author | Volker Lendecke <vlendec@samba.org> | 2004-11-12 15:49:47 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:53:15 -0500 |
commit | f9e87b9ba65f37bafa45eacb1a6c9b8c5483d46b (patch) | |
tree | 226655c957de8578b3c3e0c854930b03e90d37a1 /source3/auth | |
parent | 69ddbbf97b4c37cba879f7dd9ce8cb5f4d336857 (diff) | |
r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this!
We have solved the problem of finding the global groups a user is in twice: once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.
The parameter to activate this ldapsam behaviour is
ldapsam:trusted = yes
Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth_util.c | 52 |
1 files changed, 16 insertions, 36 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 96a229f0dc..1ef64ab845 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -657,47 +657,27 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid,
 *n_groups = 0;
 *groups = NULL;
-
- /* Try winbind first */
- if ( strchr(username, *lp_winbind_separator()) ) {
- n_unix_groups = winbind_getgroups( username, unix_groups );
+ if (strchr(username, *lp_winbind_separator()) == NULL) {
+ NTSTATUS result;
- DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", username,
- n_unix_groups == -1 ? "FAIL" : "SUCCESS"));
-
- if ( n_unix_groups == -1 )
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
+ become_root();
+ result = pdb_enum_group_memberships(username, gid, groups,
+ unix_groups, n_groups);
+ unbecome_root();
+ return result;
 }
- else {
- /* fallback to getgrouplist() */
-
- n_unix_groups = groups_max();
-
- if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) {
- DEBUG(0, ("get_user_groups: Out of memory allocating unix group list\n"));
- return NT_STATUS_NO_MEMORY;
- }
+
+ /* We have the separator, this must be winbind */
- if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
-
- gid_t *groups_tmp;
-
- groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups);
-
- if (!groups_tmp) {
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_MEMORY;
- }
- *unix_groups = groups_tmp;
+ n_unix_groups = winbind_getgroups( username, unix_groups );
- if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) {
- DEBUG(0, ("get_user_groups: failed to get the unix group list\n"));
- SAFE_FREE(*unix_groups);
- return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
- }
- }
- }
+ DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n",
+ username, n_unix_groups == -1 ? "FAIL" : "SUCCESS"));
+
+ if ( n_unix_groups == -1 )
+ return NT_STATUS_NO_SUCH_USER; /* what should this return
+ * value be? */
 debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); |
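Review bot: The new passdb branch returns `result` straight after `unbecome_root()`, so a failed `pdb_enum_group_memberships()` is neither logged nor followed by any visible cleanup of `*groups`/`*unix_groups`, whereas the removed getgrouplist code logged and freed on every error path. Because this list appears to feed the group part of the user's token, I would log the failure before returning, e.g. `if (!NT_STATUS_IS_OK(result)) DEBUG(3, ("get_user_groups: pdb_enum_group_memberships(%s) failed: %s\n", username, nt_errstr(result)));`, and state in a comment whether the backend or the caller owns partially filled output on error. The early return also skips the `debug_unix_user_token` call kept as context below, so passdb users lose that level-5 trace unless the backend logs it itself. A one-line comment on why the call needs `become_root()` would help too; the rest of get_user_groups lies outside the hunk, so the caller-side handling could not be checked.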