1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

80 Commits

Author SHA1 Message Date
Jeremy Allison
6034ab521c s3: smbd: Ensure we always go via getgroups_unix_user() when creating an NT token.
This has to be done in every code path that creates
an NT token, as remote users may have been added to
the local /etc/group database. Tokens created merely
from the info3 structs (via the DC or via the krb5 PAC)
won't have these local groups.

https://bugzilla.samba.org/show_bug.cgi?id=10508

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-03-21 19:20:17 +01:00
Garming Sam
e23c7adb1a param: rename lp function and variable from 'guestaccount' to 'guest_account'
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:10 -08:00
Christian Ambach
6c2d6ada42 s3:auth small optimization in create_token_from_sid
save some calls to lp_idmap_default_range(), calling it
once is enough

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Feb  5 19:14:25 CET 2013 on sn-devel-104
2013-02-05 19:14:25 +01:00
Michael Adam
4e52fa7b73 s3:auth: use new lp_idmap_default_range() instead of lp_idmap_gid() in create_token_from_sid()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
2013-02-05 17:36:33 +01:00
Jeremy Allison
0f75d9274c s3:auth: Tidy up some of the API confusion in create_token_from_XXX() calls.
Based on Michaels example, split out the return of NT_STATUS_NO_MEMORY
on talloc fail from other possible errors. Allow the NTSTATUS return
to be the only valid indication of success in these calls.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 11 20:04:25 CET 2012 on sn-devel-104
2012-12-11 20:04:25 +01:00
Michael Adam
a20c47410f s3:auth: fix dereference level in talloc checks in create_token_from_sid()
Commit c5b150b33f introduced these checks.
The current check "found_username == NULL" is wrong (we would segfault earlier
in this case). We need to check *found_username == NULL instead as
noted by Günter.

Reported-by: Günter Kukkukk <linux@kukkukk.com>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-12-11 18:22:15 +01:00
Michael Adam
1d949cb0e5 s3:auth: fix function header comment for user_sid_in_group_sid()
This is embarrassing: the commit 0770a4c01b
which intended to fix an earlier copy'n'paste error, contained another
typo, fixed with this commit...

Signed-off-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
2012-12-11 00:04:45 +01:00
Michael Adam
c5b150b33f s3:auth: fix create_token_from_sid() to not fail in the winbindd case
Commit 1c3c5e2156 which factored
the sid-based variant out of create_token_from_username() broke
the case of a user handled by winbindd in that the "found_username"
was set to NULL which caused the function to fail with
NT_STATUS_NO_MEMORY further down.

This patch fixes the function so that the case of found_username == NULL
is cleanly separated from the NO_MEMORY case and the caller can provide
the username in this case, if required.

This fixes bug #9457.

Signed-off-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
2012-12-10 18:18:54 +01:00
Michael Adam
0770a4c01b s3:auth: fix header comment for user_sid_in_group_sid()
This function was created in 1c3c5e2156
and the header comment contained copy'n'paste errors from the original
function user_in_group_sid() that took the user name.

Signed-off-by: Michael Adam <obnox@samba.org>
2012-12-10 16:34:22 +01:00
Christian Ambach
99b5c75974 s3:auth fix a compiler warning 2012-09-16 11:50:11 -07:00
Andrew Bartlett
1c3c5e2156 s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
When a user owns a file, but does not have specific permissions on that file, we need to
make up the user permissions.  This change ensures that the first thing that we do
is to look up the SID, and confirm it is a user.  Then, we avoid the getpwnam()
and directly create the token via the SID.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-08-10 14:38:47 -07:00
Michael Adam
1ee95e4cb1 s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam()
This does not check whether the given sid is in our domain, but
but whether it belongs to the local sam, which is a different
thing on a domain member server.

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12 18:36:02 +02:00
Jelmer Vernooij
43f275008f lib/util: Remove dummy wrapper for getpwuid(). 2012-03-24 15:25:05 +01:00
Jelmer Vernooij
818e0722e1 lib/util: Remove dummy wrapper for getpwnam(). 2012-03-24 15:24:15 +01:00
Günther Deschner
06aec034ae s3-auth: token_util needs system/passwd.h.
Guenther
2011-10-14 12:07:23 +02:00
Andrew Bartlett
e244319599 s3-auth Add const to indicate input elements
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Andrew Bartlett
ad0a07c531 s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_P isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
3d15137653 s3-talloc Change TALLOC_ARRAY() to talloc_array()
Using the standard macro makes it easier to move code into common, as
TALLOC_ARRAY isn't standard talloc.
2011-06-09 12:40:08 +02:00
Günther Deschner
58db720e27 s3-auth: run minimal_includes.pl
Guenther
2011-05-05 02:05:26 +02:00
Günther Deschner
c2d6260f10 s3: only include lib/privileges.h where needed.
This finally removes the global lsa.h inclusion.

Guenther
2011-03-30 01:13:10 +02:00
Günther Deschner
7e73214ebf s3-auth: use auth.h where needed.
Guenther
2011-03-30 01:13:09 +02:00
Günther Deschner
235f148590 s3-passdb: use passdb headers where needed.
Guenther
2011-03-30 01:13:08 +02:00
Günther Deschner
03e6082e3c s3: create_builtin_users/administrators belongs to passdb not auth.
Guenther
2011-03-30 01:13:07 +02:00
Günther Deschner
d85f140826 s3-winbind: remove global inclusion of libwbclient.
Guenther
2011-03-30 01:13:06 +02:00
Günther Deschner
64421129b6 lib/util/util_pw: share sys_get{pw,gr} group of calls.
Guenther
2011-03-30 01:13:06 +02:00
Volker Lendecke
16b007c223 Quite some callers of sid_split_rid do not care about the rid 2011-03-10 18:48:34 +01:00
Stefan Metzmacher
d7fa349052 s3:auth: change num_groups to from size_t to uint32_t
This will help with the change from UNIX_USER_TOKEN to security_unix_token

metze
2011-02-22 16:20:11 +11:00
Jeremy Allison
e1cfca1e2e Make getpwnam_alloc() static to lib/username.c, and ensure all username lookups go
through Get_Pwnam_alloc(), which is the correct wrapper function. We were using
it *some* of the time anyway, so this just makes us properly consistent.

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Oct 20 16:02:12 UTC 2010 on sn-devel-104
2010-10-20 16:02:12 +00:00
Andrew Bartlett
170b345e0c s3-auth Use security_token_debug() from common code
This prints the security token including the privileges as strings
instead of just a bitmap.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14 02:35:04 +00:00
Andrew Bartlett
58cf83732a s3-auth use security_token_has_sid() from the common code
The wrapper call is left here to avoid changing semantics for
the NULL parameter case.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14 02:35:04 +00:00
Andrew Bartlett
f768b32e37 libcli/security Provide a common, top level libcli/security/security.h
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.

This includes (along with other security headers) dom_sid.h and
security_token.h

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 05:54:10 +00:00
Volker Lendecke
86919606c7 s3: Remove talloc_autofree_context() from get_root_nt_token()
The memcache_add_talloc() later on steals it anyway
2010-09-26 03:29:27 +02:00
Volker Lendecke
e4591eb8c1 s3: Fix a typo 2010-09-25 15:45:09 -07:00
Günther Deschner
4dbd743e46 s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions.
Guenther
2010-09-20 14:04:37 -07:00
Andrew Bartlett
2387e3bcfe s3-privs Call security_token_set_privilege() rather than manual assignment
This avoids as much direct modifiction of the bitmask as possible.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:09 +10:00
Andrew Bartlett
b29b6c13a3 s3-privs Inline dump_se_priv into callers now that it's just a uint64_t
The previous 128 bit structure needed this helper function.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:07 +10:00
Andrew Bartlett
d1bb21b0d5 s3:auth Remove NT_USER_TOKEN
The all UPPER case typedef is no longer the preferred Samba style
and this makes it easier to see that this is the IDL-derivied structure

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:06 +10:00
Andrew Bartlett
4bfc8d3b1a s3-auth Change struct nt_user_token -> struct security_token
This common structure is defined in security.idl

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:05 +10:00
Andrew Bartlett
4bf783d4d6 s3-auth Change type of num_sids to uint32_t
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.

This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:05 +10:00
Andrew Bartlett
eee63b7e75 s3-auth Rename NT_USER_TOKEN privileges -> privilege_mask
This is closer to the struct security_token from security.idl

Andrew Bartlett
2010-08-31 11:25:41 +10:00
Andrew Bartlett
8c15cf54ae s3-auth Rename NT_USER_TOKEN user_sids -> sids
This is closer to the struct security_token from security.idl
2010-08-31 10:20:14 +10:00
Günther Deschner
aba1bf4b5e s3-build: only include memcache.h where needed.
Guenther
2010-08-26 00:20:28 +02:00
Günther Deschner
0f8e032628 s3-netlogon: remove global include of netlogon.h.
This reduces precompiled headers by another 4 MB and also slightly speeds up the
build.

Guenther
2010-08-06 15:46:16 +02:00
Günther Deschner
c136b84f0d s3-secrets: only include secrets.h when needed.
Guenther
2010-08-05 10:12:25 +02:00
Volker Lendecke
c186f92437 s3: [ug]id_to_unix_... can not fail
Remove some silly failure checks
2010-07-11 17:33:34 +02:00
Simo Sorce
aa1a3cbad2 s3:auth create nt token from info3 directly
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07 22:53:07 +10:00
Andrew Bartlett
cba7f8b827 s3:dom_sid Global replace of DOM_SID with struct dom_sid
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 10:39:59 +02:00
Günther Deschner
ca73e03eb7 security: merge builtin rid tables.
Guenther
2010-05-18 00:44:26 +02:00
Günther Deschner
3b529d50be s3-rpc_misc: clean out include/rpc_misc.h.
Well known rids don't really belong into an rpc header, just use the ones
defined in security.idl.

Guenther
2010-05-18 00:44:26 +02:00
Volker Lendecke
7ba21a339c s3: Move user_in_group() and create_token_from_username() to token_utils.c
Goal is to be able to call check_sam_security from winbind
2010-04-11 22:59:45 +02:00