add-ds-groups-to-token [plain text]
<rdar://problem/5641804> GROUPS: SMB limits group membership to 15
The Leopard SMB client calls SMB_WHOAMI to get its server-side group
list because it needs to evaluate effective access from the server-side
Unix permission bits or SMB ACLs. This means that we need to return
the complete groups list (ie. we can't use getgroups).
Index: samba/source/configure.in
===================================================================
--- samba/source/configure.in.orig
+++ samba/source/configure.in
@@ -916,6 +916,7 @@ main() {
AC_CHECK_FUNCS(pthread_setugid_np)
AC_CHECK_FUNCS(accessx_np)
+ AC_CHECK_FUNCS(getgrouplist_2)
;;
*hurd*)
Index: samba/source/lib/system_smbd.c
===================================================================
--- samba/source/lib/system_smbd.c.orig
+++ samba/source/lib/system_smbd.c
@@ -146,10 +146,55 @@ static int sys_getgrouplist(const char *
return retval;
}
+#if HAVE_GETGROUPLIST_2
+extern int32_t getgrouplist_2(const char *name, gid_t basegid, gid_t **groups);
+
+static BOOL getgroups_unix_user_ds(TALLOC_CTX *mem_ctx,
+ const char *user,
+ gid_t primary_gid,
+ gid_t **ret_groups,
+ size_t *p_ngroups)
+{
+ int32_t max_grp;
+ size_t ngrp = 0;
+ gid_t *groups = NULL;
+ int i;
+ gid_t * temp_groups = NULL;
+
+ max_grp = getgrouplist_2(user, primary_gid, &temp_groups);
+ if (max_grp == -1) {
+ return False;
+ }
+
+ /* Add in primary group first */
+ if (!add_gid_to_array_unique(mem_ctx, primary_gid, &groups, &ngrp)) {
+ SAFE_FREE(temp_groups);
+ return False;
+ }
+
+ for (i = 0; i < max_grp; i++) {
+ if (!add_gid_to_array_unique(mem_ctx, temp_groups[i],
+ &groups, &ngrp)) {
+ SAFE_FREE(temp_groups);
+ return False;
+ }
+ }
+
+ *p_ngroups = ngrp;
+ *ret_groups = groups;
+ SAFE_FREE(temp_groups);
+ return True;
+}
+#endif /* HAVE_GETGROUPLIST_2 */
+
BOOL getgroups_unix_user(TALLOC_CTX *mem_ctx, const char *user,
gid_t primary_gid,
gid_t **ret_groups, size_t *p_ngroups)
{
+#if HAVE_GETGROUPLIST_2
+ return getgroups_unix_user_ds(mem_ctx, user, primary_gid,
+ ret_groups, p_ngroups);
+#else
size_t ngrp;
int max_grp;
gid_t *temp_groups;
@@ -198,4 +243,5 @@ BOOL getgroups_unix_user(TALLOC_CTX *mem
*ret_groups = groups;
SAFE_FREE(temp_groups);
return True;
+#endif /* HAVE_GETGROUPLIST_2 */
}