summaryrefslogtreecommitdiffstats
path: root/source/auth
diff options
context:
space:
mode:
Diffstat (limited to 'source/auth')
-rw-r--r--source/auth/auth_util.c56
1 files changed, 25 insertions, 31 deletions
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 5298560ba43..67fe508721d 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -29,7 +29,6 @@
static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
- const DOM_SID *group_sid,
BOOL is_guest,
int num_groupsids,
const DOM_SID *groupsids);
@@ -509,7 +508,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
uid_to_sid(&u_sid, pw->pw_uid);
gid_to_sid(&g_sid, pw->pw_gid);
- token = create_local_nt_token(NULL, &u_sid, &g_sid, False,
+ token = create_local_nt_token(NULL, &u_sid, False,
1, &global_sid_Builtin_Administrators);
return token;
}
@@ -803,7 +802,6 @@ static NTSTATUS create_builtin_administrators( void )
static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
- const DOM_SID *group_sid,
BOOL is_guest,
int num_groupsids,
const DOM_SID *groupsids)
@@ -830,8 +828,12 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
add_sid_to_array(result, user_sid,
&result->user_sids, &result->num_sids);
- add_sid_to_array(result, group_sid,
- &result->user_sids, &result->num_sids);
+
+ /* For guest, num_groupsids may be zero. */
+ if (num_groupsids) {
+ add_sid_to_array(result, &groupsids[0],
+ &result->user_sids, &result->num_sids);
+ }
/* Add in BUILTIN sids */
@@ -850,9 +852,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
/* Now the SIDs we got from authentication. These are the ones from
* the info3 struct or from the pdb_enum_group_memberships, depending
- * on who authenticated the user. */
+ * on who authenticated the user.
+ * Note that we start the for loop at "1" here, we already added the
+ * first group sid as primary above. */
- for (i=0; i<num_groupsids; i++) {
+ for (i=1; i<num_groupsids; i++) {
add_sid_to_array_unique(result, &groupsids[i],
&result->user_sids, &result->num_sids);
}
@@ -955,8 +959,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
return NT_STATUS_NO_MEMORY;
}
- if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
- server_info->was_mapped) {
+ if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+ (server_info->was_mapped)) {
status = create_token_from_username(server_info,
server_info->unix_name,
server_info->guest,
@@ -969,7 +973,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
server_info->ptok = create_local_nt_token(
server_info,
pdb_get_user_sid(server_info->sam_account),
- pdb_get_group_sid(server_info->sam_account),
server_info->guest,
server_info->num_sids, server_info->sids);
status = server_info->ptok ?
@@ -1072,7 +1075,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
/* This is a passdb user, so ask passdb */
struct samu *sam_acct = NULL;
- const DOM_SID *gr_sid = NULL;
if ( !(sam_acct = samu_new( tmp_ctx )) ) {
result = NT_STATUS_NO_MEMORY;
@@ -1086,20 +1088,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto unix_user;
}
- gr_sid = pdb_get_group_sid(sam_acct);
- if (!gr_sid) {
- goto unix_user;
- }
-
- sid_copy(&primary_group_sid, gr_sid);
-
- if (!sid_to_gid(&primary_group_sid, gid)) {
- DEBUG(1, ("sid_to_gid(%s) failed\n",
- sid_string_static(&primary_group_sid)));
- DEBUGADD(1, ("Fall back to unix user %s\n", username));
- goto unix_user;
- }
-
result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
&group_sids, &gids,
&num_group_sids);
@@ -1110,6 +1098,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto unix_user;
}
+ /* see the smb_panic() in pdb_default_enum_group_memberships */
+ SMB_ASSERT(num_group_sids > 0);
+
+ *gid = gids[0];
*found_username = talloc_strdup(mem_ctx,
pdb_get_username(sam_acct));
@@ -1138,9 +1130,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto done;
}
- *gid = pass->pw_gid;
- gid_to_sid(&primary_group_sid, pass->pw_gid);
-
if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
&gids, &num_group_sids)) {
DEBUG(1, ("getgroups_unix_user for user %s failed\n",
@@ -1158,6 +1147,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
for (i=0; i<num_group_sids; i++) {
gid_to_sid(&group_sids[i], gids[i]);
}
+
+ /* In getgroups_unix_user we always set the primary gid */
+ SMB_ASSERT(num_group_sids > 0);
+
+ *gid = gids[0];
*found_username = talloc_strdup(mem_ctx, pass->pw_name);
} else {
@@ -1181,13 +1175,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto done;
}
- num_group_sids = 0;
- group_sids = NULL;
+ num_group_sids = 1;
+ group_sids = &primary_group_sid;
*found_username = talloc_strdup(mem_ctx, username);
}
- *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid,
+ *token = create_local_nt_token(mem_ctx, &user_sid,
is_guest, num_group_sids, group_sids);
if ((*token == NULL) || (*found_username == NULL)) {