From 318c6fa2ac457a16ac910542d4d70ded60fbec07 Mon Sep 17 00:00:00 2001 From: hno <> Date: Sun, 11 May 2003 19:01:34 +0000 Subject: [PATCH] Bug #622: Domain-qualified group notation support to wb_group helper --- helpers/external_acl/winbind_group/readme.txt | 4 +- .../winbind_group/wb_check_group.c | 50 +++++++++++++------ .../external_acl/winbind_group/wb_common.c | 1 + .../external_acl/winbind_group/wb_common.h | 12 +++++ helpers/external_acl/winbind_group/wbntlm.h | 4 +- 5 files changed, 53 insertions(+), 18 deletions(-) create mode 100644 helpers/external_acl/winbind_group/wb_common.h diff --git a/helpers/external_acl/winbind_group/readme.txt b/helpers/external_acl/winbind_group/readme.txt index 5cbaad8c13..762c2119bd 100755 --- a/helpers/external_acl/winbind_group/readme.txt +++ b/helpers/external_acl/winbind_group/readme.txt @@ -43,6 +43,9 @@ http_access deny all In the previous example all validated NT users member of ProxyUsers Global domain group are allowed to use the cache. +Groups name can be specified in both domain-qualified group notation +(DOMAIN\Groupname) or simple group name notation. + Groups with spaces in name, for example "Domain Users", must be quoted and the acl data ("Domain Users") must be placed into a separate file included by specifying "/path/to/file". The previous example will be: @@ -53,7 +56,6 @@ and the DomainUsers files will contain only the following line: "Domain Users" - NOTE: the standard group name comparation is case sensitive, so group name must be specified with same case as in the NT/2000 Domain. It's possible to enable not case sensitive group name comparation (-c), diff --git a/helpers/external_acl/winbind_group/wb_check_group.c b/helpers/external_acl/winbind_group/wb_check_group.c index 7ebe8f1bcb..266423350d 100755 --- a/helpers/external_acl/winbind_group/wb_check_group.c +++ b/helpers/external_acl/winbind_group/wb_check_group.c 
@@ -31,6 +31,13 @@ * * History: * + * Version 1.20 + * 10-05-2003 Roberto Moreda + * Added support for domain-qualified group Microsoft notation + * (DOMAIN\Groupname). + * Guido Serassio + * More debug info. + * Updated documentation. * Version 1.10 * 26-04-2003 Guido Serassio * Added option for case insensitive group name comparation. @@ -64,16 +71,13 @@ #include "nsswitch/winbind_nss_config.h" #include "nsswitch/winbindd_nss.h" +#include "wb_common.h" #define BUFSIZE 8192 /* the stdin buffer size */ char debug_enabled=0; -char *myname; +const char *myname; pid_t mypid; -int use_case_insensitive_compare=0; - -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); +static int use_case_insensitive_compare=0; static char * strwordtok(char *buf, char **t) @@ -121,7 +125,7 @@ strwordtok(char *buf, char **t) } -int strCaseCmp (const char *s1, const char *s2) +static int strCaseCmp (const char *s1, const char *s2) { while (*s1 && toupper (*s1) == toupper (*s2)) s1++, s2++; return *s1 - *s2; @@ -129,7 +133,7 @@ int strCaseCmp (const char *s1, const char *s2) /* Convert sid to string */ -char * wbinfo_lookupsid(char * group, char *sid) +static char * wbinfo_lookupsid(char * group, char *sid) { struct winbindd_request request; struct winbindd_response response; @@ -147,13 +151,15 @@ char * wbinfo_lookupsid(char * group, char *sid) /* Display response */ - strcpy(group,response.data.name.name); + strcpy(group,response.data.name.dom_name); + strcat(group,"\\"); + strcat(group,response.data.name.name); return group; } /* Convert gid to sid */ -char * wbinfo_gid_to_sid(char * sid, gid_t gid) +static char * wbinfo_gid_to_sid(char * sid, gid_t gid) { struct winbindd_request request; struct winbindd_response response; 
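Review bot: The new `strcpy`/`strcat` sequence in wbinfo_lookupsid writes `dom_name`, a backslash and `name` into the caller's `group` buffer with no length limit, so the result can now be roughly twice as long as the single name the old code copied. The size of `group` is declared outside this hunk (in the caller, not shown), so it should be confirmed that it holds both fields plus the separator and terminator; if it was sized for one winbindd name field, a long domain and group name returned by winbindd would overrun it. I would pass the buffer size in and build the string in one bounded call, `int n = snprintf(group, group_size, "%s\\%s", response.data.name.dom_name, response.data.name.name);` followed by `if (n < 0 || (size_t)n >= group_size) return NULL;`, so an oversized name fails the lookup instead of writing past the buffer. The function body starts and ends outside the hunk.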
@@ -179,9 +185,21 @@ char * wbinfo_gid_to_sid(char * sid, gid_t gid) /* returns 0 on match, -1 if no match */ static inline int strcmparray(const char *str, const char **array) { + const char *wgroup; + while (*array) { - debug("Windows group: %s, Squid group: %s\n", str, *array); - if ((use_case_insensitive_compare ? strCaseCmp(str, *array) : strcmp(str, *array)) == 0) + /* If the groups we want to match are specified as 'group', and + * not as 'DOMAIN\group' we strip the domain from the group to + * match against */ + if (strstr(*array,"\\") == NULL) { + wgroup = strstr(str,"\\") + 1; + debug("Stripping domain from group name %s\n", str); + } else { + wgroup = str; + } + + debug("Windows group: %s, Squid group: %s\n", wgroup, *array); + if ((use_case_insensitive_compare ? strCaseCmp(wgroup, *array) : strcmp(wgroup, *array)) == 0) return 0; array++; } @@ -189,7 +207,7 @@ static inline int strcmparray(const char *str, const char **array) } /* returns 1 on success, 0 on failure */ -int +static int Valid_Groups(char *UserName, const char **UserGroups) { struct winbindd_request request; @@ -217,8 +235,10 @@ Valid_Groups(char *UserName, const char **UserGroups) for (i = 0; i < response.data.num_entries; i++) { if ((wbinfo_gid_to_sid(sid, (int)((gid_t *)response.extra_data)[i])) != NULL) { debug("SID: %s\n", sid); - if (wbinfo_lookupsid(group,sid) == NULL) + if (wbinfo_lookupsid(group,sid) == NULL) { + warn("Can't lookup group SID.\n"); break; + } if (strcmparray(group, UserGroups) == 0) { match = 1; break; @@ -242,7 +262,7 @@ usage(char *program) program); } -void +static void process_options(int argc, char *argv[]) { int opt; diff --git a/helpers/external_acl/winbind_group/wb_common.c b/helpers/external_acl/winbind_group/wb_common.c index 785ef86ffe..c9976ccf59 100755 --- a/helpers/external_acl/winbind_group/wb_common.c +++ b/helpers/external_acl/winbind_group/wb_common.c 
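Review bot: `wgroup = strstr(str,"\\") + 1;` in strcmparray assumes `str` always contains a backslash; if it ever does not, `strstr` returns NULL and the code computes `NULL + 1` and hands it to `strcmp` or `strCaseCmp`. That holds today only because wbinfo_lookupsid in this same commit always inserts the separator, an invariant this helper depends on without checking. A guarded form costs two lines: `const char *sep = strchr(str, '\\');` and `wgroup = sep ? sep + 1 : str;`. The block comment should also state the authorization consequence, for example `/* An unqualified entry matches a group of that name in ANY domain winbindd reports. */`, since the readme hunk describes the two notations but not this effect.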
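Review bot: The added `warn("Can't lookup group SID.\n")` in Valid_Groups does not say which SID or user failed, although `sid` is already filled in and is printed by the `debug` call just above it. Because the `break` that follows ends the whole membership loop, one unresolvable SID denies the user even if a later group would have matched; that fails closed, but the operator sees a denial with no way to tell which lookup caused it. I would log the identifiers, `warn("Can't lookup group SID %s for user %s.\n", sid, UserName);`, assuming `warn` takes a printf-style format as `debug` does here, and consider `continue` instead of `break` if skipping the unresolvable group is the intended behaviour. The loop and the declarations of `sid` and `group` lie outside the hunk.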
@@ -26,6 +26,7 @@ #include "nsswitch/winbind_nss_config.h" #include "nsswitch/winbindd_nss.h" #include "config.h" +#include "wb_common.h" /* Global variables. These are effectively the client state information */ diff --git a/helpers/external_acl/winbind_group/wb_common.h b/helpers/external_acl/winbind_group/wb_common.h new file mode 100644 index 0000000000..b77e5a56ec --- /dev/null +++ b/helpers/external_acl/winbind_group/wb_common.h @@ -0,0 +1,12 @@ +/* wb_common.c */ +void free_response(struct winbindd_response *response); +void winbind_exclude_domain(const char *domain); +void init_request(struct winbindd_request *request, int request_type); +void init_response(struct winbindd_response *response); +void close_sock(void); +int winbind_open_pipe_sock(void); +int write_sock(void *buffer, int count); +int read_reply(struct winbindd_response *response); +NSS_STATUS winbindd_send_request(int req_type, struct winbindd_request *request); +NSS_STATUS winbindd_get_response(struct winbindd_response *response); +NSS_STATUS winbindd_request(int req_type, struct winbindd_request *request, struct winbindd_response *response); diff --git a/helpers/external_acl/winbind_group/wbntlm.h b/helpers/external_acl/winbind_group/wbntlm.h index 1b01f47095..469dce2ecd 100755 --- a/helpers/external_acl/winbind_group/wbntlm.h +++ b/helpers/external_acl/winbind_group/wbntlm.h @@ -38,8 +38,8 @@ /************* END CONFIGURATION *************/ /* Debugging stuff */ -extern char *myname; -static char *__foo; +extern const char *myname; +static const char *__foo; extern pid_t mypid; extern char debug_enabled; -- 2.47.2
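Review bot: The new wb_common.h has no include guard and uses `struct winbindd_request`, `struct winbindd_response` and `NSS_STATUS` without including the headers that declare them, so it compiles only when the two nsswitch headers are included first, as both .c files in this patch do. Wrapping the prototypes in `#ifndef WB_COMMON_H` / `#define WB_COMMON_H` and a closing `#endif`, and including those headers at the top, would make it self-contained. The opening comment `/* wb_common.c */` would read better as one line saying these are the winbind client functions implemented in wb_common.c. `write_sock` and `read_reply` would also benefit from a comment each stating what the int return value means, since callers have only this header to go by.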