authorStefan Metzmacher <metze@samba.org>2009-02-11 11:46:18 +0100
committerKarolin Seeger <kseeger@samba.org>2009-02-16 09:57:03 +0100
commit7c0bfe55146bdded09db837fa37766edba4ae7d9 (patch)
tree8dd770d44e187f5bb51540021d16b2fedb01f712 /source
parenta83324752ab973c79e2d0f25a154c5d3d221a7fc (diff)
downloadsamba-7c0bfe55146bdded09db837fa37766edba4ae7d9.tar.gz
s3:auth: add S-1-22-X-Y sids to the local token
metze (cherry picked from commit f14e4d4e54f424c05147cb0e635c9b8930270262) (cherry picked from commit 490f7214f0d26e7466f0fdfb978e4b09f2433146)
Diffstat (limited to 'source')
-rw-r--r--source/auth/auth_util.c38
1 files changed, 38 insertions, 0 deletions
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 9ee19ca798f..7fc23c869fc 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -719,6 +719,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
{
NTSTATUS status;
size_t i;
+ struct dom_sid tmp_sid;
/*
* If winbind is not around, we can not make much use of the SIDs the
@@ -771,7 +772,44 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
&server_info->utok.ngroups);
}
+ /*
+ * Add the "Unix Group" SID for each gid to catch mapped groups
+ * and their Unix equivalent. This is to solve the backwards
+ * compatibility problem of 'valid users = +ntadmin' where
+ * ntadmin has been paired with "Domain Admins" in the group
+ * mapping table. Otherwise smb.conf would need to be changed
+ * to 'valid user = "Domain Admins"'. --jerry
+ *
+ * For consistency we also add the "Unix User" SID,
+ * so that the complete unix token is represented within
+ * the nt token.
+ */
+
+ if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
+ DEBUG(1,("create_local_token: Failed to create SID "
+ "for uid %d!\n", server_info->utok.uid));
+ }
+ add_sid_to_array_unique(server_info->ptok, &tmp_sid,
+ &server_info->ptok->user_sids,
+ &server_info->ptok->num_sids);
+
+ for ( i=0; i<server_info->utok.ngroups; i++ ) {
+ if (!gid_to_unix_groups_sid( server_info->utok.groups[i], &tmp_sid ) ) {
+ DEBUG(1,("create_local_token: Failed to create SID "
+ "for gid %d!\n", server_info->utok.groups[i]));
+ continue;
+ }
+ add_sid_to_array_unique(server_info->ptok, &tmp_sid,
+ &server_info->ptok->user_sids,
+ &server_info->ptok->num_sids);
+ }
+
debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
+ debug_unix_user_token(DBGC_AUTH, 10,
+ server_info->utok.uid,
+ server_info->utok.gid,
+ server_info->utok.ngroups,
+ server_info->utok.groups);
status = log_nt_token(server_info->ptok);
return status;
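Review bot: When `uid_to_unix_users_sid()` fails, the new code only logs and then still calls `add_sid_to_array_unique()` with `tmp_sid`, which the first hunk declares without an initializer, so an indeterminate SID could be added to `server_info->ptok`. The gid loop below avoids this with `continue`; the uid path should skip the add in the same way, for example by moving the call into an `else` branch: `} else { add_sid_to_array_unique(server_info->ptok, &tmp_sid, &server_info->ptok->user_sids, &server_info->ptok->num_sids); }`. The return value of `add_sid_to_array_unique()` is also dropped at both call sites. If that call can fail (its definition is not visible here), the token would silently lack a SID that share access rules may depend on, so the result is worth checking and propagating into `status`. `create_local_token` begins and ends outside this hunk.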