Attachment 11102 Details for Bug 11299 – Patch to allow mapped user connections to retain necessary domain SID credentials

[patch] Patch to allow mapped user connections to retain necessary domain SID credentials

samba-mapped-user.patch (text/plain), 2.93 KB, created by pspencer on 2015-05-28 20:13:02 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: pspencer

Created: 2015-05-28 20:13:02 UTC

Size: 2.93 KB

patch

obsolete

>--- samba-4.2.1/source3/auth/auth_util.c.orig	2015-02-24 13:59:51.000000000 -0500
>+++ samba-4.2.1/source3/auth/auth_util.c	2015-05-28 15:49:48.349595747 -0400
>@@ -447,6 +447,8 @@
> 	struct auth_session_info *session_info;
> 	struct unixid *ids;
> 	fstring tmp;
>+	bool skip_token_from_info3;
>+	struct unixid tmp_uid;
> 
> 	/* Ensure we can't possible take a code path leading to a
> 	 * null defref. */
>@@ -535,11 +537,47 @@
> 	/*
> 	 * If winbind is not around, we can not make much use of the SIDs the
> 	 * domain controller provided us with. Likewise if the user name was
>-	 * mapped to some local unix user.
>-	 */
>+	 * mapped to some local unix user, EXCEPT in the case when the domain
>+         * controller has a uidNumber mapping from the domain account to the
>+         * correct local unix id, in which case we CAN use the SIDs provided
>+         * by the domain controller.
> 
>+         * Previous behaviour was to always use create_token_from_username 
>+         * if the user name was mapped. This caused NT_STATUS_ACCESS_DENIED
>+         * errors when trying to access a file owned by the local unix user
>+         * if that userid gets mapped by winbind to a domain SID. So, we
>+         * now only jump straight to create_token_from_username if winbind
>+         * is unavailable or we have a mapped user and a non-domain-member
>+         * role. For mapped users in a domain member role, we first try
>+         * create_local_nt_token_from_info3 and then fall back to
>+         * create_token_from_username if we don't get a satisfactory
>+         * token with the right local unix id. 
>+	*/
>+	
> 	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
>-	    (server_info->nss_token)) {
>+          (lp_server_role() != ROLE_DOMAIN_MEMBER && server_info->nss_token)) {
>+		skip_token_from_info3 = true;
>+	} else {
>+		skip_token_from_info3 = false;
>+		status = create_local_nt_token_from_info3(session_info,
>+							  server_info->guest,
>+							  server_info->info3,
>+							  &server_info->extra,
>+							  &session_info->security_token);
>+	 	/* For a mapped user, skip the token we just obtained if
>+                   it doesn't have the right userid. */
>+		if (NT_STATUS_IS_OK(status) && server_info->nss_token) {
>+		      t = session_info->security_token;
>+	              if ((! sids_to_unixids(t->sids, 1, &tmp_uid)) ||
>+			  (tmp_uid.type != ID_TYPE_UID) ||
>+			  (tmp_uid.id != server_info->utok.uid)) {
>+				skip_token_from_info3 = true;
>+			}
>+		}
>+
>+	}
>+		
>+	if (skip_token_from_info3) {
> 		char *found_username = NULL;
> 		status = create_token_from_username(session_info,
> 						    server_info->unix_name,
>@@ -551,12 +588,6 @@
> 		if (NT_STATUS_IS_OK(status)) {
> 			session_info->unix_info->unix_name = found_username;
> 		}
>-	} else {
>-		status = create_local_nt_token_from_info3(session_info,
>-							  server_info->guest,
>-							  server_info->info3,
>-							  &server_info->extra,
>-							  &session_info->security_token);
> 	}
> 
> 	if (!NT_STATUS_IS_OK(status)) {

Actions: View

Attachments on bug 11299: 11102