The Samba-Bugzilla – Attachment 7735 Details for Bug 9066: Domain Users incorrectly added as additional group on domain members
Attachment 7735: [patch] Backported patch to v3-6-test

Description: Backported patch to v3-6-test
Filename: 0001-Revert-s3-auth-make-sure-the-primary-group-sid-is-us.patch
MIME Type: text/plain
Creator: Christof Schmitt
Created: 2012-08-02 23:25:43 UTC
Size: 3.46 KB
Marked as: patch, obsolete
>From ab9bb53297ef224ea7764731fc2c78979534747b Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Sun, 15 Jul 2012 12:22:44 +1000 >Subject: [PATCH 1/2] Revert "s3:auth make sure the primary group sid is usable" > >This reverts commit 00089fd74af740f832573d904312854e494a869e. > >The issue with this patch, which I did sign off on, is that for the >domain member case, we already know that the SID is reasonable and >valid, and we indeed rely on that, because we keep it as an additonal >group anyway. The primary group is not so special that we need to do >extra validation. > >Calling this function may put a user into the domain 'domain users' >group, even if they are not in that group to start with. > >Andrew Bartlett >--- > source3/auth/auth_util.c | 43 +++++++++++++------------------------------ > 1 files changed, 13 insertions(+), 30 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index c7e266a..cb1d319 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1250,11 +1250,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > char *found_username = NULL; > const char *nt_domain; > const char *nt_username; >+ struct dom_sid user_sid; >+ struct dom_sid group_sid; > bool username_was_mapped; > struct passwd *pwd; > struct auth_serversupplied_info *result; >- struct dom_sid *group_sid; >- struct netr_SamInfo3 *i3; > > /* > Here is where we should check the list of >@@ -1262,6 +1262,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > matches. > */ > >+ if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) { >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ >+ if (!sid_compose(&group_sid, info3->base.domain_sid, >+ info3->base.primary_gid)) { >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ > nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string); > if (!nt_username) { > /* If the server didn't give us one, just use the one we sent 
>@@ -1313,43 +1322,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > } > > /* copy in the info3 */ >- result->info3 = i3 = copy_netr_SamInfo3(result, info3); >+ result->info3 = copy_netr_SamInfo3(result, info3); > if (result->info3 == NULL) { > TALLOC_FREE(result); > return NT_STATUS_NO_MEMORY; > } > > /* Fill in the unix info we found on the way */ >+ > result->utok.uid = pwd->pw_uid; > result->utok.gid = pwd->pw_gid; > >- /* We can't just trust that the primary group sid sent us is something >- * we can really use. Obtain the useable sid, and store the original >- * one as an additional group if it had to be replaced */ >- nt_status = get_primary_group_sid(mem_ctx, found_username, >- &pwd, &group_sid); >- if (!NT_STATUS_IS_OK(nt_status)) { >- TALLOC_FREE(result); >- return nt_status; >- } >- >- /* store and check if it is the same we got originally */ >- sid_peek_rid(group_sid, &i3->base.primary_gid); >- if (i3->base.primary_gid != info3->base.primary_gid) { >- uint32_t n = i3->base.groups.count; >- /* not the same, store the original as an additional group */ >- i3->base.groups.rids = >- talloc_realloc(i3, i3->base.groups.rids, >- struct samr_RidWithAttribute, n + 1); >- if (i3->base.groups.rids == NULL) { >- TALLOC_FREE(result); >- return NT_STATUS_NO_MEMORY; >- } >- i3->base.groups.rids[n].rid = info3->base.primary_gid; >- i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED; >- i3->base.groups.count = n + 1; >- } >- > /* ensure we are never given NULL session keys */ > > if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) { >-- >1.7.1 >
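Review bot: `struct dom_sid user_sid` is reintroduced in the first hunk and filled in by `sid_compose()` in the second, but no line in the visible hunks reads it afterwards; confirm that a later part of `make_server_info_info3()` still consumes it, otherwise the revert brings back a dead computation whose failure path (`return NT_STATUS_INVALID_PARAMETER;`) rejects logons for no benefit.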
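Review bot: the two early returns added in the second hunk run before `result` is allocated and before `nt_username` is duplicated, so there is nothing to free on those error paths, which is correct. Note, though, that after this hunk the only check kept on the DC-supplied `primary_gid` is that `sid_compose()` succeeds; nothing in the visible hunks validates that the resulting `group_sid` corresponds to a group the member knows. That is exactly what the commit message argues is unnecessary on a domain member, but the backport description should state it, since a reader of this hunk alone might take the two checks as equivalent to the removed `get_primary_group_sid()` validation.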
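Review bot: the block removed in the third hunk is where the reported behaviour came from: whenever `get_primary_group_sid()` returned a SID different from the DC's `primary_gid`, the code rewrote `i3->base.primary_gid` via `sid_peek_rid()` and appended the original RID to `i3->base.groups.rids` with only `SE_GROUP_ENABLED`, so the substituted group became the user's primary group in the NT token while the original one was demoted to an additional group. After the hunk, `result->info3` is a plain `copy_netr_SamInfo3()` of what the DC sent and `result->utok.gid` still comes from `pwd->pw_gid`, so the Unix token is unchanged and the NT token reflects the DC. One nit: the hunk adds an empty `+` line after `/* Fill in the unix info we found on the way */`; drop it so the revert is limited to undoing the reverted commit's own changes.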
Flags: abartlet: review+, jra: review+