[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Mar 25 11:30:05 MDT 2014
The branch, master has been updated
via a7df00c s3-nmbd: reset debug settings after reading config file (bug #10239)
via a9fa097 s3: smbd: Factor out code that calls getgroups_unix_user() into a separate function.
from 547111b s4:librpc/rpc: use dcerpc_binding_get_object() in order to pass the object to the epmapper
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a7df00c82049547129f063a40a842b156c8aead4
Author: Björn Baumbach <bb at sernet.de>
Date: Wed Mar 19 15:01:11 2014 +0100
s3-nmbd: reset debug settings after reading config file (bug #10239)
Signed-off-by: Björn Baumbach <bb at sernet.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Mar 25 18:29:06 CET 2014 on sn-devel-104
commit a9fa09723bee3588db2168ac13f7ad0334452c11
Author: Jeremy Allison <jra at samba.org>
Date: Sat Mar 22 21:23:48 2014 -0700
s3: smbd: Factor out code that calls getgroups_unix_user() into a separate function.
This code needs to special-case the guest user, as
this token can have the token_sid[0] set to the Guest
SID, not the mapping of UNIX uid -> SID.
Other users that may have a well-known SID
set in token_sid[0] (like SYSTEM) are usually
not mappable to UNIX users and can be ignored
when adding local groups from /etc/group.
Found by <linux at kukkukk.com>.
Second part of the bugfix for:
https://bugzilla.samba.org/show_bug.cgi?id=10508
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/auth/token_util.c | 144 +++++++++++++++++++++++++++++----------------
source3/nmbd/nmbd.c | 4 +
2 files changed, 96 insertions(+), 52 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index bccf1db..82eaaff 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -389,72 +389,112 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
return result;
}
-static NTSTATUS finalize_local_nt_token(struct security_token *result,
- bool is_guest)
+/***************************************************
+ Merge in any groups from /etc/group.
+***************************************************/
+
+static NTSTATUS add_local_groups(struct security_token *result,
+ bool is_guest)
{
- struct dom_sid dom_sid;
- gid_t gid;
- uid_t uid;
- NTSTATUS status;
+ gid_t *gids = NULL;
+ uint32_t getgroups_num_group_sids = 0;
+ struct passwd *pass = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ int i;
- /* result->sids[0] is always the user sid. */
- if (sid_to_uid(&result->sids[0], &uid)) {
+ if (is_guest) {
/*
- * Now we must get any groups this user has been
- * added to in /etc/group and merge them in.
- * This has to be done in every code path
- * that creates an NT token, as remote users
- * may have been added to the local /etc/group
- * database. Tokens created merely from the
- * info3 structs (via the DC or via the krb5 PAC)
- * won't have these local groups. Note the
- * groups added here will only be UNIX groups
- * (S-1-22-2-XXXX groups) as getgroups_unix_user()
- * turns off winbindd before calling getgroups().
- *
- * NB. This is duplicating work already
- * done in the 'unix_user:' case of
- * create_token_from_sid() but won't
- * do anything other than be inefficient
- * in that case.
+ * Guest is a special case. It's always
+ * a user that can be looked up, but
+ * result->sids[0] is set to DOMAIN\Guest.
+ * Lookup by account name instead.
*/
- struct passwd *pass = NULL;
- gid_t *gids = NULL;
- uint32_t getgroups_num_group_sids = 0;
- int i;
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
+ } else {
+ uid_t uid;
+
+ /* For non-guest result->sids[0] is always the user sid. */
+ if (!sid_to_uid(&result->sids[0], &uid)) {
+ /*
+ * Non-mappable SID like SYSTEM.
+ * Can't be in any /etc/group groups.
+ */
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+ }
pass = getpwuid_alloc(tmp_ctx, uid);
if (pass == NULL) {
- DEBUG(1, ("getpwuid(%u) failed\n",
+ DEBUG(1, ("SID %s -> getpwuid(%u) failed\n",
+ sid_string_dbg(&result->sids[0]),
(unsigned int)uid));
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_UNSUCCESSFUL;
}
+ }
- if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
- &gids, &getgroups_num_group_sids)) {
- DEBUG(1, ("getgroups_unix_user for user %s failed\n",
- pass->pw_name));
+ if (!pass) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /*
+ * Now we must get any groups this user has been
+ * added to in /etc/group and merge them in.
+ * This has to be done in every code path
+ * that creates an NT token, as remote users
+ * may have been added to the local /etc/group
+ * database. Tokens created merely from the
+ * info3 structs (via the DC or via the krb5 PAC)
+ * won't have these local groups. Note the
+ * groups added here will only be UNIX groups
+ * (S-1-22-2-XXXX groups) as getgroups_unix_user()
+ * turns off winbindd before calling getgroups().
+ *
+ * NB. This is duplicating work already
+ * done in the 'unix_user:' case of
+ * create_token_from_sid() but won't
+ * do anything other than be inefficient
+ * in that case.
+ */
+
+ if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
+ &gids, &getgroups_num_group_sids)) {
+ DEBUG(1, ("getgroups_unix_user for user %s failed\n",
+ pass->pw_name));
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ for (i=0; i<getgroups_num_group_sids; i++) {
+ NTSTATUS status;
+ struct dom_sid grp_sid;
+ gid_to_sid(&grp_sid, gids[i]);
+
+ status = add_sid_to_array_unique(result,
+ &grp_sid,
+ &result->sids,
+ &result->num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
TALLOC_FREE(tmp_ctx);
- return NT_STATUS_UNSUCCESSFUL;
+ return status;
}
+ }
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_OK;
+}
- for (i=0; i<getgroups_num_group_sids; i++) {
- struct dom_sid grp_sid;
- gid_to_sid(&grp_sid, gids[i]);
+static NTSTATUS finalize_local_nt_token(struct security_token *result,
+ bool is_guest)
+{
+ struct dom_sid dom_sid;
+ gid_t gid;
+ NTSTATUS status;
- status = add_sid_to_array_unique(result,
- &grp_sid,
- &result->sids,
- &result->num_sids);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
- TALLOC_FREE(tmp_ctx);
- return status;
- }
- }
- TALLOC_FREE(tmp_ctx);
+ /* Add any local groups. */
+
+ status = add_local_groups(result, is_guest);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
/* Add in BUILTIN sids */
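Review bot: The guest branch of add_local_groups() fails without logging: when `Get_Pwnam_alloc(tmp_ctx, lp_guest_account())` returns NULL, the shared `if (!pass)` check returns NT_STATUS_UNSUCCESSFUL with no message, whereas the non-guest branch logs the getpwuid failure. finalize_local_nt_token() propagates that status, so a missing or misspelled guest account would presumably break guest token creation with nothing in the log; adding `DEBUG(1, ("Get_Pwnam_alloc(%s) failed for guest account\n", lp_guest_account()));` in the guest branch would make it diagnosable. The early `return NT_STATUS_OK` when sid_to_uid() fails is also silent, so the logs cannot distinguish a token that lost its /etc/group memberships to a mapping failure from one built for a well-known SID such as SYSTEM. A high-level DEBUG there that names the SID via sid_string_dbg() would help when auditing access decisions. finalize_local_nt_token() continues past the end of the hunk.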
diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
index addb416..050afb3 100644
--- a/source3/nmbd/nmbd.c
+++ b/source3/nmbd/nmbd.c
@@ -415,6 +415,8 @@ static bool reload_nmbd_services(bool test)
reload_nmbd_services( True );
}
+ reopen_logs();
+
return(ret);
}
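Review bot: The added `reopen_logs();` calls have no comment saying why they are needed, and the one in reload_nmbd_services() runs on every return path regardless of the value of `ret`. The context line just above it is the recursive `reload_nmbd_services( True );`, so on that path the logs would be reopened twice. If that is intended, a comment such as `/* Re-apply debug settings now that smb.conf has been (re)read. */` above each call would record it, including the second hunk's call before the `lp_server_role()` check. Both enclosing functions start outside their hunks, and whether the result of reopen_logs() should be checked cannot be judged from the lines shown.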
@@ -908,6 +910,8 @@ static bool open_sockets(bool isdaemon, int port)
exit(1);
}
+ reopen_logs();
+
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
&& !lp_parm_bool(-1, "server role check", "inhibit", false)) {
/* TODO: when we have a merged set of defaults for
--
Samba Shared Repository