Changeset 124 for branches/samba-3.0/source/nsswitch
- Timestamp:
- Mar 12, 2008, 9:08:18 AM (18 years ago)
- Location:
- branches/samba-3.0/source/nsswitch
- Files:
-
- 11 edited
-
idmap.c (modified) (2 diffs)
-
pam_winbind.c (modified) (1 diff)
-
winbind_nss_config.h (modified) (1 diff)
-
winbindd.c (modified) (1 diff)
-
winbindd_async.c (modified) (9 diffs)
-
winbindd_cm.c (modified) (20 diffs)
-
winbindd_cred_cache.c (modified) (1 diff)
-
winbindd_dual.c (modified) (2 diffs)
-
winbindd_nss.h (modified) (1 diff)
-
winbindd_pam.c (modified) (1 diff)
-
winbindd_util.c (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.0/source/nsswitch/idmap.c
r105 r124 368 368 dl[1] = NULL; 369 369 370 dom_list = dl;370 dom_list = (const char **)dl; 371 371 default_domain = dl[0]; 372 372 } … … 907 907 /* huh, couldn't find a suitable domain, 908 908 * let's just leave it unmapped */ 909 DEBUG(10, ("Could not find idmap backend for SID %s ",909 DEBUG(10, ("Could not find idmap backend for SID %s\n", 910 910 sid_string_static(map->sid))); 911 911 return NT_STATUS_NO_SUCH_DOMAIN; -
branches/samba-3.0/source/nsswitch/pam_winbind.c
r30 r124 1029 1029 request.data.auth.uid = -1; 1030 1030 1031 request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM; 1031 request.flags = WBFLAG_PAM_INFO3_TEXT | 1032 WBFLAG_PAM_GET_PWD_POLICY | 1033 WBFLAG_PAM_CONTACT_TRUSTDOM; 1032 1034 1033 1035 if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) { -
branches/samba-3.0/source/nsswitch/winbind_nss_config.h
r30 r124 37 37 #endif 38 38 39 #include "system/passwd.h"40 39 #include "system/filesys.h" 41 40 #include "system/network.h" 41 #include "system/passwd.h" 42 42 43 43 #include "nsswitch/winbind_nss.h" -
branches/samba-3.0/source/nsswitch/winbindd.c
r105 r124 542 542 if (*(uint32 *)(&state->request) != sizeof(state->request)) { 543 543 DEBUG(0,("request_len_recv: Invalid request size received: %d (expected %d)\n", 544 *(uint32 *)(&state->request), sizeof(state->request)));544 *(uint32 *)(&state->request), (uint32)sizeof(state->request))); 545 545 state->finished = True; 546 546 return; -
branches/samba-3.0/source/nsswitch/winbindd_async.c
r105 r124 783 783 ********************************************************************/ 784 784 785 struct lookupname_state { 786 char *dom_name; 787 char *name; 788 void *caller_private_data; 789 }; 790 785 791 static void lookupname_recv2(TALLOC_CTX *mem_ctx, BOOL success, 786 792 struct winbindd_response *response, … … 791 797 (void (*)(void *, BOOL, const DOM_SID *, enum lsa_SidType))c; 792 798 DOM_SID sid; 799 struct lookupname_state *s = talloc_get_type_abort(private_data, struct lookupname_state); 793 800 794 801 if (!success) { 795 802 DEBUG(5, ("Could not trigger lookup_name\n")); 796 cont( private_data, False, NULL, SID_NAME_UNKNOWN);803 cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); 797 804 return; 798 805 } … … 800 807 if (response->result != WINBINDD_OK) { 801 808 DEBUG(5, ("lookup_name returned an error\n")); 802 cont( private_data, False, NULL, SID_NAME_UNKNOWN);809 cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); 803 810 return; 804 811 } … … 807 814 DEBUG(0, ("Could not convert string %s to sid\n", 808 815 response->data.sid.sid)); 809 cont( private_data, False, NULL, SID_NAME_UNKNOWN);810 return; 811 } 812 813 cont( private_data, True, &sid,816 cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); 817 return; 818 } 819 820 cont(s->caller_private_data, True, &sid, 814 821 (enum lsa_SidType)response->data.sid.type); 815 822 } … … 827 834 (void (*)(void *, BOOL, const DOM_SID *, enum lsa_SidType))c; 828 835 DOM_SID sid; 836 struct lookupname_state *s = talloc_get_type_abort(private_data, struct lookupname_state); 829 837 830 838 if (!success) { 831 839 DEBUG(5, ("lookupname_recv: lookup_name() failed!\n")); 832 cont( private_data, False, NULL, SID_NAME_UNKNOWN);840 cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); 833 841 return; 834 842 } … … 837 845 /* Try again using the forest root */ 838 846 struct winbindd_domain *root_domain = find_root_domain(); 839 struct winbindd_cli_state *state = (struct winbindd_cli_state*)private_data; 840 struct winbindd_request request; 841 char *name_domain, *name_account; 842 847 struct winbindd_request request; 848 843 849 if ( !root_domain ) { 844 850 DEBUG(5,("lookupname_recv: unable to determine forest root\n")); 845 cont( private_data, False, NULL, SID_NAME_UNKNOWN);851 cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); 846 852 return; 847 853 } 848 854 849 name_domain = state->request.data.name.dom_name;850 name_account = state->request.data.name.name;851 852 855 ZERO_STRUCT(request); 853 856 request.cmd = WINBINDD_LOOKUPNAME; 854 fstrcpy(request.data.name.dom_name, name_domain);855 fstrcpy(request.data.name.name, name_account);857 fstrcpy(request.data.name.dom_name, s->dom_name); 858 fstrcpy(request.data.name.name, s->name); 856 859 857 860 do_async_domain(mem_ctx, root_domain, &request, lookupname_recv2, 858 (void *)cont, private_data);861 (void *)cont, s); 859 862 860 863 return; … … 864 867 DEBUG(0, ("Could not convert string %s to sid\n", 865 868 response->data.sid.sid)); 866 cont( private_data, False, NULL, SID_NAME_UNKNOWN);867 return; 868 } 869 870 cont( private_data, True, &sid,869 cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); 870 return; 871 } 872 873 cont(s->caller_private_data, True, &sid, 871 874 (enum lsa_SidType)response->data.sid.type); 872 875 } … … 887 890 struct winbindd_request request; 888 891 struct winbindd_domain *domain; 892 struct lookupname_state *s; 889 893 890 894 if ( (domain = find_lookup_domain_from_name(dom_name)) == NULL ) { … … 899 903 fstrcpy(request.data.name.name, name); 900 904 905 if ( (s = TALLOC_ZERO_P(mem_ctx, struct lookupname_state)) == NULL ) { 906 DEBUG(0, ("winbindd_lookupname_async: talloc failed\n")); 907 cont(private_data, False, NULL, SID_NAME_UNKNOWN); 908 return; 909 } 910 911 s->dom_name = talloc_strdup( s, dom_name ); 912 s->name = talloc_strdup( s, name ); 913 if (!s->dom_name || !s->name) { 914 cont(private_data, False, NULL, SID_NAME_UNKNOWN); 915 return; 916 } 917 918 s->caller_private_data = private_data; 919 901 920 do_async_domain(mem_ctx, domain, &request, lookupname_recv, 902 (void *)cont, private_data);921 (void *)cont, s); 903 922 } 904 923 -
branches/samba-3.0/source/nsswitch/winbindd_cm.c
r71 r124 586 586 } 587 587 588 /** 589 * Helper function to assemble trust password and account name 590 */ 591 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain, 592 char **machine_password, 593 char **machine_account, 594 char **machine_krb5_principal) 595 { 596 const char *account_name; 597 598 if (!get_trust_pw_clear(domain->name, machine_password, 599 &account_name, NULL)) 600 { 601 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 602 } 603 604 if ((machine_account != NULL) && 605 (asprintf(machine_account, "%s$", account_name) == -1)) 606 { 607 return NT_STATUS_NO_MEMORY; 608 } 609 610 /* this is at least correct when domain is our domain, 611 * which is the only case, when this is currently used: */ 612 if (machine_krb5_principal != NULL) 613 { 614 if (asprintf(machine_krb5_principal, "%s$@%s", 615 account_name, domain->alt_name) == -1) 616 { 617 return NT_STATUS_NO_MEMORY; 618 } 619 620 strupper_m(*machine_krb5_principal); 621 } 622 623 return NT_STATUS_OK; 624 } 625 588 626 /************************************************************************ 589 627 Given a fd with a just-connected TCP connection to a DC, open a connection … … 597 635 BOOL *retry) 598 636 { 599 char *machine_password, *machine_krb5_principal, *machine_account; 600 char *ipc_username, *ipc_domain, *ipc_password; 637 char *machine_password = NULL; 638 char *machine_krb5_principal = NULL; 639 char *machine_account = NULL; 640 char *ipc_username = NULL; 641 char *ipc_domain = NULL; 642 char *ipc_password = NULL; 601 643 602 644 BOOL got_mutex; … … 611 653 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n", 612 654 controller, domain->name )); 613 614 machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,615 NULL);616 617 if (asprintf(&machine_account, "%s$", global_myname()) == -1) {618 SAFE_FREE(machine_password);619 return NT_STATUS_NO_MEMORY;620 }621 622 if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),623 lp_realm()) == -1) {624 SAFE_FREE(machine_account);625 SAFE_FREE(machine_password);626 return NT_STATUS_NO_MEMORY;627 }628 629 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);630 655 631 656 *retry = True; … … 685 710 goto done; 686 711 } 687 688 if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) { 712 713 if (!is_trusted_domain_situation(domain->name) && 714 (*cli)->protocol >= PROTOCOL_NT1 && 715 (*cli)->capabilities & CAP_EXTENDED_SECURITY) 716 { 689 717 ADS_STATUS ads_status; 718 719 result = get_trust_creds(domain, &machine_password, 720 &machine_account, 721 &machine_krb5_principal); 722 if (!NT_STATUS_IS_OK(result)) { 723 goto done; 724 } 690 725 691 726 if (lp_security() == SEC_ADS) { … … 701 736 machine_krb5_principal, 702 737 machine_password, 703 lp_workgroup());738 domain->name); 704 739 705 740 if (!ADS_ERR_OK(ads_status)) { … … 711 746 if (NT_STATUS_IS_OK(result)) { 712 747 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */ 713 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);748 cli_init_creds(*cli, machine_account, domain->name, machine_password); 714 749 goto session_setup_done; 715 750 } … … 721 756 DEBUG(5, ("connecting to %s from %s with username " 722 757 "[%s]\\[%s]\n", controller, global_myname(), 723 lp_workgroup(), machine_account));758 domain->name, machine_account)); 724 759 725 760 ads_status = cli_session_setup_spnego(*cli, 726 761 machine_account, 727 762 machine_password, 728 lp_workgroup());763 domain->name); 729 764 if (!ADS_ERR_OK(ads_status)) { 730 765 DEBUG(4, ("authenticated session setup failed with %s\n", … … 735 770 if (NT_STATUS_IS_OK(result)) { 736 771 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */ 737 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);772 cli_init_creds(*cli, machine_account, domain->name, machine_password); 738 773 goto session_setup_done; 739 774 } 740 775 } 741 776 742 /* Fall back to non-kerberos session setup */777 /* Fall back to non-kerberos session setup with auth_user */ 743 778 744 779 (*cli)->use_kerberos = False; 780 781 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); 745 782 746 783 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) && … … 908 945 p += 2; 909 946 910 p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True); 947 p += dos_PutUniCode(p, global_myname(), 948 sizeof(outbuf) - PTR_DIFF(p, outbuf), True); 911 949 fstr_sprintf(my_acct_name, "%s$", global_myname()); 912 p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True); 950 p += dos_PutUniCode(p, my_acct_name, 951 sizeof(outbuf) - PTR_DIFF(p, outbuf), True); 952 953 if (strlen(my_mailslot)+1 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { 954 return False; 955 } 913 956 914 957 memcpy(p, my_mailslot, strlen(my_mailslot)+1); 915 958 p += strlen(my_mailslot)+1; 916 959 960 if (sizeof(outbuf) - PTR_DIFF(p, outbuf) < 8) { 961 return False; 962 } 917 963 SIVAL(p, 0, 0x80); 918 964 p+=4; … … 923 969 p = ALIGN4(p, outbuf); 924 970 925 sid_linearize(p, sid_size(sid), sid); 971 if (PTR_DIFF(p, outbuf) > sizeof(outbuf)) { 972 return False; 973 } 974 975 if (sid_size(sid) + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { 976 return False; 977 } 978 979 sid_linearize(p, sizeof(outbuf) - PTR_DIFF(p, outbuf), sid); 926 980 p += sid_size(sid); 927 981 … … 1690 1744 fstring conn_pwd; 1691 1745 struct dcinfo *p_dcinfo; 1746 char *machine_password = NULL; 1747 char *machine_account = NULL; 1748 char *domain_name = NULL; 1692 1749 1693 1750 result = init_dc_connection(domain); … … 1712 1769 if ((conn->cli->user_name[0] == '\0') || 1713 1770 (conn->cli->domain[0] == '\0') || 1714 (conn_pwd[0] == '\0')) { 1715 DEBUG(10, ("cm_connect_sam: No no user available for " 1716 "domain %s, trying schannel\n", conn->cli->domain)); 1717 goto schannel; 1771 (conn_pwd[0] == '\0')) 1772 { 1773 result = get_trust_creds(domain, &machine_password, 1774 &machine_account, NULL); 1775 if (!NT_STATUS_IS_OK(result)) { 1776 DEBUG(10, ("cm_connect_sam: No no user available for " 1777 "domain %s, trying schannel\n", conn->cli->domain)); 1778 goto schannel; 1779 } 1780 domain_name = domain->name; 1781 } else { 1782 machine_password = SMB_STRDUP(conn_pwd); 1783 machine_account = SMB_STRDUP(conn->cli->user_name); 1784 domain_name = conn->cli->domain; 1785 } 1786 1787 if (!machine_password || !machine_account) { 1788 result = NT_STATUS_NO_MEMORY; 1789 goto done; 1718 1790 } 1719 1791 … … 1723 1795 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR, 1724 1796 PIPE_AUTH_LEVEL_PRIVACY, 1725 conn->cli->domain,1726 conn->cli->user_name,1727 conn_pwd, &result);1797 domain_name, 1798 machine_account, 1799 machine_password, &result); 1728 1800 1729 1801 if (conn->samr_pipe == NULL) { … … 1731 1803 "pipe for domain %s using NTLMSSP " 1732 1804 "authenticated pipe: user %s\\%s. Error was " 1733 "%s\n", domain->name, conn->cli->domain,1734 conn->cli->user_name, nt_errstr(result)));1805 "%s\n", domain->name, domain_name, 1806 machine_account, nt_errstr(result))); 1735 1807 goto schannel; 1736 1808 } … … 1739 1811 "domain %s using NTLMSSP authenticated " 1740 1812 "pipe: user %s\\%s\n", domain->name, 1741 conn->cli->domain, conn->cli->user_name));1813 domain_name, machine_account)); 1742 1814 1743 1815 result = rpccli_samr_connect(conn->samr_pipe, mem_ctx, … … 1824 1896 *cli = conn->samr_pipe; 1825 1897 *sam_handle = conn->sam_domain_handle; 1898 SAFE_FREE(machine_password); 1899 SAFE_FREE(machine_account); 1826 1900 return result; 1827 1901 } … … 1954 2028 NTSTATUS result; 1955 2029 1956 uint32 neg_flags = NETLOGON_NEG_ AUTH2_FLAGS;2030 uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; 1957 2031 uint8 mach_pwd[16]; 1958 2032 uint32 sec_chan_type; … … 1974 2048 } 1975 2049 1976 if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {1977 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;1978 }1979 1980 2050 netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON, 1981 2051 &result); … … 1984 2054 } 1985 2055 2056 if ((!IS_DC) && (!domain->primary)) { 2057 /* Clear the schannel request bit and drop down */ 2058 neg_flags &= ~NETLOGON_NEG_SCHANNEL; 2059 goto no_schannel; 2060 } 2061 1986 2062 if (lp_client_schannel() != False) { 1987 2063 neg_flags |= NETLOGON_NEG_SCHANNEL; 1988 2064 } 1989 2065 1990 /* if we are a DC and this is a trusted domain, then we need to use our 1991 domain name in the net_req_auth2() request */ 1992 1993 if ( IS_DC 1994 && !strequal(domain->name, lp_workgroup()) 1995 && lp_allow_trusted_domains() ) 2066 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name, 2067 &sec_chan_type)) 1996 2068 { 1997 account_name = lp_workgroup();1998 } else {1999 account_name = domain->primary ?2000 global_myname() : domain->name;2001 }2002 2003 if (account_name == NULL) {2004 2069 cli_rpc_pipe_close(netlogon_pipe); 2005 return NT_STATUS_ NO_MEMORY;2070 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 2006 2071 } 2007 2072 … … 2028 2093 } 2029 2094 2095 no_schannel: 2030 2096 if ((lp_client_schannel() == False) || 2031 2097 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { -
branches/samba-3.0/source/nsswitch/winbindd_cred_cache.c
r26 r124 427 427 { 428 428 struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); 429 NTSTATUS status ;429 NTSTATUS status = NT_STATUS_OK; 430 430 #ifdef HAVE_KRB5 431 431 krb5_error_code ret; -
branches/samba-3.0/source/nsswitch/winbindd_dual.c
r44 r124 36 36 37 37 extern BOOL override_logfile; 38 extern struct winbindd_methods cache_methods; 38 39 39 40 /* Read some data from a client connection */ … … 989 990 } 990 991 992 /* Special case for Winbindd on a Samba DC, 993 * We want to make sure the child can connect to smbd 994 * but not the main daemon */ 995 996 if (child->domain && child->domain->internal && IS_DC) { 997 child->domain->internal = False; 998 child->domain->methods = &cache_methods; 999 child->domain->online = False; 1000 } 1001 991 1002 while (1) { 992 1003 -
branches/samba-3.0/source/nsswitch/winbindd_nss.h
r105 r124 207 207 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000 208 208 #define WBFLAG_PAM_CACHED_LOGIN 0x4000 209 #define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */209 #define WBFLAG_PAM_GET_PWD_POLICY 0x8000 210 210 211 211 #define WINBINDD_MAX_EXTRA_DATA (128*1024) -
branches/samba-3.0/source/nsswitch/winbindd_pam.c
r39 r124 1518 1518 } 1519 1519 1520 result = fillup_password_policy(domain, state); 1521 1522 if (!NT_STATUS_IS_OK(result)) { 1523 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); 1524 goto done; 1520 if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) { 1521 result = fillup_password_policy(domain, state); 1522 1523 if (!NT_STATUS_IS_OK(result)) { 1524 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); 1525 goto done; 1526 } 1525 1527 } 1526 1528 -
branches/samba-3.0/source/nsswitch/winbindd_util.c
r62 r124 84 84 return False; 85 85 86 if ( IS_DC )87 return sid_check_is_builtin(sid);88 89 86 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid)); 90 87 } … … 94 91 if (sid == NULL) 95 92 return False; 96 97 if ( IS_DC )98 return sid_check_is_in_builtin(sid);99 93 100 94 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
Note:
See TracChangeset
for help on using the changeset viewer.
