summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteven Danneman <steven.danneman@isilon.com>2009-02-27 08:35:18 -0800
committerKarolin Seeger <kseeger@samba.org>2009-03-27 13:06:51 +0100
commitf816072e3f8b92886b891a3101f4e50ffb727c6f (patch)
tree25656abe8c5a248e9805cd91c288aa7c183984c9
parent55af8687bcdddfb7295268f3c988a0b05ad8bf68 (diff)
downloadsamba-f816072e3f8b92886b891a3101f4e50ffb727c6f.tar.gz
s3: fix guest auth when winbindd is running
This fix is very subtle. If a server is configured with "security = share" and "guest ok = yes" and winbindd is running authorization will fail during tree connect. This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid through sid_to_uid(). Winbindd is unaware of the hard coded mapping between this sid and whatever uid the name in lp_guestaccount() is assigned. So sid_to_uid() fails and we exit create_token_from_username() without ever calling pdb_getsampwsid() which IS aware of the hard coded mapping. This patch just reorganizes the code, moving sid_to_uid() down to the block of code in which it is needed, avoiding this early failure. (cherry picked from commit 671812696217fe1337562b661d5131be79797f1c)
-rw-r--r--source/auth/auth_util.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 939fbeefebb..f3075aca60e 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -773,7 +773,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
}
/*
- * Create an artificial NT token given just a username. (Initially indended
+ * Create an artificial NT token given just a username. (Initially intended
* for force user)
*
* We go through lookup_name() to avoid problems we had with 'winbind use
@@ -826,12 +826,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
goto done;
}
- if (!sid_to_uid(&user_sid, uid)) {
- DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
- username, sid_string_dbg(&user_sid)));
- goto done;
- }
-
if (sid_check_is_in_our_domain(&user_sid)) {
bool ret;
@@ -889,6 +883,12 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
unix_user:
+ if (!sid_to_uid(&user_sid, uid)) {
+ DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
+ username, sid_string_dbg(&user_sid)));
+ goto done;
+ }
+
uid_to_unix_users_sid(*uid, &user_sid);
pass = getpwuid_alloc(tmp_ctx, *uid);