From faaf5157f94b79f00d9c10c1b4cebe0d771059c4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 14 May 2012 10:31:32 +0200 Subject: [PATCH] s3-auth: Don't lookup the system user in pdb. This fixes bug #8944, ldapsam:trusted and ipasam. It is an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9). Signed-off-by: Andreas Schneider --- source3/auth/auth_util.c | 103 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 98 insertions(+), 5 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a904da4..c7e266a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -655,6 +655,44 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, return NT_STATUS_OK; } +static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, + struct passwd *pwd, + struct netr_SamInfo3 *info3) +{ + struct dom_sid domain_sid; + const char *tmp; + + /* Set account name */ + tmp = talloc_strdup(mem_ctx, pwd->pw_name); + if (tmp == NULL) { + return NT_STATUS_NO_MEMORY; + } + init_lsa_String(&info3->base.account_name, tmp); + + /* Set domain name */ + tmp = talloc_strdup(mem_ctx, get_global_sam_name()); + if (tmp == NULL) { + return NT_STATUS_NO_MEMORY; + } + init_lsa_StringLarge(&info3->base.domain, tmp); + + /* Domain sid */ + sid_copy(&domain_sid, get_global_sam_sid()); + + info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid); + if (info3->base.domain_sid == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* Admin rid */ + info3->base.rid = DOMAIN_RID_ADMINISTRATOR; + + /* Primary gid */ + info3->base.primary_gid = BUILTIN_RID_ADMINISTRATORS; + + return NT_STATUS_OK; +} + static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx, struct netr_SamInfo3 *info3) { @@ -760,7 +798,63 @@ static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **ser status = NT_STATUS_OK; done: TALLOC_FREE(tmp_ctx); - return NT_STATUS_OK; + return status; +} + +/**************************************************************************** + Fake a auth_session_info just from a username (as a + session_info structure, with create_local_token() already called on + it. +****************************************************************************/ + +static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx, + struct passwd *pwd, + struct auth_serversupplied_info **server_info) +{ + const char *domain = global_myname(); + struct netr_SamInfo3 info3; + TALLOC_CTX *tmp_ctx; + NTSTATUS status; + + tmp_ctx = talloc_stackframe(); + if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCT(info3); + + status = get_system_info3(tmp_ctx, pwd, &info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed creating system info3 with %s\n", + nt_errstr(status))); + goto done; + } + + status = make_server_info_info3(mem_ctx, + pwd->pw_name, + domain, + server_info, + &info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("make_server_info_info3 failed with %s\n", + nt_errstr(status))); + goto done; + } + + (*server_info)->nss_token = true; + + /* Now turn the server_info into a session_info with the full token etc */ + status = create_local_token(*server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("create_local_token failed: %s\n", + nt_errstr(status))); + goto done; + } + + status = NT_STATUS_OK; +done: + TALLOC_FREE(tmp_ctx); + return status; } /*************************************************************************** @@ -779,10 +873,9 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_SUCH_USER; } - status = make_serverinfo_from_username(mem_ctx, - pwd->pw_name, - false, - session_info); + status = make_system_session_info_from_pw(mem_ctx, + pwd, + session_info); TALLOC_FREE(pwd); if (!NT_STATUS_IS_OK(status)) { return status; -- 1.7.9.2