r16915: grab vl's fix for BUG 3915

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 453a563fd9aefffae12904d064fc33264863f881..0accd7829aca77eaf96eaebb2321c6eb81a5f24e 100644 (file)
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -201,6 +201,8 @@ o   Volker Lendecke <vl@samba.org>
       shares.
     * Fix an invalid munlock() call in winbindd's credentials cache.
     * Fix compile warnings when passing NULL to snprintf().
+    * BUG 3915: Fall back to a pure unix user with S-1-22 SIDs in the
+      token in case anything weird is going on with the 'force user'.
 
 
 o   Jason Mader <jason@ncac.gwu.edu>

diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index c5ce55bc8c1a8a0b9b4793142b0e47fd4bd0e9a4..493d7393d072eb0ab046f94c77cc79b67d3e943f 100644 (file)
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -1066,44 +1066,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                goto done;
        }
 
-       if (sid_check_is_in_unix_users(&user_sid)) {
-
-               /* This is a unix user not in passdb. We need to ask nss
-                * directly, without consulting passdb */
-
-               struct passwd *pass;
-               size_t i;
-
-               pass = getpwuid_alloc(tmp_ctx, *uid);
-               if (pass == NULL) {
-                       DEBUG(1, ("getpwuid(%d) for user %s failed\n",
-                                 *uid, username));
-                       goto done;
-               }
-
-               *gid = pass->pw_gid;
-               gid_to_sid(&primary_group_sid, pass->pw_gid);
-
-               if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
-                                        &gids, &num_group_sids)) {
-                       DEBUG(1, ("getgroups_unix_user for user %s failed\n",
-                                 username));
-                       goto done;
-               }
-
-               group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids);
-               if (group_sids == NULL) {
-                       DEBUG(1, ("talloc_array failed\n"));
-                       result = NT_STATUS_NO_MEMORY;
-                       goto done;
-               }
-
-               for (i=0; i<num_group_sids; i++) {
-                       gid_to_sid(&group_sids[i], gids[i]);
-               }
-               *found_username = talloc_strdup(mem_ctx, pass->pw_name);
-
-       } else if (sid_check_is_in_our_domain(&user_sid)) {
+       if (sid_check_is_in_our_domain(&user_sid)) {
 
                /* This is a passdb user, so ask passdb */
 
@@ -1118,14 +1081,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                if (!pdb_getsampwsid(sam_acct, &user_sid)) {
                        DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
                                  sid_string_static(&user_sid), username));
-                       result = NT_STATUS_NO_SUCH_USER;
-                       goto done;
+                       DEBUGADD(1, ("Fall back to unix user %s\n", username));
+                       goto unix_user;
                }
 
                gr_sid = pdb_get_group_sid(sam_acct);
                if (!gr_sid) {
-                       result = NT_STATUS_NO_MEMORY;
-                       goto done;
+                       goto unix_user;
                }
 
                sid_copy(&primary_group_sid, gr_sid);
@@ -1133,7 +1095,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                if (!sid_to_gid(&primary_group_sid, gid)) {
                        DEBUG(1, ("sid_to_gid(%s) failed\n",
                                  sid_string_static(&primary_group_sid)));
-                       goto done;
+                       DEBUGADD(1, ("Fall back to unix user %s\n", username));
+                       goto unix_user;
                }
 
                result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
@@ -1142,12 +1105,60 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
                if (!NT_STATUS_IS_OK(result)) {
                        DEBUG(10, ("enum_group_memberships failed for %s\n",
                                   username));
-                       goto done;
+                       DEBUGADD(1, ("Fall back to unix user %s\n", username));
+                       goto unix_user;
                }
 
                *found_username = talloc_strdup(mem_ctx,
                                                pdb_get_username(sam_acct));
 
+       } else  if (sid_check_is_in_unix_users(&user_sid)) {
+
+               /* This is a unix user not in passdb. We need to ask nss
+                * directly, without consulting passdb */
+
+               struct passwd *pass;
+               size_t i;
+
+               /*
+                * This goto target is used as a fallback for the passdb
+                * case. The concrete bug report is when passdb gave us an
+                * unmapped gid.
+                */
+
+       unix_user:
+
+               uid_to_unix_users_sid(*uid, &user_sid);
+
+               pass = getpwuid_alloc(tmp_ctx, *uid);
+               if (pass == NULL) {
+                       DEBUG(1, ("getpwuid(%d) for user %s failed\n",
+                                 *uid, username));
+                       goto done;
+               }
+
+               *gid = pass->pw_gid;
+               gid_to_sid(&primary_group_sid, pass->pw_gid);
+
+               if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
+                                        &gids, &num_group_sids)) {
+                       DEBUG(1, ("getgroups_unix_user for user %s failed\n",
+                                 username));
+                       goto done;
+               }
+
+               group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids);
+               if (group_sids == NULL) {
+                       DEBUG(1, ("talloc_array failed\n"));
+                       result = NT_STATUS_NO_MEMORY;
+                       goto done;
+               }
+
+               for (i=0; i<num_group_sids; i++) {
+                       gid_to_sid(&group_sids[i], gids[i]);
+               }
+               *found_username = talloc_strdup(mem_ctx, pass->pw_name);
+
        } else {
 
                /* This user is from winbind, force the primary gid to the

diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c
index 8a28f75ec8537530f47f6befdec6b74a1c62518a..ea08c37dd0e7ec4574ca6a435feafaf46933e905 100644 (file)
--- a/source/passdb/lookup_sid.c
+++ b/source/passdb/lookup_sid.c
@@ -1074,8 +1074,7 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
                sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid));
                goto done;
        } else {
-               sid_copy(psid, &global_sid_Unix_Users);
-               sid_append_rid(psid, uid);
+               uid_to_unix_users_sid(uid, psid);
                goto done;
        }
 

diff --git a/source/passdb/util_unixsids.c b/source/passdb/util_unixsids.c
index 2a4818e3aec95f0ccc5c108b7ec2970e039d5d65..d3f0999d6ac09496b65f7b5cb17ce351b0b7ec7f 100644 (file)
--- a/source/passdb/util_unixsids.c
+++ b/source/passdb/util_unixsids.c
@@ -36,6 +36,12 @@ BOOL sid_check_is_in_unix_users(const DOM_SID *sid)
        return sid_check_is_unix_users(&dom_sid);
 }
 
+BOOL uid_to_unix_users_sid(uid_t uid, DOM_SID *sid)
+{
+       sid_copy(sid, &global_sid_Unix_Users);
+       return sid_append_rid(sid, uid);
+}
+
 const char *unix_users_domain_name(void)
 {
        return "Unix User";