[PATCH] fix creation of builtins when "tdbsam:map builtin = false"

Michael Adam obnox at samba.org
Mon May 12 02:09:01 MDT 2014


Hi!

Any comments? This fixes a real bug... ;-)

Thanks - Michael

On 2014-05-03 at 03:07 +0200, Michael Adam wrote:
> Attached find a patch with a fix for $SUBJECT.
> (And explanation in the commit msg).
> 
> comments / review / push appreciated!
> 
> Thanks - Michael

> From 0b5204d3d8a549cdfdd1428db8eb17bb270b4ce8 Mon Sep 17 00:00:00 2001
> From: Michael Adam <obnox at samba.org>
> Date: Sat, 3 May 2014 02:59:37 +0200
> Subject: [PATCH] smbd: fix creation of BUILTIN\{Administrators,Users} when
>  "tdbsam:map builtin = false"
> 
> In this case, passdb/group mapping is not responsible for the id mapping
> of the builtins, so the check whether the SID maps to a unix ID is not
> valid for checking whether the builtin has been created as a proper group.
> So this patch changes the check to whether we find the builtin in the group
> mapping database.
> 
> Signed-off-by: Michael Adam <obnox at samba.org>
> ---
>  source3/auth/token_util.c |   15 +++++++++++++--
>  1 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
> index 82eaaff..e3ad4a3 100644
> --- a/source3/auth/token_util.c
> +++ b/source3/auth/token_util.c
> @@ -489,6 +489,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
>  	struct dom_sid dom_sid;
>  	gid_t gid;
>  	NTSTATUS status;
> +	struct acct_info *info;
>  
>  	/* Add any local groups. */
>  
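Review bot: `gid_t gid;` stays declared although both `sid_to_gid(..., &gid)` calls shown in this patch are removed. If nothing outside these hunks still uses it, the declaration should be dropped in the same commit to avoid an unused-variable warning. The rest of finalize_local_nt_token is not visible here, so this needs checking against the full function. Declaring the new pointer as `struct acct_info *info = NULL;` would also keep any later `TALLOC_FREE(info)` safe on every path.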
> @@ -527,11 +528,18 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
>  		}
>  	}
>  
> +	info = talloc_zero(talloc_tos(), struct acct_info);
> +	if (info == NULL) {
> +		DEBUG(0, ("talloc failed!\n"));
> +		return NT_STATUS_NO_MEMORY;
> +	}
> +
>  	/* Deal with the BUILTIN\Administrators group.  If the SID can
>  	   be resolved then assume that the add_aliasmem( S-1-5-32 )
>  	   handled it. */
>  
> -	if (!sid_to_gid(&global_sid_Builtin_Administrators, &gid)) {
> +	status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info);
> +	if (!NT_STATUS_IS_OK(status)) {
>  
>  		become_root();
>  		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
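Review bot: The new test `if (!NT_STATUS_IS_OK(status))` treats every failure of `pdb_get_aliasinfo()` as "builtin not created yet", so an allocation failure or a passdb backend error also enters the `become_root()` creation path while a token is being built. Only the not-found result should trigger creation. If the backends report a missing alias as `NT_STATUS_NO_SUCH_ALIAS` (to be confirmed per passdb backend), the condition could be `if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_ALIAS)) {`, with other errors logged via `DEBUG` rather than silently taken as "missing". The same applies to the `global_sid_Builtin_Users` lookup in the next hunk. The `if` body continues past the end of this hunk.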
> @@ -562,7 +570,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
>  	   be resolved then assume that the add_aliasmem( S-1-5-32 )
>  	   handled it. */
>  
> -	if (!sid_to_gid(&global_sid_Builtin_Users, &gid)) {
> +	status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info);
> +	if (!NT_STATUS_IS_OK(status)) {
>  
>  		become_root();
>  		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
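Review bot: The comment above this check still reads "be resolved then assume that the add_aliasmem( S-1-5-32 ) handled it", which no longer matches the code. The condition is now whether the alias is found in the group mapping database, not whether the SID resolves to a unix ID. The same stale wording precedes the Administrators check in the previous hunk. A replacement along the lines of `/* Deal with the BUILTIN\Users group. If the alias is already in the group mapping db, assume it has been created. */` would keep the comment in step with the commit message. The comment starts outside this hunk.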
> @@ -582,6 +591,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
>  		}
>  	}
>  
> +	TALLOC_FREE(info);
> +
>  	/* Deal with local groups */
>  
>  	if (lp_winbind_nested_groups()) {
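Review bot: `info` is released only at this `TALLOC_FREE(info)`, so any `return` inside the two builtin blocks leaves it for the `talloc_tos()` stackframe to reclaim. Those block bodies are mostly outside the visible hunks, so whether such returns exist cannot be confirmed here. That is probably harmless while the caller owns a stackframe, but the reliance should be stated, e.g. `/* info is on talloc_tos(); error returns above rely on the caller's stackframe to free it */`, or `info` freed before each early return. It is also worth noting in a comment that the same `info` is reused for both lookups and its contents are never read, only the returned status.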
> -- 
> 1.7.5.4
> 


