author | Corinna Vinschen <corinna@vinschen.de> | 2015-01-13 12:06:53 +0300 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2015-01-13 12:06:53 +0300 |
commit | f5a9dd02c440696624e74af4a022c22aabbdced5 (patch) | |
tree | e7f7ae58e8d4454b2acba92a48c49a5afd8f7924 /winsup/cygwin/uinfo.cc | |
parent | 84f425add14c58c8ab096f434d2559364659a7c0 (diff) |
* uinfo.cc (pwdgrp::fetch_account_from_windows): Drop code from
2014-11-17, always prepending domain to NT SERVICE accounts when
searching by name. Fix test expression to allow fully qualified
names for NT SERVICE accounts. Extend comment to explain a bit.
Diffstat (limited to 'winsup/cygwin/uinfo.cc')
-rw-r--r-- | winsup/cygwin/uinfo.cc | 24 |
1 files changed, 8 insertions, 16 deletions
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 6a2232d32..89ed5c27b 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -1749,19 +1749,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, &acc_type);
 }
- /* LookupAccountName doesn't find NT SERVICE accounts. Try just for
- kicks (and to make TrustedInstaller work here :-P */
- else if (!ret)
- {
- p = wcpcpy (name, L"NT SERVICE");
- *p = L'\\';
- sys_mbstowcs (p + 1, UNLEN + 1, arg.name);
- slen = SECURITY_MAX_SID_SIZE;
- dlen = DNLEN + 1;
- sid = csid;
- ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen,
- &acc_type);
- }
 if (!ret)
 {
 debug_printf ("LookupAccountNameW (%W), %E", name);
@@ -1807,12 +1794,17 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 /* All is well if db_prefix is always. */
 if (cygheap->pg.nss_prefix_always ())
 break;
- /* Otherwise, no fully_qualified for builtin accounts. */
+ /* Otherwise, no fully_qualified for builtin accounts, except for
+ NT SERVICE, for which we require the prefix. Note that there's
+ no equivalent test in the `if (!fq_name)' branch above, because
+ LookupAccountName never returns NT SERVICE accounts if they are
+ not prependend with the domain anyway. */
 if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */
- || sid_sub_auth (sid, 0) != SECURITY_NT_NON_UNIQUE)
+ || (sid_sub_auth (sid, 0) != SECURITY_NT_NON_UNIQUE
+ && sid_sub_auth (sid, 0) != SECURITY_SERVICE_ID_BASE_RID))
 {
 debug_printf ("Invalid account name <%s> (fully qualified/"
- "not NON_UNIQUE)", arg.name);
+ "not NON_UNIQUE or NT_SERVICE)", arg.name);
 return NULL;
 }
 /* All is well if db_prefix is primary. */ |
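Review bot: The comment added in the second hunk justifies having no NT SERVICE test in the `if (!fq_name)` branch by stating that LookupAccountName never returns those accounts for unprefixed names, so the "prefix required" rule for service SIDs rests on Windows API behaviour rather than on a check in this function. That branch is outside the hunk, so this is inferred from the comment only; if it can be reached with a resolved SID, an explicit rejection there such as `if (sid_id_auth (sid) == 5 && sid_sub_auth (sid, 0) == SECURITY_SERVICE_ID_BASE_RID) return NULL;` would keep an unqualified name from ever mapping to a service account should the lookup behave differently. In the new comment, `prependend` should read `prepended`. The body of pwdgrp::fetch_account_from_windows starts and ends outside the hunk.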