The branch, master has been updated via 6dc463d3e2e s3:auth: Fix user_in_list() for UNIX groups via af8747a28bd s3:tests Test "username map" for UNIX groups via 0feeb6d58a6 selftest: Add to "username.map" mapping for jackthemappergroup via 26e4268d6e3 selftest: Create groups "jackthemappergroup" and "jacknomappergroup" via 1b014618222 selftest: Create users "jackthemapper" and "jacknomapper" from a27bbfc8a96 streams_depot: Simplify stream_dir()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4 Author: Pavel Filipenský <pfili...@redhat.com> Date: Fri Mar 25 11:11:50 2022 +0100 s3:auth: Fix user_in_list() for UNIX groups BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 Signed-off-by: Pavel Filipenský <pfili...@redhat.com> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Noel Power <npo...@samba.org> Autobuild-User(master): Noel Power <npo...@samba.org> Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184 commit af8747a28bd62937a01fa4648f404bd0b09a44c0 Author: Pavel Filipenský <pfili...@redhat.com> Date: Tue Apr 5 14:04:52 2022 +0200 s3:tests Test "username map" for UNIX groups BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 Signed-off-by: Pavel Filipenský <pfili...@redhat.com> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Noel Power <npo...@samba.org> commit 0feeb6d58a6d6b1949faa842473053af4562c979 Author: Pavel Filipenský <pfili...@redhat.com> Date: Tue Apr 5 08:31:41 2022 +0200 selftest: Add to "username.map" mapping for jackthemappergroup BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 Only for environment ad_member_idmap_nss. * !jacknompapper = \@jackthemappergroup jackthemaper from group jackthemappergroup is mapped to jacknompapper * !root = jacknomappergroup since there is no '@' or '+' prefix, it is not an UNIX group mapping Signed-off-by: Pavel Filipenský <pfili...@redhat.com> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Noel Power <npo...@samba.org> commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d Author: Pavel Filipenský <pfili...@redhat.com> Date: Tue Apr 5 08:30:23 2022 +0200 selftest: Create groups "jackthemappergroup" and "jacknomappergroup" BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 Signed-off-by: Pavel Filipenský <pfili...@redhat.com> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Noel Power <npo...@samba.org> commit 1b0146182224fe01ed70815364656a626038685a Author: Pavel Filipenský <pfili...@redhat.com> Date: Fri Apr 1 15:56:30 2022 +0200 selftest: Create users "jackthemapper" and "jacknomapper" BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 Signed-off-by: Pavel Filipenský <pfili...@redhat.com> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: selftest/target/Samba3.pm | 22 ++++++++++++++++++++-- source3/auth/user_util.c | 12 +++++++----- source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++++++ source3/selftest/tests.py | 2 ++ 4 files changed, 57 insertions(+), 7 deletions(-) create mode 100755 source3/script/tests/test_usernamemap.sh Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 068d3b1f06e..4a86a77bb95 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1569,8 +1569,10 @@ sub setup_ad_member_idmap_nss my $extra_member_options = " # bob:x:65521:65531:localbob gecos:/:/bin/false # jane:x:65520:65531:localjane gecos:/:/bin/false + # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false + # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false idmap config $dcvars->{DOMAIN} : backend = nss - idmap config $dcvars->{DOMAIN} : range = 65520-65521 + idmap config $dcvars->{DOMAIN} : range = 65518-65521 # Support SMB1 so that we can use posix_whoami(). client min protocol = CORE @@ -1591,6 +1593,8 @@ sub setup_ad_member_idmap_nss open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); print USERMAP " +!jacknomapper = \@jackthemappergroup +!root = jacknomappergroup root = $dcvars->{DOMAIN}/root bob = $dcvars->{DOMAIN}/bob "; @@ -2663,6 +2667,8 @@ sub provision($$) my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); my ($gid_userdup, $gid_everyone); my ($gid_force_user); + my ($gid_jackthemapper); + my ($gid_jacknomapper); my ($uid_user1); my ($uid_user2); my ($uid_gooduser); @@ -2670,6 +2676,8 @@ sub provision($$) my ($uid_slashuser); my ($uid_localbob); my ($uid_localjane); + my ($uid_localjackthemapper); + my ($uid_localjacknomapper); if ($unix_uid < 0xffff - 13) { $max_uid = 0xffff; @@ -2692,6 +2700,8 @@ sub provision($$) $uid_slashuser = $max_uid - 13; $uid_localbob = $max_uid - 14; $uid_localjane = $max_uid - 15; + $uid_localjackthemapper = $max_uid - 16; + $uid_localjacknomapper = $max_uid - 17; if ($unix_gids[0] < 0xffff - 8) { $max_gid = 0xffff; @@ -2707,6 +2717,8 @@ sub provision($$) $gid_userdup = $max_gid - 6; $gid_everyone = $max_gid - 7; $gid_force_user = $max_gid - 8; + $gid_jackthemapper = $max_gid - 9; + $gid_jacknomapper = $max_gid - 10; ## ## create conffile @@ -3436,6 +3448,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false +jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false +jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false "; if ($unix_uid != 0) { print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false @@ -3455,6 +3469,8 @@ domadmins:X:$gid_domadmins: userdup:x:$gid_userdup:$unix_name everyone:x:$gid_everyone: force_user:x:$gid_force_user: +jackthemappergroup:x:$gid_jackthemapper:jackthemapper +jacknomappergroup:x:$gid_jacknomapper:jacknomapper "; if ($unix_gids[0] != 0) { print GROUP "root:x:$gid_root: @@ -3500,6 +3516,8 @@ force_user:x:$gid_force_user: createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); + createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper"); + createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper"); open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); print DNS_UPDATE_LIST "A $server. $server_ip\n"; @@ -4012,4 +4030,4 @@ sub wait_for_start_ctdb($$) return 1; } -1; \ No newline at end of file +1; diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c index 70b4f320c5e..aa765c2a692 100644 --- a/source3/auth/user_util.c +++ b/source3/auth/user_util.c @@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) return false; } - DBG_DEBUG("Checking user %s in list\n", user); - while (*list) { const char *p = *list; - bool ok; + bool check_unix_group = false; + + DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list); /* Check raw username */ if (strequal(user, p)) { @@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) } while (*p == '@' || *p == '&' || *p == '+') { + if (*p == '@' || *p == '+') { + check_unix_group = true; + } p++; } - ok = user_in_group(user, p); - if (ok) { + if (check_unix_group && user_in_group(user, p)) { return true; } diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh new file mode 100755 index 00000000000..3a3344a8781 --- /dev/null +++ b/source3/script/tests/test_usernamemap.sh @@ -0,0 +1,28 @@ +#!/bin/sh +# +# Copyright (c) 2022 Pavel Filipenský <pfili...@redhat.com> +# +# Tests for "username map" smb.conf parameter for UNIX groups + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: test_usernamemap.sh SERVER SMBCLIENT +EOF +exit 1; +fi + +SERVER="$1" +SMBCLIENT="$2" +SMBCLIENT="${VALGRIND} ${SMBCLIENT}" + +incdir=$(dirname "$0")/../../../testprogs/blackbox +. "${incdir}"/subunit.sh + +failed=0 + +# jackthemapper is mapped to jacknomapper, so we need jacknomapper password +testit "jackthemapper" "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jackthemapper%nOmApsEcrEt" -c ls || failed=$((failed + 1)) +# jacknomapper is not mapped, so we need jacknomapper password +testit "jacknomapper" "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jacknomapper%nOmApsEcrEt" -c ls || failed=$((failed + 1)) + +testok "$0" "${failed}" diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 199ebf23a57..bddc26a95db 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -401,6 +401,8 @@ plantestsuite("samba3.blackbox.smbclient_basic.SMB2_10", "nt4_dc_schannel", [os. plantestsuite("samba3.blackbox.smbclient_basic.SMB3_02", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_02"]) plantestsuite("samba3.blackbox.smbclient_basic.SMB3_11", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_11"]) +plantestsuite("samba3.blackbox.smbclient_usernamemap", "ad_member_idmap_nss:local", [os.path.join(samba3srcdir, "script/tests/test_usernamemap.sh"), '$SERVER', smbclient3]) + plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration]) for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]: if "NT1" in options or "LANMAN2" in options: -- Samba Shared Repository