diff options
| author | kcrowenex <kevin.crowe@nexenta.com> | 2014-12-15 14:02:48 -0500 |
|---|---|---|
| committer | Dan McDonald <danmcd@mnx.io> | 2022-10-06 17:33:48 -0400 |
| commit | cd918266dec8ae2553f7a0efd53c52aa90d99a39 (patch) | |
| tree | f1d91062b69af55e973195229b4bb5031c1e83c2 /usr/src/lib | |
| parent | dd03b475cb030673a110ddade24162f09801d116 (diff) | |
| download | illumos-joyent-cd918266dec8ae2553f7a0efd53c52aa90d99a39.tar.gz | |
2271 CIFS clients fail to authenticate when idmap is using IDMU
Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
Approved by: Dan McDonald <danmcd@mnx.io>
Diffstat (limited to 'usr/src/lib')
| -rw-r--r-- | usr/src/lib/libbsm/common/adt.c | 49 |
1 files changed, 36 insertions, 13 deletions
diff --git a/usr/src/lib/libbsm/common/adt.c b/usr/src/lib/libbsm/common/adt.c index d598decc60..7ab93647a0 100644 --- a/usr/src/lib/libbsm/common/adt.c +++ b/usr/src/lib/libbsm/common/adt.c @@ -22,6 +22,7 @@ /* * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2017 OmniOS Community Edition (OmniOSce) Association. + * Copyright 2014 Nexenta Systems, Inc. All rights reserved. */ #include <bsm/adt.h> @@ -191,7 +192,23 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask) /* c2audit excluded */ mask->am_success = 0; mask->am_failure = 0; - } else if (uid <= MAXUID) { + return (0); + } + + /* + * This function applies the 'attributable' mask, modified by + * any per-user flags, to any user whose UID can be mapped to + * a name via name services. + * Others, such as users with Ephemeral UIDs, or NFS clients + * using AUTH_SYS, get the 'non-attributable mask'. + * This is true even if some _other_ system or service could + * map the ID to a name, or if it could be inferred from + * other records. + * Note that it is possible for records to contain _only_ + * an ephemeral ID, which can't be mapped back to a name + * once it becomes invalid (e.g. server reboot). + */ + if (uid <= MAXUID) { if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) { adt_write_syslog("couldn't determine maximum size of " "password buffer", errno); @@ -200,18 +217,24 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask) if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) { return (-1); } - if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) { - errno = EINVAL; /* user doesn't exist */ - free(pwd_buff); - return (-1); - } - if (au_user_mask(pwd.pw_name, mask)) { + /* + * Ephemeral id's and id's that exist in a name service we + * don't have configured (LDAP, NIS) can't be looked up, + * but either way it's not an error. + */ + if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) != NULL) { + if (au_user_mask(pwd.pw_name, mask)) { + free(pwd_buff); + errno = EFAULT; /* undetermined failure */ + return (-1); + } free(pwd_buff); - errno = EFAULT; /* undetermined failure */ - return (-1); + return (0); } free(pwd_buff); - } else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) { + } + + if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) { return (-1); } @@ -1084,9 +1107,9 @@ adt_from_export_format(adt_internal_state_t *internal, struct export_header head; struct export_link link; adr_t context; - int32_t offset; - int32_t length; - int32_t version; + int32_t offset; + int32_t length; + int32_t version; size_t label_len; char *p = (char *)external; |