New approach to "valid users" fix
Hansjörg Maurer
hansjoerg.maurer at dlr.de
Fri Aug 11 22:21:55 GMT 2006
Hi Jerry
I had problems with the ACL editor (described on wednesday) on
an AD member server where all users (of the AD Domain) are available
on the underlying unix
systems as NIS users to (and all groups are only NIS groups)
Should I try this patch and report the results to or is my problem
completly different.
Sorry, that I do not understand the complete connections in this thread
and thank you
for your hard efforts in solving this strange problems
Greetings from munich
hansjörg
>
> I think will also fix the ACL editor problem with smbpasswd
> backends where it was displaying a raw SID.
>
>
>
> cheers, jerry
-------------------------
diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes
samba-3.0.23b/source/auth/auth_util.c
samba-3.0.23b-patched/source/auth/auth_util.c
--- samba-3.0.23b/source/auth/auth_util.c 2006-08-07
11:46:33.000000000 -0500
+++ samba-3.0.23b-patched/source/auth/auth_util.c 2006-08-11
10:03:44.000000000 -0500
@@ -1052,9 +1052,8 @@
return NT_STATUS_NO_MEMORY;
}
- if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
- NULL, NULL, &user_sid, &type)) {
- DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
+ if (!lookup_user_smbconf(tmp_ctx, username, &user_sid, &type)) {
+ DEBUG(1, ("lookup_user_smbconf(%s) failed\n", username));
goto done;
}
diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes
samba-3.0.23b/source/include/smb.h
samba-3.0.23b-patched/source/include/smb.h
--- samba-3.0.23b/source/include/smb.h 2006-07-10 11:27:52.000000000
-0500
+++ samba-3.0.23b-patched/source/include/smb.h 2006-08-11
10:03:44.000000000 -0500
@@ -272,7 +272,7 @@
#define LOOKUP_NAME_REMOTE 2 /* Ask others */
#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
-#define LOOKUP_NAME_GROUP 4 /* This is a NASTY hack for valid users
= @foo
+#define LOOKUP_NAME_GROUP 4 /* (unused) This is a NASTY hack for
valid users = @foo
* where foo also exists in as user. */
/**
diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes
samba-3.0.23b/source/passdb/lookup_sid.c
samba-3.0.23b-patched/source/passdb/lookup_sid.c
--- samba-3.0.23b/source/passdb/lookup_sid.c 2006-08-07
11:46:33.000000000 -0500
+++ samba-3.0.23b-patched/source/passdb/lookup_sid.c 2006-08-11
10:03:44.000000000 -0500
@@ -120,63 +120,6 @@
goto failed;
}
- /*
- * Nasty hack necessary for too common scenarios:
- *
- * For 'valid users = +users' we know "users" is most probably not
- * BUILTIN\users but the unix group users. This hack requires the
- * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
- *
- * Please note that LOOKUP_NAME_GROUP can not be requested via for
- * example lsa_lookupnames, it only comes into this routine via
- * the expansion of group names coming in from smb.conf
- */
-
- if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) {
-
- GROUP_MAP map;
-
- if (pdb_getgrgid(&map, grp->gr_gid)) {
- /* The hack gets worse. Handle the case where we have
- * 'force group = +unixgroup' but "unixgroup" has a
- * group mapping */
-
- if (sid_check_is_in_builtin(&map.sid)) {
- domain = talloc_strdup(
- tmp_ctx, builtin_domain_name());
- } else {
- domain = talloc_strdup(
- tmp_ctx, get_global_sam_name());
- }
-
- sid_copy(&sid, &map.sid);
- type = map.sid_name_use;
- goto ok;
- }
-
- /* If we are using the smbpasswd backend, we need to use the
- * algorithmic mapping for the unix group we find. This is
- * necessary because when creating the NT token from the unix
- * gid list we got from initgroups() we use gid_to_sid() that
- * uses algorithmic mapping if pdb_rid_algorithm() is true. */
-
- if (pdb_rid_algorithm() &&
- (grp->gr_gid < max_algorithmic_gid())) {
- domain = talloc_strdup(tmp_ctx, get_global_sam_name());
- sid_compose(&sid, get_global_sam_sid(),
- pdb_gid_to_group_rid(grp->gr_gid));
- type = SID_NAME_DOM_GRP;
- goto ok;
- }
-
- if (lookup_unix_group_name(name, &sid)) {
- domain = talloc_strdup(tmp_ctx,
- unix_groups_domain_name());
- type = SID_NAME_DOM_GRP;
- goto ok;
- }
- }
-
/* Now the guesswork begins, we haven't been given an explicit
* domain. Try the sequence as documented on
*
http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
@@ -357,71 +300,56 @@
}
/************************************************************************
- Names from smb.conf can be unqualified. eg. valid users = foo
- These names should never map to a remote name. Try global_sam_name()\foo,
- and then "Unix Users"\foo (or "Unix Groups"\foo).
************************************************************************/
-BOOL lookup_name_smbconf(TALLOC_CTX *mem_ctx,
- const char *full_name, int flags,
- const char **ret_domain, const char **ret_name,
- DOM_SID *ret_sid, enum SID_NAME_USE *ret_type)
+BOOL lookup_user_smbconf( TALLOC_CTX *mem_ctx, const char *full_name,
+ DOM_SID *ret_sid, enum SID_NAME_USE *ret_type)
{
- char *qualified_name;
- const char *p;
-
- /* NB. No winbindd_separator here as lookup_name needs \\' */
- if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
-
- /* The name is already qualified with a domain. */
-
- if (*lp_winbind_separator() != '\\') {
- char *tmp;
-
- /* lookup_name() needs '\\' as a separator */
+ struct passwd *pw;
- tmp = talloc_strdup(mem_ctx, full_name);
- if (!tmp) {
- return False;
- }
- tmp[p - full_name] = '\\';
- full_name = tmp;
- }
-
- return lookup_name(mem_ctx, full_name, flags,
- ret_domain, ret_name,
- ret_sid, ret_type);
+ if ( (pw = sys_getpwnam( full_name ) ) == NULL ) {
+ DEBUG(5,("lookup_user_smbconf: Failed to convert %s to a uid.\n",
+ full_name));
+ return False;
}
-
- /* Try with our own SAM name. */
- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
- get_global_sam_name(),
- full_name );
- if (!qualified_name) {
+
+ uid_to_sid( ret_sid, pw->pw_uid );
+
+ if ( !lookup_sid( mem_ctx, ret_sid, NULL, NULL, ret_type ) ) {
+ DEBUG(0,("lookup_user_smbconf: lookup_sid() failed! This
should not happen!\n"));
return False;
}
+
+ return True;
+}
- if (lookup_name(mem_ctx, qualified_name, flags,
- ret_domain, ret_name,
- ret_sid, ret_type)) {
- return True;
- }
+/************************************************************************
+************************************************************************/
- /* Finally try with "Unix Users" or "Unix Group" */
- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
- flags & LOOKUP_NAME_GROUP ?
- unix_groups_domain_name() :
- unix_users_domain_name(),
- full_name );
- if (!qualified_name) {
+BOOL lookup_group_smbconf( TALLOC_CTX *mem_ctx, const char *full_name,
+ DOM_SID *ret_sid, enum SID_NAME_USE *ret_type)
+{
+ struct group *grp;
+
+ if ( (grp = sys_getgrnam( full_name ) ) == NULL ) {
+ DEBUG(5,("lookup_group_smbconf: Failed to convert %s to a gid.\n",
+ full_name));
return False;
}
-
- return lookup_name(mem_ctx, qualified_name, flags,
- ret_domain, ret_name,
- ret_sid, ret_type);
+
+ gid_to_sid( ret_sid, grp->gr_gid );
+
+ if ( !lookup_sid( mem_ctx, ret_sid, NULL, NULL, ret_type ) ) {
+ DEBUG(0,("lookup_group_smbconf: lookup_sid() failed! This
should not happen!\n"));
+ return False;
+ }
+
+ return True;
}
+/************************************************************************
+************************************************************************/
+
static BOOL winbind_lookup_rids(TALLOC_CTX *mem_ctx,
const DOM_SID *domain_sid,
int num_rids, uint32 *rids,
diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes
samba-3.0.23b/source/passdb/pdb_interface.c
samba-3.0.23b-patched/source/passdb/pdb_interface.c
--- samba-3.0.23b/source/passdb/pdb_interface.c 2006-07-21
11:22:57.000000000 -0500
+++ samba-3.0.23b-patched/source/passdb/pdb_interface.c 2006-08-11
10:03:44.000000000 -0500
@@ -1532,20 +1532,53 @@
return True;
}
-
- /* Windows will always map RID 513 to something. On a non-domain
- controller, this gets mapped to SERVER\None. */
- if ( unix_id ) {
- DEBUG(5, ("Can't find a unix id for an unmapped group\n"));
- return False;
+ /* if we don't need a bvalid uid or gid, just see if
+ we can resolve the name. Windows will always map
+ RID 513 to something. On a non-domain controller,
+ this gets mapped to SERVER\None. */
+
+ if ( !unix_id && rid == DOMAIN_GROUP_RID_USERS ) {
+ *name = talloc_strdup(mem_ctx, "None" );
+ *psid_name_use = SID_NAME_DOM_GRP;
+
+ return True;
}
- if ( rid == DOMAIN_GROUP_RID_USERS ) {
- *name = talloc_strdup(mem_ctx, "None" );
+ /* we haven't resolved the RID at this point. But
+ if the passdb is using a RID algorithm, we should
+ just apply the invese function */
+
+ if ( pdb_rid_algorithm() ) {
+ uid_t uid;
+ gid_t gid;
+ struct passwd *pw;
+ struct group *grp;
+
+ /* Is it is a user? */
+
+ if ( algorithmic_pdb_rid_is_user(rid) ) {
+ uid = algorithmic_pdb_user_rid_to_uid( rid );
+ if ( (pw = sys_getpwuid(uid) ) == NULL ) {
+ return False;
+ }
+ *name = talloc_strdup(mem_ctx, pw->pw_name );
+ *psid_name_use = SID_NAME_USER;
+
+ return True;
+ }
+
+ /* else it's a group */
+
+ gid = pdb_group_rid_to_gid( rid );
+ if ( (grp = getgrgid( gid )) == NULL ) {
+ return False;
+ }
+ *name = talloc_strdup(mem_ctx, grp->gr_name );
*psid_name_use = SID_NAME_DOM_GRP;
return True;
+
}
return False;
diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes
samba-3.0.23b/source/smbd/service.c
samba-3.0.23b-patched/source/smbd/service.c
--- samba-3.0.23b/source/smbd/service.c 2006-08-07 11:46:33.000000000
-0500
+++ samba-3.0.23b-patched/source/smbd/service.c 2006-08-11
10:03:44.000000000 -0500
@@ -443,11 +443,8 @@
groupname = talloc_string_sub(mem_ctx, groupname,
"%S", lp_servicename(snum));
- if (!lookup_name_smbconf(mem_ctx, groupname,
- LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
- NULL, NULL, &group_sid, &type)) {
- DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
- groupname));
+ if (!lookup_group_smbconf(mem_ctx, groupname, &group_sid, &type)) {
+ DEBUG(10, ("lookup_group_smbconf(%s) failed\n", groupname));
goto done;
}
diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes
samba-3.0.23b/source/smbd/share_access.c
samba-3.0.23b-patched/source/smbd/share_access.c
--- samba-3.0.23b/source/smbd/share_access.c 2006-08-07
11:46:33.000000000 -0500
+++ samba-3.0.23b-patched/source/smbd/share_access.c 2006-08-11
10:03:44.000000000 -0500
@@ -94,8 +94,7 @@
}
if (!do_group_checks(&name, &prefix)) {
- if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
- NULL, NULL, &sid, &type)) {
+ if (!lookup_user_smbconf(mem_ctx, name, &sid, &type)) {
DEBUG(5, ("lookup_name %s failed\n", name));
return False;
}
@@ -109,9 +108,7 @@
for (/* initialized above */ ; *prefix != '\0'; prefix++) {
if (*prefix == '+') {
- if (!lookup_name_smbconf(mem_ctx, name,
- LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
- NULL, NULL, &sid, &type)) {
+ if (!lookup_group_smbconf(mem_ctx, name, &sid, &type)) {
DEBUG(5, ("lookup_name %s failed\n", name));
return False;
}
More information about the samba-technical
mailing list