2025-01-08 21:18:16 +03:00 · 2022-06-03 15:07:18 +02:00 · 2022-06-03 15:07:18 +02:00 · 87f5949434
commit 87f5949434
parent cdbd540b7c
5 changed files with 154 additions and 29 deletions
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@ -750,6 +750,10 @@ sub provision_ad_member
    path = $share_dir
    valid users = \"+$dcvars->{DOMAIN}/domain users\"

+[valid_users_nis_group]
+    path = $share_dir
+    valid users = \"&$dcvars->{DOMAIN}/domain users\"
+
 [valid_users_unix_nis_group]
    path = $share_dir
    valid users = \"+&$dcvars->{DOMAIN}/domain users\"
--- a/source3/auth/user_util.c
+++ b/source3/auth/user_util.c
@ -129,44 +129,141 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char
 }

 /****************************************************************************
- Check if a user is in a user list
+ Check if a user is in a netgroup user list. If at first we don't succeed,
+ try lower case.
+****************************************************************************/

- We removed NIS support in 2021, but need to keep configs working.
+bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
+{
+#ifdef HAVE_NETGROUP
+	char nis_domain_buf[256];
+	const char *nis_domain = NULL;
+	char *lowercase_user = NULL;

- TOOD FIXME: Remove this funciton
+	if (getdomainname(nis_domain_buf, sizeof(nis_domain_buf)) == 0) {
+		nis_domain = &nis_domain_buf[0];
+	} else {
+		DEBUG(5,("Unable to get default yp domain, "
+			"let's try without specifying it\n"));
+		nis_domain = NULL;
+	}
+
+	DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+		user, nis_domain ? nis_domain : "(ANY)", ngname));
+
+	if (innetgr(ngname, NULL, user, nis_domain)) {
+		DEBUG(5,("user_in_netgroup: Found\n"));
+		return true;
+	}
+
+	/*
+	 * Ok, innetgr is case sensitive. Try once more with lowercase
+	 * just in case. Attempt to fix #703. JRA.
+	 */
+	lowercase_user = talloc_strdup(ctx, user);
+	if (!lowercase_user) {
+		return false;
+	}
+	if (!strlower_m(lowercase_user)) {
+		return false;
+	}
+
+	if (strcmp(user,lowercase_user) == 0) {
+		/* user name was already lower case! */
+		return false;
+	}
+
+	DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+		lowercase_user, nis_domain ? nis_domain : "(ANY)", ngname));
+
+	if (innetgr(ngname, NULL, lowercase_user, nis_domain)) {
+		DEBUG(5,("user_in_netgroup: Found\n"));
+		return true;
+	}
+#endif /* HAVE_NETGROUP */
+	return false;
+}
+
+/****************************************************************************
+ Check if a user is in a user list - can check combinations of UNIX
+ and netgroup lists.
 ****************************************************************************/

 bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
 {
+	if (!list || !*list)
+		return False;

-	if (list == NULL || *list == NULL) {
-		return false;
-	}
-
-	DBG_DEBUG("Checking user %s in list\n", user);
+	DEBUG(10,("user_in_list: checking user %s in list\n", user));

 	while (*list) {
-		const char *p = *list;
-		bool ok;

-		/* Check raw username */
-		if (strequal(user, p)) {
-			return true;
-		}
+		DEBUG(10,("user_in_list: checking user |%s| against |%s|\n",
+			  user, *list));

-		while (*p == '@' || *p == '&' || *p == '+') {
-			p++;
-		}
+		/*
+		 * Check raw username.
+		 */
+		if (strequal(user, *list))
+			return(True);

-		ok = user_in_group(user, p);
-		if (ok) {
-			return true;
+		/*
+		 * Now check to see if any combination
+		 * of UNIX and netgroups has been specified.
+		 */
+
+		if(**list == '@') {
+			/*
+			 * Old behaviour. Check netgroup list
+			 * followed by UNIX list.
+			 */
+			if(user_in_netgroup(ctx, user, *list +1))
+				return True;
+			if(user_in_group(user, *list +1))
+				return True;
+		} else if (**list == '+') {
+
+			if((*(*list +1)) == '&') {
+				/*
+				 * Search UNIX list followed by netgroup.
+				 */
+				if(user_in_group(user, *list +2))
+					return True;
+				if(user_in_netgroup(ctx, user, *list +2))
+					return True;
+
+			} else {
+
+				/*
+				 * Just search UNIX list.
+				 */
+
+				if(user_in_group(user, *list +1))
+					return True;
+			}
+
+		} else if (**list == '&') {
+
+			if(*(*list +1) == '+') {
+				/*
+				 * Search netgroup list followed by UNIX list.
+				 */
+				if(user_in_netgroup(ctx, user, *list +2))
+					return True;
+				if(user_in_group(user, *list +2))
+					return True;
+			} else {
+				/*
+				 * Just search netgroup list.
+				 */
+				if(user_in_netgroup(ctx, user, *list +1))
+					return True;
+			}
 		}

 		list++;
 	}
-
-	return false;
+	return(False);
 }

 bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out)
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@ -1965,6 +1965,19 @@ EOF
       return 1
    fi

+    # User not in NIS group in "valid users" can't login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret"
+       return 1
+    fi
+
    # Check user in UNIX, then in NIS group in "valid users" can login to service
    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1'
    eval echo "$cmd"
--- a/source3/smbd/share_access.c
+++ b/source3/smbd/share_access.c
@ -26,21 +26,23 @@
 #include "source3/lib/substitute.h"

 /*
- * We dropped NIS support in 2021, but need to keep configs working.
- *
- * TODO FIXME: Remove me in future
+ * No prefix means direct username
+ * @name means netgroup first, then unix group
+ * &name means netgroup
+ * +name means unix group
+ * + and & may be combined
 */

 static bool do_group_checks(const char **name, const char **pattern)
 {
 	if ((*name)[0] == '@') {
-		*pattern = "+";
+		*pattern = "&+";
 		*name += 1;
 		return True;
 	}

 	if (((*name)[0] == '+') && ((*name)[1] == '&')) {
-		*pattern = "+";
+		*pattern = "+&";
 		*name += 2;
 		return True;
 	}
@ -52,13 +54,13 @@ static bool do_group_checks(const char **name, const char **pattern)
 	}

 	if (((*name)[0] == '&') && ((*name)[1] == '+')) {
-		*pattern = "+";
+		*pattern = "&+";
 		*name += 2;
 		return True;
 	}

 	if ((*name)[0] == '&') {
-		*pattern = "+";
+		*pattern = "&";
 		*name += 1;
 		return True;
 	}
@ -146,6 +148,11 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
 			continue;
 		}
 		if (*prefix == '&') {
+			if (username) {
+				if (user_in_netgroup(mem_ctx, username, name)) {
+					return True;
+				}
+			}
 			continue;
 		}
 		smb_panic("got invalid prefix from do_groups_check");
--- a/source3/wscript
+++ b/source3/wscript
@ -139,6 +139,7 @@ def configure(conf):
    conf.CHECK_FUNCS('lutimes utimensat futimens')
    conf.CHECK_FUNCS('mlock munlock mlockall munlockall')
    conf.CHECK_FUNCS('memalign posix_memalign hstrerror')
+    conf.CHECK_FUNCS('getdomainname')
    conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv')
    conf.CHECK_FUNCS_IN('dn_expand', 'inet')
    conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h')
@ -613,6 +614,9 @@ msg.msg_accrightslen = sizeof(fd);
                                headers='unistd.h sys/types.h dirent.h',
                                define='HAVE_DIRENT_D_OFF')

+    if (conf.CONFIG_SET('HAVE_GETDOMAINNAME')):
+        conf.DEFINE('HAVE_NETGROUP', '1')
+
    # Look for CUPS
    if Options.options.with_cups:
        conf.find_program('cups-config', var='CUPS_CONFIG')