mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00

s3:smbd: Remove NIS support

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider 2021-04-20 17:59:34 +02:00 committed by Jeremy Allison
parent 622e84cfca
commit edda7a329e
9 changed files with 30 additions and 345 deletions


@ -736,10 +736,6 @@ sub provision_ad_member
path = $share_dir
valid users = \"+$dcvars->{DOMAIN}/domain users\"
[valid_users_nis_group]
path = $share_dir
valid users = \"&$dcvars->{DOMAIN}/domain users\"
[valid_users_unix_nis_group]
path = $share_dir
valid users = \"+&$dcvars->{DOMAIN}/domain users\"


@ -24,19 +24,6 @@
#include "auth.h"
#include "lib/gencache.h"
#ifdef HAVE_NETGROUP
/* rpc/xdr.h uses TRUE and FALSE */
#ifdef TRUE
#undef TRUE
#endif
#ifdef FALSE
#undef FALSE
#endif
#include "system/nis.h"
#endif
/*******************************************************************
Map a username from a dos name to a unix name by looking in the username
map. Note that this modifies the name in place.
@ -142,141 +129,44 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char
}
/****************************************************************************
Check if a user is in a netgroup user list. If at first we don't succeed,
try lower case.
****************************************************************************/
Check if a user is in a user list
bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
{
#ifdef HAVE_NETGROUP
static char *my_yp_domain = NULL;
char *lowercase_user = NULL;
We removed NIS support in 2021, but need to keep configs working.
if (my_yp_domain == NULL) {
yp_get_default_domain(&my_yp_domain);
}
if (my_yp_domain == NULL) {
DEBUG(5,("Unable to get default yp domain, "
"let's try without specifying it\n"));
}
DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
user, my_yp_domain?my_yp_domain:"(ANY)", ngname));
if (innetgr(ngname, NULL, user, my_yp_domain)) {
DEBUG(5,("user_in_netgroup: Found\n"));
return true;
}
/*
* Ok, innetgr is case sensitive. Try once more with lowercase
* just in case. Attempt to fix #703. JRA.
*/
lowercase_user = talloc_strdup(ctx, user);
if (!lowercase_user) {
return false;
}
if (!strlower_m(lowercase_user)) {
return false;
}
if (strcmp(user,lowercase_user) == 0) {
/* user name was already lower case! */
return false;
}
DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
lowercase_user, my_yp_domain?my_yp_domain:"(ANY)", ngname));
if (innetgr(ngname, NULL, lowercase_user, my_yp_domain)) {
DEBUG(5,("user_in_netgroup: Found\n"));
return true;
}
#endif /* HAVE_NETGROUP */
return false;
}
/****************************************************************************
Check if a user is in a user list - can check combinations of UNIX
and netgroup lists.
TOOD FIXME: Remove this funciton
****************************************************************************/
bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
{
if (!list || !*list)
return False;
DEBUG(10,("user_in_list: checking user %s in list\n", user));
if (list == NULL || *list == NULL) {
return false;
}
DBG_DEBUG("Checking user %s in list\n", user);
while (*list) {
const char *p = *list;
bool ok;
DEBUG(10,("user_in_list: checking user |%s| against |%s|\n",
user, *list));
/* Check raw username */
if (strequal(user, p)) {
return true;
}
/*
* Check raw username.
*/
if (strequal(user, *list))
return(True);
while (*p == '@' || *p == '&' || *p == '+') {
p++;
}
/*
* Now check to see if any combination
* of UNIX and netgroups has been specified.
*/
if(**list == '@') {
/*
* Old behaviour. Check netgroup list
* followed by UNIX list.
*/
if(user_in_netgroup(ctx, user, *list +1))
return True;
if(user_in_group(user, *list +1))
return True;
} else if (**list == '+') {
if((*(*list +1)) == '&') {
/*
* Search UNIX list followed by netgroup.
*/
if(user_in_group(user, *list +2))
return True;
if(user_in_netgroup(ctx, user, *list +2))
return True;
} else {
/*
* Just search UNIX list.
*/
if(user_in_group(user, *list +1))
return True;
}
} else if (**list == '&') {
if(*(*list +1) == '+') {
/*
* Search netgroup list followed by UNIX list.
*/
if(user_in_netgroup(ctx, user, *list +2))
return True;
if(user_in_group(user, *list +2))
return True;
} else {
/*
* Just search netgroup list.
*/
if(user_in_netgroup(ctx, user, *list +1))
return True;
}
ok = user_in_group(user, p);
if (ok) {
return true;
}
list++;
}
return(False);
return false;
}
bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out)
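Review bot: In the rewritten `user_in_list()` loop, `user_in_group(user, p)` appears to run for every entry, including entries with no `@`, `&` or `+` prefix, whereas the removed code only consulted groups when a prefix was present. A bare entry meant as a user name would therefore also match every member of a UNIX group with the same name, which widens whatever decision the list feeds (the callers are not visible here). If that is not intended, skip the group lookup when nothing was stripped, e.g. `if (p == *list) { list++; continue; }` right after the prefix-skipping `while`. The new header comment also reads `TOOD FIXME: Remove this funciton`; `TODO FIXME: Remove this function` would keep it greppable.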


@ -6,7 +6,7 @@ bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL',
bld.SAMBA3_SUBSYSTEM('USER_UTIL',
source='user_util.c',
deps='TOKEN_UTIL tirpc nsl')
deps='TOKEN_UTIL')
bld.SAMBA3_SUBSYSTEM('AUTH_COMMON',
source='''auth_util.c


@ -96,10 +96,6 @@
#include <langinfo.h>
#endif
#ifdef HAVE_NETGROUP_H
#include <netgroup.h>
#endif
/* Special macros that are no-ops except when run under Valgrind on
* x86. They've moved a little bit from valgrind 1.0.4 to 1.9.4 */
#ifdef HAVE_VALGRIND_MEMCHECK_H


@ -46,43 +46,6 @@
/* Max allowable allococation - 256mb - 0x10000000 */
#define MAX_ALLOC_SIZE (1024*1024*256)
#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT))
/* rpc/xdr.h uses TRUE and FALSE */
#ifdef TRUE
#undef TRUE
#endif
#ifdef FALSE
#undef FALSE
#endif
#include "system/nis.h"
#ifdef WITH_NISPLUS_HOME
#ifdef BROKEN_NISPLUS_INCLUDE_FILES
/*
* The following lines are needed due to buggy include files
* in Solaris 2.6 which define GROUP in both /usr/include/sys/acl.h and
* also in /usr/include/rpcsvc/nis.h. The definitions conflict. JRA.
* Also GROUP_OBJ is defined as 0x4 in /usr/include/sys/acl.h and as
* an enum in /usr/include/rpcsvc/nis.h.
*/
#if defined(GROUP)
#undef GROUP
#endif
#if defined(GROUP_OBJ)
#undef GROUP_OBJ
#endif
#endif /* BROKEN_NISPLUS_INCLUDE_FILES */
#include <rpcsvc/nis.h>
#endif /* WITH_NISPLUS_HOME */
#endif /* HAVE_NETGROUP && WITH_AUTOMOUNT */
static enum protocol_types Protocol = PROTOCOL_COREPLUS;
enum protocol_types get_Protocol(void)
@ -598,133 +561,6 @@ char *get_mydnsdomname(TALLOC_CTX *ctx)
}
}
#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT))
/******************************************************************
Remove any mount options such as -rsize=2048,wsize=2048 etc.
Based on a fix from <Thomas.Hepper@icem.de>.
Returns a malloc'ed string.
*******************************************************************/
static char *strip_mount_options(TALLOC_CTX *ctx, const char *str)
{
if (*str == '-') {
const char *p = str;
while(*p && !isspace(*p))
p++;
while(*p && isspace(*p))
p++;
if(*p) {
return talloc_strdup(ctx, p);
}
}
return NULL;
}
/*******************************************************************
Patch from jkf@soton.ac.uk
Split Luke's automount_server into YP lookup and string splitter
so can easily implement automount_path().
Returns a malloc'ed string.
*******************************************************************/
#ifdef WITH_NISPLUS_HOME
char *automount_lookup(TALLOC_CTX *ctx, const char *user_name)
{
const struct loadparm_substitution *lp_sub =
loadparm_s3_global_substitution();
char *value = NULL;
char *nis_map = (char *)lp_homedir_map(talloc_tos(), lp_sub);
char buffer[NIS_MAXATTRVAL + 1];
nis_result *result;
nis_object *object;
entry_obj *entry;
snprintf(buffer, sizeof(buffer), "[key=%s],%s", user_name, nis_map);
DEBUG(5, ("NIS+ querystring: %s\n", buffer));
if (result = nis_list(buffer, FOLLOW_PATH|EXPAND_NAME|HARD_LOOKUP, NULL, NULL)) {
if (result->status != NIS_SUCCESS) {
DEBUG(3, ("NIS+ query failed: %s\n", nis_sperrno(result->status)));
} else {
object = result->objects.objects_val;
if (object->zo_data.zo_type == ENTRY_OBJ) {
entry = &object->zo_data.objdata_u.en_data;
DEBUG(5, ("NIS+ entry type: %s\n", entry->en_type));
DEBUG(3, ("NIS+ result: %s\n", entry->en_cols.en_cols_val[1].ec_value.ec_value_val));
value = talloc_strdup(ctx,
entry->en_cols.en_cols_val[1].ec_value.ec_value_val);
if (!value) {
nis_freeresult(result);
return NULL;
}
value = talloc_string_sub(ctx,
value,
"&",
user_name);
}
}
}
nis_freeresult(result);
if (value) {
value = strip_mount_options(ctx, value);
DEBUG(4, ("NIS+ Lookup: %s resulted in %s\n",
user_name, value));
}
return value;
}
#else /* WITH_NISPLUS_HOME */
char *automount_lookup(TALLOC_CTX *ctx, const char *user_name)
{
const struct loadparm_substitution *lp_sub =
loadparm_s3_global_substitution();
char *value = NULL;
int nis_error; /* returned by yp all functions */
char *nis_result; /* yp_match inits this */
int nis_result_len; /* and set this */
char *nis_domain; /* yp_get_default_domain inits this */
char *nis_map = lp_homedir_map(talloc_tos(), lp_sub);
if ((nis_error = yp_get_default_domain(&nis_domain)) != 0) {
DEBUG(3, ("YP Error: %s\n", yperr_string(nis_error)));
return NULL;
}
DEBUG(5, ("NIS Domain: %s\n", nis_domain));
if ((nis_error = yp_match(nis_domain, nis_map, user_name,
strlen(user_name), &nis_result,
&nis_result_len)) == 0) {
if (nis_result_len > 0 && nis_result[nis_result_len] == '\n') {
nis_result[nis_result_len] = '\0';
}
value = talloc_strdup(ctx, nis_result);
if (!value) {
return NULL;
}
value = strip_mount_options(ctx, value);
} else if(nis_error == YPERR_KEY) {
DEBUG(3, ("YP Key not found: while looking up \"%s\" in map \"%s\"\n",
user_name, nis_map));
DEBUG(3, ("using defaults for server and home directory\n"));
} else {
DEBUG(3, ("YP Error: \"%s\" while looking up \"%s\" in map \"%s\"\n",
yperr_string(nis_error), user_name, nis_map));
}
if (value) {
DEBUG(4, ("YP Lookup: %s resulted in %s\n", user_name, value));
}
return value;
}
#endif /* WITH_NISPLUS_HOME */
#endif
bool process_exists(const struct server_id pid)
{
return serverid_exists(&pid);


@ -682,15 +682,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.machine_password_timeout = 60 * 60 * 24 * 7; /* 7 days default. */
Globals.lm_announce = Auto; /* = Auto: send only if LM clients found */
Globals.lm_interval = 60;
#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT))
Globals.nis_homedir = false;
#ifdef WITH_NISPLUS_HOME
lpcfg_string_set(Globals.ctx, &Globals.homedir_map,
"auto_home.org_dir");
#else
lpcfg_string_set(Globals.ctx, &Globals.homedir_map, "auto.home");
#endif
#endif
Globals.time_server = false;
Globals.bind_interfaces_only = false;
Globals.unix_password_sync = false;


@ -1874,19 +1874,6 @@ EOF
return 1
fi
# User not in NIS group in "valid users" can't login to service
cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"
out=`eval $cmd`
echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
ret=$?
if [ $ret -ne 0 ] ; then
echo "$out"
echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret"
return 1
fi
# Check user in UNIX, then in NIS group in "valid users" can login to service
cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"


@ -25,23 +25,21 @@
#include "auth.h"
/*
* No prefix means direct username
* @name means netgroup first, then unix group
* &name means netgroup
* +name means unix group
* + and & may be combined
* We dropped NIS support in 2021, but need to keep configs working.
*
* TODO FIXME: Remove me in future
*/
static bool do_group_checks(const char **name, const char **pattern)
{
if ((*name)[0] == '@') {
*pattern = "&+";
*pattern = "+";
*name += 1;
return True;
}
if (((*name)[0] == '+') && ((*name)[1] == '&')) {
*pattern = "+&";
*pattern = "+";
*name += 2;
return True;
}
@ -53,13 +51,13 @@ static bool do_group_checks(const char **name, const char **pattern)
}
if (((*name)[0] == '&') && ((*name)[1] == '+')) {
*pattern = "&+";
*pattern = "+";
*name += 2;
return True;
}
if ((*name)[0] == '&') {
*pattern = "&";
*pattern = "+";
*name += 1;
return True;
}
@ -147,11 +145,6 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
continue;
}
if (*prefix == '&') {
if (username) {
if (user_in_netgroup(mem_ctx, username, name)) {
return True;
}
}
continue;
}
smb_panic("got invalid prefix from do_groups_check");
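Review bot: `do_group_checks()` now maps every `@name`, `&name`, `+&name` and `&+name` entry to the UNIX-group pattern `"+"` without telling the administrator, so an entry that used to name a NIS netgroup silently starts matching a same-named UNIX group, or nothing at all. For a deny-style list that is a quiet loss of a restriction, and for an allow-style list a possible widening of access. A warning in the branches that consume a `&` would make the change visible in the logs, e.g. `DBG_WARNING("NIS netgroup syntax in '%s' is no longer supported, treating it as a UNIX group\n", *name);` placed before `*name` is advanced. The `*prefix == '&'` branch left in `token_contains_name()` also looks unreachable now that no pattern contains `&`; both functions continue outside the hunks shown, so this should be confirmed against the full file.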


@ -141,7 +141,6 @@ def configure(conf):
conf.CHECK_FUNCS('lutimes utimensat futimens')
conf.CHECK_FUNCS('mlock munlock mlockall munlockall')
conf.CHECK_FUNCS('memalign posix_memalign hstrerror')
conf.CHECK_FUNCS_IN('yp_get_default_domain', 'nsl')
conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv')
conf.CHECK_FUNCS_IN('dn_expand', 'inet')
conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h')
@ -631,9 +630,6 @@ msg.msg_accrightslen = sizeof(fd);
headers='unistd.h sys/types.h dirent.h',
define='HAVE_DIRENT_D_OFF')
if (conf.CONFIG_SET('HAVE_YP_GET_DEFAULT_DOMAIN')):
conf.DEFINE('HAVE_NETGROUP', '1')
# Look for CUPS
if Options.options.with_cups:
conf.find_program('cups-config', var='CUPS_CONFIG')