The branch, master has been updated
       via  e7f7ed8bf6281ef01aca53ea44acdd4af4c51aa7 (commit)
       via  f14e4d4e54f424c05147cb0e635c9b8930270262 (commit)
      from  c2f7f1b40b20e20fbc111fba59adc49a35f4fda0 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e7f7ed8bf6281ef01aca53ea44acdd4af4c51aa7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 11 11:47:41 2009 +0100

    s3:auth: only create_local_token() should add S-1-22-X-Y sids
    
    metze

commit f14e4d4e54f424c05147cb0e635c9b8930270262
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 11 11:46:18 2009 +0100

    s3:auth: add S-1-22-X-Y sids to the local token
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_util.c |   65 +++++++++++++++++++++++++++-------------------
 1 files changed, 38 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 892e5c4..1f00e22 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -572,9 +572,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info 
**server_info,
        struct passwd *pwd;
        gid_t *gids;
        auth_serversupplied_info *result;
-       int i;
-       size_t num_gids;
-       DOM_SID unix_group_sid;
        const char *username = pdb_get_username(sampass);
        NTSTATUS status;
 
@@ -646,30 +643,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info 
**server_info,
                }
        }
 
-       /* Add the "Unix Group" SID for each gid to catch mapped groups
-          and their Unix equivalent.  This is to solve the backwards 
-          compatibility problem of 'valid users = +ntadmin' where 
-          ntadmin has been paired with "Domain Admins" in the group 
-          mapping table.  Otherwise smb.conf would need to be changed
-          to 'valid user = "Domain Admins"'.  --jerry */
-       
-       num_gids = result->num_sids;
-       for ( i=0; i<num_gids; i++ ) {
-               if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
-                       DEBUG(1,("make_server_info_sam: Failed to create SID "
-                               "for gid %d!\n", gids[i]));
-                       continue;
-               }
-               status = add_sid_to_array_unique(result, &unix_group_sid,
-                                                &result->sids,
-                                                &result->num_sids);
-               if (!NT_STATUS_IS_OK(status)) {
-                       result->sam_account = NULL; /* Don't free on error 
exit. */
-                       TALLOC_FREE(result);
-                       return status;
-               }
-       }
-
        /* For now we throw away the gids and convert via sid_to_gid
         * later. This needs fixing, but I'd like to get the code straight and
         * simple first. */
@@ -736,6 +709,7 @@ NTSTATUS create_local_token(auth_serversupplied_info 
*server_info)
 {
        NTSTATUS status;
        size_t i;
+       struct dom_sid tmp_sid;
 
        /*
         * If winbind is not around, we can not make much use of the SIDs the
@@ -788,7 +762,44 @@ NTSTATUS create_local_token(auth_serversupplied_info 
*server_info)
                                        &server_info->utok.ngroups);
        }
 
+       /*
+        * Add the "Unix Group" SID for each gid to catch mapped groups
+        * and their Unix equivalent.  This is to solve the backwards
+        * compatibility problem of 'valid users = +ntadmin' where
+        * ntadmin has been paired with "Domain Admins" in the group
+        * mapping table.  Otherwise smb.conf would need to be changed
+        * to 'valid user = "Domain Admins"'.  --jerry
+        *
+        * For consistency we also add the "Unix User" SID,
+        * so that the complete unix token is represented within
+        * the nt token.
+        */
+
+       if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
+               DEBUG(1,("create_local_token: Failed to create SID "
+                       "for uid %d!\n", server_info->utok.uid));
+       }
+       add_sid_to_array_unique(server_info->ptok, &tmp_sid,
+                               &server_info->ptok->user_sids,
+                               &server_info->ptok->num_sids);
+
+       for ( i=0; i<server_info->utok.ngroups; i++ ) {
+               if (!gid_to_unix_groups_sid( server_info->utok.groups[i], 
&tmp_sid ) ) {
+                       DEBUG(1,("create_local_token: Failed to create SID "
+                               "for gid %d!\n", server_info->utok.groups[i]));
+                       continue;
+               }
+               add_sid_to_array_unique(server_info->ptok, &tmp_sid,
+                                       &server_info->ptok->user_sids,
+                                       &server_info->ptok->num_sids);
+       }
+
        debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
+       debug_unix_user_token(DBGC_AUTH, 10,
+                             server_info->utok.uid,
+                             server_info->utok.gid,
+                             server_info->utok.ngroups,
+                             server_info->utok.groups);
 
        status = log_nt_token(server_info->ptok);
        return status;
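Review bot: When `uid_to_unix_users_sid()` returns false, the new code only logs and then falls through to `add_sid_to_array_unique()` with `tmp_sid` never written, so whatever is on the stack is added to `server_info->ptok` as a SID. The group loop directly below avoids this with `continue`, but the uid path has no equivalent. Both new `add_sid_to_array_unique()` calls also discard the NTSTATUS that the code removed from make_server_info_sam used to check, so a failed add silently leaves the token without the S-1-22-X-Y entries that, according to the comment, 'valid users = +group' matching depends on. The sketch below guards the uid add and propagates the status. Whether an early return needs extra cleanup of `server_info->ptok` cannot be judged from here, because create_local_token starts above the hunk and its closing brace lies outside it.

```c
	if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
		/* ... unchanged: DEBUG(1) failure message ... */
	} else {
		status = add_sid_to_array_unique(server_info->ptok, &tmp_sid,
						 &server_info->ptok->user_sids,
						 &server_info->ptok->num_sids);
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}
	}

	for ( i=0; i<server_info->utok.ngroups; i++ ) {
		/* ... unchanged: gid_to_unix_groups_sid() call, DEBUG and continue on failure ... */
		status = add_sid_to_array_unique(server_info->ptok, &tmp_sid,
						 &server_info->ptok->user_sids,
						 &server_info->ptok->num_sids);
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}
	}
```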


-- 
Samba Shared Repository
