[PATCH] make 'required_membership_sid' accessible for pam_winbind
Andrew Bartlett
abartlet at samba.org
Tue Jul 13 13:30:07 GMT 2004
On Tue, 2004-07-13 at 19:24, Guenther Deschner wrote:
> Hi,
>
> attached is a new version that adds support for *any* type of sid to make
> successful authentication dependent on (this works now for pam_winbindd and
> ntlm_auth).
Thanks,
> For this to work, I've added aliases to winbindd_getusersids()
> (winbindd_getgroups already enumerates gid-representations of aliases).
>
> It can be tested the easiest with ntlm_auth:
> Add W2K3TEST\Administrator to e.g. BUILTIN\Administrators.
>
> ntlm_auth --username=administrator --password=secret --domain=w2k3test
> --require-membership-of=BUILTIN\\Administrators
>
> The way get_user_sids gets all sids for the user is not very well done, I'm
> afraid. How could it be done cleaner?
Yes, it looks ugly. Why do you have a name->sid call in there? The
existing code already shows how to create a user sid from the RID in the
info3 reply.
And instead of this:
+ /* lookup sids for user_sid */
+ fstrcpy(state->request.data.sid, sid_string_static(&user_sid));
+
+ if (!winbindd_getusersids(state))
+ return NT_STATUS_UNSUCCESSFUL;
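Review bot: the fstrcpy() into state->request.data.sid overwrites part of the in-flight client request just to pass an argument to winbindd_getusersids(state), so anything the auth path reads from state->request.data after this point is no longer what the client sent; pass the SID to a helper that takes it as a parameter instead. The bare "return NT_STATUS_UNSUCCESSFUL" is correctly fail-closed, but it gives the caller no way to tell a failed SID lookup from any other failure, so log the lookup error or return a more specific status there.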
You should patch the winbindd_getusersids() to have a wrapper, and a
function with 'normal' arguments, and call that from within winbindd.
Andrew Bartlett
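
The two suggestions in the reply above (build the account SID from the RID in the info3 reply, and give the lookup a function with ordinary arguments), as an added example that is not code from the patch or from Samba. `struct sid`, `sid_compose`, `sid_eq`, `user_has_required_sid` and the sample values are assumptions made for illustration; Samba's own SID type and helpers differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBAUTHS 15
/* Simplified SID for this example only; not Samba's own SID type. */
struct sid {
    uint8_t  num_auths;
    uint32_t id_auth;                 /* 5 = NT authority */
    uint32_t sub_auths[MAX_SUBAUTHS];
};
/* Constructed sample values: a made-up domain SID and S-1-5-32-544. */
static const struct sid SAMPLE_DOMAIN = {4, 5, {21, 1111, 2222, 3333}};
static const struct sid BUILTIN_ADMINS = {2, 5, {32, 544}};

/* domain SID + RID -> account SID; false if the RID does not fit. */
static bool sid_compose(struct sid *out, const struct sid *dom, uint32_t rid)
{
    if (dom->num_auths >= MAX_SUBAUTHS)
        return false;
    *out = *dom;
    out->sub_auths[out->num_auths++] = rid;
    return true;
}
static bool sid_eq(const struct sid *a, const struct sid *b)
{
    return a->num_auths == b->num_auths && a->id_auth == b->id_auth &&
           memcmp(a->sub_auths, b->sub_auths,
                  a->num_auths * sizeof(uint32_t)) == 0;
}

/* Plain-argument check; a request-struct wrapper would only unpack and call it. */
bool user_has_required_sid(const struct sid *dom, uint32_t user_rid,
                           const uint32_t *group_rids, size_t n_groups,
                           const struct sid *aliases, size_t n_aliases,
                           const struct sid *required)
{
    struct sid s;
    size_t i;
    if (!sid_compose(&s, dom, user_rid))
        return false;                 /* malformed domain SID: fail closed */
    if (sid_eq(&s, required))
        return true;
    for (i = 0; i < n_groups; i++)
        if (sid_compose(&s, dom, group_rids[i]) && sid_eq(&s, required))
            return true;
    for (i = 0; i < n_aliases; i++)   /* aliases arrive as full SIDs */
        if (sid_eq(&aliases[i], required))
            return true;
    return false;
}
```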