Machines are people too!

While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.

This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.

This particular issue (bug 722) has started to come up a lot on the lists.

I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.

Andrew Bartlett

source/nsswitch/winbindd_ads.c

@@ -112,7 +112,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
 		goto done;
 	}
 
-	rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
+	rc = ads_search_retry(ads, &res, "(objectClass=user)", attrs);
 	if (!ADS_ERR_OK(rc) || !res) {
 		DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
 		goto done;

source/nsswitch/winbindd_group.c

@@ -152,15 +152,10 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
                    occur in Universal groups on a Windows 2000 native mode
                    server. */
 
-		if (name_types[i] != SID_NAME_USER) {
-			DEBUG(3, ("name %s isn't a domain user\n", the_name));
-			continue;
-		}
+		/* make sure to allow machine accounts */
 
-		/* Don't bother with machine accounts */
-		
-		if (the_name[strlen(the_name) - 1] == '$') {
-			DEBUG(10, ("%s is machine account\n", the_name));
+		if (name_types[i] != SID_NAME_USER && name_types[i] != SID_NAME_COMPUTER) {
+			DEBUG(3, ("name %s isn't a domain user\n", the_name));
 			continue;
 		}
 

source/nsswitch/winbindd_user.c

@@ -37,7 +37,8 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
 				char *full_name, struct winbindd_pw *pw)
 {
 	fstring output_username;
-	pstring homedir;
+	char *homedir;
+	char *shell;
 	fstring sid_string;
 	
 	if (!pw || !dom_name || !user_name)
@@ -72,24 +73,32 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
 	   shell. */
 	
 	/* The substitution of %U and %D in the 'template homedir' is done
-	   by lp_string() calling standard_sub_basic(). */
+	   by alloc_sub_specified() below. */
 
-	fstrcpy(current_user_info.smb_name, user_name);
-	sub_set_smb_name(user_name);
 	fstrcpy(current_user_info.domain, dom_name);
 
-	pstrcpy(homedir, lp_template_homedir());
+	homedir = alloc_sub_specified(lp_template_homedir(), user_name, dom_name, pw->pw_uid, pw->pw_gid);
+
+	if (!homedir)
+		return False;
 	
 	safe_strcpy(pw->pw_dir, homedir, sizeof(pw->pw_dir) - 1);
 	
-	safe_strcpy(pw->pw_shell, lp_template_shell(), 
+	SAFE_FREE(homedir);
+	
+	shell = alloc_sub_specified(lp_template_shell(), user_name, dom_name, pw->pw_uid, pw->pw_gid);
+
+	if (!shell)
+		return False;
+
+	safe_strcpy(pw->pw_shell, shell, 
 		    sizeof(pw->pw_shell) - 1);
 	
 	/* Password - set to "x" as we can't generate anything useful here.
 	   Authentication can be done using the pam_winbind module. */
 
 	safe_strcpy(pw->pw_passwd, "x", sizeof(pw->pw_passwd) - 1);
-	
+
 	return True;
 }
 
@@ -149,15 +158,13 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
 		return WINBINDD_ERROR;
 	}
 
-	if (name_type != SID_NAME_USER) {
+	if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) {
 		DEBUG(1, ("name '%s' is not a user name: %d\n", name_user, 
 			  name_type));
 		return WINBINDD_ERROR;
 	}
 	
-	/* Get some user info.  Split the user rid from the sid obtained
-	   from the winbind_lookup_by_name() call and use it in a
-	   winbind_lookup_userinfo() */
+	/* Get some user info. */
     
 	if (!(mem_ctx = talloc_init("winbindd_getpwnam([%s]\\[%s])", 
 					  name_domain, name_user))) {
@@ -530,15 +537,6 @@ enum winbindd_result winbindd_getpwent(struct winbindd_cli_state *state)
 
 		name_list = ent->sam_entries;
 
-		/* Skip machine accounts */
-
-		if (name_list[ent->sam_entry_index].
-		    name[strlen(name_list[ent->sam_entry_index].name) - 1] 
-		    == '$') {
-			ent->sam_entry_index++;
-			continue;
-		}
-
 		/* Lookup user info */
 		
 		result = winbindd_fill_pwent(

source/nsswitch/winbindd_util.c

@@ -201,7 +201,7 @@ void add_trusted_domains( struct winbindd_domain *domain )
 		return;
 	}
 
-	DEBUG(1, ("scanning trusted domain list\n"));
+	DEBUG(5, ("scanning trusted domain list\n"));
 
 	if (!(mem_ctx = talloc_init("init_domain_list")))
 		return;
@@ -365,10 +365,6 @@ BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
 {
 	NTSTATUS result;
         TALLOC_CTX *mem_ctx;
-	/* Don't bother with machine accounts */
-
-	if (name[strlen(name) - 1] == '$')
-		return False;
 
 	mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
 	if (!mem_ctx) 

source/param/loadparm.c

@@ -1678,8 +1678,8 @@ FN_GLOBAL_STRING(lp_abort_shutdown_script, &Globals.szAbortShutdownScript)
 FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
 FN_GLOBAL_STRING(lp_wins_partners, &Globals.szWINSPartners)
 FN_GLOBAL_STRING(lp_template_primary_group, &Globals.szTemplatePrimaryGroup)
-FN_GLOBAL_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
-FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
+FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
+FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
 FN_GLOBAL_CONST_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
 FN_GLOBAL_STRING(lp_acl_compatibility, &Globals.szAclCompat)
 FN_GLOBAL_BOOL(lp_winbind_enable_local_accounts, &Globals.bWinbindEnableLocalAccounts)