[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Tue Jun 19 05:35:03 MDT 2012
The branch, master has been updated
via 4f15b47 s3-auth: make_new_system_info_session() now does not query nss
via 5c67599 s3-auth: make_new_system_info_session() not query passdb
via 8ecee11 s3-auth: inline make_session_info functions into only callers
via e49656e auth: Use only security_token_is_system to determine that a user is SYSTEM
via 873ec60 s3-auth: Fix system token as just being SID_NT_SYSTEM
via faf24ed s3-spoolss: delete_drivers should be called as the connecting user.
from 7e80b89 ntdb: add autoconf support.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4f15b47324e437cf502b3165553138b7e6ab474b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 14 09:41:05 2012 +1000
s3-auth: make_new_system_info_session() now does not query nss
This is important in some situations where these queries might be
costly LDAP queries and is just not required for the system token.
This is because the system token should be just the NT
AUTHORITY\SYSTEM user and just enough unix info to allow the token to
be used.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Jun 19 13:34:28 CEST 2012 on sn-devel-104
commit 5c67599650f2cb1974a0ea05f78cb414e19da72a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 12 17:15:19 2012 +1000
s3-auth: make_new_system_info_session() not query passdb
This is important in some situations where these queries might be
costly LDAP queries and is just not required for the system token.
This is because the system token should be just the NT
AUTHORITY\SYSTEM user and just enough unix info to allow the token to
be used.
We query only NSS to get the name of sec_initial_uid()
Signed-off-by: Andreas Schneider <asn at samba.org>
commit 8ecee11790c68948a12bdc46f07a05586c8afaf6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jun 3 23:12:22 2012 +1000
s3-auth: inline make_session_info functions into only callers
With the split up to handle system specially, there is no need for these
static helper functions any more.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn at samba.org>
commit e49656e2ee596a481277a5a2c3dd5d3969411c19
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jun 3 22:34:13 2012 +1000
auth: Use only security_token_is_system to determine that a user is SYSTEM
This removes the duplication on how to detect that a user is system in Samba
now that the smbd system account is also only SID_NT_SYSTEM we can use the same
check everywhere.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn at samba.org>
commit 873ec60f5406aecdbb1f6a1149af517f21939e43
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jun 3 22:21:42 2012 +1000
s3-auth: Fix system token as just being SID_NT_SYSTEM
This removes the SID matching the sec_initial_uid().
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn at samba.org>
commit faf24ed6ced23dbeb560beaa5b44eea7f2520d6f
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jun 19 09:48:38 2012 +0200
s3-spoolss: delete_drivers should be called as the connecting user.
Signed-off-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/auth.idl | 5 -
source3/auth/auth_util.c | 170 ++++++++++-----------------
source3/rpc_server/samr/srv_samr_nt.c | 2 +-
source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
source4/auth/unix_token.c | 2 -
5 files changed, 64 insertions(+), 117 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index b0494f9..0bed671 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -60,11 +60,6 @@ interface auth
} auth_user_info_torture;
typedef [public] struct {
- /* These match exactly the values from the
- * auth_serversupplied_info, but should be changed to
- * checks involving just the SIDs */
- boolean8 system;
-
[unique,charset(UTF8),string] char *unix_name;
/*
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index eb5961d..b38ee48 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -506,8 +506,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
session_info->unix_info->sanitized_username =
talloc_strdup(session_info->unix_info, tmp);
- session_info->unix_info->system = server_info->system;
-
if (session_key) {
data_blob_free(&session_info->session_key);
session_info->session_key = data_blob_talloc(session_info,
@@ -533,9 +531,8 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
if (server_info->security_token) {
/* Just copy the token, it has already been finalised
- * (nasty hack to support a cached guest session_info,
- * and a possible strategy for auth_samba4 to pass in
- * a finalised session) */
+ * (nasty hack to support a cached guest/system session_info
+ */
session_info->security_token = dup_nt_token(session_info, server_info->security_token);
if (!session_info->security_token) {
@@ -772,26 +769,16 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
}
static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
- struct passwd *pwd,
struct netr_SamInfo3 *info3)
{
NTSTATUS status;
struct dom_sid *system_sid;
- const char *tmp;
/* Set account name */
- tmp = talloc_strdup(mem_ctx, pwd->pw_name);
- if (tmp == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- init_lsa_String(&info3->base.account_name, tmp);
+ init_lsa_String(&info3->base.account_name, "SYSTEM");
/* Set domain name */
- tmp = talloc_strdup(mem_ctx, get_global_sam_name());
- if (tmp == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- init_lsa_StringLarge(&info3->base.logon_domain, tmp);
+ init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY");
/* The SID set here will be overwirtten anyway, but try and make it SID_NT_SYSTEM anyway */
@@ -936,129 +923,89 @@ done:
return status;
}
-/****************************************************************************
- Fake a auth_session_info just from a username (as a
- session_info structure, with create_local_token() already called on
- it.
-****************************************************************************/
+/***************************************************************************
+ Make (and fill) a auth_session_info struct for a system user login.
+ This *must* succeed for smbd to start.
+***************************************************************************/
-static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
- struct passwd *pwd,
- struct auth_session_info **session_info)
+static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
+ struct auth_session_info **session_info)
{
+ NTSTATUS status;
struct auth_serversupplied_info *server_info;
- const char *domain = lp_netbios_name();
- struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
- NTSTATUS status;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
- ZERO_STRUCT(info3);
-
- status = get_system_info3(tmp_ctx, pwd, &info3);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed creating system info3 with %s\n",
- nt_errstr(status)));
+ server_info = make_server_info(tmp_ctx);
+ if (!server_info) {
+ status = NT_STATUS_NO_MEMORY;
+ DEBUG(0, ("failed making server_info\n"));
goto done;
}
- status = make_server_info_info3(tmp_ctx,
- pwd->pw_name,
- domain,
- &server_info,
- &info3);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("make_server_info_info3 failed with %s\n",
- nt_errstr(status)));
+ server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3);
+ if (!server_info->info3) {
+ status = NT_STATUS_NO_MEMORY;
+ DEBUG(0, ("talloc failed setting info3\n"));
goto done;
}
- server_info->nss_token = true;
-
- /* Now turn the server_info into a session_info with the full token etc */
- status = create_local_token(mem_ctx, server_info, NULL, pwd->pw_name, session_info);
+ status = get_system_info3(server_info, server_info->info3);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("create_local_token failed: %s\n",
+ DEBUG(0, ("Failed creating system info3 with %s\n",
nt_errstr(status)));
goto done;
}
- talloc_free(server_info);
+ server_info->utok.uid = sec_initial_uid();
+ server_info->utok.gid = sec_initial_gid();
+ server_info->unix_name = talloc_asprintf(server_info,
+ "NT AUTHORITY%cSYSTEM",
+ *lp_winbind_separator());
- /* SYSTEM has all privilages */
- (*session_info)->security_token->privilege_mask = ~0;
-
- talloc_steal(mem_ctx, *session_info);
-
- status = NT_STATUS_OK;
-done:
- TALLOC_FREE(tmp_ctx);
- return status;
-}
-
-static NTSTATUS make_session_info_from_pw(TALLOC_CTX *mem_ctx,
- struct passwd *pwd,
- bool is_guest,
- struct auth_session_info **session_info)
-{
- struct auth_serversupplied_info *result;
- NTSTATUS status;
+ if (!server_info->unix_name) {
+ status = NT_STATUS_NO_MEMORY;
+ DEBUG(0, ("talloc_asprintf failed setting unix_name\n"));
+ goto done;
+ }
- status = make_server_info_pw(&result, pwd->pw_name, pwd);
+ server_info->security_token = talloc_zero(server_info, struct security_token);
+ if (!server_info->security_token) {
+ status = NT_STATUS_NO_MEMORY;
+ DEBUG(0, ("talloc failed setting security token\n"));
+ goto done;
+ }
+ status = add_sid_to_array_unique(server_info->security_token->sids,
+ &global_sid_System,
+ &server_info->security_token->sids,
+ &server_info->security_token->num_sids);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto done;
}
- result->nss_token = true;
- result->guest = is_guest;
+ /* SYSTEM has all privilages */
+ server_info->security_token->privilege_mask = ~0;
/* Now turn the server_info into a session_info with the full token etc */
- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
- talloc_free(result);
- return status;
-}
-
-/***************************************************************************
- Make (and fill) a auth_session_info struct for a system user login.
- This *must* succeed for smbd to start.
-***************************************************************************/
-
-static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
- struct auth_session_info **session_info)
-{
- struct passwd *pwd;
- NTSTATUS status;
-
- pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
- if (pwd == NULL) {
- return NT_STATUS_NO_SUCH_USER;
- }
+ status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info);
+ talloc_free(server_info);
- status = make_system_session_info_from_pw(mem_ctx,
- pwd,
- session_info);
- TALLOC_FREE(pwd);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ DEBUG(0, ("create_local_token failed: %s\n",
+ nt_errstr(status)));
+ goto done;
}
- (*session_info)->unix_info->system = true;
-
- status = add_sid_to_array_unique((*session_info)->security_token->sids,
- &global_sid_System,
- &(*session_info)->security_token->sids,
- &(*session_info)->security_token->num_sids);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE((*session_info));
- return status;
- }
+ talloc_steal(mem_ctx, *session_info);
- return NT_STATUS_OK;
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
}
/****************************************************************************
@@ -1074,20 +1021,27 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
{
struct passwd *pwd;
NTSTATUS status;
+ struct auth_serversupplied_info *result;
pwd = Get_Pwnam_alloc(talloc_tos(), username);
if (pwd == NULL) {
return NT_STATUS_NO_SUCH_USER;
}
- status = make_session_info_from_pw(mem_ctx, pwd, is_guest, session_info);
+ status = make_server_info_pw(&result, pwd->pw_name, pwd);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(pwd);
return status;
}
+ result->nss_token = true;
+ result->guest = is_guest;
+
+ /* Now turn the server_info into a session_info with the full token etc */
+ status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
+ TALLOC_FREE(result);
TALLOC_FREE(pwd);
+
return status;
}
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 77888ea..b52e88c 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -2711,7 +2711,7 @@ static NTSTATUS get_user_info_18(struct pipes_struct *p,
ZERO_STRUCTP(r);
- if (p->session_info->unix_info->system) {
+ if (security_token_is_system(p->session_info->security_token)) {
goto query;
}
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index 2b0387d..d8ad1ac 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2202,7 +2202,7 @@ static WERROR spoolss_dpd_version(TALLOC_CTX *mem_ctx,
* because the driver doesn not exist any more
*/
if (delete_files) {
- delete_driver_files(get_session_info_system(), info);
+ delete_driver_files(p->session_info, info);
}
done:
diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c
index 7a7d464..3810945 100644
--- a/source4/auth/unix_token.c
+++ b/source4/auth/unix_token.c
@@ -142,8 +142,6 @@ NTSTATUS auth_session_info_fill_unix(struct wbc_context *wbc_ctx,
session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info);
- session_info->unix_info->system = security_token_is_system(session_info->security_token);
-
session_info->unix_info->unix_name = talloc_asprintf(session_info->unix_info,
"%s%s%s", session_info->info->domain_name,
lpcfg_winbind_separator(lp_ctx),
--
Samba Shared Repository
More information about the samba-cvs
mailing list