mirror of
https://github.com/samba-team/samba.git
synced 2024-12-27 03:21:53 +03:00
Machines are people too!
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett
This commit is contained in:
parent
fac9e6d712
commit
6a9bbd1da3
@ -112,7 +112,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
|
||||
goto done;
|
||||
}
|
||||
|
||||
rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
|
||||
rc = ads_search_retry(ads, &res, "(objectClass=user)", attrs);
|
||||
if (!ADS_ERR_OK(rc) || !res) {
|
||||
DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
|
||||
goto done;
|
||||
|
@ -152,18 +152,13 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
|
||||
occur in Universal groups on a Windows 2000 native mode
|
||||
server. */
|
||||
|
||||
if (name_types[i] != SID_NAME_USER) {
|
||||
/* make sure to allow machine accounts */
|
||||
|
||||
if (name_types[i] != SID_NAME_USER && name_types[i] != SID_NAME_COMPUTER) {
|
||||
DEBUG(3, ("name %s isn't a domain user\n", the_name));
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Don't bother with machine accounts */
|
||||
|
||||
if (the_name[strlen(the_name) - 1] == '$') {
|
||||
DEBUG(10, ("%s is machine account\n", the_name));
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Append domain name */
|
||||
|
||||
fill_domain_username(name, domain->name, the_name);
|
||||
|
@ -37,7 +37,8 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
|
||||
char *full_name, struct winbindd_pw *pw)
|
||||
{
|
||||
fstring output_username;
|
||||
pstring homedir;
|
||||
char *homedir;
|
||||
char *shell;
|
||||
fstring sid_string;
|
||||
|
||||
if (!pw || !dom_name || !user_name)
|
||||
@ -72,17 +73,25 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
|
||||
shell. */
|
||||
|
||||
/* The substitution of %U and %D in the 'template homedir' is done
|
||||
by lp_string() calling standard_sub_basic(). */
|
||||
by alloc_sub_specified() below. */
|
||||
|
||||
fstrcpy(current_user_info.smb_name, user_name);
|
||||
sub_set_smb_name(user_name);
|
||||
fstrcpy(current_user_info.domain, dom_name);
|
||||
|
||||
pstrcpy(homedir, lp_template_homedir());
|
||||
homedir = alloc_sub_specified(lp_template_homedir(), user_name, dom_name, pw->pw_uid, pw->pw_gid);
|
||||
|
||||
if (!homedir)
|
||||
return False;
|
||||
|
||||
safe_strcpy(pw->pw_dir, homedir, sizeof(pw->pw_dir) - 1);
|
||||
|
||||
safe_strcpy(pw->pw_shell, lp_template_shell(),
|
||||
SAFE_FREE(homedir);
|
||||
|
||||
shell = alloc_sub_specified(lp_template_shell(), user_name, dom_name, pw->pw_uid, pw->pw_gid);
|
||||
|
||||
if (!shell)
|
||||
return False;
|
||||
|
||||
safe_strcpy(pw->pw_shell, shell,
|
||||
sizeof(pw->pw_shell) - 1);
|
||||
|
||||
/* Password - set to "x" as we can't generate anything useful here.
|
||||
@ -149,15 +158,13 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
|
||||
return WINBINDD_ERROR;
|
||||
}
|
||||
|
||||
if (name_type != SID_NAME_USER) {
|
||||
if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) {
|
||||
DEBUG(1, ("name '%s' is not a user name: %d\n", name_user,
|
||||
name_type));
|
||||
return WINBINDD_ERROR;
|
||||
}
|
||||
|
||||
/* Get some user info. Split the user rid from the sid obtained
|
||||
from the winbind_lookup_by_name() call and use it in a
|
||||
winbind_lookup_userinfo() */
|
||||
/* Get some user info. */
|
||||
|
||||
if (!(mem_ctx = talloc_init("winbindd_getpwnam([%s]\\[%s])",
|
||||
name_domain, name_user))) {
|
||||
@ -530,15 +537,6 @@ enum winbindd_result winbindd_getpwent(struct winbindd_cli_state *state)
|
||||
|
||||
name_list = ent->sam_entries;
|
||||
|
||||
/* Skip machine accounts */
|
||||
|
||||
if (name_list[ent->sam_entry_index].
|
||||
name[strlen(name_list[ent->sam_entry_index].name) - 1]
|
||||
== '$') {
|
||||
ent->sam_entry_index++;
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Lookup user info */
|
||||
|
||||
result = winbindd_fill_pwent(
|
||||
|
@ -201,7 +201,7 @@ void add_trusted_domains( struct winbindd_domain *domain )
|
||||
return;
|
||||
}
|
||||
|
||||
DEBUG(1, ("scanning trusted domain list\n"));
|
||||
DEBUG(5, ("scanning trusted domain list\n"));
|
||||
|
||||
if (!(mem_ctx = talloc_init("init_domain_list")))
|
||||
return;
|
||||
@ -365,10 +365,6 @@ BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
|
||||
{
|
||||
NTSTATUS result;
|
||||
TALLOC_CTX *mem_ctx;
|
||||
/* Don't bother with machine accounts */
|
||||
|
||||
if (name[strlen(name) - 1] == '$')
|
||||
return False;
|
||||
|
||||
mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
|
||||
if (!mem_ctx)
|
||||
|
@ -1678,8 +1678,8 @@ FN_GLOBAL_STRING(lp_abort_shutdown_script, &Globals.szAbortShutdownScript)
|
||||
FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
|
||||
FN_GLOBAL_STRING(lp_wins_partners, &Globals.szWINSPartners)
|
||||
FN_GLOBAL_STRING(lp_template_primary_group, &Globals.szTemplatePrimaryGroup)
|
||||
FN_GLOBAL_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
|
||||
FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
|
||||
FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
|
||||
FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
|
||||
FN_GLOBAL_CONST_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
|
||||
FN_GLOBAL_STRING(lp_acl_compatibility, &Globals.szAclCompat)
|
||||
FN_GLOBAL_BOOL(lp_winbind_enable_local_accounts, &Globals.bWinbindEnableLocalAccounts)
|
||||
|
Loading…
Reference in New Issue
Block a user