2024-12-23 17:34:34 +03:00 · 2006-08-21 20:04:01 +00:00 · 2006-08-21 20:04:01 +00:00 · c9f9c65050
commit c9f9c65050
parent e7a49f2b25
7 changed files with 30 additions and 96 deletions
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@ -195,7 +195,7 @@ NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
 	fstrcpy(map.nt_name, grpname);

 	if (pdb_rid_algorithm()) {
-		rid = pdb_gid_to_group_rid( grp->gr_gid );
+		rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
 	} else {
 		if (!pdb_new_rid(&rid)) {
 			DEBUG(3, ("Could not get a new RID for %s\n",
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@ -269,7 +269,7 @@ enum SID_NAME_USE {
 #define LOOKUP_NAME_REMOTE   2  /* Ask others */
 #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)

-#define LOOKUP_NAME_GROUP    4  /* This is a NASTY hack for valid users = @foo
+#define LOOKUP_NAME_GROUP    4  /* (unused) This is a NASTY hack for valid users = @foo
 				 * where foo also exists in as user. */

 /**
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@ -43,7 +43,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 	DOM_SID sid;
 	enum SID_NAME_USE type;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-	struct group *grp;

 	if (tmp_ctx == NULL) {
 		DEBUG(0, ("talloc_new failed\n"));
@ -126,63 +125,6 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 		return False;
 	}

-	/*
-	 * Nasty hack necessary for too common scenarios:
-	 *
-	 * For 'valid users = +users' we know "users" is most probably not
-	 * BUILTIN\users but the unix group users. This hack requires the
-	 * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
-	 *
-	 * Please note that LOOKUP_NAME_GROUP can not be requested via for
-	 * example lsa_lookupnames, it only comes into this routine via
-	 * the expansion of group names coming in from smb.conf
-	 */
-
-	if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) {
-
-		GROUP_MAP map;
-
-		if (pdb_getgrgid(&map, grp->gr_gid)) {
-			/* The hack gets worse. Handle the case where we have
-			 * 'force group = +unixgroup' but "unixgroup" has a
-			 * group mapping */
-
-			if (sid_check_is_in_builtin(&map.sid)) {
-				domain = talloc_strdup(
-					tmp_ctx, builtin_domain_name());
-			} else {
-				domain = talloc_strdup(
-					tmp_ctx, get_global_sam_name());
-			}
-
-			sid_copy(&sid, &map.sid);
-			type = map.sid_name_use;
-			goto ok;
-		}
-
-		/* If we are using the smbpasswd backend, we need to use the
-		 * algorithmic mapping for the unix group we find. This is
-		 * necessary because when creating the NT token from the unix
-		 * gid list we got from initgroups() we use gid_to_sid() that
-		 * uses algorithmic mapping if pdb_rid_algorithm() is true. */
-
-		if (pdb_rid_algorithm() &&
-		    (grp->gr_gid < max_algorithmic_gid())) {
-			domain = talloc_strdup(tmp_ctx, get_global_sam_name());
-			sid_compose(&sid, get_global_sam_sid(),
-				    pdb_gid_to_group_rid(grp->gr_gid));
-			type = SID_NAME_DOM_GRP;
-			goto ok;
-		}
-		
-		if (lookup_unix_group_name(name, &sid)) {
-			domain = talloc_strdup(tmp_ctx,
-					       unix_groups_domain_name());
-			type = SID_NAME_DOM_GRP;
-			goto ok;
-		}
-	}
-
 	/* Now the guesswork begins, we haven't been given an explicit
 	 * domain. Try the sequence as documented on
 	 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
@ -1186,14 +1128,9 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
 		goto done;
 	}

-	if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) {
-		sid_copy(psid, get_global_sam_sid());
-		sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid));
-		goto done;
-	} else {
-		uid_to_unix_users_sid(uid, psid);
-		goto done;
-	}
+	/* This is an unmapped user */
+
+	uid_to_unix_users_sid(uid, psid);

 done:
 	DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid,
@ -1228,16 +1165,10 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
 		/* This is a mapped group */
 		goto done;
 	}
+	
+	/* This is an unmapped group */

-	if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) {
-		sid_copy(psid, get_global_sam_sid());
-		sid_append_rid(psid, pdb_gid_to_group_rid(gid));
-		goto done;
-	} else {
-		sid_copy(psid, &global_sid_Unix_Groups);
-		sid_append_rid(psid, gid);
-		goto done;
-	}
+	uid_to_unix_groups_sid(gid, psid);

 done:
 	DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid,
@ -1283,14 +1214,9 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
 			*puid = id.uid;
 			goto done;
 		}
-		if (pdb_rid_algorithm() &&
-		    algorithmic_pdb_rid_is_user(rid)) {
-			*puid = algorithmic_pdb_user_rid_to_uid(rid);
-			goto done;
-		}

-		/* This was ours, but it was neither mapped nor
-		 * algorithmic. Fail */
+		/* This was ours, but it was not mapped.  Fail */
+
 		return False;
 	}

@ -1371,14 +1297,9 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 			*pgid = id.gid;
 			goto done;
 		}
-		if (pdb_rid_algorithm() &&
-		    !algorithmic_pdb_rid_is_user(rid)) {
-			/* This must be a group, presented as alias */
-			*pgid = pdb_group_rid_to_gid(rid);
-			goto done;
-		}
-		/* This was ours, but it was neither mapped nor
-		 * algorithmic. Fail. */
+
+		/* This was ours, but it was not mapped.  Fail */
+
 		return False;
 	}
 	
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@ -505,7 +505,7 @@ gid_t max_algorithmic_gid(void)
 there is not anymore a direct link between the gid and the rid.
 ********************************************************************/

-uint32 pdb_gid_to_group_rid(gid_t gid)
+uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
 {
 	int rid_offset = algorithmic_rid_base();
 	return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@ -604,7 +604,7 @@ static NTSTATUS pdb_default_create_dom_group(struct pdb_methods *methods,
 	}

 	if (pdb_rid_algorithm()) {
-		*rid = pdb_gid_to_group_rid( grp->gr_gid );
+		*rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
 	} else {
 		if (!pdb_new_rid(rid)) {
 			return NT_STATUS_ACCESS_DENIED;
--- a/source3/passdb/util_unixsids.c
+++ b/source3/passdb/util_unixsids.c
@ -42,6 +42,12 @@ BOOL uid_to_unix_users_sid(uid_t uid, DOM_SID *sid)
 	return sid_append_rid(sid, uid);
 }

+BOOL uid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)
+{
+	sid_copy(sid, &global_sid_Unix_Groups);
+	return sid_append_rid(sid, gid);
+}
+
 const char *unix_users_domain_name(void)
 {
 	return "Unix User";
--- a/source3/utils/net_groupmap.c
+++ b/source3/utils/net_groupmap.c
@ -289,7 +289,7 @@ static int net_groupmap_add(int argc, const char **argv)
 	if ( (rid == 0) && (string_sid[0] == '\0') ) {
 		d_printf("No rid or sid specified, choosing a RID\n");
 		if (pdb_rid_algorithm()) {
-			rid = pdb_gid_to_group_rid(gid);
+			rid = algorithmic_pdb_gid_to_group_rid(gid);
 		} else {
 			if (!pdb_new_rid(&rid)) {
 				d_printf("Could not get new RID\n");
@ -573,7 +573,14 @@ static int net_groupmap_set(int argc, const char **argv)
 		map.gid = grp->gr_gid;

 		if (opt_rid == 0) {
-			opt_rid = pdb_gid_to_group_rid(map.gid);
+			if ( pdb_rid_algorithm() )
+				opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
+			else {
+				if ( !pdb_new_rid((uint32*)&opt_rid) ) {
+					d_fprintf( stderr, "Could not allocate new RID\n");
+					return -1;
+				}
+			}
 		}

 		sid_copy(&map.sid, get_global_sam_sid());