author | Samuel Cabrero <scabrero@samba.org> | 2022-06-03 15:07:18 +0200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-06-12 07:44:10 +0000 |
commit | f179184a2be2ddd38f463fcc12252f8d24e529f8 (patch) | |
tree | a7934c5a10c3fd4a40a1fdfe49ba8a3391d7a755 /source3 | |
parent | e8a5a952868a3ac1503755e1993286ee181a98a0 (diff) | |
download | samba-f179184a2be2ddd38f463fcc12252f8d24e529f8.tar.gz |
Revert "s3:smbd: Remove NIS support"
This partly reverts commit edda7a329e5bed442418de9782cec9f567092aae.
Revert the chunks related to netgroups and skip NIS support related ones.
Use getdomainname() from glibc instead of yp_get_default_domain() from
libnsl to get the NIS domain name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 21796ef8f807d88e01627dc993b757e251788980)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/user_util.c | 141 | ||||
-rwxr-xr-x | source3/script/tests/test_smbclient_s3.sh | 13 | ||||
-rw-r--r-- | source3/smbd/share_access.c | 21 | ||||
-rw-r--r-- | source3/wscript | 4 |
4 files changed, 150 insertions, 29 deletions
diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c
index 70b4f320c5e..f40123e246a 100644
--- a/source3/auth/user_util.c
+++ b/source3/auth/user_util.c
@@ -129,44 +129,141 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char } /**************************************************************************** - Check if a user is in a user list - - We removed NIS support in 2021, but need to keep configs working. - - TOOD FIXME: Remove this funciton + Check if a user is in a netgroup user list. If at first we don't succeed, + try lower case. ****************************************************************************/ -bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) +bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname) { +#ifdef HAVE_NETGROUP + char nis_domain_buf[256]; + const char *nis_domain = NULL; + char *lowercase_user = NULL; + + if (getdomainname(nis_domain_buf, sizeof(nis_domain_buf)) == 0) { + nis_domain = &nis_domain_buf[0]; + } else { + DEBUG(5,("Unable to get default yp domain, " + "let's try without specifying it\n")); + nis_domain = NULL; + } + + DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", + user, nis_domain ? nis_domain : "(ANY)", ngname)); + + if (innetgr(ngname, NULL, user, nis_domain)) { + DEBUG(5,("user_in_netgroup: Found\n")); + return true; + } + + /* + * Ok, innetgr is case sensitive. Try once more with lowercase + * just in case. Attempt to fix #703. JRA. + */ + lowercase_user = talloc_strdup(ctx, user); + if (!lowercase_user) { + return false; + } + if (!strlower_m(lowercase_user)) { + return false; + } - if (list == NULL || *list == NULL) { + if (strcmp(user,lowercase_user) == 0) { + /* user name was already lower case! */ return false; } - DBG_DEBUG("Checking user %s in list\n", user); + DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", + lowercase_user, nis_domain ? 
nis_domain : "(ANY)", ngname)); + + if (innetgr(ngname, NULL, lowercase_user, nis_domain)) { + DEBUG(5,("user_in_netgroup: Found\n")); + return true; + } +#endif /* HAVE_NETGROUP */ + return false; +} + +/**************************************************************************** + Check if a user is in a user list - can check combinations of UNIX + and netgroup lists. +****************************************************************************/ + +bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) +{ + if (!list || !*list) + return False; + + DEBUG(10,("user_in_list: checking user %s in list\n", user)); while (*list) { - const char *p = *list; - bool ok; - /* Check raw username */ - if (strequal(user, p)) { - return true; - } + DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", + user, *list)); + + /* + * Check raw username. + */ + if (strequal(user, *list)) + return(True); + + /* + * Now check to see if any combination + * of UNIX and netgroups has been specified. + */ + + if(**list == '@') { + /* + * Old behaviour. Check netgroup list + * followed by UNIX list. + */ + if(user_in_netgroup(ctx, user, *list +1)) + return True; + if(user_in_group(user, *list +1)) + return True; + } else if (**list == '+') { - while (*p == '@' || *p == '&' || *p == '+') { - p++; - } + if((*(*list +1)) == '&') { + /* + * Search UNIX list followed by netgroup. + */ + if(user_in_group(user, *list +2)) + return True; + if(user_in_netgroup(ctx, user, *list +2)) + return True; + + } else { - ok = user_in_group(user, p); - if (ok) { - return true; + /* + * Just search UNIX list. + */ + + if(user_in_group(user, *list +1)) + return True; + } + + } else if (**list == '&') { + + if(*(*list +1) == '+') { + /* + * Search netgroup list followed by UNIX list. + */ + if(user_in_netgroup(ctx, user, *list +2)) + return True; + if(user_in_group(user, *list +2)) + return True; + } else { + /* + * Just search netgroup list. 
+ */ + if(user_in_netgroup(ctx, user, *list +1)) + return True; + } } list++; } - - return false; + return(False); } bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out) diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index 3da37e699e6..4d03b97f476 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -1965,6 +1965,19 @@ EOF return 1 fi + # User not in NIS group in "valid users" can't login to service + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1' + eval echo "$cmd" + out=`eval $cmd` + echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' + ret=$? + + if [ $ret -ne 0 ] ; then + echo "$out" + echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret" + return 1 + fi + # Check user in UNIX, then in NIS group in "valid users" can login to service cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1' eval echo "$cmd" diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c index c44c4bd8c69..45928144693 100644 --- a/source3/smbd/share_access.c +++ b/source3/smbd/share_access.c @@ -26,21 +26,23 @@ #include "source3/lib/substitute.h" /* - * We dropped NIS support in 2021, but need to keep configs working. - * - * TODO FIXME: Remove me in future + * No prefix means direct username + * @name means netgroup first, then unix group + * &name means netgroup + * +name means unix group + * + and & may be combined */ static bool do_group_checks(const char **name, const char **pattern) { if ((*name)[0] == '@') { - *pattern = "+"; + *pattern = "&+"; *name += 1; return True; } if (((*name)[0] == '+') && ((*name)[1] == '&')) { - *pattern = "+"; + *pattern = "+&"; *name += 2; return True; } 
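Review bot: In user_in_netgroup the new getdomainname() call is not a drop-in replacement for the yp_get_default_domain() it stands in for: on Linux getdomainname() succeeds and fills the buffer with the literal string "(none)" when no NIS domain is configured, so the `else` branch that falls back to `nis_domain = NULL` is, as far as I can tell, never taken there and innetgr() is handed "(none)" as the domain, which cannot match triples that carry an explicit domain field. I would treat an empty or "(none)" result as unset before deciding, e.g. `if (getdomainname(nis_domain_buf, sizeof(nis_domain_buf)) == 0 && nis_domain_buf[0] != '\0' && strcmp(nis_domain_buf, "(none)") != 0)`. Separately, glibc documents that getdomainname() truncates silently when the name does not fit, without guaranteeing a terminator, so a defensive `nis_domain_buf[sizeof(nis_domain_buf) - 1] = '\0';` after the call is cheap insurance even though 256 bytes should be ample in practice.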
@@ -52,13 +54,13 @@ static bool do_group_checks(const char **name, const char **pattern) } if (((*name)[0] == '&') && ((*name)[1] == '+')) { - *pattern = "+"; + *pattern = "&+"; *name += 2; return True; } if ((*name)[0] == '&') { - *pattern = "+"; + *pattern = "&"; *name += 1; return True; } @@ -146,6 +148,11 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, continue; } if (*prefix == '&') { + if (username) { + if (user_in_netgroup(mem_ctx, username, name)) { + return True; + } + } continue; } smb_panic("got invalid prefix from do_groups_check"); diff --git a/source3/wscript b/source3/wscript index 8ec9ed1d9b9..b664b6fe9e9 100644 --- a/source3/wscript +++ b/source3/wscript @@ -139,6 +139,7 @@ def configure(conf): conf.CHECK_FUNCS('lutimes utimensat futimens') conf.CHECK_FUNCS('mlock munlock mlockall munlockall') conf.CHECK_FUNCS('memalign posix_memalign hstrerror') + conf.CHECK_FUNCS('getdomainname') conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv') conf.CHECK_FUNCS_IN('dn_expand', 'inet') conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h') @@ -628,6 +629,9 @@ msg.msg_accrightslen = sizeof(fd); headers='unistd.h sys/types.h dirent.h', define='HAVE_DIRENT_D_OFF') + if (conf.CONFIG_SET('HAVE_GETDOMAINNAME')): + conf.DEFINE('HAVE_NETGROUP', '1') + # Look for CUPS if Options.options.with_cups: conf.find_program('cups-config', var='CUPS_CONFIG') |
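Review bot: In the second wscript hunk HAVE_NETGROUP is defined purely from HAVE_GETDOMAINNAME, yet the code that macro guards in user_util.c also calls innetgr(), which this configure step never probes; a libc that offers getdomainname() but no netgroup support (musl, as far as I know) would then fail at link time instead of cleanly compiling netgroups out. Add `conf.CHECK_FUNCS('innetgr')` alongside the getdomainname check and gate the define on both, `if conf.CONFIG_SET('HAVE_GETDOMAINNAME') and conf.CONFIG_SET('HAVE_INNETGR'):`. A short comment above the define saying that HAVE_NETGROUP is what enables the `@`/`&` netgroup forms in "valid users" would also help the next reader, since the name alone does not say what it switches on.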