diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/auth/auth_util.c samba-3.0.23b-patched/source/auth/auth_util.c --- samba-3.0.23b/source/auth/auth_util.c 2006-08-07 11:46:33.000000000 -0500 +++ samba-3.0.23b-patched/source/auth/auth_util.c 2006-08-22 11:09:19.000000000 -0500 @@ -562,6 +562,10 @@ struct passwd *pwd; gid_t *gids; auth_serversupplied_info *result; + int i; + size_t num_gids; + DOM_SID unix_group_sid; + if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", @@ -592,10 +596,29 @@ TALLOC_FREE(result); return status; } + + /* Add the "Unix Group" SID for each gid to catch mapped groups + and their Unix equivalent. This is to solve the backwards + compatibility problem of 'valid users = +ntadmin' where + ntadmin has been paired with "Domain Admins" in the group + mapping table. Otherwise smb.conf would need to be changed + to 'valid user = "Domain Admins"'. --jerry */ + + num_gids = result->num_sids; + for ( i=0; isids, &result->num_sids ); + } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ + TALLOC_FREE(gids); DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", @@ -873,7 +896,7 @@ become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -900,7 +923,7 @@ become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); /* don't fail, just log the message */ } unbecome_root(); diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/groupdb/mapping.c samba-3.0.23b-patched/source/groupdb/mapping.c --- samba-3.0.23b/source/groupdb/mapping.c 2006-04-19 21:29:21.000000000 -0500 +++ samba-3.0.23b-patched/source/groupdb/mapping.c 2006-08-22 11:09:00.000000000 -0500 @@ -195,7 +195,7 @@ fstrcpy(map.nt_name, grpname); if (pdb_rid_algorithm()) { - rid = pdb_gid_to_group_rid( grp->gr_gid ); + rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(&rid)) { DEBUG(3, ("Could not get a new RID for %s\n", diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/include/smb.h samba-3.0.23b-patched/source/include/smb.h --- samba-3.0.23b/source/include/smb.h 2006-07-10 11:27:52.000000000 -0500 +++ samba-3.0.23b-patched/source/include/smb.h 2006-08-22 11:09:00.000000000 -0500 @@ -272,7 +272,7 @@ #define LOOKUP_NAME_REMOTE 2 /* Ask others */ #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE) -#define LOOKUP_NAME_GROUP 4 /* This is a NASTY hack for valid users = @foo +#define LOOKUP_NAME_GROUP 4 /* (unused) This is a NASTY hack for valid users = @foo * where foo also exists in as user. */ /** diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/lookup_sid.c samba-3.0.23b-patched/source/passdb/lookup_sid.c --- samba-3.0.23b/source/passdb/lookup_sid.c 2006-08-07 11:46:33.000000000 -0500 +++ samba-3.0.23b-patched/source/passdb/lookup_sid.c 2006-08-22 11:09:14.000000000 -0500 @@ -43,7 +43,6 @@ DOM_SID sid; enum SID_NAME_USE type; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - struct group *grp; if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); @@ -120,63 +119,6 @@ goto failed; } - /* - * Nasty hack necessary for too common scenarios: - * - * For 'valid users = +users' we know "users" is most probably not - * BUILTIN\users but the unix group users. This hack requires the - * admin to explicitly qualify BUILTIN if BUILTIN\users is meant. - * - * Please note that LOOKUP_NAME_GROUP can not be requested via for - * example lsa_lookupnames, it only comes into this routine via - * the expansion of group names coming in from smb.conf - */ - - if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) { - - GROUP_MAP map; - - if (pdb_getgrgid(&map, grp->gr_gid)) { - /* The hack gets worse. Handle the case where we have - * 'force group = +unixgroup' but "unixgroup" has a - * group mapping */ - - if (sid_check_is_in_builtin(&map.sid)) { - domain = talloc_strdup( - tmp_ctx, builtin_domain_name()); - } else { - domain = talloc_strdup( - tmp_ctx, get_global_sam_name()); - } - - sid_copy(&sid, &map.sid); - type = map.sid_name_use; - goto ok; - } - - /* If we are using the smbpasswd backend, we need to use the - * algorithmic mapping for the unix group we find. This is - * necessary because when creating the NT token from the unix - * gid list we got from initgroups() we use gid_to_sid() that - * uses algorithmic mapping if pdb_rid_algorithm() is true. */ - - if (pdb_rid_algorithm() && - (grp->gr_gid < max_algorithmic_gid())) { - domain = talloc_strdup(tmp_ctx, get_global_sam_name()); - sid_compose(&sid, get_global_sam_sid(), - pdb_gid_to_group_rid(grp->gr_gid)); - type = SID_NAME_DOM_GRP; - goto ok; - } - - if (lookup_unix_group_name(name, &sid)) { - domain = talloc_strdup(tmp_ctx, - unix_groups_domain_name()); - type = SID_NAME_DOM_GRP; - goto ok; - } - } - /* Now the guesswork begins, we haven't been given an explicit * domain. Try the sequence as documented on * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp @@ -1138,14 +1080,9 @@ goto done; } - if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid)); - goto done; - } else { - uid_to_unix_users_sid(uid, psid); - goto done; - } + /* This is an unmapped user */ + + uid_to_unix_users_sid(uid, psid); done: DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, @@ -1180,16 +1117,10 @@ /* This is a mapped group */ goto done; } + + /* This is an unmapped group */ - if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - goto done; - } else { - sid_copy(psid, &global_sid_Unix_Groups); - sid_append_rid(psid, gid); - goto done; - } + gid_to_unix_groups_sid(gid, psid); done: DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, @@ -1235,14 +1166,9 @@ *puid = id.uid; goto done; } - if (pdb_rid_algorithm() && - algorithmic_pdb_rid_is_user(rid)) { - *puid = algorithmic_pdb_user_rid_to_uid(rid); - goto done; - } - /* This was ours, but it was neither mapped nor - * algorithmic. Fail */ + /* This was ours, but it was not mapped. Fail */ + return False; } @@ -1323,14 +1249,9 @@ *pgid = id.gid; goto done; } - if (pdb_rid_algorithm() && - !algorithmic_pdb_rid_is_user(rid)) { - /* This must be a group, presented as alias */ - *pgid = pdb_group_rid_to_gid(rid); - goto done; - } - /* This was ours, but it was neither mapped nor - * algorithmic. Fail. */ + + /* This was ours, but it was not mapped. Fail */ + return False; } diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/passdb.c samba-3.0.23b-patched/source/passdb/passdb.c --- samba-3.0.23b/source/passdb/passdb.c 2006-07-10 11:27:52.000000000 -0500 +++ samba-3.0.23b-patched/source/passdb/passdb.c 2006-08-22 11:09:00.000000000 -0500 @@ -505,7 +505,7 @@ there is not anymore a direct link between the gid and the rid. ********************************************************************/ -uint32 pdb_gid_to_group_rid(gid_t gid) +uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid) { int rid_offset = algorithmic_rid_base(); return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE); diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/pdb_interface.c samba-3.0.23b-patched/source/passdb/pdb_interface.c --- samba-3.0.23b/source/passdb/pdb_interface.c 2006-07-21 11:22:57.000000000 -0500 +++ samba-3.0.23b-patched/source/passdb/pdb_interface.c 2006-08-22 11:09:00.000000000 -0500 @@ -595,7 +595,7 @@ } if (pdb_rid_algorithm()) { - *rid = pdb_gid_to_group_rid( grp->gr_gid ); + *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid ); } else { if (!pdb_new_rid(rid)) { return NT_STATUS_ACCESS_DENIED; diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/util_unixsids.c samba-3.0.23b-patched/source/passdb/util_unixsids.c --- samba-3.0.23b/source/passdb/util_unixsids.c 2006-07-10 11:27:52.000000000 -0500 +++ samba-3.0.23b-patched/source/passdb/util_unixsids.c 2006-08-22 11:09:14.000000000 -0500 @@ -42,6 +42,12 @@ return sid_append_rid(sid, uid); } +BOOL gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid) +{ + sid_copy(sid, &global_sid_Unix_Groups); + return sid_append_rid(sid, gid); +} + const char *unix_users_domain_name(void) { return "Unix User"; diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/utils/net_groupmap.c samba-3.0.23b-patched/source/utils/net_groupmap.c --- samba-3.0.23b/source/utils/net_groupmap.c 2006-04-19 21:29:41.000000000 -0500 +++ samba-3.0.23b-patched/source/utils/net_groupmap.c 2006-08-22 11:09:00.000000000 -0500 @@ -275,7 +275,7 @@ if ( (rid == 0) && (string_sid[0] == '\0') ) { d_printf("No rid or sid specified, choosing a RID\n"); if (pdb_rid_algorithm()) { - rid = pdb_gid_to_group_rid(gid); + rid = algorithmic_pdb_gid_to_group_rid(gid); } else { if (!pdb_new_rid(&rid)) { d_printf("Could not get new RID\n"); @@ -555,7 +555,14 @@ map.gid = grp->gr_gid; if (opt_rid == 0) { - opt_rid = pdb_gid_to_group_rid(map.gid); + if ( pdb_rid_algorithm() ) + opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid); + else { + if ( !pdb_new_rid((uint32*)&opt_rid) ) { + d_fprintf( stderr, "Could not allocate new RID\n"); + return -1; + } + } } sid_copy(&map.sid, get_global_sam_sid());