[PATCH] make 'required_membership_sid' accessible for pam_winbind

Andrew Bartlett abartlet at samba.org
Tue Jul 13 13:30:07 GMT 2004


On Tue, 2004-07-13 at 19:24, Guenther Deschner wrote:
> Hi,
> 
> attached is a new version that adds support for *any* type of sid to make
> successful authentication dependent on (this works now for pam_winbindd and
> ntlm_auth).

Thanks,

> For this to work, I've added aliases to winbindd_getusersids()
> (winbindd_getgroups already enumerates gid-representations of aliases).
> 
> It can be tested the easiest with ntlm_auth:
> Add W2K3TEST\Administrator to e.g. BUILTIN\Administrators.
> 
> ntlm_auth --username=administrator --password=secret --domain=w2k3test
> --require-membership-of=BUILTIN\\Administrators
> 
> The way get_user_sids gets all sids for the user is not very well done, I'm
> afraid. How could it be done cleaner?

Yes, it looks ugly.  Why do you have a name->sid call in there?  The
existing code already shows how to create a user sid from the RID in the
info3 reply.

And instead of this:

+       /* lookup sids for user_sid */
+       fstrcpy(state->request.data.sid, sid_string_static(&user_sid));
+       
+       if (!winbindd_getusersids(state))
+               return NT_STATUS_UNSUCCESSFUL;
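
Review bot: the fstrcpy() into state->request.data.sid overwrites a field of the request that is still being handled, so if anything after this point reads state->request for the original authentication data it will find the SID string instead; passing &user_sid directly to a helper that takes the SID as an argument would leave the request untouched. The "if (!winbindd_getusersids(state))" branch also folds every failure into NT_STATUS_UNSUCCESSFUL. Since this lookup feeds a membership requirement, check that every caller treats that status as a denial, and consider returning a more specific status so a failed lookup can be told apart from a user who is not a member.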

You should patch the winbindd_getusersids() to have a wrapper, and a
function with 'normal' arguments, and call that from within winbindd.

Andrew Bartlett