1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00

Added some extra fields to the auth_serversupplied_info structure.

To obtain the full group membership of a user (i.e nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.

This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
(This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
This commit is contained in:
Tim Potter 2001-10-31 06:20:58 +00:00
parent eab05eac39
commit 6f0b8a38ec
8 changed files with 70 additions and 8 deletions

View File

@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
auth_serversupplied_info server_info; auth_serversupplied_info server_info;
AUTH_STR ourdomain, theirdomain, unix_username, smb_username, AUTH_STR ourdomain, theirdomain, unix_username, smb_username,
wksta_name; wksta_name;
NTSTATUS result;
ZERO_STRUCT(user_info); ZERO_STRUCT(user_info);
ZERO_STRUCT(ourdomain); ZERO_STRUCT(ourdomain);
@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
} }
return check_password(&user_info, &server_info); result = check_password(&user_info, &server_info);
free_serversupplied_info(&server_info); /* No info needed */
return result;
} }
NTSTATUS pass_check_smb(char *smb_user, char *unix_user, NTSTATUS pass_check_smb(char *smb_user, char *unix_user,
@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen)
return False; return False;
} }
/* Free a auth_serversupplied_info structure */
void free_serversupplied_info(auth_serversupplied_info *server_info)
{
SAFE_FREE(server_info->group_rids);
}

View File

@ -90,6 +90,11 @@ typedef struct serversupplied_info
/* This groups info is needed for when we become_user() for this uid */ /* This groups info is needed for when we become_user() for this uid */
int n_groups; int n_groups;
gid_t *groups; gid_t *groups;
/* NT group information taken from the info3 structure */
int n_rids;
uint32 *group_rids;
uchar session_key[16]; uchar session_key[16];

View File

@ -326,6 +326,7 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
status = cli_nt_login_network(&cli, user_info, smb_uid_low, status = cli_nt_login_network(&cli, user_info, smb_uid_low,
&ctr, &info3); &ctr, &info3);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("domain_client_validate: unable to validate password " DEBUG(0,("domain_client_validate: unable to validate password "
"for user %s in domain %s to Domain controller %s. " "for user %s in domain %s to Domain controller %s. "
@ -335,8 +336,28 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
} }
/* /*
* Here, if we really want it, we have lots of info about the user in info3. * Here, if we really want it, we have lots of info about the user
*/ * in info3.
*/
/* Store the user group information in the server_info returned to
the caller. */
if ((server_info->group_rids = malloc(info3.num_groups2 *
sizeof(uint32))) == NULL) {
DEBUG(1, ("out of memory allocating rid group membership\n"));
status = NT_STATUS_NO_MEMORY;
} else {
int i;
server_info->n_rids = info3.num_groups2;
for (i = 0; i < server_info->n_rids; i++) {
server_info->group_rids[i] = info3.gids[i].g_rid;
DEBUG(5, ("** adding group rid 0x%x\n",
info3.gids[i].g_rid));
}
}
#if 0 #if 0
/* /*

View File

@ -107,7 +107,9 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
DEBUG(10, ("fill_grent_mem(): processing name %s\n", DEBUG(10, ("fill_grent_mem(): processing name %s\n",
the_name)); the_name));
/* Only add domain users */ /* FIXME: need to cope with groups within groups. These
occur in Universal groups on a Windows 2000 native mode
server. */
if (name_types[i] != SID_NAME_USER) { if (name_types[i] != SID_NAME_USER) {
DEBUG(3, ("fill_grent_mem(): name %s isn't a domain " DEBUG(3, ("fill_grent_mem(): name %s isn't a domain "

View File

@ -141,6 +141,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
auth_dc, trust_passwd, auth_dc, trust_passwd,
last_change_time); last_change_time);
free_serversupplied_info(&server_info); /* No info needed */
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
} }
@ -218,6 +220,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
auth_dc, trust_passwd, auth_dc, trust_passwd,
last_change_time); last_change_time);
free_serversupplied_info(&server_info); /* No info needed */
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
} }

View File

@ -344,6 +344,9 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
NTSTATUS result = NT_STATUS_UNSUCCESSFUL; NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 i, total_names = 0; uint32 i, total_names = 0;
/* Step #1: Get a list of user rids that are the members of the
group. */
if (!(group_hnd = cm_get_sam_group_handle(domain->name, &domain->sid, if (!(group_hnd = cm_get_sam_group_handle(domain->name, &domain->sid,
group_rid))) group_rid)))
goto done; goto done;
@ -357,9 +360,10 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
if (!NT_STATUS_IS_OK(result)) if (!NT_STATUS_IS_OK(result))
goto done; goto done;
/* Convert list of rids into list of names. Do this in bunches of /* Step #2: Convert list of rids into list of usernames. Do this
~1000 to avoid crashing NT4. It looks like there is a buffer in bunches of ~1000 to avoid crashing NT4. It looks like there
overflow or something like that lurking around somewhere. */ is a buffer overflow or something like that lurking around
somewhere. */
if (!(dom_hnd = cm_get_sam_dom_handle(domain->name, &domain->sid))) if (!(dom_hnd = cm_get_sam_dom_handle(domain->name, &domain->sid)))
goto done; goto done;

View File

@ -595,6 +595,8 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
DEBUG(5, ("_net_logon_any: exited with status %s\n", DEBUG(5, ("_net_logon_any: exited with status %s\n",
get_nt_error_msg(nt_status))); get_nt_error_msg(nt_status)));
free_serversupplied_info(&server_info); /* No info needed */
return nt_status; return nt_status;
} }

View File

@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
auth_serversupplied_info server_info; auth_serversupplied_info server_info;
AUTH_STR ourdomain, theirdomain, unix_username, smb_username, AUTH_STR ourdomain, theirdomain, unix_username, smb_username,
wksta_name; wksta_name;
NTSTATUS result;
ZERO_STRUCT(user_info); ZERO_STRUCT(user_info);
ZERO_STRUCT(ourdomain); ZERO_STRUCT(ourdomain);
@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
} }
return check_password(&user_info, &server_info); result = check_password(&user_info, &server_info);
free_serversupplied_info(&server_info); /* No info needed */
return result;
} }
NTSTATUS pass_check_smb(char *smb_user, char *unix_user, NTSTATUS pass_check_smb(char *smb_user, char *unix_user,
@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen)
return False; return False;
} }
/* Free a auth_serversupplied_info structure */
void free_serversupplied_info(auth_serversupplied_info *server_info)
{
SAFE_FREE(server_info->group_rids);
}