author | Gerald Carter <jerry@samba.org> | 2006-08-04 17:09:13 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2006-08-04 17:09:13 +0000 |
commit | ef426b9e2a9c29668ea5118e81af28588632d0f8 (patch) | |
tree | 62be961725dc09a1607eb43e3b3928f0ba7451bd /source | |
parent | 33cf334255d1937f238030a3a9e23b3e02f3be27 (diff) | |
r17400: grabbing latest changes from SAMBA_3_0_23 to help in testing
Diffstat (limited to 'source')
-rw-r--r-- | source/VERSION | 2 | ||||
-rw-r--r-- | source/auth/auth_util.c | 56 | ||||
-rw-r--r-- | source/nsswitch/pam_winbind.c | 27 | ||||
-rw-r--r-- | source/nsswitch/pam_winbind.h | 1 | ||||
-rw-r--r-- | source/smbd/msdfs.c | 22 | ||||
-rw-r--r-- | source/utils/net_ads.c | 34 |
6 files changed, 74 insertions, 68 deletions
diff --git a/source/VERSION b/source/VERSION index 0b9ecab60b9..673d82d34d9 100644 --- a/source/VERSION +++ b/source/VERSION @@ -37,7 +37,7 @@ SAMBA_VERSION_RELEASE=23 # e.g. SAMBA_VERSION_REVISION=a # # -> "2.2.8a" # ######################################################## -SAMBA_VERSION_REVISION=a +SAMBA_VERSION_REVISION=b ######################################################## # For 'pre' releases the version will be # diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c index 5298560ba43..67fe508721d 100644 --- a/source/auth/auth_util.c +++ b/source/auth/auth_util.c @@ -29,7 +29,6 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - const DOM_SID *group_sid, BOOL is_guest, int num_groupsids, const DOM_SID *groupsids); @@ -509,7 +508,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) uid_to_sid(&u_sid, pw->pw_uid); gid_to_sid(&g_sid, pw->pw_gid); - token = create_local_nt_token(NULL, &u_sid, &g_sid, False, + token = create_local_nt_token(NULL, &u_sid, False, 1, &global_sid_Builtin_Administrators); return token; } @@ -803,7 +802,6 @@ static NTSTATUS create_builtin_administrators( void ) static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - const DOM_SID *group_sid, BOOL is_guest, int num_groupsids, const DOM_SID *groupsids) @@ -830,8 +828,12 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); - add_sid_to_array(result, group_sid, - &result->user_sids, &result->num_sids); + + /* For guest, num_groupsids may be zero. */ + if (num_groupsids) { + add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids); + } /* Add in BUILTIN sids */ 
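Review bot: In get_root_nt_token the context line `gid_to_sid(&g_sid, pw->pw_gid);` still fills g_sid, but after this hunk nothing visible reads it, and the only group passed is `&global_sid_Builtin_Administrators`. Because a later hunk makes create_local_nt_token treat `groupsids[0]` as the primary group, the root token's primary group appears to become BUILTIN\Administrators rather than the SID of root's Unix primary gid. If that is intended, drop the dead conversion and record it with a comment such as `/* root's primary group in the token is BUILTIN\Administrators, not pw->pw_gid */`. If it is not intended, g_sid has to be passed as the first element of the group array.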
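Review bot: The guard `if (num_groupsids)` in create_local_nt_token is also true for a negative count and does not cover a NULL `groupsids`, yet `&groupsids[0]` is read under it; `if (num_groupsids > 0 && groupsids != NULL) {` states the intended condition. When the count is zero the token now has no primary-group entry after the user SID, so any consumer that assumes a fixed position for the primary group (none is visible in this diff) should be checked. The function comment should also record the new contract, for example `/* groupsids[0] must be the primary group SID; it is added right after user_sid */`, because the `for (i=1; ...)` loop in the following hunk depends on it. The function body continues outside this hunk.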
@@ -850,9 +852,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending - * on who authenticated the user. */ + * on who authenticated the user. + * Note that we start the for loop at "1" here, we already added the + * first group sid as primary above. */ - for (i=0; i<num_groupsids; i++) { + for (i=1; i<num_groupsids; i++) { add_sid_to_array_unique(result, &groupsids[i], &result->user_sids, &result->num_sids); } @@ -955,8 +959,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) return NT_STATUS_NO_MEMORY; } - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - server_info->was_mapped) { + if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || + (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, @@ -969,7 +973,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->ptok = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), - pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); status = server_info->ptok ? @@ -1072,7 +1075,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ struct samu *sam_acct = NULL; - const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { result = NT_STATUS_NO_MEMORY; 
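Review bot: In create_local_token the call to create_local_nt_token now takes the primary group from `server_info->sids[0]` instead of `pdb_get_group_sid(server_info->sam_account)`, and nothing in this hunk establishes that ordering. Where server_info->sids is filled is outside this diff; if the primary group is not stored first, or num_sids is 0 for a non-guest session, the resulting token would carry the wrong primary group or none. A comment at the call such as `/* server_info->sids[0] must be the primary group SID */`, together with a check of `server_info->num_sids` for non-guest users, would make the dependency explicit. The function starts and ends outside the hunk.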
@@ -1086,20 +1088,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - gr_sid = pdb_get_group_sid(sam_acct); - if (!gr_sid) { - goto unix_user; - } - - sid_copy(&primary_group_sid, gr_sid); - - if (!sid_to_gid(&primary_group_sid, gid)) { - DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; - } - result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); @@ -1110,6 +1098,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } + /* see the smb_panic() in pdb_default_enum_group_memberships */ + SMB_ASSERT(num_group_sids > 0); + + *gid = gids[0]; *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); @@ -1138,9 +1130,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - *gid = pass->pw_gid; - gid_to_sid(&primary_group_sid, pass->pw_gid); - if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, &gids, &num_group_sids)) { DEBUG(1, ("getgroups_unix_user for user %s failed\n", @@ -1158,6 +1147,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, for (i=0; i<num_group_sids; i++) { gid_to_sid(&group_sids[i], gids[i]); } + + /* In getgroups_unix_user we always set the primary gid */ + SMB_ASSERT(num_group_sids > 0); + + *gid = gids[0]; *found_username = talloc_strdup(mem_ctx, pass->pw_name); } else { 
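Review bot: `SMB_ASSERT(num_group_sids > 0)` after pdb_enum_group_memberships turns an empty result from the passdb backend into what is presumably a process abort in the authentication path (the comment above it refers to an smb_panic), whereas the surrounding code otherwise falls back with `goto unix_user`. Handling the case as an error keeps a misbehaving backend from taking the server process down: `if (num_group_sids == 0) { DEBUG(1, ("no group sids for %s\n", username)); goto unix_user; }`. The same applies to the second `SMB_ASSERT(num_group_sids > 0)` in the Unix-user branch, which could set `result` and `goto done` instead. Both `*gid = gids[0]` assignments also rely on the first returned gid being the primary one, which the added comments state only for getgroups_unix_user. create_token_from_username starts and ends outside these hunks.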
@@ -1181,13 +1175,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - num_group_sids = 0; - group_sids = NULL; + num_group_sids = 1; + group_sids = &primary_group_sid; *found_username = talloc_strdup(mem_ctx, username); } - *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid, + *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); if ((*token == NULL) || (*found_username == NULL)) { diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c index bbb27f21c9e..5a9fb4cf595 100644 --- a/source/nsswitch/pam_winbind.c +++ b/source/nsswitch/pam_winbind.c @@ -209,12 +209,15 @@ static int _make_remark_format(pam_handle_t * pamh, int type, const char *format { va_list args; char *var; + int ret; va_start(args, format); vasprintf(&var, format, args); va_end(args); - return _make_remark(pamh, type, var); + ret = _make_remark(pamh, type, var); + SAFE_FREE(var); + return ret; } static int pam_winbind_request(pam_handle_t * pamh, int ctrl, 
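Review bot: `group_sids = &primary_group_sid;` in the last branch of create_token_from_username passes a local SID to create_local_nt_token as the primary group, while the earlier hunks removed the other visible writes to primary_group_sid (`sid_copy` in the passdb branch, `gid_to_sid` in the Unix branch). Whether this branch assigns primary_group_sid before the hunk begins is not visible here; if it does not, an uninitialised SID ends up in the token. Moving the declaration of primary_group_sid into this branch, next to its assignment, would make its single remaining use obvious and let the compiler flag an uninitialised read.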
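Review bot: The return value of `vasprintf(&var, format, args)` in _make_remark_format is not checked, so on allocation failure `var` is indeterminate when it is passed to _make_remark() and then to the newly added `SAFE_FREE(var)`. Initialise and check it: `char *var = NULL;` and `if (vasprintf(&var, format, args) < 0) { va_end(args); return PAM_BUF_ERR; }`. The format string is itself a parameter and the callers are outside this hunk, so it is worth confirming that none of them pass server-supplied text as `format`.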
@@ -482,13 +485,27 @@ static int winbind_auth_request(pam_handle_t * pamh, /* save the CIFS homedir for pam_cifs / pam_mount */ if (response.data.auth.info3.home_dir[0] != '\0') { - char *buf; - if (!asprintf(&buf, "%s", response.data.auth.info3.home_dir)) { - return PAM_BUF_ERR; + int ret2 = pam_set_data(pamh, PAM_WINBIND_HOMEDIR, + (void *) strdup(response.data.auth.info3.home_dir), + _pam_winbind_cleanup_func); + if (ret2) { + _pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s", + pam_strerror(pamh, ret2)); } - pam_set_data( pamh, PAM_WINBIND_HOMEDIR, (void *)buf, _pam_winbind_cleanup_func); + } + + /* save the logon script path for other PAM modules */ + if (response.data.auth.info3.logon_script[0] != '\0') { + + int ret2 = pam_set_data(pamh, PAM_WINBIND_LOGONSCRIPT, + (void *) strdup(response.data.auth.info3.logon_script), + _pam_winbind_cleanup_func); + if (ret2) { + _pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s", + pam_strerror(pamh, ret2)); + } } return ret; diff --git a/source/nsswitch/pam_winbind.h b/source/nsswitch/pam_winbind.h index fb2769d1c1a..2b7080182be 100644 --- a/source/nsswitch/pam_winbind.h +++ b/source/nsswitch/pam_winbind.h @@ -108,6 +108,7 @@ do { \ #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" +#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" #define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET" #define SECONDS_PER_DAY 86400 diff --git a/source/smbd/msdfs.c b/source/smbd/msdfs.c index 55a6850478f..8dc29728249 100644 --- a/source/smbd/msdfs.c +++ b/source/smbd/msdfs.c 
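Review bot: In winbind_auth_request both new pam_set_data() calls pass the result of `strdup()` without checking it, so an allocation failure stores NULL under PAM_WINBIND_HOMEDIR or PAM_WINBIND_LOGONSCRIPT and goes unreported. When pam_set_data() itself fails, the duplicated string is not freed, since the cleanup function is presumably only invoked for data that was actually stored. The removed code returned PAM_BUF_ERR on allocation failure (through a faulty `!asprintf` test); the new code drops that path entirely and logs only at debug level. I would duplicate into a local, skip the call when it is NULL, and free it when the store fails, as sketched below for the home directory; the logon script block needs the same treatment. The function starts and ends outside the hunk.

```c
	/* save the CIFS homedir for pam_cifs / pam_mount */
	if (response.data.auth.info3.home_dir[0] != '\0') {
		char *homedir = strdup(response.data.auth.info3.home_dir);

		if (homedir == NULL) {
			_pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s",
				       pam_strerror(pamh, PAM_BUF_ERR));
		} else {
			int ret2 = pam_set_data(pamh, PAM_WINBIND_HOMEDIR,
						(void *) homedir,
						_pam_winbind_cleanup_func);
			if (ret2) {
				_pam_log_debug(ctrl, LOG_DEBUG, "Could not set data: %s",
					       pam_strerror(pamh, ret2));
				/* not stored, so the cleanup function will never see it */
				free(homedir);
			}
		}
	}

	/* … same pattern for response.data.auth.info3.logon_script / PAM_WINBIND_LOGONSCRIPT … */
```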
@@ -505,13 +505,10 @@ BOOL get_referred_path(TALLOC_CTX *ctx, char *pathname, struct junction_map *juc parse_dfs_path(pathname, &dp); /* Verify hostname in path */ - if ( !strequal(get_local_machine_name(), dp.hostname) ) { - /* Hostname mismatch, check if one of our IP addresses */ - if (!ismyip(*interpret_addr2(dp.hostname))) { - DEBUG(3, ("get_referred_path: Invalid hostname %s in path %s\n", - dp.hostname, pathname)); - return False; - } + if (!is_myname_or_ipaddr(dp.hostname)) { + DEBUG(3, ("get_referred_path: Invalid hostname %s in path %s\n", + dp.hostname, pathname)); + return False; } pstrcpy(jucn->service_name, dp.servicename); @@ -878,13 +875,10 @@ BOOL create_junction(char *pathname, struct junction_map *jucn) parse_dfs_path(pathname,&dp); /* check if path is dfs : validate first token */ - if ( !strequal(get_local_machine_name(),dp.hostname) ) { - /* Hostname mismatch, check if one of our IP addresses */ - if (!ismyip(*interpret_addr2(dp.hostname))) { - DEBUG(4,("create_junction: Invalid hostname %s in dfs path %s\n", - dp.hostname, pathname)); - return False; - } + if (!is_myname_or_ipaddr(dp.hostname)) { + DEBUG(4,("create_junction: Invalid hostname %s in dfs path %s\n", + dp.hostname, pathname)); + return False; } /* Check for a non-DFS share */ diff --git a/source/utils/net_ads.c b/source/utils/net_ads.c index dcbd53bafc3..f01f7ac33b3 100644 --- a/source/utils/net_ads.c +++ b/source/utils/net_ads.c @@ -1169,7 +1169,7 @@ static int net_ads_join_usage(int argc, const char **argv) int net_ads_join(int argc, const char **argv) { - ADS_STRUCT *ads; + ADS_STRUCT *ads = NULL; ADS_STATUS status; char *machine_account = NULL; const char *short_domain_name = NULL; 
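Review bot: The hostname check in get_referred_path now rests entirely on `is_myname_or_ipaddr(dp.hostname)`, which is not defined in this diff, so it cannot be seen here whether it accepts a wider set of names than the old `strequal()`/`ismyip()` pair or performs name resolution on the value. dp.hostname is parsed out of the `pathname` argument, which is presumably client-supplied, so I would state the trust boundary above the check, e.g. `/* dp.hostname comes from the requested path; only names/addresses of this server may pass */`. The context line `parse_dfs_path(pathname, &dp);` also discards whatever result that call reports, so it should be confirmed that dp.hostname is well defined when parsing fails. The identical hunk in create_junction has the same two points; both functions continue outside their hunks.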
@@ -1184,24 +1184,23 @@ int net_ads_join(int argc, const char **argv) if ( check_ads_config() != 0 ) { d_fprintf(stderr, "Invalid configuration. Exiting....\n"); - return -1; + goto fail; } if ( (ads = ads_startup(True)) == NULL ) { - return -1; + goto fail; } if (strcmp(ads->config.realm, lp_realm()) != 0) { d_fprintf(stderr, "realm of remote server (%s) and realm in smb.conf " "(%s) DO NOT match. Aborting join\n", ads->config.realm, lp_realm()); - ads_destroy(&ads); - return -1; + goto fail; } if (!(ctx = talloc_init("net_ads_join"))) { DEBUG(0, ("Could not initialise talloc context\n")); - return -1; + goto fail; } /* process additional command line args */ @@ -1214,12 +1213,12 @@ int net_ads_join(int argc, const char **argv) else if ( !StrnCaseCmp(argv[i], "createcomputer", strlen("createcomputer")) ) { if ( (create_in_ou = get_string_param(argv[i])) == NULL ) { d_fprintf(stderr, "Please supply a valid OU path\n"); - return -1; + goto fail; } } else { d_fprintf(stderr, "Bad option: %s\n", argv[i]); - return -1; + goto fail; } } @@ -1231,8 +1230,7 @@ int net_ads_join(int argc, const char **argv) if ( !ADS_ERR_OK(status) ) { d_fprintf( stderr, "Failed to pre-create the machine object " "in OU %s.\n", argv[0]); - ads_destroy( &ads ); - return -1; + goto fail; } } @@ -1243,7 +1241,7 @@ int net_ads_join(int argc, const char **argv) if ( net_join_domain( ctx, ads->config.ldap_server_name, &ads->ldap_ip, &domain_sid, password ) != 0 ) { d_fprintf(stderr, "Failed to join domain!\n"); - return -1; + goto fail; } /* Check the short name of the domain */ 
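Review bot: The first two `goto fail` jumps in net_ads_join (after check_ads_config() and after a failed ads_startup()) reach `ads_destroy(&ads)` at the new label with `ads == NULL`. That is only safe if ads_destroy() tolerates a NULL `*ads`, which this diff does not show. Either confirm that and note it at the label with `/* ads may still be NULL here; ads_destroy() must accept that */`, or guard the call with `if (ads) ads_destroy(&ads);`. The function body continues outside this hunk.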
@@ -1274,15 +1272,14 @@ int net_ads_join(int argc, const char **argv) if ( (netdom_store_machine_account( lp_workgroup(), domain_sid, password ) == -1) || (netdom_store_machine_account( short_domain_name, domain_sid, password ) == -1) ) { - ads_destroy(&ads); - return -1; + goto fail; } /* Verify that everything is ok */ if ( net_rpc_join_ok(short_domain_name, ads->config.ldap_server_name, &ads->ldap_ip) != 0 ) { d_fprintf(stderr, "Failed to verify membership in domain!\n"); - return -1; + goto fail; } /* create the dNSHostName & servicePrincipalName values */ @@ -1306,13 +1303,12 @@ int net_ads_join(int argc, const char **argv) netdom_store_machine_account( lp_workgroup(), domain_sid, "" ); netdom_store_machine_account( short_domain_name, domain_sid, "" ); - return -1; + goto fail; } if ( !net_derive_salting_principal( ctx, ads ) ) { DEBUG(1,("Failed to determine salting principal\n")); - ads_destroy(&ads); - return -1; + goto fail; } if ( createupn ) { @@ -1343,6 +1339,10 @@ int net_ads_join(int argc, const char **argv) ads_destroy(&ads); return 0; + +fail: + ads_destroy(&ads); + return -1; } /******************************************************************* |
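Review bot: The new `fail:` label in net_ads_join releases only `ads`; the talloc context created by `talloc_init("net_ads_join")` is not freed on any of the error paths that now jump there, and no release of it is visible on the success path either. The join handles the machine password through calls that take `ctx`, so leaving the context for process exit is worth avoiding even in a command-line tool. Provided `ctx` is initialised to NULL at its declaration (outside these hunks), the label can do `if (ctx) talloc_free(ctx);` before `ads_destroy(&ads);`, and the success path should release it the same way.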