NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
struct samu *sampass)
{
struct passwd *pwd;
struct auth_serversupplied_info *result;
const char *username = pdb_get_username(sampass);
NTSTATUS status;
if ( !(result = make_server_info(NULL)) ) {
return NT_STATUS_NO_MEMORY;
}
if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
pdb_get_username(sampass)));
TALLOC_FREE(result);
return NT_STATUS_NO_SUCH_USER;
}
status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
&result->info3, &result->extra);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return status;
}
result->unix_name = pwd->pw_name;
/* Ensure that we keep pwd->pw_name, because we will free pwd below */
talloc_steal(result, pwd->pw_name);
result->utok.gid = pwd->pw_gid;
result->utok.uid = pwd->pw_uid;
TALLOC_FREE(pwd);
if (IS_DC && is_our_machine_account(username)) {
/*
* This is a hack of monstrous proportions.
* If we know it's winbindd talking to us,
* we know we must never recurse into it,
* so turn off contacting winbindd for this
* entire process. This will get fixed when
* winbindd doesn't need to talk to smbd on
* a PDC. JRA.
*/
(void)winbind_off();
DEBUG(10, ("make_server_info_sam: our machine account %s "
"turning off winbindd requests.\n", username));
}
DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
pdb_get_username(sampass), result->unix_name));
*server_info = result;
return NT_STATUS_OK;
}
NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
char *unix_username,
struct passwd *pwd)
{
NTSTATUS status;
struct samu *sampass = NULL;
char *qualified_name = NULL;
TALLOC_CTX *mem_ctx = NULL;
struct dom_sid u_sid;
enum lsa_SidType type;
struct auth_serversupplied_info *result;
/*
* The SID returned in server_info->sam_account is based
* on our SAM sid even though for a pure UNIX account this should
* not be the case as it doesn't really exist in the SAM db.
* This causes lookups on "[in]valid users" to fail as they
* will lookup this name as a "Unix User" SID to check against
* the user token. Fix this by adding the "Unix User"\unix_username
* SID to the sid array. The correct fix should probably be
* changing the server_info->sam_account user SID to be a
* S-1-22 Unix SID, but this might break old configs where
* plaintext passwords were used with no SAM backend.
*/
mem_ctx = talloc_init("make_server_info_pw_tmp");
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
unix_users_domain_name(),
unix_username );
if (!qualified_name) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
NULL, NULL,
&u_sid, &type)) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_NO_SUCH_USER;
}
TALLOC_FREE(mem_ctx);
if (type != SID_NAME_USER) {
return NT_STATUS_NO_SUCH_USER;
}
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
status = samu_set_unix( sampass, pwd );
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* In pathological cases the above call can set the account
* name to the DOMAIN\username form. Reset the account name
* using unix_username */
pdb_set_username(sampass, unix_username, PDB_SET);
/* set the user sid to be the calculated u_sid */
pdb_set_user_sid(sampass, &u_sid, PDB_SET);
result = make_server_info(NULL);
if (result == NULL) {
TALLOC_FREE(sampass);
return NT_STATUS_NO_MEMORY;
}
status = samu_to_SamInfo3(result, sampass, global_myname(),
&result->info3, &result->extra);
TALLOC_FREE(sampass);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Failed to convert samu to info3: %s\n",
nt_errstr(status)));
TALLOC_FREE(result);
return status;
}
result->unix_name = talloc_strdup(result, unix_username);
result->sanitized_username = sanitize_username(result, unix_username);
if ((result->unix_name == NULL)
|| (result->sanitized_username == NULL)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
result->utok.uid = pwd->pw_uid;
result->utok.gid = pwd->pw_gid;
*server_info = result;
return NT_STATUS_OK;
}
