The branch, v4-3-test has been updated
       via  9e8785e selftest: add test for force user and well-known primary 
group
       via  225b8d6 auth: consistent handling of well-known alias as primary gid
       via  3e76e69 auth: remove a line that has no effect
       via  325d725 winbind: Don't crash on invalid idmap configs
      from  da97bd4 fix writev(vector[...]) points to uninitialised bytes in 
call_trans2findfirst

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test


- Log -----------------------------------------------------------------
commit 9e8785ea911b14add9b23c361f0bf24b2d4cf651
Author: Uri Simchoni <u...@samba.org>
Date:   Tue Nov 17 23:14:36 2015 +0200

    selftest: add test for force user and well-known primary group
    
    Add a test for connecting to a share with a "force user" whose
    primary unix gid maps to a well-known alias.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
    
    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Nov 19 23:20:36 CET 2015 on sn-devel-104
    (cherry picked from commit d451bbaee2e025d4135f686c0f220d6337dbf38e)
    
    Autobuild-User(v4-3-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-3-test): Mon Nov 23 15:46:03 CET 2015 on sn-devel-104

commit 225b8d6d7c7b3ad678975b29d564ea101b6423f2
Author: Uri Simchoni <u...@samba.org>
Date:   Tue Nov 17 23:05:10 2015 +0200

    auth: consistent handling of well-known alias as primary gid
    
    When a local user has its primary group id mapped to a well-known
    alias or a builtin group, smbd accepts logins of such a user, but
    fails tree-connects to shares with a "force user" set to this user
    with an error of NT_STATUS_INVALID_SID.
    
    This fix causes the connect to succeed and the NT token to resemble
    the token that would have been created in a login.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
    
    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit d8717a038ef82caf05fff611c7cf92aecc436563)

commit 3e76e69aaa39e1e5ee0f1aa21c66f07baed012f6
Author: Uri Simchoni <u...@samba.org>
Date:   Tue Nov 17 21:43:44 2015 +0200

    auth: remove a line that has no effect
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
    
    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 42b7d48f76189b1e138f5cac6489a4d018598c87)

commit 325d725e0da0086e3f5cec1480918b717fc77406
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Nov 19 17:00:49 2015 +0100

    winbind: Don't crash on invalid idmap configs
    
    We should not leave NULL in idmap_domains[]. This will lead to NULL
    ptr dereferences in idmap_find_domain().
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11612
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Thu Nov 19 20:16:44 CET 2015 on sn-devel-104
    
    (cherry picked from commit 7e9aaecec552ca53c50fc0c731419af467f76a00)

-----------------------------------------------------------------------

Summary of changes:
 selftest/target/Samba3.pm                   | 18 +++++++++++++++++-
 source3/auth/server_info.c                  | 25 +++++++++++++++++--------
 source3/script/tests/test_smbclient_auth.sh |  1 +
 source3/winbindd/idmap.c                    |  1 +
 4 files changed, 36 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 774d7a0..931667e 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1202,7 +1202,9 @@ sub provision($$$$$$$$)
 
        my ($max_uid, $max_gid);
        my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2);
+       my ($uid_pdbtest_wkn);
        my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, 
$gid_domadmins);
+       my ($gid_everyone);
 
        if ($unix_uid < 0xffff - 4) {
                $max_uid = 0xffff;
@@ -1214,8 +1216,9 @@ sub provision($$$$$$$$)
        $uid_nobody = $max_uid - 2;
        $uid_pdbtest = $max_uid - 3;
        $uid_pdbtest2 = $max_uid - 4;
+       $uid_pdbtest_wkn = $max_uid - 6;
 
-       if ($unix_gids[0] < 0xffff - 5) {
+       if ($unix_gids[0] < 0xffff - 7) {
                $max_gid = 0xffff;
        } else {
                $max_gid = $unix_gids[0];
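Review bot: The uid guard was not widened along with the gid guard. The context line `if ($unix_uid < 0xffff - 4) {` in the first hunk is unchanged, yet this hunk allocates `$uid_pdbtest_wkn = $max_uid - 6`. When `$unix_uid` is exactly 0xffff - 6 the guard still selects `$max_uid = 0xffff`, so pdbtest_wkn would get the same uid as the invoking user and the generated passwd file would carry two names for one uid. Changing the guard to `if ($unix_uid < 0xffff - 6) {` would match the `0xffff - 7` bound this hunk gives the gid side. provision() starts and ends outside the hunk, so any other uid allocations are not visible here.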
@@ -1226,6 +1229,7 @@ sub provision($$$$$$$$)
        $gid_root = $max_gid - 3;
        $gid_domusers = $max_gid - 4;
        $gid_domadmins = $max_gid - 5;
+       $gid_everyone = $max_gid - 7;
 
        ##
        ## create conffile
@@ -1368,9 +1372,15 @@ sub provision($$$$$$$$)
         force user = $unix_name
         guest ok = yes
 [forceuser_unixonly]
+       comment = force a user with unix user SID and group SID
        path = $shrdir
        force user = pdbtest
        guest ok = yes
+[forceuser_wkngroup]
+       comment = force a user with well-known group SID
+       path = $shrdir
+       force user = pdbtest_wkn
+       guest ok = yes
 [forcegroup]
        path = $shrdir
         force group = nogroup
@@ -1497,6 +1507,7 @@ sub provision($$$$$$$$)
 $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
 pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
 pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+pdbtest_wkn:x:$uid_pdbtest_wkn:$gid_everyone:pdbtest_wkn 
gecos:$prefix_abs:/bin/false
 ";
        if ($unix_uid != 0) {
                print PASSWD "root:x:$uid_root:$gid_root:root 
gecos:$prefix_abs:/bin/false
@@ -1513,6 +1524,7 @@ nogroup:x:$gid_nogroup:nobody
 $unix_name-group:x:$unix_gids[0]:
 domusers:X:$gid_domusers:
 domadmins:X:$gid_domadmins:
+everyone:x:$gid_everyone:
 ";
        if ($unix_gids[0] != 0) {
                print GROUP "root:x:$gid_root:
@@ -1705,6 +1717,10 @@ sub wait_for_start($$$$$)
        if ($ret != 0) {
            return 1;
        }
+       $ret = system(Samba::bindir_path($self, "net") ." 
$envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone 
type=builtin");
+       if ($ret != 0) {
+           return 1;
+       }
 
        if ($winbindd eq "yes") {
            # note: creating builtin groups requires winbindd for the
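Review bot: The added `net groupmap add` call returns 1 on failure without saying which mapping failed, and nothing next to it explains why S-1-1-0 is mapped to the unix group `everyone`. I would put a comment above the call, for example `# map the well-known Everyone SID to the unix group that is pdbtest_wkn's primary gid (forceuser_wkngroup test)`, and add `warn("groupmap add for unixgroup=everyone failed");` before the `return 1;`. wait_for_start() begins and ends outside the hunk, so whether the neighbouring groupmap calls report their failures is not visible here.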
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index b537390..9194cbd 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -599,18 +599,27 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
                 * will be rejected by other Samba code.
                 */
                gid_to_sid(&group_sid, pwd->pw_gid);
+       }
 
-               ZERO_STRUCT(domain_sid);
-
-               /*
-                * If we are a unix group, set the group_sid to the
-                * 'Domain Users' RID of 513 which will always resolve to a
-                * name.
-                */
-               if (sid_check_is_in_unix_groups(&group_sid)) {
+       /*
+        * If we are a unix group, or a wellknown/builtin alias,
+        * set the group_sid to the
+        * 'Domain Users' RID of 513 which will always resolve to a
+        * name.
+        */
+       if (sid_check_is_in_unix_groups(&group_sid) ||
+           sid_check_is_in_builtin(&group_sid) ||
+           sid_check_is_in_wellknown_domain(&group_sid)) {
+               if (sid_check_is_in_unix_users(&user_sid)) {
                        sid_compose(&group_sid,
                                    get_global_sam_sid(),
                                    DOMAIN_RID_USERS);
+               } else {
+                       sid_copy(&domain_sid, &user_sid);
+                       sid_split_rid(&domain_sid, NULL);
+                       sid_compose(&group_sid,
+                                   &domain_sid,
+                                   DOMAIN_RID_USERS);
                }
        }
 
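Review bot: The return value of `sid_split_rid(&domain_sid, NULL)` in the new else branch is ignored. If user_sid had no RID to strip, domain_sid would stay equal to the full user SID and `sid_compose()` would build the primary group SID underneath it. Because this value becomes the primary group of the NT token, I would fail closed with `if (!sid_split_rid(&domain_sid, NULL)) { return NT_STATUS_INVALID_SID; }`, or with the function's own cleanup path, which lies outside the hunk. The hunk also drops `ZERO_STRUCT(domain_sid)`, so domain_sid is now written only on this branch; it is worth confirming that the code after the hunk initialises it before reading it.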
diff --git a/source3/script/tests/test_smbclient_auth.sh 
b/source3/script/tests/test_smbclient_auth.sh
index 24e98b1..057414c 100755
--- a/source3/script/tests/test_smbclient_auth.sh
+++ b/source3/script/tests/test_smbclient_auth.sh
@@ -28,5 +28,6 @@ testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT 
//$SERVER/tmpguest $CON
 testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser 
$CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser 
$CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT 
//$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP 
-p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser_wkngroup" $SMBCLIENT 
//$SERVER/forceuser_wkngroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP 
-p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup 
$CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT 
//$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 8de8990..4012e70 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -146,6 +146,7 @@ static bool idmap_found_domain_backend(
                if (dom == NULL) {
                        DBG_NOTICE("Could not init idmap domain %s\n",
                                   domname);
+                       return false;
                }
 
                tmp = talloc_realloc(idmap_domains, idmap_domains,
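Review bot: With the added `return false;`, the `DBG_NOTICE` above it becomes the only trace that a configured idmap domain was skipped, and a notice-level message is easy to miss on a server running at a low log level. A skipped domain presumably changes how SIDs of that domain are mapped, so I would raise the message to `DBG_WARNING("Could not init idmap domain %s\n", domname);`. What a false return means to the caller of idmap_found_domain_backend() is not visible in the hunk, so it should be confirmed that the remaining domains are still processed.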


-- 
Samba Shared Repository
