Author: vlendec
Date: 2006-06-06 20:18:11 +0000 (Tue, 06 Jun 2006)
New Revision: 16064

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16064

Log:
Fix for another bug that Tom Bork has reported:

'valid users = +unixgroup' failed with smbpasswd if 'unixgroup' has a
(non-algorithmic) group mapping.

Thanks a lot!

People out there listening, please test current code, this release is

           **BIG**

:-)

Volker

Modified:
   branches/SAMBA_3_0/source/passdb/lookup_sid.c
   trunk/source/passdb/lookup_sid.c


Changeset:
Modified: branches/SAMBA_3_0/source/passdb/lookup_sid.c
===================================================================
--- branches/SAMBA_3_0/source/passdb/lookup_sid.c       2006-06-06 17:55:41 UTC 
(rev 16063)
+++ branches/SAMBA_3_0/source/passdb/lookup_sid.c       2006-06-06 20:18:11 UTC 
(rev 16064)
@@ -43,6 +43,7 @@
        DOM_SID sid;
        enum SID_NAME_USE type;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       struct group *grp;
 
        if (tmp_ctx == NULL) {
                DEBUG(0, ("talloc_new failed\n"));
@@ -128,16 +129,35 @@
         * the expansion of group names coming in from smb.conf
         */
 
-       if (flags & LOOKUP_NAME_GROUP) {
-               struct group *grp;
+       if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) {
 
+               GROUP_MAP map;
+
+               if (pdb_getgrgid(&map, grp->gr_gid)) {
+                       /* The hack gets worse. Handle the case where we have
+                        * 'force group = +unixgroup' but "unixgroup" has a
+                        * group mapping */
+
+                       if (sid_check_is_in_builtin(&map.sid)) {
+                               domain = talloc_strdup(
+                                       tmp_ctx, builtin_domain_name());
+                       } else {
+                               domain = talloc_strdup(
+                                       tmp_ctx, get_global_sam_name());
+                       }
+
+                       sid_copy(&sid, &map.sid);
+                       type = map.sid_name_use;
+                       goto ok;
+               }
+
                /* If we are using the smbpasswd backend, we need to use the
                 * algorithmic mapping for the unix group we find. This is
                 * necessary because when creating the NT token from the unix
                 * gid list we got from initgroups() we use gid_to_sid() that
                 * uses algorithmic mapping if pdb_rid_algorithm() is true. */
 
-               if (pdb_rid_algorithm() && ((grp = getgrnam(name)) != NULL) &&
+               if (pdb_rid_algorithm() &&
                    (grp->gr_gid < max_algorithmic_gid())) {
                        domain = talloc_strdup(tmp_ctx, get_global_sam_name());
                        sid_compose(&sid, get_global_sam_sid(),
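Review bot: In the new `pdb_getgrgid()` branch, the `else` arm labels every mapped SID that is not in BUILTIN with `get_global_sam_name()`, so a group mapping pointing at a SID outside the local SAM would be returned under the wrong domain name; if such mappings can reach this path, the arm should first confirm that `map.sid` belongs to the local SAM domain and fall through otherwise. Separately, `grp` points at the static buffer returned by `getgrnam()` and is dereferenced again in the `pdb_rid_algorithm()` test after `pdb_getgrgid()` has run; if any passdb backend calls a getgr* function internally, that later read may see stale data, so copying the value once (`gid_t gid = grp->gr_gid;`) right after the lookup would be safer. The new comment names 'force group = +unixgroup' while the commit log describes 'valid users = +unixgroup', so the comment should name whichever options actually reach this path, since the mapped SID returned here feeds an access decision. The enclosing function starts and ends outside the hunk, so whether the code at `ok:` checks the `talloc_strdup()` result in `domain` for NULL cannot be confirmed from here. The identical hunk for trunk/source/passdb/lookup_sid.c carries the same points.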

Modified: trunk/source/passdb/lookup_sid.c
===================================================================
--- trunk/source/passdb/lookup_sid.c    2006-06-06 17:55:41 UTC (rev 16063)
+++ trunk/source/passdb/lookup_sid.c    2006-06-06 20:18:11 UTC (rev 16064)
@@ -43,6 +43,7 @@
        DOM_SID sid;
        enum SID_NAME_USE type;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       struct group *grp;
 
        if (tmp_ctx == NULL) {
                DEBUG(0, ("talloc_new failed\n"));
@@ -128,16 +129,35 @@
         * the expansion of group names coming in from smb.conf
         */
 
-       if (flags & LOOKUP_NAME_GROUP) {
-               struct group *grp;
+       if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) {
 
+               GROUP_MAP map;
+
+               if (pdb_getgrgid(&map, grp->gr_gid)) {
+                       /* The hack gets worse. Handle the case where we have
+                        * 'force group = +unixgroup' but "unixgroup" has a
+                        * group mapping */
+
+                       if (sid_check_is_in_builtin(&map.sid)) {
+                               domain = talloc_strdup(
+                                       tmp_ctx, builtin_domain_name());
+                       } else {
+                               domain = talloc_strdup(
+                                       tmp_ctx, get_global_sam_name());
+                       }
+
+                       sid_copy(&sid, &map.sid);
+                       type = map.sid_name_use;
+                       goto ok;
+               }
+
                /* If we are using the smbpasswd backend, we need to use the
                 * algorithmic mapping for the unix group we find. This is
                 * necessary because when creating the NT token from the unix
                 * gid list we got from initgroups() we use gid_to_sid() that
                 * uses algorithmic mapping if pdb_rid_algorithm() is true. */
 
-               if (pdb_rid_algorithm() && ((grp = getgrnam(name)) != NULL) &&
+               if (pdb_rid_algorithm() &&
                    (grp->gr_gid < max_algorithmic_gid())) {
                        domain = talloc_strdup(tmp_ctx, get_global_sam_name());
                        sid_compose(&sid, get_global_sam_sid(),
