Changeset 751 for trunk/server/source3/auth

Timestamp:

Nov 29, 2012, 1:59:04 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.9

Location:

trunk/server/source3/auth

Files:

• auth_util.c (modified) (8 diffs)
• server_info.c (modified) (6 diffs)

trunk/server/source3/auth/auth_util.c

@@ -656 +656 @@
 }
 
+static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
+                                 struct passwd *pwd,
+                                 struct netr_SamInfo3 *info3)
+{
+        struct dom_sid domain_sid;
+        const char *tmp;
+
+        /* Set account name */
+        tmp = talloc_strdup(mem_ctx, pwd->pw_name);
+        if (tmp == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+        init_lsa_String(&info3->base.account_name, tmp);
+
+        /* Set domain name */
+        tmp = talloc_strdup(mem_ctx, get_global_sam_name());
+        if (tmp == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+        init_lsa_StringLarge(&info3->base.domain, tmp);
+
+        /* Domain sid */
+        sid_copy(&domain_sid, get_global_sam_sid());
+
+        info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
+        if (info3->base.domain_sid == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        /* Admin rid */
+        info3->base.rid = DOMAIN_RID_ADMINISTRATOR;
+
+        /* Primary gid */
+        info3->base.primary_gid = BUILTIN_RID_ADMINISTRATORS;
+
+        return NT_STATUS_OK;
+}
+
 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
                                 struct netr_SamInfo3 *info3)
@@ -697 +735 @@
 
         /* Primary gid */
-        info3->base.primary_gid = BUILTIN_RID_GUESTS;
+        info3->base.primary_gid = DOMAIN_RID_GUESTS;
 
         TALLOC_FREE(pwd);
@@ -761 +799 @@
 done:
         TALLOC_FREE(tmp_ctx);
-        return NT_STATUS_OK;
+        return status;
+}
+
+/****************************************************************************
+  Fake a auth_session_info just from a username (as a
+  session_info structure, with create_local_token() already called on
+  it.
+****************************************************************************/
+
+static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
+                                                 struct passwd *pwd,
+                                                 struct auth_serversupplied_info **server_info)
+{
+        const char *domain = global_myname();
+        struct netr_SamInfo3 info3;
+        TALLOC_CTX *tmp_ctx;
+        NTSTATUS status;
+
+        tmp_ctx = talloc_stackframe();
+        if (tmp_ctx == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        ZERO_STRUCT(info3);
+
+        status = get_system_info3(tmp_ctx, pwd, &info3);
+        if (!NT_STATUS_IS_OK(status)) {
+                DEBUG(0, ("Failed creating system info3 with %s\n",
+                          nt_errstr(status)));
+                goto done;
+        }
+
+        status = make_server_info_info3(mem_ctx,
+                                        pwd->pw_name,
+                                        domain,
+                                        server_info,
+                                        &info3);
+        if (!NT_STATUS_IS_OK(status)) {
+                DEBUG(0, ("make_server_info_info3 failed with %s\n",
+                          nt_errstr(status)));
+                goto done;
+        }
+
+        (*server_info)->nss_token = true;
+
+        /* Now turn the server_info into a session_info with the full token etc */
+        status = create_local_token(*server_info);
+        if (!NT_STATUS_IS_OK(status)) {
+                DEBUG(0, ("create_local_token failed: %s\n",
+                          nt_errstr(status)));
+                goto done;
+        }
+
+        status = NT_STATUS_OK;
+done:
+        TALLOC_FREE(tmp_ctx);
+        return status;
 }
 
@@ -780 +874 @@
         }
 
-        status = make_serverinfo_from_username(mem_ctx,
-                                             pwd->pw_name,
-                                             false,
-                                             session_info);
+        status = make_system_session_info_from_pw(mem_ctx,
+                                                  pwd,
+                                                  session_info);
         TALLOC_FREE(pwd);
         if (!NT_STATUS_IS_OK(status)) {
@@ -1158 +1251 @@
         const char *nt_domain;
         const char *nt_username;
+        struct dom_sid user_sid;
+        struct dom_sid group_sid;
         bool username_was_mapped;
         struct passwd *pwd;
         struct auth_serversupplied_info *result;
-        struct dom_sid *group_sid;
-        struct netr_SamInfo3 *i3;
 
         /* 
@@ -1169 +1262 @@
            matches.
         */
+
+        if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+
+        if (!sid_compose(&group_sid, info3->base.domain_sid,
+                         info3->base.primary_gid)) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
 
         nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
@@ -1221 +1323 @@
 
         /* copy in the info3 */
-        result->info3 = i3 = copy_netr_SamInfo3(result, info3);
+        result->info3 = copy_netr_SamInfo3(result, info3);
         if (result->info3 == NULL) {
                 TALLOC_FREE(result);
@@ -1228 +1330 @@
 
         /* Fill in the unix info we found on the way */
+
         result->utok.uid = pwd->pw_uid;
         result->utok.gid = pwd->pw_gid;
-
-        /* We can't just trust that the primary group sid sent us is something
-         * we can really use. Obtain the useable sid, and store the original
-         * one as an additional group if it had to be replaced */
-        nt_status = get_primary_group_sid(mem_ctx, found_username,
-                                          &pwd, &group_sid);
-        if (!NT_STATUS_IS_OK(nt_status)) {
-                TALLOC_FREE(result);
-                return nt_status;
-        }
-
-        /* store and check if it is the same we got originally */
-        sid_peek_rid(group_sid, &i3->base.primary_gid);
-        if (i3->base.primary_gid != info3->base.primary_gid) {
-                uint32_t n = i3->base.groups.count;
-                /* not the same, store the original as an additional group */
-                i3->base.groups.rids =
-                        talloc_realloc(i3, i3->base.groups.rids,
-                                        struct samr_RidWithAttribute, n + 1);
-                if (i3->base.groups.rids == NULL) {
-                        TALLOC_FREE(result);
-                        return NT_STATUS_NO_MEMORY;
-                }
-                i3->base.groups.rids[n].rid = info3->base.primary_gid;
-                i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
-                i3->base.groups.count = n + 1;
-        }
 
         /* ensure we are never given NULL session keys */

trunk/server/source3/auth/server_info.c

@@ -274 +274 @@
                 ok = sid_peek_check_rid(domain_sid, &sids[i], &rid);
                 if (ok) {
-
-                        /* if it is the primary gid, skip it, we
-                         * obviously already have it */
-                        if (info3->base.primary_gid == rid) continue;
-
                         /* store domain group rid */
-                        groups->rids[i].rid = rid;
-                        groups->rids[i].attributes = attributes;
+                        groups->rids[groups->count].rid = rid;
+                        groups->rids[groups->count].attributes = attributes;
                         groups->count++;
                         continue;
@@ -439 +434 @@
         info3->base.bad_password_count = pdb_get_bad_password_count(samu);
 
+        info3->base.domain.string = talloc_strdup(info3,
+                                                  pdb_get_domain(samu));
+        RET_NOMEM(info3->base.domain.string);
+
+        info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
+        RET_NOMEM(info3->base.domain_sid);
+
         status = pdb_enum_group_memberships(mem_ctx, samu,
                                             &group_sids, &gids,
@@ -468 +470 @@
                 RET_NOMEM(info3->base.logon_server.string);
         }
-
-        info3->base.domain.string = talloc_strdup(info3,
-                                                  pdb_get_domain(samu));
-        RET_NOMEM(info3->base.domain.string);
-
-        info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
-        RET_NOMEM(info3->base.domain_sid);
 
         info3->base.acct_flags = pdb_get_acct_ctrl(samu);
@@ -530 +525 @@
                                 size_t num_sids)
 {
-        unsigned int i;
+        unsigned int i, j = 0;
         bool ok;
 
@@ -543 +538 @@
                 ok = sid_peek_check_rid(domain_sid,
                                         (const struct dom_sid *)&sids[i].sid,
-                                        &groups->rids[i].rid);
+                                        &groups->rids[j].rid);
                 if (!ok) continue;
 
-                groups->rids[i].attributes = SE_GROUP_MANDATORY |
+                groups->rids[j].attributes = SE_GROUP_MANDATORY |
                                              SE_GROUP_ENABLED_BY_DEFAULT |
                                              SE_GROUP_ENABLED;
-                groups->count++;
-        }
-
+                j++;
+        }
+
+        groups->count = j;
+        return NT_STATUS_OK;
+}
+
+static NTSTATUS wbcsids_to_netr_SidAttrArray(
+                                const struct dom_sid *domain_sid,
+                                const struct wbcSidWithAttr *sids,
+                                size_t num_sids,
+                                TALLOC_CTX *mem_ctx,
+                                struct netr_SidAttr **_info3_sids,
+                                uint32_t *info3_num_sids)
+{
+        unsigned int i, j = 0;
+        struct netr_SidAttr *info3_sids;
+
+        info3_sids = talloc_array(mem_ctx, struct netr_SidAttr, num_sids);
+        if (info3_sids == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        /* a wbcDomainSid is the same as a dom_sid */
+        for (i = 0; i < num_sids; i++) {
+                const struct dom_sid *sid;
+
+                sid = (const struct dom_sid *)&sids[i].sid;
+
+                if (dom_sid_in_domain(domain_sid, sid)) {
+                        continue;
+                }
+
+                info3_sids[j].sid = dom_sid_dup(info3_sids, sid);
+                if (info3_sids[j].sid == NULL) {
+                        talloc_free(info3_sids);
+                        return NT_STATUS_NO_MEMORY;
+                }
+                info3_sids[j].attributes = SE_GROUP_MANDATORY |
+                                           SE_GROUP_ENABLED_BY_DEFAULT |
+                                           SE_GROUP_ENABLED;
+                j++;
+        }
+
+        *info3_num_sids = j;
+        *_info3_sids = info3_sids;
         return NT_STATUS_OK;
 }
@@ -637 +675 @@
         }
 
+        status = wbcsids_to_netr_SidAttrArray(&domain_sid,
+                                              &info->sids[1],
+                                              info->num_sids - 1,
+                                              info3,
+                                              &info3->sids,
+                                              &info3->sidcount);
+        if (!NT_STATUS_IS_OK(status)) {
+                TALLOC_FREE(info3);
+                return NULL;
+        }
+
         info3->base.user_flags = info->user_flags;
         memcpy(info3->base.key.key, info->user_session_key, 16);