[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Wed Aug 15 11:57:04 MDT 2012


The branch, v3-6-test has been updated
       via  68aedaf Revert "s3:auth make sure the primary group sid is usable"
      from  d80fbbe s3: Fix a crash in reply_lockingX_error

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 68aedaf59787971cd9520cef3a345d99da079ca3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jul 15 12:22:44 2012 +1000

    Revert "s3:auth make sure the primary group sid is usable"
    
    This reverts commit 00089fd74af740f832573d904312854e494a869e.
    
    The issue with this patch, which I did sign off on, is that for the
    domain member case, we already know that the SID is reasonable and
    valid, and we indeed rely on that, because we keep it as an additional
    group anyway.  The primary group is not so special that we need to do
    extra validation.
    
    Calling this function may put a user into the domain 'domain users'
    group, even if they are not in that group to start with.
    
    Andrew Bartlett
    
    Fix bug #9066 - Domain Users incorrectly added as additional group on domain
    members.

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_util.c |   43 +++++++++++++------------------------------
 1 files changed, 13 insertions(+), 30 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index c7e266a..cb1d319 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1250,11 +1250,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	char *found_username = NULL;
 	const char *nt_domain;
 	const char *nt_username;
+	struct dom_sid user_sid;
+	struct dom_sid group_sid;
 	bool username_was_mapped;
 	struct passwd *pwd;
 	struct auth_serversupplied_info *result;
-	struct dom_sid *group_sid;
-	struct netr_SamInfo3 *i3;
 
 	/* 
 	   Here is where we should check the list of
@@ -1262,6 +1262,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	   matches.
 	*/
 
+	if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (!sid_compose(&group_sid, info3->base.domain_sid,
+			 info3->base.primary_gid)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
 	if (!nt_username) {
 		/* If the server didn't give us one, just use the one we sent
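Review bot: `user_sid` and `group_sid` are composed here but not read in any of the hunks shown, so these two calls appear to serve only as a sanity check on `info3->base.domain_sid` and the two RIDs. If that is the intent, say so above the first call, e.g. `/* Validation only: reject an info3 whose domain SID cannot carry the user or primary group RID */`, otherwise a later cleanup may delete them as dead code. `sid_compose()` is not visible on this page; if it dereferences its source SID, a reply without `domain_sid` would need `if (info3->base.domain_sid == NULL) return NT_STATUS_INVALID_PARAMETER;` ahead of it. The body of make_server_info_info3 starts and ends outside the hunk.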
@@ -1313,43 +1322,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	}
 
 	/* copy in the info3 */
-	result->info3 = i3 = copy_netr_SamInfo3(result, info3);
+	result->info3 = copy_netr_SamInfo3(result, info3);
 	if (result->info3 == NULL) {
 		TALLOC_FREE(result);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	/* Fill in the unix info we found on the way */
+
 	result->utok.uid = pwd->pw_uid;
 	result->utok.gid = pwd->pw_gid;
 
-	/* We can't just trust that the primary group sid sent us is something
-	 * we can really use. Obtain the useable sid, and store the original
-	 * one as an additional group if it had to be replaced */
-	nt_status = get_primary_group_sid(mem_ctx, found_username,
-					  &pwd, &group_sid);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		TALLOC_FREE(result);
-		return nt_status;
-	}
-
-	/* store and check if it is the same we got originally */
-	sid_peek_rid(group_sid, &i3->base.primary_gid);
-	if (i3->base.primary_gid != info3->base.primary_gid) {
-		uint32_t n = i3->base.groups.count;
-		/* not the same, store the original as an additional group */
-		i3->base.groups.rids =
-			talloc_realloc(i3, i3->base.groups.rids,
-					struct samr_RidWithAttribute, n + 1);
-		if (i3->base.groups.rids == NULL) {
-			TALLOC_FREE(result);
-			return NT_STATUS_NO_MEMORY;
-		}
-		i3->base.groups.rids[n].rid = info3->base.primary_gid;
-		i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
-		i3->base.groups.count = n + 1;
-	}
-
 	/* ensure we are never given NULL session keys */
 
 	if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
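Review bot: With the `get_primary_group_sid()` block removed, `result->utok.gid` is taken from `pwd->pw_gid` while `result->info3->base.primary_gid` stays exactly as supplied in `info3`, and nothing in the hunk records that these two may name different groups. The commit message justifies this for the domain member case only; whether every caller of make_server_info_info3 passes an info3 from a trusted DC is not visible here. I would document the assumption next to the copy, e.g. `/* primary_gid is used as supplied; callers must pass an info3 from a trusted source */`. The stray blank line added after the `Fill in the unix info` comment can be dropped. The function continues past the end of the hunk.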


-- 
Samba Shared Repository

