Revert "s3:smbd: Remove NIS support"

This partly reverts commit edda7a3. Revert the chunks related to netgroups and skip NIS support related ones. Use getdomainname() from glibc instead of yp_get_default_domain() from libnsl to get the NIS domain name. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 21796ef)
samba-team · Jun 12, 2022 · f179184 · f179184
1 parent e8a5a95
commit f179184
Show file tree

Hide file tree

Showing 5 changed files with 154 additions and 29 deletions.
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
@@ -767,6 +767,10 @@ sub provision_ad_member
     path = $share_dir
     valid users = \"+$dcvars->{DOMAIN}/domain users\"
 
+[valid_users_nis_group]
+    path = $share_dir
+    valid users = \"&$dcvars->{DOMAIN}/domain users\"
+
 [valid_users_unix_nis_group]
     path = $share_dir
     valid users = \"+&$dcvars->{DOMAIN}/domain users\"

diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c
@@ -129,44 +129,141 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char
 }
 
 /****************************************************************************
- Check if a user is in a user list
-
- We removed NIS support in 2021, but need to keep configs working.
-
- TOOD FIXME: Remove this funciton
+ Check if a user is in a netgroup user list. If at first we don't succeed,
+ try lower case.
 ****************************************************************************/
 
-bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
+bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
 {
+#ifdef HAVE_NETGROUP
+	char nis_domain_buf[256];
+	const char *nis_domain = NULL;
+	char *lowercase_user = NULL;
+
+	if (getdomainname(nis_domain_buf, sizeof(nis_domain_buf)) == 0) {
+		nis_domain = &nis_domain_buf[0];
+	} else {
+		DEBUG(5,("Unable to get default yp domain, "
+			"let's try without specifying it\n"));
+		nis_domain = NULL;
+	}
+
+	DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+		user, nis_domain ? nis_domain : "(ANY)", ngname));
+
+	if (innetgr(ngname, NULL, user, nis_domain)) {
+		DEBUG(5,("user_in_netgroup: Found\n"));
+		return true;
+	}
+
+	/*
+	 * Ok, innetgr is case sensitive. Try once more with lowercase
+	 * just in case. Attempt to fix #703. JRA.
+	 */
+	lowercase_user = talloc_strdup(ctx, user);
+	if (!lowercase_user) {
+		return false;
+	}
+	if (!strlower_m(lowercase_user)) {
+		return false;
+	}
 
-	if (list == NULL || *list == NULL) {
+	if (strcmp(user,lowercase_user) == 0) {
+		/* user name was already lower case! */
 		return false;
 	}
 
-	DBG_DEBUG("Checking user %s in list\n", user);
+	DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+		lowercase_user, nis_domain ? nis_domain : "(ANY)", ngname));
+
+	if (innetgr(ngname, NULL, lowercase_user, nis_domain)) {
+		DEBUG(5,("user_in_netgroup: Found\n"));
+		return true;
+	}
+#endif /* HAVE_NETGROUP */
+	return false;
+}
+
+/****************************************************************************
+ Check if a user is in a user list - can check combinations of UNIX
+ and netgroup lists.
+****************************************************************************/
+
+bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
+{
+	if (!list || !*list)
+		return False;
+
+	DEBUG(10,("user_in_list: checking user %s in list\n", user));
 
 	while (*list) {
-		const char *p = *list;
-		bool ok;
 
-		/* Check raw username */
-		if (strequal(user, p)) {
-			return true;
-		}
+		DEBUG(10,("user_in_list: checking user |%s| against |%s|\n",
+			  user, *list));
+
+		/*
+		 * Check raw username.
+		 */
+		if (strequal(user, *list))
+			return(True);
+
+		/*
+		 * Now check to see if any combination
+		 * of UNIX and netgroups has been specified.
+		 */
+
+		if(**list == '@') {
+			/*
+			 * Old behaviour. Check netgroup list
+			 * followed by UNIX list.
+			 */
+			if(user_in_netgroup(ctx, user, *list +1))
+				return True;
+			if(user_in_group(user, *list +1))
+				return True;
+		} else if (**list == '+') {
 
-		while (*p == '@' || *p == '&' || *p == '+') {
-			p++;
-		}
+			if((*(*list +1)) == '&') {
+				/*
+				 * Search UNIX list followed by netgroup.
+				 */
+				if(user_in_group(user, *list +2))
+					return True;
+				if(user_in_netgroup(ctx, user, *list +2))
+					return True;
+
+			} else {
 
-		ok = user_in_group(user, p);
-		if (ok) {
-			return true;
+				/*
+				 * Just search UNIX list.
+				 */
+
+				if(user_in_group(user, *list +1))
+					return True;
+			}
+
+		} else if (**list == '&') {
+
+			if(*(*list +1) == '+') {
+				/*
+				 * Search netgroup list followed by UNIX list.
+				 */
+				if(user_in_netgroup(ctx, user, *list +2))
+					return True;
+				if(user_in_group(user, *list +2))
+					return True;
+			} else {
+				/*
+				 * Just search netgroup list.
+				 */
+				if(user_in_netgroup(ctx, user, *list +1))
+					return True;
+			}
 		}
 
 		list++;
 	}
-
-	return false;
+	return(False);
 }
 
 bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out)

diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
@@ -1965,6 +1965,19 @@ EOF
        return 1
     fi
 
+    # User not in NIS group in "valid users" can't login to service
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+    ret=$?
+
+    if [ $ret -ne 0 ] ; then
+       echo "$out"
+       echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret"
+       return 1
+    fi
+
     # Check user in UNIX, then in NIS group in "valid users" can login to service
     cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1'
     eval echo "$cmd"

diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
@@ -26,21 +26,23 @@
 #include "source3/lib/substitute.h"
 
 /*
- * We dropped NIS support in 2021, but need to keep configs working.
- *
- * TODO FIXME: Remove me in future
+ * No prefix means direct username
+ * @name means netgroup first, then unix group
+ * &name means netgroup
+ * +name means unix group
+ * + and & may be combined
  */
 
 static bool do_group_checks(const char **name, const char **pattern)
 {
 	if ((*name)[0] == '@') {
-		*pattern = "+";
+		*pattern = "&+";
 		*name += 1;
 		return True;
 	}
 
 	if (((*name)[0] == '+') && ((*name)[1] == '&')) {
-		*pattern = "+";
+		*pattern = "+&";
 		*name += 2;
 		return True;
 	}
@@ -52,13 +54,13 @@ static bool do_group_checks(const char **name, const char **pattern)
 	}
 
 	if (((*name)[0] == '&') && ((*name)[1] == '+')) {
-		*pattern = "+";
+		*pattern = "&+";
 		*name += 2;
 		return True;
 	}
 
 	if ((*name)[0] == '&') {
-		*pattern = "+";
+		*pattern = "&";
 		*name += 1;
 		return True;
 	}
@@ -146,6 +148,11 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
 			continue;
 		}
 		if (*prefix == '&') {
+			if (username) {
+				if (user_in_netgroup(mem_ctx, username, name)) {
+					return True;
+				}
+			}
 			continue;
 		}
 		smb_panic("got invalid prefix from do_groups_check");

diff --git a/source3/wscript b/source3/wscript
@@ -139,6 +139,7 @@ def configure(conf):
     conf.CHECK_FUNCS('lutimes utimensat futimens')
     conf.CHECK_FUNCS('mlock munlock mlockall munlockall')
     conf.CHECK_FUNCS('memalign posix_memalign hstrerror')
+    conf.CHECK_FUNCS('getdomainname')
     conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv')
     conf.CHECK_FUNCS_IN('dn_expand', 'inet')
     conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h')
@@ -628,6 +629,9 @@ msg.msg_accrightslen = sizeof(fd);
                                 headers='unistd.h sys/types.h dirent.h',
                                 define='HAVE_DIRENT_D_OFF')
 
+    if (conf.CONFIG_SET('HAVE_GETDOMAINNAME')):
+        conf.DEFINE('HAVE_NETGROUP', '1')
+
     # Look for CUPS
     if Options.options.with_cups:
         conf.find_program('cups-config', var='CUPS_CONFIG')