mapping if winbind is running
-		   and the nested group functionality has been enabled */
+	if (!sid_to_gid(&global_sid_Builtin_Administrators, &gid)) {
 
-		if ( lp_winbind_nested_groups() && winbind_ping() ) {
-			become_root();
-			status = create_builtin_administrators( );
-			if ( !NT_STATUS_IS_OK(status) ) {
-				DEBUG(2,("WARNING: Failed to create BUILTIN\\Administrators "
-					 "group!  Can Winbind allocate gids?\n"));
-				/* don't fail, just log the message */
-			}
-			unbecome_root();
+		become_root();
+		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
+			status = NT_STATUS_OK;
+			DEBUG(3, ("Failed to fetch domain sid for %s\n",
+				  lp_workgroup()));
+		} else {
+			status = create_builtin_administrators(&dom_sid);
 		}
-		else {
-			status = add_builtin_administrators( result );
+		unbecome_root();
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+			/* Add BUILTIN\Administrators directly to token. */
+			status = add_builtin_administrators(result, &dom_sid);
 			if ( !NT_STATUS_IS_OK(status) ) {
-				/* just log a complaint but do not fail */
-				DEBUG(3,("create_local_nt_token: failed to check for local Administrators"
-					" membership (%s)\n", nt_errstr(status)));
+				DEBUG(3, ("Failed to check for local "
+					  "Administrators membership (%s)\n",
+					  nt_errstr(status)));
 			}
+		} else if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(2, ("WARNING: Failed to create "
+				  "BUILTIN\\Administrators group!  Can "
+				  "Winbind allocate gids?\n"));
 		}
 	}
 
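Review bot: The `status = NT_STATUS_OK` assignment in the secrets_fetch_domain_sid() failure branch is the only thing that keeps the fallback below from reading the still-uninitialized `dom_sid`; nothing in the code says so, and a later edit that makes that branch report the missing domain SID would hand garbage to add_builtin_administrators(). A comment on that line pins the invariant: `/* Leave status OK: the PROTOCOL_UNREACHABLE fallback below reads dom_sid. */`. Note also that become_root() now brackets the secrets lookup and the pdb modification even when winbindd is unreachable, which is the behaviour the commit message asks for but a wider privileged window than the old code had. create_local_nt_token starts and ends outside the hunk.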
@@ -401,19 +465,23 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 	   be resolved then assume that the add_aliasmem( S-1-5-32 )
 	   handled it. */
 
-	if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) {
-		/* We can only create a mapping if winbind is running
-		   and the nested group functionality has been enabled */
+	if (!sid_to_gid(&global_sid_Builtin_Users, &gid)) {
 
-		if ( lp_winbind_nested_groups() && winbind_ping() ) {
-			become_root();
-			status = create_builtin_users( );
-			if ( !NT_STATUS_IS_OK(status) ) {
-				DEBUG(2,("WARNING: Failed to create BUILTIN\\Users group! "
-					 "Can Winbind allocate gids?\n"));
-				/* don't fail, just log the message */
-			}
-			unbecome_root();
+		become_root();
+		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
+			status = NT_STATUS_OK;
+			DEBUG(3, ("Failed to fetch domain sid for %s\n",
+				  lp_workgroup()));
+		} else {
+			status = create_builtin_users(&dom_sid);
+		}
+		unbecome_root();
+
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
+		    !NT_STATUS_IS_OK(status))
+		{
+			DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
+				  "Can Winbind allocate gids?\n"));
 		}
 	}
 
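Review bot: For BUILTIN\Users, NT_STATUS_PROTOCOL_UNREACHABLE is swallowed with neither a log line nor a token-level fallback, while the Administrators block just above falls back to add_builtin_administrators(); a reader will assume a case was forgotten. Presumably this is intentional, since the old code also did nothing when winbindd could not be pinged, so say so: `/* No token-level fallback for Users: without winbindd no gid can be allocated. */`. The same uninitialized-`dom_sid`-on-fetch-failure pattern as the Administrators block is present here, though nothing reads dom_sid afterwards. create_local_nt_token continues past the hunk.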
diff --git a/source/include/proto.h b/source/include/proto.h
index 7e70f3c..01b7a35 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -171,6 +171,8 @@ bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid );
 NT_USER_TOKEN *get_root_nt_token( void );
 NTSTATUS add_aliases(const DOM_SID *domain_sid,
 		     struct nt_user_token *token);
+NTSTATUS create_builtin_users(const DOM_SID *sid);
+NTSTATUS create_builtin_administrators(const DOM_SID *sid);
 struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 					    const DOM_SID *user_sid,
 					    bool is_guest,
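Review bot: The new prototypes name the parameter `sid` while the definitions in token_util.c call it `dom_sid`; the header is the documentation most callers read, and `sid` alone does not say whether the domain SID or the builtin's own SID is expected. Keep the names aligned: `NTSTATUS create_builtin_users(const DOM_SID *dom_sid);` and `NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid);`.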
diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c
index 814eeba..59dec1a 100644
--- a/source/libnet/libnet_join.c
+++ b/source/libnet/libnet_join.c
@@ -1447,6 +1447,37 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
+{
+	NTSTATUS status;
+
+	/* Try adding dom admins to builtin\admins. Only log failures. */
+	status = create_builtin_administrators(domain_sid);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+		DEBUG(10,("Unable to auto-add domain administrators to "
+			  "BUILTIN\\Administrators during join because "
+			  "winbindd must be running."));
+	} else if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5, ("Failed to auto-add domain administrators to "
+			  "BUILTIN\\Administrators during join: %s\n",
+			  nt_errstr(status)));
+	}
+
+	/* Try adding dom users to builtin\users. Only log failures. */
+	status = create_builtin_users(domain_sid);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+		DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
+			  "during join because winbindd must be running."));
+	} else if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5, ("Failed to auto-add domain administrators to "
+			  "BUILTIN\\Administrators during join: %s\n",
+			  nt_errstr(status)));
+	}
+}
+
+/****************************************************************
+****************************************************************/
+
 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
 					  struct libnet_JoinCtx *r)
 {
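Review bot: The failure branch for the Users call logs the Administrators message: the final DEBUG(5) in libnet_join_add_dom_rids_to_builtins is a copy of the one above it, so a failure to add Domain Users will be reported as "Failed to auto-add domain administrators to BUILTIN\Administrators". It should read `DEBUG(5, ("Failed to auto-add domain users to " "BUILTIN\\Users during join: %s\n",`, and the two DEBUG(10) messages also lack a trailing `\n`. Separately, `domain_sid` is passed straight through create_builtin_*() to sid_compose() with no NULL check, and unlike the token_util call sites this path has no become_root()/unbecome_root() around the pdb writes; presumably fine because the join itself runs as root, but a one-line comment stating that assumption would help the next reader.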
@@ -1465,6 +1496,8 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
 		saf_store(r->in.domain_name, r->in.dc_name);
 	}
 
+	libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
+
 	return WERR_OK;
 }
 

