From: Andreas Schneider Date: Tue, 20 Apr 2021 15:59:34 +0000 (+0200) Subject: s3:smbd: Remove NIS support X-Git-Tag: tevent-0.11.0~1047 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=edda7a329e5bed442418de9782cec9f567092aae;p=thirdparty%2Fsamba.git s3:smbd: Remove NIS support Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison --- diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 48ca3bf4688..39a67377d19 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -736,10 +736,6 @@ sub provision_ad_member path = $share_dir valid users = \"+$dcvars->{DOMAIN}/domain users\" -[valid_users_nis_group] - path = $share_dir - valid users = \"&$dcvars->{DOMAIN}/domain users\" - [valid_users_unix_nis_group] path = $share_dir valid users = \"+&$dcvars->{DOMAIN}/domain users\" diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c index f4bdd2d323e..70b4f320c5e 100644 --- a/source3/auth/user_util.c +++ b/source3/auth/user_util.c @@ -24,19 +24,6 @@ #include "auth.h" #include "lib/gencache.h" -#ifdef HAVE_NETGROUP -/* rpc/xdr.h uses TRUE and FALSE */ -#ifdef TRUE -#undef TRUE -#endif - -#ifdef FALSE -#undef FALSE -#endif - -#include "system/nis.h" -#endif - /******************************************************************* Map a username from a dos name to a unix name by looking in the username map. Note that this modifies the name in place. 
@@ -142,141 +129,44 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char } /**************************************************************************** - Check if a user is in a netgroup user list. If at first we don't succeed, - try lower case. -****************************************************************************/ - -bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname) -{ -#ifdef HAVE_NETGROUP - static char *my_yp_domain = NULL; - char *lowercase_user = NULL; + Check if a user is in a user list - if (my_yp_domain == NULL) { - yp_get_default_domain(&my_yp_domain); - } - - if (my_yp_domain == NULL) { - DEBUG(5,("Unable to get default yp domain, " - "let's try without specifying it\n")); - } - - DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", - user, my_yp_domain?my_yp_domain:"(ANY)", ngname)); - - if (innetgr(ngname, NULL, user, my_yp_domain)) { - DEBUG(5,("user_in_netgroup: Found\n")); - return true; - } - - /* - * Ok, innetgr is case sensitive. Try once more with lowercase - * just in case. Attempt to fix #703. JRA. - */ - lowercase_user = talloc_strdup(ctx, user); - if (!lowercase_user) { - return false; - } - if (!strlower_m(lowercase_user)) { - return false; - } - - if (strcmp(user,lowercase_user) == 0) { - /* user name was already lower case! */ - return false; - } + We removed NIS support in 2021, but need to keep configs working. - DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", - lowercase_user, my_yp_domain?my_yp_domain:"(ANY)", ngname)); - - if (innetgr(ngname, NULL, lowercase_user, my_yp_domain)) { - DEBUG(5,("user_in_netgroup: Found\n")); - return true; - } -#endif /* HAVE_NETGROUP */ - return false; -} - -/**************************************************************************** - Check if a user is in a user list - can check combinations of UNIX - and netgroup lists. 
+ TOOD FIXME: Remove this funciton ****************************************************************************/ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) { - if (!list || !*list) - return False; - - DEBUG(10,("user_in_list: checking user %s in list\n", user)); - - while (*list) { - DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", - user, *list)); - - /* - * Check raw username. - */ - if (strequal(user, *list)) - return(True); - - /* - * Now check to see if any combination - * of UNIX and netgroups has been specified. - */ - - if(**list == '@') { - /* - * Old behaviour. Check netgroup list - * followed by UNIX list. - */ - if(user_in_netgroup(ctx, user, *list +1)) - return True; - if(user_in_group(user, *list +1)) - return True; - } else if (**list == '+') { + if (list == NULL || *list == NULL) { + return false; + } - if((*(*list +1)) == '&') { - /* - * Search UNIX list followed by netgroup. - */ - if(user_in_group(user, *list +2)) - return True; - if(user_in_netgroup(ctx, user, *list +2)) - return True; + DBG_DEBUG("Checking user %s in list\n", user); - } else { + while (*list) { + const char *p = *list; + bool ok; - /* - * Just search UNIX list. - */ + /* Check raw username */ + if (strequal(user, p)) { + return true; + } - if(user_in_group(user, *list +1)) - return True; - } + while (*p == '@' || *p == '&' || *p == '+') { + p++; + } - } else if (**list == '&') { - - if(*(*list +1) == '+') { - /* - * Search netgroup list followed by UNIX list. - */ - if(user_in_netgroup(ctx, user, *list +2)) - return True; - if(user_in_group(user, *list +2)) - return True; - } else { - /* - * Just search netgroup list. - */ - if(user_in_netgroup(ctx, user, *list +1)) - return True; - } + ok = user_in_group(user, p); + if (ok) { + return true; } list++; } - return(False); + + return false; } bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out) 
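Review bot: In the rewritten `user_in_list` loop, `user_in_group(user, p)` is called for every list entry, including entries with no `@`/`+`/`&` prefix, whereas the removed code consulted group membership only when a prefix was present. A bare entry (for example `staff`) would therefore also match every member of a UNIX group with that name, which widens any allow list this function backs; its callers are outside the hunk, so the impact should be confirmed there. Guarding the lookup keeps the old meaning for bare names: `if (p != *list && user_in_group(user, p)) { return true; }`. The prefix-stripping `while` also accepts arbitrary runs such as `@@+&name` that the old parser did not treat as group entries. The new header comment has typos (`TOOD`, `funciton`) and no longer states which prefixes are accepted or what they now mean.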
diff --git a/source3/auth/wscript_build b/source3/auth/wscript_build index 277c4306557..97008fc9e03 100644 --- a/source3/auth/wscript_build +++ b/source3/auth/wscript_build @@ -6,7 +6,7 @@ bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL', bld.SAMBA3_SUBSYSTEM('USER_UTIL', source='user_util.c', - deps='TOKEN_UTIL tirpc nsl') + deps='TOKEN_UTIL') bld.SAMBA3_SUBSYSTEM('AUTH_COMMON', source='''auth_util.c diff --git a/source3/include/includes.h b/source3/include/includes.h index 2299e30ee05..6fc2ee25d95 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -96,10 +96,6 @@ #include #endif -#ifdef HAVE_NETGROUP_H -#include -#endif - /* Special macros that are no-ops except when run under Valgrind on * x86. They've moved a little bit from valgrind 1.0.4 to 1.9.4 */ #ifdef HAVE_VALGRIND_MEMCHECK_H diff --git a/source3/lib/util.c b/source3/lib/util.c index ee6cab17f0f..0cd5c8e6698 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -46,43 +46,6 @@ /* Max allowable allococation - 256mb - 0x10000000 */ #define MAX_ALLOC_SIZE (1024*1024*256) -#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT)) -/* rpc/xdr.h uses TRUE and FALSE */ -#ifdef TRUE -#undef TRUE -#endif - -#ifdef FALSE -#undef FALSE -#endif - -#include "system/nis.h" - -#ifdef WITH_NISPLUS_HOME -#ifdef BROKEN_NISPLUS_INCLUDE_FILES -/* - * The following lines are needed due to buggy include files - * in Solaris 2.6 which define GROUP in both /usr/include/sys/acl.h and - * also in /usr/include/rpcsvc/nis.h. The definitions conflict. JRA. - * Also GROUP_OBJ is defined as 0x4 in /usr/include/sys/acl.h and as - * an enum in /usr/include/rpcsvc/nis.h. - */ - -#if defined(GROUP) -#undef GROUP -#endif - -#if defined(GROUP_OBJ) -#undef GROUP_OBJ -#endif - -#endif /* BROKEN_NISPLUS_INCLUDE_FILES */ - -#include - -#endif /* WITH_NISPLUS_HOME */ -#endif /* HAVE_NETGROUP && WITH_AUTOMOUNT */ - static enum protocol_types Protocol = PROTOCOL_COREPLUS; enum protocol_types get_Protocol(void) 
@@ -598,133 +561,6 @@ char *get_mydnsdomname(TALLOC_CTX *ctx) } } -#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT)) -/****************************************************************** - Remove any mount options such as -rsize=2048,wsize=2048 etc. - Based on a fix from . - Returns a malloc'ed string. -*******************************************************************/ - -static char *strip_mount_options(TALLOC_CTX *ctx, const char *str) -{ - if (*str == '-') { - const char *p = str; - while(*p && !isspace(*p)) - p++; - while(*p && isspace(*p)) - p++; - if(*p) { - return talloc_strdup(ctx, p); - } - } - return NULL; -} - -/******************************************************************* - Patch from jkf@soton.ac.uk - Split Luke's automount_server into YP lookup and string splitter - so can easily implement automount_path(). - Returns a malloc'ed string. -*******************************************************************/ - -#ifdef WITH_NISPLUS_HOME -char *automount_lookup(TALLOC_CTX *ctx, const char *user_name) -{ - const struct loadparm_substitution *lp_sub = - loadparm_s3_global_substitution(); - char *value = NULL; - - char *nis_map = (char *)lp_homedir_map(talloc_tos(), lp_sub); - - char buffer[NIS_MAXATTRVAL + 1]; - nis_result *result; - nis_object *object; - entry_obj *entry; - - snprintf(buffer, sizeof(buffer), "[key=%s],%s", user_name, nis_map); - DEBUG(5, ("NIS+ querystring: %s\n", buffer)); - - if (result = nis_list(buffer, FOLLOW_PATH|EXPAND_NAME|HARD_LOOKUP, NULL, NULL)) { - if (result->status != NIS_SUCCESS) { - DEBUG(3, ("NIS+ query failed: %s\n", nis_sperrno(result->status))); - } else { - object = result->objects.objects_val; - if (object->zo_data.zo_type == ENTRY_OBJ) { - entry = &object->zo_data.objdata_u.en_data; - DEBUG(5, ("NIS+ entry type: %s\n", entry->en_type)); - DEBUG(3, ("NIS+ result: %s\n", entry->en_cols.en_cols_val[1].ec_value.ec_value_val)); - - value = talloc_strdup(ctx, - 
entry->en_cols.en_cols_val[1].ec_value.ec_value_val); - if (!value) { - nis_freeresult(result); - return NULL; - } - value = talloc_string_sub(ctx, - value, - "&", - user_name); - } - } - } - nis_freeresult(result); - - if (value) { - value = strip_mount_options(ctx, value); - DEBUG(4, ("NIS+ Lookup: %s resulted in %s\n", - user_name, value)); - } - return value; -} -#else /* WITH_NISPLUS_HOME */ - -char *automount_lookup(TALLOC_CTX *ctx, const char *user_name) -{ - const struct loadparm_substitution *lp_sub = - loadparm_s3_global_substitution(); - char *value = NULL; - - int nis_error; /* returned by yp all functions */ - char *nis_result; /* yp_match inits this */ - int nis_result_len; /* and set this */ - char *nis_domain; /* yp_get_default_domain inits this */ - char *nis_map = lp_homedir_map(talloc_tos(), lp_sub); - - if ((nis_error = yp_get_default_domain(&nis_domain)) != 0) { - DEBUG(3, ("YP Error: %s\n", yperr_string(nis_error))); - return NULL; - } - - DEBUG(5, ("NIS Domain: %s\n", nis_domain)); - - if ((nis_error = yp_match(nis_domain, nis_map, user_name, - strlen(user_name), &nis_result, - &nis_result_len)) == 0) { - if (nis_result_len > 0 && nis_result[nis_result_len] == '\n') { - nis_result[nis_result_len] = '\0'; - } - value = talloc_strdup(ctx, nis_result); - if (!value) { - return NULL; - } - value = strip_mount_options(ctx, value); - } else if(nis_error == YPERR_KEY) { - DEBUG(3, ("YP Key not found: while looking up \"%s\" in map \"%s\"\n", - user_name, nis_map)); - DEBUG(3, ("using defaults for server and home directory\n")); - } else { - DEBUG(3, ("YP Error: \"%s\" while looking up \"%s\" in map \"%s\"\n", - yperr_string(nis_error), user_name, nis_map)); - } - - if (value) { - DEBUG(4, ("YP Lookup: %s resulted in %s\n", user_name, value)); - } - return value; -} -#endif /* WITH_NISPLUS_HOME */ -#endif - bool process_exists(const struct server_id pid) { return serverid_exists(&pid); 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index e13571c3e4f..078e67db48f 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -682,15 +682,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.machine_password_timeout = 60 * 60 * 24 * 7; /* 7 days default. */ Globals.lm_announce = Auto; /* = Auto: send only if LM clients found */ Globals.lm_interval = 60; -#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT)) - Globals.nis_homedir = false; -#ifdef WITH_NISPLUS_HOME - lpcfg_string_set(Globals.ctx, &Globals.homedir_map, - "auto_home.org_dir"); -#else - lpcfg_string_set(Globals.ctx, &Globals.homedir_map, "auto.home"); -#endif -#endif Globals.time_server = false; Globals.bind_interfaces_only = false; Globals.unix_password_sync = false; diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index a9d59095bd3..525f7f0a2a9 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -1874,19 +1874,6 @@ EOF return 1 fi - # User not in NIS group in "valid users" can't login to service - cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1' - eval echo "$cmd" - out=`eval $cmd` - echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' - ret=$? - - if [ $ret -ne 0 ] ; then - echo "$out" - echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret" - return 1 - fi - # Check user in UNIX, then in NIS group in "valid users" can login to service cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1' eval echo "$cmd" diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c index 694c0c290e8..debe4fc6385 100644 --- a/source3/smbd/share_access.c +++ b/source3/smbd/share_access.c 
@@ -25,23 +25,21 @@ #include "auth.h" /* - * No prefix means direct username - * @name means netgroup first, then unix group - * &name means netgroup - * +name means unix group - * + and & may be combined + * We dropped NIS support in 2021, but need to keep configs working. + * + * TODO FIXME: Remove me in future */ static bool do_group_checks(const char **name, const char **pattern) { if ((*name)[0] == '@') { - *pattern = "&+"; + *pattern = "+"; *name += 1; return True; } if (((*name)[0] == '+') && ((*name)[1] == '&')) { - *pattern = "+&"; + *pattern = "+"; *name += 2; return True; } @@ -53,13 +51,13 @@ static bool do_group_checks(const char **name, const char **pattern) } if (((*name)[0] == '&') && ((*name)[1] == '+')) { - *pattern = "&+"; + *pattern = "+"; *name += 2; return True; } if ((*name)[0] == '&') { - *pattern = "&"; + *pattern = "+"; *name += 1; return True; } @@ -147,11 +145,6 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, continue; } if (*prefix == '&') { - if (username) { - if (user_in_netgroup(mem_ctx, username, name)) { - return True; - } - } continue; } smb_panic("got invalid prefix from do_groups_check"); diff --git a/source3/wscript b/source3/wscript index b58a9479590..42960e5d03a 100644 --- a/source3/wscript +++ b/source3/wscript @@ -141,7 +141,6 @@ def configure(conf): conf.CHECK_FUNCS('lutimes utimensat futimens') conf.CHECK_FUNCS('mlock munlock mlockall munlockall') conf.CHECK_FUNCS('memalign posix_memalign hstrerror') - conf.CHECK_FUNCS_IN('yp_get_default_domain', 'nsl') conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv') conf.CHECK_FUNCS_IN('dn_expand', 'inet') conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h') 
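Review bot: A netgroup-only entry (`&name`) is now evaluated as a UNIX group of the same name, because `do_group_checks` maps every `&` form to the pattern `+`; for allow lists such as `valid users` that is fail-open rather than a no-op. Before this commit such an entry matched nobody on builds without `HAVE_NETGROUP` (the removed `user_in_netgroup` returned false there), and the deleted `valid_users_nis_group` test, which expected `NT_STATUS_ACCESS_DENIED`, pinned that result. Consider keeping `*pattern = "&";` for the pure `&name` case so the surviving `continue` in `token_contains_name` makes it match nothing, and logging the deprecated syntax, e.g. `DBG_WARNING("'&' netgroup prefix is no longer supported: %s\n", *name);`. The replacement comment above `do_group_checks` should still list the accepted prefixes and how each is interpreted now. Both functions extend beyond the visible hunks.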
@@ -631,9 +630,6 @@ msg.msg_accrightslen = sizeof(fd); headers='unistd.h sys/types.h dirent.h', define='HAVE_DIRENT_D_OFF') - if (conf.CONFIG_SET('HAVE_YP_GET_DEFAULT_DOMAIN')): - conf.DEFINE('HAVE_NETGROUP', '1') - # Look for CUPS if Options.options.with_cups: conf.find_program('cups-config', var='CUPS_CONFIG')